“A significant data breach is likely to cost the company materially, and costs could drag on for a number of years,” analyst Shlomo Rosenbaum, commenting on the Equifax breach.
Organizations increasingly rely on third-party service providers for data collection, processing, transfer and storage. As a result of this dependence on external data management sources, most companies are rethinking data breach risk and cost allocations in new and existing vendor agreements.
Limitation of liability and indemnification clauses form the framework for reducing unforeseeable, and potentially devastating, data breach costs. To defend against unpredictable damages, these clauses are fast becoming the most fiercely negotiated language in service provider agreements. Both liability and indemnity have taken on new importance as organizations become acutely aware that the customer, not the vendor, most likely has the ultimate responsibility for data breached while in the hands of a vendor. The harsh reality that a majority of state statutes allocate the risk and costs of unauthorized disclosure to the data owner, not the vendor, is a red flag in contract negotiations. Customers now realize that they are probably legally required to investigate a breach, provide required notifications and cover any and all costs related to a breach, despite the fact that the vendor is the sole culpable party. Under most state statutes, a service provider’s obligations, and liability for costs, end with notification to the customer. Simply put, if the organization’s sensitive data is breached while under the control of a vendor, the vendor’s only obligation is to notify the organization. It is then the customer’s obligation to handle the fallout, unless the customer’s contract with the vendor provides otherwise.
Despite this presumptive statutory allocation of risk to the data owner, which may result in crippling costs for the organization (think Equifax and Target), most vendor contracts contain woefully inadequate liability and indemnification provisions in the event of a data breach. Standard limitations on liability, such as twice the annual fees paid under the agreement, are almost certainly utterly insufficient to cover the costs of a breach. Customers must recognize that every data breach may expose the organization to significant costs while allowing the responsible vendor to walk away for a nominal amount.
Most vendor contracts are drafted by the service provider and are particularly one-sided on the topic of liability limitations and indemnification in the event of a data breach. Often these agreements have been in place for many years and automatically renew. The language in most vendor pro forma agreements ignores today’s reality of massive data breach events, class action lawsuits and aggressive regulatory enforcement. Any organization that has not reviewed and revised (where appropriate) critical service provider agreements should consider a thorough evaluation of contract terms related to data breach risk and cost allocation.
Negotiating Liability Limits and Indemnification Related to Data Breach Events
Many vendors draft form agreements on the premise that risk and the revenue stream from the customer are equal considerations. In contrast, the customer will almost always approach the agreement from the perspective that if the vendor is at fault, liability should not be limited to a nominal sum. The substantial gap between these two negotiating positions is self-evident. Finding common ground and negotiating a contract that both parties can live with may be a daunting and protracted task.
The time to defend against data breach risks and costs is during the negotiation stage of every vendor agreement that involves personal data. If existing agreements automatically renew, customers should review and renegotiate critical terms to ensure liability limits and indemnification language adequately protect against present-day threats and financial repercussions. It is well worth the customer’s time and effort to hold fast to realistic and advantageous liability limits and indemnification terms.