April 9, 2020


Contract Corner: Contract Terms Associated with Data Breaches—It’s a Balancing Act

Companies’ increased awareness of the substantial costs and exposure associated with data breaches has motivated them to beef up their data security requirements in vendor contracts. Although this concept has quickly become the market norm, the following issues frequently arise, and companies should consider them when negotiating data security provisions.

What Customers Want

Customers want complete protection from data breaches, and therefore may require a vendor to give representations similar to the following: “Vendor has developed, implemented, and will maintain effective information security controls, policies, and procedures that ensure the security and confidentiality of data and information, protect against anticipated threats to the security or integrity of such information, protect against unauthorized use or access, and ensure the proper disposal of the data and information.”

Because customers want the maximum protection, vendors should carefully consider how broad a requested representation is. It’s a balancing act, because vendors need to be able to provide certain security controls to win business, but they also need to understand the difference between providing an adequate degree of protection for their customers and acting as an insurance policy.

What Vendors Want

Vendors are willing to guarantee compliance with privacy and security policies but are often unwilling to guarantee security on their platforms. Vendors frequently argue that “we’re not your insurance policy” and “we run a cost-effective, reasonably secure system for the price you’re paying.”

Should Damages Associated with Data Breaches Be Excluded from Limitations of Liability?

Another important consideration is whether or not damages associated with data breaches should be excluded from limitations of liability. As one might expect, vendors often argue for damages associated with data breaches being applied against the overall liability caps, with customers wanting the opposite—to exclude such damages from limits on liability. The resolution may turn on the controls in place, the cause of the data breach, how direct and recoverable damages are categorized, and the overall caps themselves.

Consider Cyber-Liability Insurance

Cyber-liability insurance may be a mechanism for a company (customer or vendor) to mitigate its exposure with respect to damages associated with security breaches. It is important to understand what the insurance actually covers—requiring the covered party to closely check any applicable policies to determine if likely damages associated with the potential types of security breaches at hand are covered under the policy.


When drafting and negotiating data security provisions, it is crucial to have a basic understanding of the type and scope of the data being handled or accessed, as well as the type and scope of access that a vendor has to such data. The type and scope of data and the third-party access to such data will help shape the data breach risk profile and the appropriate allocation of responsibility for damages between the parties.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Emily Lowe, Corporate Finance Attorney, Morgan Lewis
Of Counsel

Emily R. Lowe represents clients in commercial transactions, with a focus on the acquisition, use, protection, development, and commercialization of technology and biotechnology. Emily helps domestic and international companies commercialize their products through various commercial vehicles, including manufacturing and supply agreements and distribution strategies, and development and licensing agreements.

Susan Milyavsky, Technology Attorney, Morgan Lewis

Susan Milyavsky focuses her practice on technology, outsourcing, and commercial contracting matters. She drafts and negotiates outsourcing, consulting and professional services, and other business process outsourcing deals for functions such as information technology, finance and accounting, human resources, and procurement.