Liability for data security breaches
SILVERPOP SYSTEMS v LEADING MARKET TECHNOLOGIES [2016]
This is a US case in which a provider of digital marketing services was found not to be liable for a particular category of loss when it suffered a data security breach. This decision has enormous potential ramifications unless it is overturned on further appeal.
Facts:
- Silverpop Systems (“S”) provides digital marketing services using its own proprietary web-based e-mail marketing tool, ‘Engage’. Leading Market Technologies (“L”) has a substantial marketing database of those who had historically expressed interest in its products. The database, which consisted of almost half a million e-mail addresses, was uploaded onto and stored on Engage.
- In 2010, S’s network was the victim of an ‘unauthorised intrusion by unidentified parties’. The hackers seemingly gained access not just to L’s database but also to the information belonging to 110 of S’s 1500 customers.
- L sought to recover the lost ‘sales value’ of its database, arguing that, following the data breach, its value was arguably zero because no third party would buy a database that was no longer confidential.
- The contract contained the following exclusion, “In no event will [S] be liable to the other party for consequential damages”.
- For the purposes of this report, we are only focussing on one aspect of the United States Court of Appeals for the Eleventh Circuit judgment: namely the issue of whether the losses claimed by L were excluded by the contract. It was therefore critical for the US Court to decide whether the damages claimed were ‘direct’ or ‘consequential’.
Decision:
- General principle - The US Court quoted a general principle which will be very familiar to English lawyers. It said that, “damages recoverable are such as arise naturally and according to the usual course of things and such as the parties contemplated when the contract was made as the probable result of its breach”.
- This was split into two ‘limbs’, with the US Court saying that:
  - damages ‘which arise naturally and according to the usual course of things’ are so-called ‘general damages’; and
  - damages which are simply contemplated by the parties as the probable result of its breach are ‘consequential’.
- The US Court went on to say that this formulation does very little to explain where the boundary between the two limbs falls.
- It then distinguished between ‘general’ or ‘direct’ damages, which it said compensate ‘for the value of the very performance promised’ (presumably the e-mail marketing services themselves), and consequential damages ‘which seek to compensate for additional losses (other than the value of the promised performance) but which are [nevertheless] incurred as a result of the breach’.
- Consequential damages - The US Court held that based on this distinction L’s damages were best characterised as consequential. It said that the parties’ agreement was not one for the safeguarding of L’s e-mail list; instead it was the provision of e-mail marketing services. It also commented that, “the loss suffered by [L] is of a type resulting from the breach of a specific term of the Agreement”.
- Exclusion of consequential loss - The exclusion of liability for consequential loss was therefore found to be effective to bar recovery of the damages claimed.
Points to note:
- In categorising L’s damages as consequential, the US Court’s view seems rather controversial. How many database owners would agree with the US Court’s opinion that the safe storage of L’s list was not a fundamental aspect of the agreement? Is it possible to artificially segment a contract in that way? We would argue certainly not and would suggest that confidentiality and security of data are at the very heart of these types of contracts.
- Would such a result have been achieved under English law? We very much doubt it. An English Court may well have found other reasons to defeat or just substantially reduce the value of the claim by L, but we are not sure that an English Court would find the claim excluded entirely on this basis. This reasoning may perhaps explain why many US-based contracts typically exclude loss of profit as a sub-category of consequential loss, whereas for many years now English lawyers have always been advised to exclude liability for specific heads of loss, such as loss of profit, as standalone exclusions. This case may also have the effect of encouraging customers to seek wide-ranging indemnities, including in respect of so-called ‘consequential’ loss, to ensure that they can recover appropriate damages.