• home
• about us
• what we do
  • business clients
    • summary
    • contracts
      • technology
      • outsourcing
      • commercial
      • end-to-end deal support
      • post-signature assistance
    • e-commerce
    • data protection
    • risk audits and due diligence
    • training
  • public sector
    • summary
    • procurement compliance
    • contracts
      • ICT
      • outsourcing
      • supply
      • end-to-end procurement support
      • post-signature assistance
    • data protection and FOI
    • risk audits and due diligence
    • training
• our lawyers
  • summary
  • Paul Golding
  • Tracey Tarrant
• who we act for
  • summary
  • SMEs
  • nationals/multi-nationals
  • overseas companies
  • public sector
  • in-house lawyers
  • law firms
  • our clients
  • what others say
• our fees
• legal updates
• contact us

TRG law

law simplified

The General Data Protection Regulation - Apportioning Security Risk

The Government will need to consider the impact of Brexit on the new General Data Protection Regulation  ("GDPR"). Although what will happen with the Brexit negotiations is still uncertain, this article was written on the assumption that the GDPR will apply to the UK.

All commercial lawyers spend a considerable amount of their time negotiating and advising upon limitation of liability provisions. Particularly in an IT context, the financial consequences of a breach of contract, which often far outweigh the value of the contract in question, have made this a very contentious area to which a great deal of attention has been devoted. Especially in the last twenty years or so since data protection legislation was first introduced, limitation of liability provisions in services contracts involving processing or even just access to personal data have had to take account of the risk of data security breaches. It is not uncommon for there to be a separate, often higher, limit of liability for data security breaches than for other ‘performance’ related breaches. More recently, particularly large customers have not been content with simply getting higher limits of liability. Often they demand that no liability cap should apply at all to such matters. Others go even further still and seek unlimited indemnities.

The purpose of this article (which is featured by the Society of Computers and Law here) is to discuss the appropriateness of such uncapped liabilities and indemnities and to see how the implementation of the GDPR might make that debate even more important.

Missing the point?

When Talk Talk suffered a security breach in Autumn 2015 some predicted that the result would be costs in the region of £35 million. So far as we are aware no services contract was involved there but that just reminded us that, in a services context, debates over limits of liability, indemnities etc. are very real and critically important given how much is at stake and seemingly, how often such breaches occur.

It is perfectly understandable on the face of it that customers would want service providers to accept uncapped liability. Equally we can see why absolute indemnities have a superficial attraction to customers. Why not try to place all of the risk with service providers? However, can such approaches really be justified and are they not slightly missing the point?

Lawyers have a tendency to focus on liability clauses. We would argue strongly that such focus is misplaced. If very significant data security breaches occur, this is disastrous for everybody – data controller customers and service providers alike. Given the catastrophic consequences, a major breach may well spell curtains for both the customer and service provider involved. By that point it could be far too late for all concerned and reaching for the contract is likely to offer little in the way of comfort. Very rarely will awarded damages or agreed compensation fully compensate for actual losses and, crucially, damage to customer goodwill, which is virtually impossible to quantify.

We think all concerned would be better off focussing on:

• agreeing details as to exactly what security technologies and procedures will be implemented;
• ensuring that adequate testing (and regular independent auditing) of the same does take place and the results are acted upon; and
• reviewing security measures regularly against evolving threats and in the light of technological developments.

Contracts also have to deal with what happens in the event of a security breach – in this respect it is perhaps worth noting that under the new GDPR, one of the explicit factors to be taken into account when setting the level of a fine is action taken to mitigate the damage, the degree of co-operation with the supervisory authority and the manner in which the infringement became known to the supervisory authority. It is quite clear that it will be better for the controller or processor to ‘self-notify’ within the prescribed time limits and without undue delay rather than any notification being made only following adverse publicity.  

In this regard, negotiating contracts can be extremely useful in setting common expectations. It is worthwhile bearing in mind that whilst many service providers from outside the EU are now much more aware of data protection legislation and what it requires in general terms, some may well not be familiar with the detail of what is needed and the contract can be helpful in that respect.

Apportioning risk

Getting back to the subject of unlimited indemnities and uncapped liability limits, such clauses are essentially a matter of apportioning risk. Indemnities generally seem much more prevalent than they have been historically. Traditionally restricted to areas such as third party IP infringements where, quite correctly, the customer did not want to be involved in a fight between the service provider and the third party claimant and was therefore happy to step aside, having no real interest in how the claim was resolved provided it was able to continue using the service and suffered no damage itself. In a traditional indemnity, financial responsibility and control are inextricably linked and there is no obvious ‘conflict of interest’ between the party giving the indemnity and the party who has the benefit of it.

That is very different from a data security breach where the interests of the data controller (and its customers) are absolutely crucial. Very rarely, if ever, would a data controller be prepared to give up control over how a data security breach is resolved. Data controllers will want complete control over dealings with any data protection supervisory authority (not to mention any other applicable regulator). Minimising damage to goodwill is paramount in such situations and this may be costly. Talk Talk, for example, offered customers affected free upgrades by way of compensation in an attempt to lessen any loss of customer goodwill. Should the cost of such upgrades (which may, in part at least, be more generous than the damages that a customer would be entitled to in the absence of demonstrable financial loss) be covered by an indemnity? In contrast, the primary interest of the service provider in such a situation is, one might expect, to minimise its financial exposure. For these reasons we do not believe that indemnities are appropriate in such circumstances.

