Contracting in the Cloud: Who Pays for a Data Breach?

In a recent white paper I co-authored with Protenus, Inc., we noted the significant risks of a breach involving a vendor or business associate. In following up in a subsequent post, I also included a “pop quiz” for readers to use to test their understanding about the terms of any contract they have in terms of responsibilities following a breach.

Now Scott Nonaka and Kevin Rubino have written a more lawyerly analysis about contractual clauses that may be very important in determining who pays for what in the event of a breach involving a cloud service. Here’s part of their article:

Although much is at stake, the answer to the question is not always clear because allocating costs will usually depend on the terms of the cloud services contract, which in most cases will contain a limitation of liability clause that is commonplace in contracts for the sale of goods and services. Standard clauses usually state that, in the event of a breach, neither party will be responsible for the other party’s “consequential damages,” thereby limiting their potential liability to “direct damages.” While the clause may seem clearly worded, the meaning of the term “consequential damages” is by no means clear, let alone in the context of a cloud services contract. Below, we identify some issues to consider when negotiating and drafting a limitation of liability clause so as to provide greater clarity and predictability in allocating risk and costs.


At this time, and for the foreseeable future, it will be difficult to predict with great certainty how courts will decide whether any particular harm arising from a data breach is direct or consequential damages. Given this uncertainty, as well as the potentially massive costs associated with a data breach, both consumers and providers of cloud services would be well-advised not to rely on standard, boilerplate language in limitation of liability clauses that simply waives consequential damages to allocate their potential liability. They should instead address the issue of potential future costs associated with a data breach in detail at the outset of their relationship by bargaining for and expressly assigning or excluding those costs in their agreement.

Read more on Bloomberg BNA.

About the author: Dissent

Comments are closed.