Are You Protected When Your Suppliers Lose Your Data?
Suppliers of IT outsourcing services limit their responsibility for paying damages arising from the loss of customers’ sensitive data (whether or not intentionally lost by the supplier). Only a few years ago, it was commonplace in an IT outsourcing agreement for a supplier to agree to be responsible for any losses of customer confidential information caused by the supplier. Today, however, due to the widespread increase of data breaches and the higher potential for large amounts of liability that can result from such breaches (see Zurich Insurance fine), suppliers are much less likely to agree to open-ended liability.
IT outsourcing suppliers have taken various approaches to capping their exposure to damages resulting from data breaches, both for amounts owed directly to the supplier’s outsourcing customer and for amounts owed to the customer’s clients.
Some suppliers will accept “enhanced” liability for some amount of money that is larger than the general limitation on damages recoverable for standard breaches of the contract; this enhanced amount of money is often set aside as a separate pool of money that cannot be replenished once it is “used up” to pay for the data losses. Some differentiate the amount of exposure they have to these breaches based upon whether the data in question is or should have been encrypted. Still others vary the amounts of exposure based upon whether data was merely lost or whether the data was actually misappropriated by the supplier.