In our cloud-centered business environment (which will only become more so), there are usually at least two potentially responsible parties in a data breach: (1) the business that provides services or products to customers or patients (the Data Owner) and (2) a service provider that holds and/or processes the data (the Data Holder).
A simple example would be SalesForce. You run the customer relationship management (CRM) functions of your business on the SalesForce cloud-based service. You own your customer data, and SalesForce holds your data. If there is a breach of your data on SalesForce’s servers, who is liable for the ensuing expenses and losses? Under the state data breach laws and the terms of most vendor agreements, only the Data Owner will be responsible. However, this outcome can be changed through negotiation and the agreed wording of the contract (though with an industry leader the likes of SalesForce, don’t expect much, or any, negotiation on this issue).
Magnitude and type of damages
It’s important to first appreciate the potential impact of a data breach on a Data Owner. A quick look at some recent famous data breaches, though each involves only one party, will bring to light the types of costs and damages that can flow from a data breach.
From mid-May through July, 2017, sensitive data of at least 143 million U.S. consumers was hacked at Equifax, which is one of the three major U.S. credit reporting agencies. The sensitive information hacked included names, Social Security numbers, birth dates, addresses and driver’s license numbers. In the days following the announcement of the breach, the market value of Equifax dropped by about $4 billion as shareholders bailed out. Following the breach, Equifax announced that the chief security officer and chief information officer “retired.”
A large breach occurred at Yahoo in 2014 (though it was only discovered two years later, in 2016). Over 500,000 user records were accessed, and the data accessed included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions. Even though no sensitive financial data was exposed, Verizon, which was in the process of purchasing Yahoo, reduced the purchase price of Yahoo by $350 million based upon the anticipated losses associated with the data breach. Additional fallout was that the General Counsel of Yahoo resigned and the CEO forfeited her annual multi-million-dollar bonus.
In 2013, credit card data for over 40 million Target customers (including customer names, card numbers, expiration dates, security numbers and debit card PINs) was hacked via a third-party vendor connection. Target has reported costs from this data breach of over $292 million, which included settlements paid to impacted financial institutions and consumers and, most recently in May of this year, an $18.5 million settlement paid to 47 states. Apparently, insurance has covered only $90 million of these costs. The CEO of Target resigned as a result of this breach.
The costs of a data breach may include all or some of the following: legal expenses, outside response teams, digital investigation and forensic services, remediation of information infrastructure, identity fraud alert services, payments for crisis communication, compliance with state data breach notice obligations, identity theft insurance requirements, and settlements with financial institutions, customers and government entities. Collateral damage can include damage to reputation, consequential loss of business, shareholder suits and replacement of management.
Allocation of risk
Data breaches have become to the security world what bugs are to the software world: inevitable. Every programmer knows that software will have bugs. By the same token, we all now know that data breaches will occur. Of course, there is a major difference between software bugs and data breaches. Software bugs are the result of human error, while data breaches are the result of human malfeasance. Today, information systems are under constant attack by would-be intruders. So, data breaches are a matter of when, not if.
Under U.S. law (except under HIPAA, which places direct liability on a Data Holder) and standard contract terms, it is the Data Owner that will be liable for losses resulting from a data breach, even if the breach is due to the security failures of the Data Holder. Why is that?
Standard vendor agreement terms exclude consequential damages and cap direct damages. Generally, all damages flowing from a Data Holder vendor’s data breach will be considered consequential damages and barred by a standard provision disclaiming all liability for consequential damages. (See the recent case of Silverpop Systems, Inc. v. Leading Market Technologies, Inc. on this point.) Even if some of the damages could be considered direct damages, the liability cap (say, a standard cap of 12 months of fees) would compensate only a small portion of the damages.
Nuances of negotiation
Laid out below is the possible ebb and flow of a contract negotiation over data breach liability between a Data Owner and a Data Holder:
- Taking into account all of the above, a Data Owner will want the Data Holder to be liable for all damages flowing from a data breach, whereas the Data Holder will not want to be liable for any of these damages.
- The Data Owner will claim that the Data Holder should be responsible because the data would be in the Data Holder’s possession when a breach occurs, and the Data Holder would be responsible for the data security that failed.
- The Data Holder may counter that (1) the Data Owner has primary legal responsibility to its customers for data breaches, (2) the Data Holder applies reasonable security measures, and that is all it is responsible for doing, (3) the Data Owner is welcome to audit the Data Holder’s systems to verify the level of security, (4) the contract revenue does not justify liability for data breaches, and (5) no level of security can hermetically seal a system against professional hackers.
- In an effort to reach a reasonable middle ground, the Data Owner might propose that liability of the Data Holder will only arise if the breach is due to a failure of the Data Holder to comply with its stated data security obligations. The effectiveness of this approach will depend upon the quality and level of detail contained in data security requirements that are binding on the Data Holder.
- A shrewd Data Owner might draft the confidential information provision to include all customer data. That way a data breach may constitute a breach of confidentiality, which is often excluded from the limitations of liability clause. However, if a breach of confidentiality is only carved out from the liability cap and not from the consequential damage exclusion, then this will still leave the Data Owner without a remedy, since as mentioned above, data breach liability is primarily consequential damages.
- Confidentiality provisions can also be drafted either to apply strict liability for a breach, whether or not there is fault, or to apply liability only if there is fault. For instance, if the confidentiality obligation is to protect information in not less than a reasonable manner, or as the responsible party would protect its own confidential information, then a data breach occurring without fault would not result in liability for the Data Holder.
- If it is agreed that the Data Holder will have liability for data breaches, then this liability can arise from a carve-out from the liability limitations provision and/or be covered under an indemnification.
- Depending upon how an indemnification is drafted, it can cover both internal losses and damages that the Data Owner is obligated to pay to a third party. The Data Holder would obviously want to limit an indemnification to amounts owing to third parties, or direct “out of pocket” expenses, and not to internal losses, and would also want to be specific about these costs (e.g., covering only the cost of notifications and identity theft insurance requirements, etc.).
- Even if a Data Holder agrees to accept liability, it would be prudent for the Data Holder to seek a special liability cap on this type of liability that is above the standard cap in the agreement, rather than leaving this liability unlimited.
- At the end of the day, if the Data Holder is not a substantial company, then there may be no money available even with a carve-out for data breaches from the liability limitations and under an indemnification.
- Accordingly, both parties need to seriously consider cyber insurance, and the agreement can require a minimum amount of such coverage.
When drafting and negotiating provisions allocating responsibility and liability for data breaches, care and thought will need to be applied to clearly address the contingencies and accurately capture the nuances.