Norton Rose Fulbright - Data Protection Report blog

In technology vendor contracts, the vendor’s obligations to protect the customer’s data are often hotly negotiated.  The vendor may want to spell out only the data security measures it currently employs, or—at most—agree to implement “reasonable” data security measures.  Given the stakes if sensitive data is breached, though, the customer may insist that the vendor use its “best efforts” to protect its data.  But one rarely sees a “best efforts” clause in a technology contract, especially with respect to data protection.

Best efforts to protect data

Many attorneys will justify that void by explaining that “best efforts” is “a near fiduciary level of obligation of total efforts” that would require the vendor to do almost everything possible to protect the customer’s data, “regardless of whether it’s unreasonable or not commercially reasonable or cost-effective.”  Such a standard would be particularly onerous in the context of data security, where some say that it is nearly impossible to completely prevent a breach.  Under this interpretation, a vendor’s agreement to employ best efforts to maintain the security of a customer’s data would be tantamount to agreeing to spend itself into bankruptcy in an impossible mission to safeguard customers’ data from every potential threat.

This view may have some limited support under Canadian or English law, but there is a growing awareness that it is not accurate under U.S. law.  As detailed in an oft-cited article, U.S. courts interpret “best efforts” in various ways—to act in good faith, to act with reasonable diligence, or simply to act reasonably.  The distinctions between those variations are subtle, but generally result in an obligation to employ reasonable efforts.  Indeed, this is the conclusion reached by several U.S. courts:  that “best efforts” and “reasonable efforts” are interchangeable.  The same is true with respect to the variations “commercially reasonable efforts” and “reasonable best efforts.”

According to a leading commentator on the issue, as of this year, there are only two outliers in U.S. case law holding that “best efforts” imposes a higher standard than “reasonable efforts,” and they lack explanation or analysis.  Otherwise, the case law provides little support for the popular notion that “best efforts” imposes an onerous, unreasonable burden.  In most U.S. jurisdictions, “best efforts” will be interpreted as synonymous with “reasonable efforts.”

Our Take

Returning to the context of data security, vendor contract negotiations often result in a reasonableness standard—the vendor agrees to implement reasonable data security measures, or agrees to use reasonable efforts to protect the security of the customer’s data (in either case, often accompanied by an explanation of some minimum measures that are negotiated by the parties).  And “reasonable efforts,” rather than “best efforts,” is usually the best term to use, as it avoids confusion and synchs with well-developed case law and commentary.  But where a negotiation is held up by one party insisting on “best efforts,” and the other insisting on “reasonable efforts,” it is helpful to know the stakes—and they appear to be small.
