Allocation of Data Breach Risks and Costs in Vendor Contracts: Negotiate, Negotiate, Negotiate
Most companies are rethinking data breach risk and cost allocations in new and existing vendor agreements, points out Anne S. Peterson in McGuireWoods’ Password Protected blog.
“Limitation of liability and indemnification clauses form the framework for reducing unforeseeable, and potentially devastating, data breach costs,” she writes. “To defend against unpredictable damages, these clauses are fast becoming the most fiercely negotiated language in service provider agreements.”
“Under most state statutes, a service provider’s obligations, and liability for costs, end with notification to the customer. Simply put, if the organization’s sensitive data is breached while under the control of a vendor, the vendor’s only obligation is to notify the organization. It is then the customer’s obligation to handle the fallout, unless the customer’s contract with the vendor provides otherwise.”
