Summary
A new front in litigation has discreetly emerged: business-to-business data breach disputes, as the scale and scope of data breaches have expanded. These disputes are not given the same level of attention as consumer class actions, which are frequently high-profile and public, due to the fact that they are frequently resolved through private mediation or arbitration.
Bloomberg Law
"
As the scale and scope of data breaches have expanded, a new front in litigation has quietly developed: business to business data breach disputes. Because these disputes are often handled through private mediation or arbitration, they don’t receive the same attention as consumer class actions, which are public and often high profile.
But the amount of money at stake in B2B breach litigations often surpasses the damages awards in consumer actions. Target, for example, paid $10 million to consumers to settle class actions arising from a 2013 breach, but it paid financial institutions nearly $40 million to settle claims for business losses.
Unlike consumer data breach class actions, which are commonly based on negligence or other common law theories of liability, B2B breach actions are based on contract law and raise a different set of legal issues than consumer data breach class actions.
Litigation Sources
B2B data breach litigation can arise any time one business suffers monetary losses stemming from a data breach allegedly caused by a business partner. One common fact pattern involves a business that hires a vendor, such as a software-as-a-service provider to host or manage personal data of the business’s employees or customers.
When the vendor suffers a data breach, the business customer often must foot the bill for consumer and regulatory reporting, consumer credit monitoring, costs for forensic consulting and may also suffer business interruption costs—all of which can be significant. A recent IBM study found the average cost per data breach in the US last year was $9.36 million.
Liability Limitations
One of the biggest hurdles for businesses seeking to recover such losses from their vendors is the Limitation of Liability provisions built into almost all commercial master settlement agreements, or MSAs. Most vendor contracts strictly limit the vendor’s liability to some measure of the contract value—often the amount paid to the vendor under the contract, or a multiple thereof.
A second hurdle built into standard vendor contracts is a prohibition on claims for indemnification or for recovery of consequential, special, or indirect damages, including damages for lost profits and business interruption. Many MSAs also include limitations on the timing when a claim can be made, even less than the applicable statute of limitations...”
Read more here...
This article was originally published in Bloomberg Law.
