Data Vendors Used to Have ‘Unlimited Liability’ for Breaches—but Not Anymore
As cyber risk continues to expand, data processing vendors may find themselves in more protracted negotiations over who will absorb the bulk of the liability.
Nobody wants to be left holding all the legal jeopardy when a data breach exposes the personal information of thousands of consumers. But where companies used to be able to forge deals with data processing and storage providers that shifted the majority of the liability for a breach onto the vendor, an increasingly complex web of global privacy laws and the dramatic expansion of remote work may be tipping the balance of power.
Brian Hengesbaugh, chair of the global data privacy and security business unit at Baker McKenzie, noted that vendors are approaching contracting much more thoughtfully in terms of limiting their liability. “It used to be, back in the day, that [vendors] would have unlimited liability for any kind of breach of confidentiality, right? And vendors have been much focused on that as a reason and particularly focusing on caps around data security breach,” he said.
Still, while vendors may be pushing back, the degree of leverage they have to wield has typically varied from client to client. In 2019, for example, a hacker used a misconfiguration in Capital One Financial Corp.’s firewall to breach the personal information of approximately 100 million Americans and 6 million Canadians.
However, Chris Ballod, an associate managing director in the cyber practice of Kroll, who at the time was a partner with Lewis Brisbois Bisgaard & Smith, previously told Treasury & Risk sister publication Legaltech News that cloud infrastructure provider Amazon Web Services (AWS) was unlikely to absorb any liability. This may have had more to do with the size and clout Amazon wields in the tech and business communities than anything else.
“AWS contracts are very detailed and tend to favor Amazon, not surprisingly. … With contracts like that, it’s always difficult to get some liability share onto Amazon or the cloud host,” Ballod said.
Conversely, when Delta was breached in 2018, Efraim Harari, general counsel at cybersecurity technology company SentinelOne, believed that the airline’s “longevity in the market and size” meant that a smaller tech vendor was likely to be held liable for the exposure. But in many ways, 2021 is a very different world from 2018 or even 2019.
For starters, the financial stakes for companies associated with a data breach have risen. Jarno Vanto, a partner at Crowell & Moring, pointed out that the California Consumer Privacy Act (CCPA)—enacted in 2020—opened the possibility for class-action lawsuits and statutory damages.
“It is still the case that the data controller under these statutes or the business in California is still primarily liable for not only incidents occurring with the data but other obligations like interacting with the consumers, all of that. So then it really becomes a dollar discussion [with the vendor],” he said.
Further motivating companies to play hardball with vendors when negotiating the apportionment of liability: The cost of information security overall is continuing to increase. Vanto argued that one of the ways organizations protect themselves post-breach is by showing every possible shred of evidence that reasonable security precautions were taken—which, in and of itself, can be a costly endeavor.
“That means more documentation, more technical information security solutions being sold. So one thing that is certain is that the cost of managing information security overall will increase,” Vanto said.
Despite the incentives that companies have for pressing vendors to absorb more of the liability around cyber breaches, circumstances may have conspired to ultimately place vendors in the stronger bargaining position. Hengesbaugh at Baker McKenzie cited a “perfect storm” rising on the corporate cybersecurity landscape. Remote work has forced many businesses to expand their cyber infrastructure—and attack surface—rapidly, all while data volumes continue to rise.
Corporations may require more of a tech assist from vendors to meet those challenges—and thus be more willing to meet them on the vendors’ terms. “I would say there was more leverage for the providers in that type of context,” Hengesbaugh said.
But it’s likely that neither businesses nor their vendors will concede to shouldering the bulk of the cyber liability without a fight. “I’m afraid where this is going to go is that there’s going to be a lot more litigation, right? … It’s going to get more into litigation and dispute over who is responsible for what,” Hengesbaugh said.
From: Legaltech News