28 January 2020
Data protection law can be a quagmire of clauses, contradictory court precedents and confusing terminology.
For a business owner seeking to limit her own liability in the case of a future data breach, the best risk-mitigation strategy is not always clear, especially in light of the GDPR.
This article will discuss Terms and Conditions disclaimers that relate to data breaches and liability, how well these clauses may hold up in court and how the GDPR may affect data breach liability and procedures.
Every online business should have a Terms and Conditions agreement that lays out rules for customers and users, as well as any necessary legal terms. Limitation of Liability is one of the most important clauses you will find in almost any Terms and Conditions agreement.
The Limitation of Liability clause clarifies a business's legal liability and responsibilities in the case of legal litigations in the future. The standard Limitation of Liability clause for an online business looks something like this one from Microsoft:
As you can see, this paragraph attempts to mitigate damages or penalties that could be assigned to Microsoft as a result of a legal dispute. There is no mention of data breaches, however, which could potentially leave Microsoft vulnerable to unlimited liability in the case of a security breach or cyberattack.
As data breaches and unauthorized hacks of consumer personal information become more and more common, most companies are incorporating security breach or data loss details into their liability clauses.
In this example from the International Risk Management Institute (IRMI), the Limitation of Liability clause is quite a bit longer:
After sifting through a slew of legalese, you'll find a sentence that reads something likes this:
"To the maximum extent permitted by law, under no circumstances... shall IRMI, its officers, directors, employees, subsidiaries, or affiliated companies be liable for any direct, indirect, incidental, special, consequential, or punitive damages, such as, but not limited to, loss of revenue, loss of anticipated profits, goodwill, diminution of value, business interruption costs, or any other intangible losses arising out of... damage from any security breach or any other security intrusion."
This is a very long, drawn-out way of saying that IRMI may not be held liable for any damages related to a data breach. The clause goes on to set a liability cap at either $1,000 or "the total amount, if any, of subscription fees paid by [the consumer] to access and use the services during the twelve (12)-month period immediately preceding the bringing of any claim."
Although a version like the one above may hold up in court, precedent indicates that a more straightforward approach could be more useful, both for the consumer and for legal purposes.
Staffing software provider Spongy Elephant has a separate Data Protection Policy. This is its liability clause:
In this instance, Spongy Elephant states that they will only assume liability if the data breach occurred due to a breach of their data protection policy and was in no way caused by a customer. They also mention that they will only pay damages up to a preset liability cap. The language used is also very easy to understand.
Liability clauses such those shown above are a necessary component of any Terms and Conditions agreement. Including the possibility of a data breach within this clause can certainly do no harm, but may not always be ironclad protection against liability if a data breach does occur.
Another popular disclaimer is the security clause. Within this disclaimer, most businesses will reassure users that they take all possible precautions to protect consumer personal data but cannot guarantee its security 100%. This disclaimer has been used in court as a defense against indemnification for data breaches.
For example, Montrose and Merrick presents the following paragraph in what it calls its Privacy and Security/Terms and Conditions:
Above you can see the phrase:
"No data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot guarantee or warrant the security of any information you transmit to us and you do so at your own risk."
Brown Brothers Harriman & Co. has decided to incorporate a security disclaimer into its No Warranties/Limitation of Liability clause:
They choose to phrase the disclaimer as so:
"We do not guarantee the security of the portal or the services or the prevention from loss of, alteration of, or improper access to, your account information or data."
While these disclaimers may reduce liability for security breaches to some extent, they are in no way a guarantee against incurring data breach damages in court.
While there are few clear precedents to illustrate how security disclaimers and Limitation of Liability clauses hold up in court, there are enough examples to show that judges are treating it on a case-by-case basis. Here are a few court cases that went in several different ways:
One famous example of a Limitation of Liability clause losing its effectiveness is the Yahoo data breach that occurred in 2013 and 2014. After 3 billion accounts were affected by multiple breaches, users sued Yahoo when they were finally informed of the events years later. According to Yahoo, the company could not be held liable for the theft of personal information because of Limitation of Liability clauses and disclaimers on their website claiming that no security system is 100% effective.
The plaintiffs (users), however, argued that Yahoo's Terms of Service was unconscionable, placing the Limitation of Liability clause at the end of a long and arduous terms policy that was difficult to understand.
The courts sided with the plaintiffs, agreeing that Yahoo's Terms agreement was unconscionable, hard to understand and unethical in its presentation because users had no choice but to agree to them if they wished to create an email account.
The court also determined that Yahoo took inadequate measures to protect consumer data, which was another factor in their decision. The settlement cost Yahoo $80 million.
After malware infiltrated Target servers in December of 2014, hackers were able to gain access to the personal information and payment details of over 70 million people. That information was sold on the black market and millions of users' credit card numbers were then utilized to make fraudulent charges before they could be cancelled.
Naturally, customers banded together to sue Target for their troubles, claiming direct damages in the form of fraudulent charges, replacement card fees, late payments and blocked bank accounts.
Target countered with the claim that these were not "direct damages" because most consumers' banks covered or voided the fraudulent charges and other associated fees. Since the plaintiffs (customers) were not prepared to prove which transactions and fees had not been voided, Target moved to dismiss the case since its liability clause would protect it from indirect or consequential damages.
The court did not uphold limitations to liability, however, determining that Target had been negligent in both their security protocols and their breach notification process. Target failed to discover the breach immediately and, after the breach had been discovered, they failed to report the breach to customers in a timely manner. This mistake would cost them millions.
Silverpop Systems was a provider of email marketing tools which were used by Leading Market Technologies to send out hundreds of thousands of promotional emails. When Silverpop security was compromised by hackers, some of Leading Market Technologies' user emails were exported during the attack.
Leading Market Technologies sued Silverpop Systems for the lost value of their email lists, but Silverpop argued that these were consequential damages, excluded from liability as stated in their contract terms.
The court sided with Silverpop, upholding their Limitation to Liability claims and dismissing the case.
Heartland is a credit card payment processing service. Their system contains millions of consumers' payment information, credit card numbers, and personal data. Hackers gained access to their system in 2008, stealing the personal data and payment information for millions of consumers.
Banks sought reimbursement for the large number of fraudulent charges and credit card replacements they incurred, as well as a variety of other direct damage claims for Heartland's failure to provide reliable security systems.
Heartland argued that all consequential damages, such as fraudulent charges and credit card replacement costs, would not hold valid under their Limitation of Liability clause. What's more, they had a liability cap within the clause as well, reducing the total amount they could be required to pay for direct damages.
In the end, Heartland still racked up a hefty amount of direct damages and state fines, but the loss was much less than it could have been without any Limitation of Liability clause in place.
As you can see, a Limitation of Liability clause is not ironclad. Precedent shows that it may be upheld or dismissed, according to the specifics of each particular case and how the responsible party responds to the breach when it takes place.
However, there are a few lessons we can take away from cases like those shown above:
The GDPR affects internet privacy in almost every way possible. Data breaches and their implications are no exception. If you process the data of European consumers, or may do so in the future, then the GDPR will apply to you. Besides the wide range of transparency, consent, and Privacy by Design statutes that you will now have to follow, a range of data security measures may also affect your liability and protocols in the event of a data breach under the GDPR.
Here are a few points to consider regarding liability and data breaches under the GDPR:
Overall, the GDPR will have a great effect on how companies react to data breaches and possibly on the litigation that follows. How far Limitation of Liability and other disclaimers will be upheld in courts under the GDPR remains to be seen.