When negotiating technology or data services contracts, businesses of all sizes and industries are now spending more time and attention on privacy controls. The increasing prevalence of comprehensive U.S. state privacy laws and the various requirements for sharing data with vendors and third parties have made this necessary. In fact, we discussed this concept in Chapter 21 of this year’s Data Security Incident Response Report (DSIR) with an overview of data processing addendum terms and negotiation.

However, despite all the increased attention on privacy, it is also important to consider the applicability of cybersecurity and incident response when negotiating technology contracts. This is especially true given that 16 percent of the matters reported in the DSIR involved vendor security incidents.

How can the DSIR inform your technology and data services contracting? To answer that, let’s look at some of the numbers from the DSIR:

• Average forensic costs (all incidents): $58,009.
• Forensic costs average for network intrusion incidents: $90,335.
• Forensic costs for 20 largest network intrusion incidents: $550,987.
• Average ransom demand: $3,713,939.
• Average ransom payment: $600,688 (trending up from last year).
• Median length of time from detection to notification: 67 days.
• Nearly 9 percent of incidents with notification resulted in one or more lawsuits filed.

Also of note, per IBM’s Cost of a Data Breach Report 2023, the global average cost of a data breach for this year was $4.45 million, a 15 percent increase over three years.[1]

These incident response figures demonstrate that the costs of a data breach can be significant. With forensic costs alone averaging $60,000 (with the most significant forensics expenditures averaging $550,000), and the average overall cost of a data breach at more than $4 million, potential data breach expenses are a business reality that customers and vendors should carefully consider.

In light of these numbers, it is no surprise that limitations of liability and indemnities are some of the most heavily negotiated provisions of a technology or data services contract. These are critical aspects of contracts that intentionally allocate risk and ensure a party’s ability to recover if the other party fails to perform its data-related contractual obligations. These provisions are often tied to the value of the contract, and any attempt to differentiate from that can be met with resistance from the vendor. However, the commercial or dollar value of the data services contract typically doesn’t take into consideration the sensitivity of the data involved or the breach risk for liability purposes. For example, if the contract is a $10,000 annual agreement and the liability is capped at the 12-month dollar value of the contract, that $10,000 cap is not going to help very much with $550,000 in forensics costs or a $4.45 million data breach. Instead, the contracting parties should push for an allocation of risk using a data-driven approach (using statistics like those featured in the DSIR) to the negotiation of liability and indemnity based on not only the value of the contact but also the sensitivity of the data and services involved and the respective roles of and risks to each party in the contract. Similarly, the parties may look for covenants or other obligations in the agreement to minimize the potential exposure. For example, the vendor may want to ensure that the customer does not provide certain types of sensitive data and only provides data in a secure manner, and the customer may want to ensure that the vendor has appropriate data safeguards in place and is following those safeguards.

These days it is common for caps on liability in relation to data protections and obligations to be contemplated as “super caps” or dollar caps that are higher than the general liability cap in the contract. The data points illustrated in the DSIR generally support this trend since the costs of a data breach can be significant and are generally not related to the dollar value of the services. Things that should be considered when negotiating a super cap for data issues include, but are not limited to, (a) the definition of and trigger for the security incident liability; (b) assessing “fault” for a data incident; (c) the potential costs associated with a data incident, including forensic investigations, ransom payments, legal fees and regulatory obligations that may require credit monitoring and call center operations; (d) the privacy obligations and responsibilities of each party to the contract; (e) each party’s ability to prevent data incidents related to the services; and (f) your insurance coverage for such issues.

Whether you are the vendor or customer to a data services agreement, a data-driven approach to negotiation of the contractual limitations of liability and indemnities will allow for a more informed discussion and, hopefully, an allocation of risk that is agreeable to both parties.

[1] See https://www.ibm.com/reports/data-breach.

[View source.]