There is always significant negotiation around caps on liability when negotiating a contract with a technology vendor. If the vendor will have access to the personal information of its customers’ end users (regardless of whether the end users are employees or customers), the treatment of caps on liability takes on heightened importance. In fact, limitations of liability are a key indicator of the allocation of risk between the parties. Both parties are seeking to insulate themselves from liability and minimize the financial harm in the event of a data security incident. Vendors have become increasingly reluctant to provide unlimited liability to protect customers against harms caused by security incidents, going to great lengths to narrowly tailor the situations under which the vendors will bear risk. Customers have been increasingly reluctant to have a data security incident classified as a regular contract breach and subject to regular contract damages. The resulting compromise, in many instances, is the “super cap.” The super cap is a number greater than the general cap on liability, but less than unlimited liability. It can exist in many forms: for example, as a multiple of fees paid, a multiple of the fees paid in the preceding 12 months, a number tied to insurance coverage, or a flat dollar amount.

Given the findings in the 2019 Data Security Incident Report (“DSIR”), what rule of thumb or general guidance exists to guide decision-making regarding acceptable financial risk allocation? We know the following facts from the report:

  • 50% of all incidents from the DSIR are in companies with revenue between $10 million and $500 million (with 27% of those between $10 million and $100 million). These are typically considered small- to medium-sized businesses (SMBs).
  • The average number of individuals that must be notified is just shy of 7,000 (6,977).
  • The average forensics costs range between $63,000 and $121,000, depending on the nature of the incident.

Using industry rubrics and rules of thumb, the average incident costs may range between $116,000 and $187,000, depending on notification costs and other variable factors around credit monitoring.

Depending on the financial deal terms, these costs may fall within the general cap or the super cap. However, for SMBs, the annual fees of a typical cloud outsourcing deal may be far less than the average incident costs cited above. Using these numbers as a guide, a customer can get a feel for how much risk the vendor is seeking to push onto the customer for harms not of the customer’s making. Additionally, these numbers can be used to support the general proposition of larger super caps on those deals with greater exposure of personal information. The corollary is also true: negotiations around these caps can be streamlined when the exposure of personal information is lower. Negotiating from this factual, as opposed to a more speculative, basis will likely yield better results for the customer, as it provides greater certainty for both parties as they attempt to assess overall deal risk.

Outside of the contract, these numbers can also be useful in assisting the customer in developing an overall risk mitigation strategy around data, which should include cyber insurance coverage for first- and third-party claims.