The Liability Clause | The Centauri Step, Governance and IT Security
The Liability Clause
Marion Mellor
How to estimate the financial impact of a security breach? And how to negotiate with suppliers?
The liability clause: a fundamental contract feature
Sometimes, security teams have to handle some very technical contractual aspects. So are you ready for a whirlwind journey into the land of legal affairs? Fasten your seatbelt, here we go!
A limitation of liability clause – also known simply as a “liability clause” – sets out the conditions under which a party can be held responsible for loss or damage.
And the point of this is…? Above all, this clause establishes the maximum damages that can be claimed in certain cases. This is crucially important. Security teams must be involved in negotiations on IT risk liability (see Article on The Risk-Management Approach).
Limitations of liability may or may not be enforceable depending on their clarity. In order not to be held liable in certain situations and to cap the amount of damages one can claim (if you are a supplier or a subcontractor), or protect yourself (if you are the client), the liability clause must be clearly written.
Liability is the obligation to provide compensation in the event of a breach in the standards that were negotiated or agreed. This is why it is important to have set these out in a clear security Schedule which both parties have discussed (see Article on the Security Schedule). Once you have produced this document, you can then state in the main contract that “failings with respect to the Security Annex constitute a major breach of this agreement”.
Supplier obligations
Now that you have understood what a liability clause is (well done!), I am thrilled to tell you that it is almost always impossible for a supplier to meet the contractual obligations 100% of the time. That is why it is important to agree limits under contract law.
An example borrowed from another world: The installation of your swimming pool cost you € 10K; however, damage caused in the process may exceed € 10K. If the limit of the liability clause has been reached, the swimming pool installation firm will not be liable to pay damages over and above this amount. This applies in all areas of business.
But what about in the case of information security, when you are dealing with information to which several stakeholders have access, with data exchange or system developments used company wide? Who holds liability in this case?
To Infinity and beyond!
If the residual risk is low but the potential impact is significant, it means that while the risk of the event occuring is low, it could be extremely harmful (or critical) for the business if it were to occur.
Let’s take an example: A software publisher provides you with a service or system which enables you to operate your business on an everyday basis. This publisher is one of your trusted partners, and has access to your systems via its support features via which it provides you with remote assistance. A negligent employee asks you to download a plug-in during a maintenance task, but this turns out to be a corrupt file which damages your systems. If you have negotiated security conditions in your contract, you will probably be able to take action against your publisher. But how do you assess the losses? Based on the volume of data you have lost? Or on the operational losses if the cyber attack put your systems out for three days?
The losses caused by a security problem can be endless. In the case of Sopra Steria, which lost over 50 million euros following an attack via its on-prem Windows Active Directory against who can it take action? Against Microsoft which detected the vulnerability and reported it to its clients – leaving an opportunity for hackers? Against the suppliers of its internal firewall systems? Against its SOC/Fusion Center? It is very difficult for the IT or IT security teams to predict the possible losses at the time of negotiating a liability clause.
MY ADVICE
I usually recommend following EU directives and the minimum amounts demanded in the case of personal data breaches. Negotiating a liability clause equivalent to five times the annual contract amount tends to be a good compromise. You will not receive full compensation in the event of a major attack (and this is even if accountability is established), but you can reduce losses to a minimum.
If you would like examples of liability clauses, or you want to discuss how best to deal with security in your contracts, drop me a line via the contact form!