Unlimited liability?

But what of unlimited liability? Whilst we can understand the desire of the data controller customer to break the long-established link between the value of the contract and the limit of liability, is it reasonable to simply insist on no liability cap applying at all?

A limit upon liability is a balance. Customers want to know that they will have an appropriate remedy and that the service provider has sufficient commercial incentive to ensure that breaches do not happen. They want to receive a service that complies with the contract but they only want to pay a certain price in return. The lower the price the better! The ability of a service provider to be able to offer such a price, indeed to remain in business at all, depends in part upon the degree of risk which it accepts. This is a factor of both the nature of the contractual commitments that it agrees to and the degree of financial risk that it accepts should things go wrong. The limit of liability is part of that equation – albeit one that is often only negotiated just before a contract is signed.

It seems like that, at least where deliberate, reckless or fraudulent acts are not involved, the justification for some form of limitation of liability to apply is exactly the same here as for limitations that apply to performance breaches (and which customers, albeit reluctantly, accept). It looks as if there is a danger that in requesting unlimited liability caps or indemnities, data controllers are confusing data processors for cheap insurance providers. Some may argue that service providers should ensure such breaches do not occur and we would agree that service providers should act professionally to minimise the risks. Nevertheless, despite the best of intentions, breaches will still occur and the consequences do need to be addressed in the contractual liability clauses.

Insurance

Some may also argue that service providers should insure the risk. We very much doubt that insurance is necessarily the whole answer. Some form of insurance may be part of the solution but whether it is always available to data processors at commercial rates needs to be considered as does the question of whether the data controller ought to be prepared to get its own insurance, at least over a certain level. In this respect, it seems that data controllers might be better advised to implement their own insurance and then at least they know that the cover will be available to them. Relying upon insurance coverage which a data processor puts in place for the benefit of its customers generally may be a risky strategy if a service provider suffers a security breach affecting multiple customers.

It should also be borne in mind, particularly where indemnities are concerned, that insurance typically covers, as we understand it, liability which the insured has ‘at law’. If by virtue of a contractual indemnity, the insured service provider accepts a liability beyond that which would have applied at law, insurance may not provide coverage. It is also perhaps arguable that an insured must take reasonable steps to limit its exposure and query whether not insisting upon a limitation of liability at some level is compliant with that obligation?

How does the new GDPR alter the debate?

So how does the introduction of the new GDPR alter the debate regarding apportionment of risk? In short, in a number of ways:

• Fines - The most obvious impact is the increase in the possible level of fines. These are being increased very significantly to 4% of annual worldwide turnover or €20 million for some breaches, 2% of annual worldwide turnover or €10 million for breaches of the Article 30 security provisions (see below). It is not clear whether this would be calculated according to the turnover of the data controller or the data processor but either way, these are potentially very large sums of money. Much will depend upon what fines are actually levied in practice. To date, national regulatory authorities have varied quite considerably in the extent to which they have imposed fines within the scope of their existing powers. Certainly the UK regulator has very rarely levied fines of anything like the maximum currently allowed but just the possibility of these larger amounts will certainly focus data controllers’ minds when negotiating contracts.
• Notification - There are now express obligations to notify data breaches to the supervisory authority and to notify data subjects who are adversely affected. Notifying on a wide scale will be expensive.
• Compensation - Any person who has suffered damage as a result of infringement of the GDPR will have the right to receive compensation. This may be an area of significant focus for claims in the future.
• Data processors' obligations - One final fundamental change is the fact that for the first time data processors will be directly responsible for security compliance under the GDPR. Under Article 30, the data controller and the data processor are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Whereas previously data processors have only been liable for security compliance indirectly via contractual obligations with the data controller, the effect of Article 30 is that there will be a direct obligation on the data processor as well to comply with the security requirements. This obviously raises the spectre of multi-million Euro fines for data processors should they fail to comply with the security obligations.

What will happen next?

It will be interesting to see how both data controller customers and data processor service providers react to these developments and how the regulatory authorities exercise their new powers. The most natural reaction by data controllers will probably be increased insistence upon uncapped indemnities and unlimited liabilities but, as explained above, we are not sure they are either appropriate or sustainable. Will service providers simply withdraw from the market if the risk is perceived to be too great? It seems as if both sides will have to come to a compromise of some kind where a degree of risk is borne by each (perhaps along the same lines as for damage to tangible property) but with an increased focus on prevention.

Further information

We have also written a more general article on The Impact of the General Data Protection Regulation and one on Consent to use data under the GDPR. Otherwise, if you require any further information or have any queries or views you would like to share on this topic, please contact us at info@TRGlaw.com.

19th January 2016

back to archive

© 2012 - TRG Law Limited | legal notices | privacy & cookies | sitemap | website design and hosting by projectfive
tel: +44 (0) 1483 730303  email: info@TRGlaw.com