Skip to main content

Claims for losses incurred for Data breaches by a IT Service Provider's are consequential damages barred under the disclaimer of liability clause - Interesting read!

-

A recent judgment of the US court has held that claims for losses incurred for a data breach is a consequential damage and is barred under the Disclaimer of Liability clause dealing with indirect and consequential damages - Interesting update on Indirect and direct damages.

Image result for limitation of liabilityRecent Case Highlights The Dangers Of Consequential Damage Waivers in IT Contracts

By Matthew Spohn (US) and David Navetta (US) on Norton Rose Fulbright US LLP

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential damages.
The court’s analysis could apply to almost any breach of data provided to a vendor under an IT service contract, and highlights the need to carefully scrutinize a proposed waiver of consequential damages when confidential or sensitive data is involved in the contract.
Before addressing the Eleventh Circuit’s decision in Silverpop, some background on consequential damage waivers may be helpful –

How are Consequential Damage Waivers Involved in IT Contracts?

The typical vendor-friendly IT service contract will contain a section titled “limitation of liability” with two key provisions:
  1. one capping the vendor’s total liability at some amount (often the total fees paid under the contract, or fees paid in the prior twelve months), and
  2. one stating that in no event will the vendor be liable for any consequential, incidental, or indirect damages.
Purchasers will often focus on the first provision but fail to address the second provision, perhaps because it reads like boilerplate language that reasonably confirms that the vendor will not be liable for speculative damage claims.  But that is a misconception—the consequential damages waiver has important ramifications, especially in the context of confidentiality breaches.

What are Consequential Damages?

To understand the effects of a consequential damages waiver, one must first understand what consequential damages are.  But this task confounds both lawyers and judges.
Textbooks and treatises on contract law will define consequential damages in the context of the following summary of contract damages:
  • Only damages foreseeable at the time of contracting are recoverable in the event of a contract breach.
  • Direct (also known as general) damages are those damages that would have been foreseeable to a stranger to the transaction, without any knowledge of the transaction except the contract itself. As an example, if the contract were one to repair the foundation of a building, someone without any other knowledge of the transaction could foresee that if the foundation were improperly repaired, the building might collapse.  That damage to the building would be a direct damage.
  • Consequential (also known as special) damages are those damages that would not have been foreseeable by the stranger to the transaction, but would have been foreseeable to the parties to the contract, given what they knew of the transaction. Continuing the prior example, if the parties knew that the building whose foundation was being repaired housed a popular retail establishment, then the store’s profits that were lost due to the building’s collapse would be consequential damages.
Image result for liability Even using this scholarly definition, direct and consequential damages are difficult to differentiate.  This confusion is compounded by the fact that courts will often add layers of additional analysis to distinguish direct and consequential damages.  For instance, in Schonfeld v. Hilliard, 218 F.3d 164, 175–76 (2d Cir. 2000),  the influential Second Circuit Court of Appeals (which handles appeals from New York’s federal courts, among others) adds the test of whether damages compensate for “the value of the very performance promised,” such that they are direct damages, or whether they compensate for “additional losses (other than the value of the promised performance),” such that they are consequential damages.
The result is that judges, attorneys, and scholars regularly note that the distinction between direct and consequential damages is difficult to apply, and one should never rest easy in believing that potential damages are one or the other.

Are the Damages from a Confidentiality Breach Direct or Consequential?

Against this background, breaches of confidentiality agreements present unique challenges in sorting direct from consequential damages.   Some writers have argued that any damages from the breach of a confidentiality obligation are necessarily consequential, because the specific harm caused by the breach would rarely be apparent on the fact of the contract.
That position has some support from the recent decision of the Eleventh Circuit Court of Appeals in Silverpop Systems, Inc. v. Leading Market Technologies, Inc., 61 Fed. Appx. 849 (11th Cir. Jan. 5, 2016), which summarily affirmed the federal district court’s “well-reasoned and thorough decision” finding, among other things, that the parties’ consequential damages waiver barred all damages from an IT vendor’s data breach.
The defendant in that case, Leading Market Technologies, Inc. (“LMT”), is a digital marketer that had hired the plaintiff Silverpop Systems, Inc. (“Silverpop”) to use LMT’s confidential email address list to distribute advertising content.  But hackers accessed the portion of Silverpop’s network where LMT’s email list was stored, and  the list may have been misappropriated (though this could not be confirmed).  LMT sued Silverpop for breach of the confidentiality provisions in their agreement, alleging that the value of its confidential email list was diminished by the data breach.  Silverpop moved for dismissal of that claim with the argument that those damages were consequential, and were therefore barred by the consequential damages waiver in their agreement.
In addressing this argument, the court acknowledged the black-letter “foreseeable to a stranger/foreseeable to the parties” test of direct versus consequential damages, but decided that the Second Circuit’s “value of performance/additional losses” analysis was a helpful gloss on that test.  Using that analysis, the court found that contract’s purpose was email marketing, and that the confidentiality obligations were only incidental to that purpose.  Therefore, direct damages would consist of the lost money paid for the promised marketing services, and other damages (such as the lost value of the confidential email list) were consequential.  In a telling passage, the court reasoned:
[T]he loss suffered by LMT is of a type resulting from the breach of a specific term of the agreement. In the absence of a breach of the confidentiality provision, LMT would not have incurred the loss to the sale value of the LMT List. Thus, considering the purpose of the parties’ agreement, the damages LMT seeks are not the type that “arise naturally and from the usual course of things.” LMT’s damages are consequential rather than direct.
The court then dismissed LMT’s claim for breach of contract because it had agreed to waive all consequential damages—even though claims for breach of confidentiality were exempted from the contract’s separate cap on total damages.
This analysis is significant, because it could apply in almost any IT services contract.  In most cases, the primary purpose of such a contract is to provide IT services—the obligation to maintain the confidentiality of the data involved is only incident to that main purpose and performance.  (Stand-alone non-disclosure agreements might be exceptions).  And if a court uses the Silverpop analysis and finds that maintaining the confidentiality of data is not the primary purpose of the IT contract, then damages from the confidentiality breach will be consequential.  If the IT contract contains a standard waiver of consequential damages, then the aggrieved party may be without a remedy.

