Last month I wrote a short article on the topic of the new General Data Protection Regulation and the question of the liability of data processors for security breaches. Quite coincidentally I then became aware of a US Court of Appeal case exactly on point, about which more later. Firstly though, to set the debate in context, I thought it might be useful to provide an example to highlight the significant impact that contractual indemnities and exclusions from liability and limitations on liability can have in the event of a significant data breach.
Example
In my example the customer can provide an IT service in-house at a cost of £1 million per annum. The alternative is to buy the service externally from a service provider at a cost of £900,000 per annum. I have assumed that:
– the service provider would make an annual profit on that contract of £225,000;
– a single data security breach occurs which triggers the following:
- · a fine from the regulator of £200,000 (high based on current practice, at least in England, but perhaps not in the future given the enhanced fining powers that will be available once the GDPR comes into force);
- · compensation paid to customers of the customer of £1 million (not just in direct payments but in terms of additional discounting etc of other products by way of compensation);
- · loss of future business from customers leaving, not renewing or simply not signing up with the customer, estimated at a further £1 million.
These figures are not fanciful. Only within the last month, Carphone Warehouse confirmed that its total losses from its well-publicised data breach last autumn would total some £60 million (up from the original estimates of £35 million).
In-house vs outsourced provision – no cap
Under the original in-house scenario, the customer bears the full cost of providing the service and all fines, costs etc. There is therefore a total ‘cost’ of £3.2million. Compare that with the situation where the service is outsourced but where the relevant outsourcing contract either has no limitations on or exclusions from liability or a completely uncapped indemnity. In such a circumstance, the net cost to the customer is only £900,000 (the charges for the service) assuming that all other fines/losses are recovered from the service provider. This represents an improvement of £2.3million for the customer. The service provider on the other hand incurs a loss of almost £2million.
Given the risk and the frequency with which such breaches apparently occur, who would agree to be a supplier on this basis?
In-house vs outsourced provision – with cap
Compare that to the position where there is a limitation of liability equivalent to the annual fee applicable under the contract. In exactly the same set of circumstances in terms of fines and losses, the customer will incur a net cost of £2.2million made up of the cost of the service (£900,000) and damages not recovered of £1.3million. This still represents an improvement for the customer in terms of its overall financial position as a result of the outsourcing of some £1 million.
The service provider still loses significantly but its loss is at least capped to a more manageable and sustainable level of £675,000.
I give this example as ‘food for thought’ not to justify any particular level of cap on liability but merely to demonstrate how significant these issues could be in purely financial terms going forward and to inform the debate.
Silverpop Systems v Leading Market Technologies
I then became aware of a US case on data security which has enormous potential ramifications unless it is overturned on further appeal. The case is Silverpop Systems v Leading Market Technologies No. 14-14258 (11th Cir. 2016) and it was decided by the United States Court of Appeals for the Eleventh Circuit on appeal from the United Stes District Court for the Northern District of Georgia. Judgment was handed down on 5 January 2016.
Silverpop provides digital marketing services using its own proprietary software tools. LMT has a substantial marketing database of those who had historically expressed interest in its products. The database was uploaded onto and stored on the Silverpop system. It consisted of almost half a million e-mail addresses.
In November 2010, Silverpop’s systems were the victim of ‘unauthorised intrusion by unidentified parties’. The hackers seemingly gained access not just to the LMT database but to the information belonging to 110 of Silverpop’s 1,500 customers. (This fact alone merely emphasises how critical these issues are given the figures I quoted above. If such exposure is multiplied by a hundred or so customers, how many service providers would be able to sustain such losses?).
Damages – ‘direct’ or ‘consequential’?
For the purposes of this note I am focussing only on one aspect of the Appeal Court judgment namely the issue of whether the losses claimed by LMT were excluded by the outsourcing contract on the assumption that breach of contract can be established. The contract contained the following exclusion “In no event will Silverpop be liable to the other party for consequential damages“. It was therefore critical for the Court to decide whether the damages claimed were ‘direct’ or ‘consequential’. LMT sought to recover the lost sales value of its database, arguing that following the data breach its value was arguably zero as no third party would buy a database that was no longer confidential.
General principle
The Appeal Court quoted a general principle which will be very familiar to English lawyers. It said that “damages recoverable are such as arise naturally and according to the usual course of things and such as the parties contemplated when the contract was made as the probable result of its breach“. The Court split this into two ‘limbs’ saying that damages ‘which arise naturally and according to the usual course of things’ are so called ‘general damages’ and those which are simply contemplated by the parties as the probable result of its breach are ‘consequential’. The Court went on to say that this formulation does very little to explain where the boundary between the two limbs falls and in that respect I would entirely agree with the Court.
The Court therefore then distinguished between general or direct damages which it said compensate ‘for the value of the very performance promised’ (presumably the e-mail marketing services themselves) and consequential damages ‘which seek to compensate for additional losses (other than the value of the promised performance) but which are [nevertheless] incurred as a result of the breach’.
Consequential damages
The Court held that, based on this distinction, LMT’s damages were best characterised as consequential. Rather controversially in my view (and I suspect I am not alone), the Court said that the parties’ agreement was not one for the safeguarding of the list. Instead it was the provision of e-mail marketing services, “The safe storage of the list was not the purpose of the agreement between the parties“. How many database owners would agree with that statement? Is it possible to artificially segment a contract in this way? I would argue certainly not. Rather bizarrely in my opinion, the Court said that “the loss suffered by LMT is of a type resulting from the breach of a specific term of the Agreement“. Why that should be relevant I am not sure. Surely confidentiality and security of data are at the very heart of these contracts?
Exclusion of consequential loss
The Appeal Court then went on to find that the exclusion of liability for consequential loss was effective to bar recovery of the damages claimed. Would such a result have been achieved under English law? I very much doubt it. An English court may very well have found other reasons to defeat or just substantially reduce the value of the claim by LMT but I am not sure that an English court would find the claim excluded entirely on this basis. This reasoning may perhaps explain why US-based contracts typically exclude loss of profit as a sub-category of consequential loss whereas for many years now English lawyers have always been advised to exclude liability for specific heads of loss such as loss of profit as standalone exclusions.
Where do we go from here?
For the present moment in time, this judgment means that the impact of a data security breach as between data controllers and data processors may be critically dependent upon whether the contract is governed by the law of a US State (in this case it was the law of the State of Georgia) or by English or some other local law. The decision perhaps also goes some way to explain why so many customers seek absolute, all-encompassing indemnities in respect of the losses arising from data security breaches. Conversely, the example quoted above illustrates the impact that limitations of liability may have and why they are so important, assuming of course that any claim is not excluded in the first place.
Paul Golding is a Director at TRG Law (www.trglaw.com).