Contracting for Cloud Computing Services
Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data "in the cloud." Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA.
Thanks for publishing the article Tanya – very helpful. I think the point you make about the scope of sensitive information as opposed to pure PII is particularly welcome.
One of the issues that you raise is the difficulty of reconciling a SaaS customer’s risk exposure for data compromise with the SaaS provider’s fee structure. While it’s very understandable for a customer to expect an unlimited indemnity from the provider for data compromise, often the provider’s services aren’t priced to underwrite this degree of risk. In many cases, if the service provider were to price its services to handle the risk, then the value of the service to the customer (relative to its practical benefits) would be significantly diminished.
In negotiations between customers and providers, it’s often the case that the last items to get resolved are a customer’s need to hold its service provider accountable, and the service provider’s need to operate at a manageable level of risk.
While not wishing to propose any general standards, I’ve found the following compromises helpful:
1. Many customers, particularly those in the financial services and healthcare sectors, sensibly incorporate default provisions in their supplier contracts to protect sensitive data. It can be very difficult for a customer’s legal and procurement teams to modify or remove these provisions without seeking high level approvals that may be overkill for the proposed transaction.
If the expectation is that the service provider won’t be storing or processing sensitive data, then the service provider may be able to accept the customer’s proposed provisions if the customer will agree that
a. the service provider is not expected to store or process sensitive information,
b. the customer will not intentionally transmit or distribute sensitive information to the service provider, and
c. the service provider may reject sensitive information from the customer.
It’s important for the customer that these exceptions don’t apply to sensitive information that may be “accessible” to the service provider, for example, if the service provider will have personnel on-site at the customer, or if the service provider will be provided with access to a customer’s computer networks.
2. Where service providers are storing or processing sensitive information, then it’s often possible to resolve risk allocation with a tiered approach to the limitations of liability, broadly as follows:
a. Unlimited liability / no exclusion for consequential damages: for the service provider’s or its personnel’s gross negligence, willful misconduct, theft or fraud.
b. Fixed dollar liability cap (with exposure for consequential damages up to the cap), generally in excess of the default cap, and often commensurate with a service provider’s E&O insurance coverage: for sensitive information compromises by third parties resulting from the service provider’s failure to use “reasonable security measures” (ideally, as defined per your article, or which are consistent with industry accepted practices for the service provider’s sector and, often more controversially, the price point for the services). I often refer to this as “Vendor Controlled Activity.” This broadly equates to a negligent standard of care, but not gross negligence.
c. Default liability cap / consequential damages excluded: for sensitive information compromises not resulting from Vendor Controlled Activity or the service provider’s gross negligence or willful misconduct. In many contracts, service providers won’t assume liability for third party acts beyond their reasonable control: for example, if the service provider is using industry standard encryption, but the bad guys are able to break the encryption.
Again, thanks for publishing the article.