By: James K. Paulick, Esq.
“You get NOTHING, you LOSE, GOOD DAY, SIR!”
These were the words Gene Wilder boomed at Charlie at the end of ‘Willy Wonka and the Chocolate Factory’ after quoting the tiny, obviously unnoticed Latin waivers contained in the contract. As silly and slapstick as the scene is, it rings true in today’s data breach risk allocation in modern cloud computing and Software-as-a-Service (“SaaS”) contracts.
While compliance with data privacy laws in 2023 may limit your exposure in government agency investigations, data risk allocation with contractors and service providers might be your company’s biggest area of concern in data privacy.
Many companies are not aware of the vast amounts of risk exposure they have with cloud and SaaS computing service offerings. In simple terms, cloud computing and SaaS services simply permit you to store your data on another company’s network (cloud) or run a service provider’s applications using that company’s remote resources, rather than installing the application locally (SaaS).
Although there are many operational and cost-saving advantages to these technologies, the inherent risk is your company’s loss of control and insight of the infrastructure that now hosts your sensitive data with the added risk element that, as you access your data or run your applications, all the personal data that is attendant to that service is now traversing the internet – constantly. So, what is the problem? If you did not have your contract with that service provider reviewed carefully for data breach considerations, there is a high likelihood that the contract contains a sweeping limitation of liability provision that limits your recovery, in any situation, to the fees paid by you to the service provider over the course of 12 months, or some similar provision. In most scenarios, the fees you pay for the service will be a drop in the bucket compared to the cost of a data breach.
Consider this, the average cost is between $250 and $450 per record lost in a data breach ($750 in the instance of protected health information or PHI). If you were sharing a modest number of individuals’ (customers’) personal information, for example 1,000 records, and we use the lowest estimate of a per-record cost, the estimated cost of a breach is still around $250,000 in out-of-pocket costs and fees. However, data breaches, on average, can set your company back much more. According to most cybersecurity-focused firms, the average cost of a data breach is between $4M to $9M USD.
What can you do? Most of these service providers are using boiler-plate contracts that have the most sweeping waiver and limitation of liability terms – sometimes limiting total recovery to $1,000. Even if your company has very little leverage against a large SaaS or cloud provider, a reasonable pushback on their initial terms with a citation to actual data breach costs can yield advantageous concessions. At the end of the day, because these service providers practice in the business of data, they often have cyber liability insurance policies with coverage limits of up to 5, 10 and sometimes 15 million dollars. One can now see why a limitation of liability clause could be one of largest risk allocation concerns facing your company.
As a further, and perhaps even more important issue, even if your company did have the contract reviewed and the limitation of liability contains a reasonable, arms-length provision for data breaches, the limitation of liability clause contains a waiver of indirect and consequential damages. This is a problem because, unless your service provider’s primary service offering is the protection of personal data (most times it is not), then any damages flowing consequently from a data breach will be considered a “consequential” damage by most courts in the United States. Thus, even if you took the time to negotiate a reasonable cap on data breach liability with your service provider, other terms in the limitation of liability might scuttle your company’s hopes of recovering the lion’s share of the costs of a data breach.
For assistance with data breach contracts or other privacy related law, please contact James K. Paulick at firstname.lastname@example.org or 424.738.4400 for an initial consultation. Jim is Counsel with Leech Tishman and a member of the Corporate Group, where he leads the Data Privacy & Cybersecurity Group.
Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman
Leech Tishman’s Twitter: https://twitter.com/LeechTishman
Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman
Leech Tishman Fuscaldo & Lampl is a national, full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, construction, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, emerging cyber technologies, energy & natural resources, entertainment, healthcare, hospitality, and life sciences industries. Leech Tishman has offices in Chicago, Los Angeles, New York, Philadelphia, Pittsburgh, Sarasota, Washington, D.C., and Wilmington, DE.