Growing Data Breach Disputes Require Sharp Eye on Contract Terms

July 25, 2025, 2:15 PM UTC

As the scale and scope of data breaches have expanded, a new front in litigation has quietly developed: business-to-business data breach disputes. Because these disputes are often handled through private mediation or arbitration, they don’t receive the same attention as consumer class actions, which are public and often high profile.

But the amount of money at stake in B2B breach litigations often surpasses the damages awards in consumer actions. Target, for example, paid $10 million to consumers to settle class actions arising from a 2013 breach, but it paid financial institutions nearly $40 million to settle claims for business losses.

Unlike consumer data breach class actions, which are commonly based on negligence or other common law theories of liability, B2B breach actions are based on contract law and raise a different set of legal issues.

Litigation Sources

B2B data breach litigation can arise any time one business suffers monetary losses stemming from a data breach allegedly caused by a business partner. One common fact pattern involves a business that hires a vendor, such as a software-as-a-service provider, to host or manage personal data of the business’s employees or customers.

When the vendor suffers a data breach, the business customer often must foot the bill for consumer and regulatory reporting, consumer credit monitoring, and forensic consulting, and may also suffer business interruption costs—all of which can be significant. A recent IBM study found the average cost per data breach in the US last year was $9.36 million.

Liability Limitations

One of the biggest hurdles for businesses seeking to recover such losses from their vendors is the Limitation of Liability provisions built into almost all commercial master settlement agreements, or MSAs. Most vendor contracts strictly limit the vendor’s liability to some measure of the contract value—often the amount paid to the vendor under the contract, or a multiple thereof.

A second hurdle built into standard vendor contracts is a prohibition on claims for indemnification or for recovery of consequential, special, or indirect damages, including damages for lost profits and business interruption. Many MSAs also limit the time within which a claim can be made, to a period even shorter than the applicable statute of limitations.

Relevant Carve-outs

A typical vendor MSA will, however, include carve-outs to the limitations of liability. For example, many contracts provide carve-outs for “data security” violations—which can unlock the door to consequential damages in breach disputes.

Businesses also try to leverage breach-of-confidentiality carve-outs, although courts typically interpret these provisions to limit the voluntary sharing of confidential information and not as a data security requirement. More recently, businesses have cited carve-outs for violations of the GDPR or other data privacy laws.

Economic Loss

Another way that businesses try to sidestep contractual caps on liability is by arguing that a business defendant violated a common law duty to provide reasonable data security. Many states now recognize this common law duty.

A principal impediment to this theory of liability is the economic loss doctrine, which operates to prevent plaintiffs from seeking in tort purely economic losses arising from a violation of the contract.

However, some states recognize an independent duty exception to the economic loss doctrine that permits damages claims when a defendant has an independent duty that exists outside the contract, such as a duty to provide reasonable data security.

Contributory Negligence

Another issue that often arises in B2B breach litigation involves the doctrine of comparative negligence, which reduces a plaintiff’s recovery in a tort action by the percentage to which the plaintiff is deemed responsible for the harm. This is standard in most states.

But some states continue to apply the doctrine of contributory negligence in cases seeking purely economic damages. In states that apply this doctrine, a business plaintiff may not be able to recover any damages when it’s deemed to have been negligent for the data breach, even in part.

Forum Selection

Both choice of law and forum selection clauses are standard in MSAs between businesses and can limit or prevent recovery in a B2B dispute. For example, contracts that require applying the law of a particular state that doesn’t recognize a duty to provide reasonable data security could act to bar some B2B claims. So too could forum selection clauses, which under the Erie doctrine require application of the forum state’s substantive law.

Few of these legal issues arise in the typical consumer data breach class action, but they are of critical importance in disputes between businesses over data breach liability.

One simple takeaway for businesses that outsource significant amounts of personal data to vendors—and, vice versa, for vendors that host significant amounts of third-party data—is to pay careful attention to limitation of liability and other key contractual provisions, as they can make all the difference in data breach disputes.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Phil Yannella is co-chair of the privacy, security, and data protection practice at Blank Rome in Philadelphia.

Jeffrey Rosenthal is a partner at Blank Rome and has extensive experience defending companies in high-stakes corporate and commercial litigation.

Timothy Dickens is an associate at Blank Rome and concentrates his practice on privacy, data security, and risk management.

To contact the editors responsible for this story: Rebecca Baker at rbaker@bloombergindustry.com; Jada Chin at jchin@bloombergindustry.com