Our Take

In contracting for IT services, it is important for purchasers to thoughtfully consider the risks of harm presented by the services, and then negotiate terms that appropriately allocate those risks between the parties.  This requires both parties to reconsider the standard vendor-friendly term waiving all consequential damages.
Reassessment of the consequential damages waiver is especially important in the context of confidentiality and data security obligations.  If the vendor allows confidential information to be breached, this could harm the value of that data, cause competitive harm and lost profits, and expose the company to claims by third parties with interests in the exposed data, among other things.  If the exposed data contains personal information or protected medical information subject to state and federal regulation, then the breach could also expose the company to breach notification and remediation expenses, which could be construed as consequential.  Options for addressing these risks at the contracting stage include:
  • Removing the consequential damages waiver entirely, and relying on the background common law that damages unforeseeable at the time of contracting are not recoverable;
  • Carving out from the consequential damages waiver any claims arising from breach of confidentiality, even if such claims are already exempted from the contractual damages cap;
  • Adding indemnification provisions for third-party claims arising from a breach of confidentiality (and adding a carve out for indemnification to the consequential damages disclaimer); and
  • Adding indemnification provisions for expenses incurred in addressing a breach of regulated personal information and protected health information (and adding a carve out for indemnification to the consequential damages disclaimer).
Not all of these options are mutually exclusive, and together they provide a toolbox for allocating the parties’ liabilities in the event of a data breach.

Reference: http://www.dataprotectionreport.com/2016/09/recent-case-highlights-the-dangers-of-consequential-damage-waivers-in-it-contracts/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A%20DataProtectionReport%20%28Data%20Protection%20Report%29

Comments

Post a Comment

Please share your valuable comments and thoughts on this article. Thanks!

Popular posts from this blog

Responding to Software Review Audits- Good tips on how to handle audit requests and settlements

-
Image
Managing Audits to Prevent Unauthorized Disclosures by Technology Teams by Keli Johnson Swan in Blogs , Software Audits Disputes involving software usage are on the rise for businesses of all sizes. In some cases, technical teams respond to a software publisher’s or a third party’s audit request and provide significant amounts of data without notifying anyone on the corporate governance or the legal teams.  It is critical for those teams to evaluate the publisher’s legal ability to audit, and to identify the data the publisher is entitled to request. It is not uncommon for the legal team to discover the existence of a software audit or license verification after the company has received a demand for damages arising from alleged over-usage of software. Often, employees responding to an audit request do not understand the request and provide inaccurate or incomplete information. Once this information is disclosed, it can expose the business to a damages cla
Read more

"What is the right thing to do?" What's The Difference Between Compliance And Ethics?

-
Image
  What's The Difference Between Compliance And Ethics? Bruce Weinstein, Ph.D. Contributor Customized ethics keynotes, training, and online courses for CE credit May 9, 2019, 01:19pm EDT  TWEET THIS High-character leaders ask, "What is required of me?" but they don't leave it at that. Ethical leaders also ask, "What is the right thing to do? How would an honorable person behave in this situation?" I've noticed some confusion about the roles that ethics and compliance play in organizations. This confusion arises, in part, from the way these two fields are identified. Some companies have only a compliance department. Others have a compliance  and  ethics (or ethics and compliance) department. Some companies have a Chief Ethics Officer separate from compliance. To get some clarity on these crucial roles, I asked seven leaders who are involved in both ethics and compliance to explain the similarities and differences as they saw them. I'll present their vi
Read more

The 6-D model of national culture by Geert Hofstede

-
Image
The 6-D model of national culture Geert Hofstede, assisted by others, came up with six basic issues that society needs to come to term with in order to organize itself. These are called dimensions of culture. Each of them has been expressed on a scale that runs roughly from 0 to 100. Dimension maps of the world: Individualism Each dimension has been derived by comparing many, but not all, countries in the world. The findings can be summarized into six world maps of the distribution of that dimension. Of course, in reality there can be quite a bit of within-country variation; these maps should be seen as rough 'climate maps' of culture. Individualism Individualism is the extent to which people feel independent, as opposed to being interdependent as members of larger wholes. Individualism does not mean egoism. It means that individual choices and decisions are expected. Collectivism does not mean closeness. It means that one "knows one's place&q
Read more