Data Protection Report - Norton Rose Fulbright

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential damages.

The court’s analysis could apply to almost any breach of data provided to a vendor under an IT service contract, and highlights the need to carefully scrutinize a proposed waiver of consequential damages when confidential or sensitive data is involved in the contract.

Before addressing the Eleventh Circuit’s decision in Silverpop, some background on consequential damage waivers may be helpful –

How are Consequential Damage Waivers Involved in IT Contracts?

The typical vendor-friendly IT service contract will contain a section titled “limitation of liability” with two key provisions:

  1. one capping the vendor’s total liability at some amount (often the total fees paid under the contract, or fees paid in the prior twelve months), and
  2. one stating that in no event will the vendor be liable for any consequential, incidental, or indirect damages.

Purchasers will often focus on the first provision but fail to address the second provision, perhaps because it reads like boilerplate language that reasonably confirms that the vendor will not be liable for speculative damage claims.  But that is a misconception—the consequential damages waiver has important ramifications, especially in the context of confidentiality breaches.

What are Consequential Damages?

To understand the effects of a consequential damages waiver, one must first understand what consequential damages are.  But this task confounds both lawyers and judges.

Textbooks and treatises on contract law will define consequential damages in the context of the following summary of contract damages:

  • Only damages foreseeable at the time of contracting are recoverable in the event of a contract breach.
  • Direct (also known as general) damages are those damages that would have been foreseeable to a stranger to the transaction, without any knowledge of the transaction except the contract itself. As an example, if the contract were one to repair the foundation of a building, someone without any other knowledge of the transaction could foresee that if the foundation were improperly repaired, the building might collapse.  That damage to the building would be a direct damage.
  • Consequential (also known as special) damages are those damages that would not have been foreseeable by the stranger to the transaction, but would have been foreseeable to the parties to the contract, given what they knew of the transaction. Continuing the prior example, if the parties knew that the building whose foundation was being repaired housed a popular retail establishment, then the store’s profits that were lost due to the building’s collapse would be consequential damages.

Even using this scholarly definition, direct and consequential damages are difficult to differentiate.  This confusion is compounded by the fact that courts will often add layers of additional analysis to distinguish direct and consequential damages.  For instance, in Schonfeld v. Hilliard, 218 F.3d 164, 175–76 (2d Cir. 2000),  the influential Second Circuit Court of Appeals (which handles appeals from New York’s federal courts, among others) adds the test of whether damages compensate for “the value of the very performance promised,” such that they are direct damages, or whether they compensate for “additional losses (other than the value of the promised performance),” such that they are consequential damages.

The result is that judges, attorneys, and scholars regularly note that the distinction between direct and consequential damages is difficult to apply, and one should never rest easy in believing that potential damages are one or the other.

Are the Damages from a Confidentiality Breach Direct or Consequential?

Against this background, breaches of confidentiality agreements present unique challenges in sorting direct from consequential damages.   Some writers have argued that any damages from the breach of a confidentiality obligation are necessarily consequential, because the specific harm caused by the breach would rarely be apparent on the fact of the contract.

That position has some support from the recent decision of the Eleventh Circuit Court of Appeals in Silverpop Systems, Inc. v. Leading Market Technologies, Inc., 61 Fed. Appx. 849 (11th Cir. Jan. 5, 2016), which summarily affirmed the federal district court’s “well-reasoned and thorough decision” finding, among other things, that the parties’ consequential damages waiver barred all damages from an IT vendor’s data breach.

The defendant in that case, Leading Market Technologies, Inc. (“LMT”), is a digital marketer that had hired the plaintiff Silverpop Systems, Inc. (“Silverpop”) to use LMT’s confidential email address list to distribute advertising content.  But hackers accessed the portion of Silverpop’s network where LMT’s email list was stored, and  the list may have been misappropriated (though this could not be confirmed).  LMT sued Silverpop for breach of the confidentiality provisions in their agreement, alleging that the value of its confidential email list was diminished by the data breach.  Silverpop moved for dismissal of that claim with the argument that those damages were consequential, and were therefore barred by the consequential damages waiver in their agreement.

In addressing this argument, the court acknowledged the black-letter “foreseeable to a stranger/foreseeable to the parties” test of direct versus consequential damages, but decided that the Second Circuit’s “value of performance/additional losses” analysis was a helpful gloss on that test.  Using that analysis, the court found that contract’s purpose was email marketing, and that the confidentiality obligations were only incidental to that purpose.  Therefore, direct damages would consist of the lost money paid for the promised marketing services, and other damages (such as the lost value of the confidential email list) were consequential.  In a telling passage, the court reasoned:

[T]he loss suffered by LMT is of a type resulting from the breach of a specific term of the agreement. In the absence of a breach of the confidentiality provision, LMT would not have incurred the loss to the sale value of the LMT List. Thus, considering the purpose of the parties’ agreement, the damages LMT seeks are not the type that “arise naturally and from the usual course of things.” LMT’s damages are consequential rather than direct.

The court then dismissed LMT’s claim for breach of contract because it had agreed to waive all consequential damages—even though claims for breach of confidentiality were exempted from the contract’s separate cap on total damages.

This analysis is significant, because it could apply in almost any IT services contract.  In most cases, the primary purpose of such a contract is to provide IT services—the obligation to maintain the confidentiality of the data involved is only incident to that main purpose and performance.  (Stand-alone non-disclosure agreements might be exceptions).  And if a court uses the Silverpop analysis and finds that maintaining the confidentiality of data is not the primary purpose of the IT contract, then damages from the confidentiality breach will be consequential.  If the IT contract contains a standard waiver of consequential damages, then the aggrieved party may be without a remedy.

Our Take

In contracting for IT services, it is important for purchasers to thoughtfully consider the risks of harm presented by the services, and then negotiate terms that appropriately allocate those risks between the parties.  This requires both parties to reconsider the standard vendor-friendly term waiving all consequential damages.

Reassessment of the consequential damages waiver is especially important in the context of confidentiality and data security obligations.  If the vendor allows confidential information to be breached, this could harm the value of that data, cause competitive harm and lost profits, and expose the company to claims by third parties with interests in the exposed data, among other things.  If the exposed data contains personal information or protected medical information subject to state and federal regulation, then the breach could also expose the company to breach notification and remediation expenses, which could be construed as consequential.  Options for addressing these risks at the contracting stage include:

  • Removing the consequential damages waiver entirely, and relying on the background common law that damages unforeseeable at the time of contracting are not recoverable;
  • Carving out from the consequential damages waiver any claims arising from breach of confidentiality, even if such claims are already exempted from the contractual damages cap;
  • Adding indemnification provisions for third-party claims arising from a breach of confidentiality (and adding a carve out for indemnification to the consequential damages disclaimer); and
  • Adding indemnification provisions for expenses incurred in addressing a breach of regulated personal information and protected health information (and adding a carve out for indemnification to the consequential damages disclaimer).

Not all of these options are mutually exclusive, and together they provide a toolbox for allocating the parties’ liabilities in the event of a data breach.