Addressing Cyber Attacks & Data Breaches in Supplier Contracts
Part 2: How are Limits of Liability Evolving, with Respect to the Issue of Data Breaches?
Ten years ago, most “buyers/customers” expected their suppliers to absorb unlimited contractual liability if the supplier was responsible for a breach affecting the customer’s data. Today, while customers may continue to insist upon such a position at the beginning of negotiations, they frequently expect that market-leading suppliers will ask for some sort of limit to the supplier’s potential liability for data breaches.
When customers are forced to negotiate a liability cap applicable to breaches of data (including PII and PHI), they usually insist that such liability cap be an amount that is greater than the “standard” limit of liability under the Agreement (i.e., greater than the standard financial cap applicable other contract breaches).
In negotiating what that “higher cap” should be for data breaches, customers should not necessarily tie that higher cap to the total fees (or total annual fees) payable under the Agreement (for example, a liability cap for data breaches equal to 3 times the annual fees under the Agreement), unless those total fees (or total annual fees) will be so large that having a cap equal to a multiple of the contractual fees will provide adequate protection to the customer for a data breach.
Instead, customers should focus on the question of “What is the potential amount of damages that I could suffer, if my supplier’s actions (or inactions) lead to a data breach?” And the customer is, then, basing the higher liability cap for data breaches, on that potential damage amount. In other words, customers should insist that the higher financial cap for data breaches BE A DISCRETE AMOUNT OF MONEY (such as, for example, $5 million or $10 million or $50 million or $75 million). This should not impact the “standard” limit of liability for other breach of the agreement, which generally continues to be a multiple of the annual fees (such as 12 months’ trailing fees, or 18 months or 24 months depending on the transaction).
How can a customer determine the potential damage that might be suffered if a data breach occurs? We encourage customers to utilize industry analysis to drive their consideration of their own total potential damages due to a data breach. There are several industry reports that track (a) the average cost of a data breach and (b) the average “cost per record breached” (see, for example, the annual report prepared by the Ponemon Institute on the average cost of data breaches. The most recent version of the report is available for download, by registering at: http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/). Based on this analysis, customers can come up with an informed estimate of how expensive a data breach could be to them.
In considering what the appropriate higher liability cap might be for data breaches, customers should appreciate that large/market leading suppliers that regularly have access to customer data usually have adequate insurance in order to cover potential data breach damages (or they are self-insured for such coverage). This is very important: most large/market leading suppliers are now covered for tens of millions (if not hundreds of millions) of dollars of insurance coverage for data breaches. So, when suppliers are negotiating to limit their liability for data breaches, they frequently are doing so purely from a risk avoidance perspective, and not because they are unable to cover the cost of such damages through insurance. If a supplier responds that it does not have adequate insurance or cannot obtain necessary coverage for data breaches, that is a huge red flag, and the customer should ask itself why it would allow such an under-insured supplier to have access to the customer’s data.
Of course, the final limit of liability applicable to data breaches is subject to negotiation, and in some cases, a supplier may be unwilling to contractually commit to covering the customer’s total potential damage due to a data breach. In such cases, if the customer still wants to execute an agreement with the supplier, the customer should make sure that its own insurance policies contain enough coverage (in terms of insurance policy limits and applicable exclusions) to cover the delta between (i) its total potential damages due to a data breach and (ii) the supplier’s contractual liability cap for data breaches.