Tech & Sourcing @ Morgan Lewis


There is no “one size fits all” solution when drafting and negotiating the liability provisions relating to data protection obligations and security incidents. Every contract has unique business drivers that will shape the appropriate allocation of liability, such as financial risk and the sensitivity of the data involved. There are, however, common issues that the legal, sourcing, and business teams should carefully consider when structuring the liability framework as it applies to data safeguards. Below we identify some of these key issues.

Liability Issues Relating to Data Breaches

  • Defining the Trigger. As an initial matter, the contract should be clear on what triggers liability for the service provider with respect to the agreed data protection obligations. There is typically a contractual definition of a “security incident,” which may be tied to unauthorized access or disclosure of data or a breach of the security protocols (or both). Consider whether the occurrence of a security incident is the trigger or if a broader breach of data protection obligations is the appropriate trigger.
  • Indemnification. The indemnification provisions should address claims relating to breaches of the data protection obligations under the agreement. Consider adding a specific indemnity for a breach of the data safeguards and discuss whether the indemnity is limited to third-party claims or includes direct claims from the company receiving the services.
  • Damages Cap. The liability provisions should also address whether breaches of the data protection obligations are subject to the damages cap (if any) or if they are excluded. Depending on the deal, the solution may be to add a standalone or enhanced cap for damages flowing from a breach of data protection obligations. On a related note, assess whether any indemnities for data protection–related claims are excluded from the cap.
  • Disclaimer of Consequential Damages. Determine whether damages resulting from a breach of the data protection obligations are excluded from the waiver of consequential damages. If not carved out from this provision, case law suggests that such damages are likely to be waived. Depending on the deal, there may be additional considerations with respect to specific categories of indirect or consequential damages, such as lost profits, a decline in stock price, and reputational damages.
  • Specific Data Breach Damages. Consider establishing in the contract that certain costs and expenses flowing from a breach of data protection obligations are directly recoverable from the service provider. This type of provision can help bring clarity around the big-ticket items, such as the costs of providing notices to individuals and governmental agencies, the costs of remediation, credit monitoring expenses for individuals affected by the data breach, other response costs, and government fines and penalties. If included, consider whether the specified costs fall within the damages cap or are excluded.
  • Subcontractors and Agents. Most service providers use subcontractors and other agents for at least some portion of their data processing activities. Determine whether the contract includes a requirement for the service provider to be responsible and liable for its subcontractors’ and agents’ compliance with the agreed data protection obligations.

In prior posts of this Contract Corner series, we discussed the importance of assessing and defining the types of data involved in a services agreement, key issues to consider with respect to the ownership and control of company and personal data, and drafting points regarding the security requirements typically addressed in services agreements. This post concludes the Contract Corner: Data Safeguards in Services Agreements series, but check back for additional topics in our recurring Contract Corner series.