Paul Golding considers the perennial arguments among negotiating lawyers about limitation of liability and indemnities in the special context of data security. He also looks at the impact that might be seen from the GDPR and hopes to hear the views of others with different perspectives.
All commercial lawyers spend a considerable amount of their time negotiating and advising upon limitation of liability provisions. Particularly in an IT context, the financial consequences of a breach of contract, which often far outweigh the value of the contract in question, have made this a very contentious area to which a great deal of attention has been devoted. In the 20 years or so since data protection legislation was introduced, limitation of liability provisions in services contracts involving processing or even just access to personal data have had to take account of the risk of data security breaches. It is not uncommon for there to be a separate, often higher, limit of liability for data security breaches than for other 'performance' related breaches. More recently, particularly large customers have not been content with simply getting higher limits of liability. Often they demand that no liability cap should apply to such matters at all. Others go even further and seek unlimited indemnities.
The purpose of this article is to invite debate on the appropriateness of such uncapped liabilities and indemnities and to see how the implementation of the new Regulation might make that debate even more important.
Missing the point?
When TalkTalk suffered a security breach in autumn 2015 some predicted that the result would be costs in the region of £35 million. So far as I am aware no services contract was involved there but that just reminded me that, in a services context, debates over limits of liability, indemnities etc are very real and critically important given how much is at stake and, seemingly, how often such breaches occur.
It is perfectly understandable on the face of it that customers would want service providers to accept uncapped liability. Equally I can see why absolute indemnities have a superficial attraction to customers. Why not try to place all of the risk with service providers? However, can such approaches really be justified and are they not slightly missing the point?
Lawyers have a tendency to focus on liability clauses. I would argue strongly that such focus is misplaced. If very significant data security breaches occur, this is disastrous for everybody – data controller customers and service providers alike. Given the catastrophic consequences, a major breach may well spell curtains for both the customer and service provider involved. By that point it could be far too late for all concerned and reaching for the contract is likely to offer little in the way of comfort. Very rarely will awarded damages or agreed compensation fully compensate for actual losses and, crucially, damage to customer goodwill, which is virtually impossible to quantify.
I think all concerned would be better off focussing on:
· agreeing details as to exactly what security technologies and procedures will be implemented;
· ensuring that adequate testing (and regular independent auditing) of the same does take place and the results are acted upon; and
· reviewing security measures regularly against evolving threats and in the light of technological developments.
Contracts also have to deal with what happens in the event of a security breach. In this respect it is perhaps worth noting that, under the GDPR, one of the explicit factors to be taken into account when setting the level of a fine is action taken to mitigate the damage, the degree of co-operation with the supervisory authority and the manner in which the infringement became known to the supervisory authority. It is quite clear that it will be better for the controller or processor to 'self-notify' within the prescribed time-limits and without undue delay rather than any notification being made only following adverse publicity. In this regard, negotiating contracts can be extremely useful in setting common expectations. Bear in mind that, whilst many service providers from outside the EU are now much more aware of data protection and what it requires in general terms, some may well not be familiar with the detail of what is required and the contract can be helpful in that respect.
Getting back to the subject of unlimited indemnities and uncapped liability limits, such clauses are essentially a matter of apportioning risk. Indemnities generally seem much more prevalent than they have been historically. Traditionally restricted to areas such as third-party IP infringements where, quite correctly, the customer did not want to be involved in a fight between the service provider and the third-party claimant and was therefore happy to step aside, having no real interest in how the claim was resolved provided it was able to continue using the service and suffered no damage itself. In a traditional indemnity, financial responsibility and control are inextricably linked and there is no obvious 'conflict of interest' between the indemnifier and the indemnified.
That is very different from a data security breach where the interests of the data controller (and its customers) are absolutely crucial. Very rarely, if ever, would a data controller be prepared to give up control over how a data security breach is resolved. Data controllers will want complete control over dealings with any data protection supervisory authority (not to mention any other applicable regulator). Minimising damage to goodwill is paramount in such situations and this may be costly. TalkTalk, for example, offered affected customers free upgrades as compensation in an attempt to minimise damage to customer goodwill. Should the cost of such upgrades (which may, in part at least, be more generous than the damages that a customer would be entitled to in the absence of demonstrable financial loss) be covered by an indemnity? In contrast, the primary interest of the service provider in such a situation is, one might expect, to minimise its financial exposure. For these reasons I do not believe that indemnities are appropriate in such circumstances.
