Confidentiality language may not throw you into the breach!
Lisa A. Carroll, Martin B. Robins, David G. Kern and James M. Fisher II of Fisher Broyles write:
A recent 11th Circuit case may – if followed elsewhere and not reversed by the US Supreme Court – reduce a company’s potential exposure under conventional contract language requiring sensitive materials to be held in confidence. Many companies have been concerned that such language would make them liable if they were the victim of a third-party data breach as opposed to an intentional disclosure by one of their employees or contractors.[…]
In Silverpop v. Leading Market Technologies, 2016 U.S. App. LEXIS 196, the US Court of Appeals for the Eleventh Circuit held that losses associated with a data breach “are best characterized as consequential” and recovery on a contract claim should be barred when the contract contains a prohibition the award of consequential damages. The Court further found that negligence claims for such data breaches would be barred due to the lack of an applicable standard of care, as well as by the economic loss rule. Thus, absent proof of negligence or specific contractual language that is on-point, a data breach of itself does not constitute a breach of the obligation to take reasonable measures to safeguard confidential material under a confidentiality provision.
Read more on Lexology while I go pour some more coffee and try to find someone to translate this into non-legalese for me.