Suppliers of IT outsourcing services limit their responsibility for paying damages arising from the loss of customers’ sensitive data (whether or not intentionally lost by the supplier). Only a few years ago, it was commonplace in an IT outsourcing agreement for a supplier to agree to be responsible for any losses of customer confidential information caused by the supplier. Today, however, due to the widespread increase in data breaches and the higher potential for large amounts of liability that can result from such breaches (see the Zurich Insurance fine), suppliers are much less likely to agree to open-ended liability.
IT outsourcing suppliers have taken various approaches to capping their exposure to damages resulting from data breaches, both for amounts owed directly to the supplier’s outsourcing customer as well as the amounts owed to the customer’s clients.
Some suppliers will accept “enhanced” liability for some amount of money that is larger than the general limitation on damages recoverable for standard breaches of the contract; this enhanced amount of money is often set aside as a separate pool of money that cannot be replenished once it is “used up” to pay for the data losses. Some differentiate the amount of exposure they have to these breaches based upon whether the data in question is or should have been encrypted. Still others vary the amounts of exposure based upon whether data was merely lost or whether the data was actually misappropriated by the supplier.
Another approach is to specifically identify the types of damages that can result from a data breach (e.g., costs of notifying people whose data has been breached and providing credit monitoring to those people) and state that those costs would be recoverable up to a pre-determined amount.
The important point for the outsourcing customer to take away is that, however creative the solution, suppliers are often no longer willing to be 100% on the hook for these types of losses.
Suppliers’ unwillingness to take full responsibility is problematic because these data breaches have become more frequent and more expensive. So what can outsourcing customers do to protect themselves from the expense that can result from a data breach caused by an outsourcing supplier?
As noted above, suppliers’ approaches to limiting their risk vary greatly from deal to deal, so outsourcing customers should negotiate to push at least some of the risk back across the table. Customers should also investigate cyber liability insurance coverage to protect themselves against the losses resulting from these data breaches. An important point to note here is that customers must be certain that the language of the insurance policy will actually protect them. There is current litigation between insurers and outsourcing customers over the insurers’ attempts to deny coverage for losses from data breaches of the outsourcing customer caused by outsourcing suppliers.
Since this area is evolving quickly, there is no single correct way to protect against high losses resulting from a supplier’s data breach. However, customers should be aware of the risks and negotiate to limit their liability through strong contractual provisions and reliable insurance.