But what of unlimited liability? Whilst I can understand the desire of the data controller customer to break the long-established link between the value of the contract and the limit of liability, is it reasonable to simply insist on no liability cap applying at all?
A limit upon liability is a balance. Customers want to know that they will have an appropriate remedy and that the service provider has sufficient commercial incentive to ensure that breaches do not happen. They want to receive a service that complies with the contract but they only want to pay a certain price in return. The lower the price the better! The ability of a service provider to be able to offer such a price, indeed to remain in business at all, depends in part upon the degree of risk which it accepts. This is a factor of both the nature of the contractual commitments that it agrees to and the degree of financial risk that it accepts should things go wrong. The limit of liability is part of that equation – albeit one that is often only negotiated just before a contract is signed.
It seems that, at least where deliberate, reckless or fraudulent acts are not involved, the justification for some form of limitation of liability to apply is exactly the same here as for limitations that apply to performance breaches (and which customers, albeit reluctantly, accept). It looks as if there is a danger that, in requesting unlimited liability caps or indemnities, data controllers are confusing data processors with cheap insurance providers. Some may argue that service providers should ensure such breaches do not occur and I would agree that service providers should act professionally to minimise the risks. Nevertheless, despite the best of intentions, breaches will still occur and the consequences do need to be addressed in the contractual liability clauses.
Some may also argue that service providers should insure the risk. I very much doubt that insurance is the whole answer. Some form of insurance may be part of the solution but whether it is always available to data processors at commercial rates needs to be considered, as does the question of whether the data controller ought to be prepared to get its own insurance, at least over a certain level. In this respect, it seems to me that data controllers might be better advised to implement their own insurance and then at least they know that the cover will be available to them. Relying upon insurance coverage which a data processor puts in place for the benefit of its customers generally may be a risky strategy if a service provider suffers a security breach affecting multiple customers.
It should also be borne in mind, particularly where indemnities are concerned, that insurance typically covers liability which the insured has 'at law'. If by virtue of a contractual indemnity, the insured service provider accepts a liability beyond that which would have applied at law, insurance may not provide coverage. It is also perhaps arguable that an insured must take reasonable steps to limit its exposure and query whether not insisting upon a limitation of liability at some level is compliant with that obligation?
How does the new GDPR alter the debate?
So how does the introduction of the new GDPR alter the debate? In short, in a number of ways:
· The most obvious impact is the increase in the possible level of fines. These are being increased very significantly to 4% of annual worldwide turnover or €20 million for some breaches, 2% of annual worldwide turnover or €10 million for breaches of the Article 30 security provisions. It isn't clear to me whether this would be calculated according to the turnover of the data controller or the data processor but, either way, we are talking about some potentially very large sums of money. Much will depend upon what fines are actually levied in practice. To date, national regulatory authorities have varied quite considerably in the extent to which they have imposed fines within the scope of their existing powers. Certainly the UK regulator has very rarely levied fines of anything like the maximum currently allowed but just the possibility of these larger amounts will certainly focus data controllers' minds when negotiating contracts.
· There are now express obligations to notify data breaches to the supervisory authority and to notify data subjects adversely affected. Notifying on a wide scale will be expensive.
· The GDPR also provides that any person who has suffered damage as a result of infringement of the Regulation will have the right to receive compensation. I strongly suspect this may be an area of significant focus for claims in the future.
· One final fundamental change is the fact that for the first time data processors will be directly responsible for security compliance. Whereas previously data processors have been responsible for security compliance only indirectly via contractual obligations with the data controller, Article 30 now applies directly to impose an obligation on both data controllers and data processors to comply with the security requirements. This obviously raises the spectre of multi-million Euro fines for data processors should they fail to comply with the security obligations.
What will happen next?
It will be interesting to see how both data controller customers and data processor service providers react to these developments and how the regulatory authorities exercise their new powers. The most natural reaction by data controllers will probably be increased insistence upon uncapped indemnities and unlimited liabilities but, as explained above, I am not sure that is either appropriate or sustainable. Will service providers simply withdraw from the market if the risk is perceived to be too great? It seems as if both sides will have to come to a compromise of some kind where a degree of risk is borne by each (perhaps along the same lines as for damage to tangible property) but with an increased focus on prevention.
I would certainly be interested to hear the views of others. I do not profess to have all the answers and others may have different perspectives. I can be contacted at firstname.lastname@example.org.
Paul Golding is a Director at TRG Law (www.trglaw.com).