Author: John C. Mitby
It is a good idea to prepare for data breaches in advance—it may not be possible to prevent breaches entirely, but having the right insurance and legal protections in place up front can minimize their impact.
Step one is to check the written terms of your service contract.
Step two is to determine whether you need indemnification and liability limits in your own contract.
One problem is that in a third-party claim arising from a data breach there may be no recoverable damages, because the risk of loss is judged to be low and credit monitoring is deemed sufficient. As a result, the party responsible for the breach may have no insurance coverage for it.
But just because the party that suffered a breach has no “actual” damages does not mean that party has no exposure. In addition, the party whose data was breached faces a significant PR problem, along with the very real problem of its customers no longer wanting to do business with it. The breach itself often happens when a vendor of the party accesses the party’s data and inadvertently becomes a pathway for hackers to reach that data. It is suspected that this is exactly what happened in the recent Target data breach.
Regardless, if there is a data breach, all parties will be reviewing their contracts with each other. The typical clauses found under “Terms and Conditions” in such contracts, intended to avoid liability, read as follows:
Vendor shall not be liable for any loss or damage caused by a distributed denial-of-service attack, viruses, or other technologically harmful material that may affect your computer equipment, computer programs, data, or other proprietary material due to your use of the website or the service or items obtained through the website or the service or to your downloading of any material posted on it or any website linked to it.
Vendor shall not be liable for damages of any kind, under any legal theory, arising out of or in connection with your use or inability to use the services or any websites associated with it, including any direct, indirect, special, incidental, consequential, or punitive damages, including but not limited to personal injury, pain and suffering, emotional distress, loss of revenue, loss of profits, loss of business or anticipated savings, loss of use, loss of goodwill, loss of data, and whether caused by tort (including negligence), breach of contract, or otherwise.
The combined effect of the above clauses is to eliminate any vendor liability. Of course, one way to deal with such contract language is to strike it. In addition, you should have your insurance agent review both the contract and your insurance policy to determine the risks, the exposure, and the limits of coverage. If possible, the vendor’s insurance should also be reviewed.
Where the vendor is to be liable for a data breach, one should insert a provision such as the following:
X requires that vendor shall at all times maintain compliance with the most current version of the Payment Card Industry Data Security Standard (the PCI DSS). Vendor acknowledges responsibility for the security of cardholder data defined within the PCI DSS and agrees that cardholder data may only be used for completing the contracted services between X and the vendor or as required by applicable law.
In the event of a breach, vendor acknowledges that any and all costs related to a breach or unauthorized access to cardholder data entrusted to vendor and deemed to be the fault of vendor shall be the liability of vendor. Vendor agrees to assume responsibility for informing all affected parties in accordance with applicable law and to indemnify and hold harmless X and its officers and employees from and against any claims, damages, or other harm related to such breach, unless such claim was the sole result of X’s causal negligence.
However you choose to deal with the issue, you must be aware of it, figure out what insurance may provide coverage, and understand who is to bear the risk. It is far easier to address data breaches when the contract with the vendor is being negotiated than after a data breach has actually happened.