Determining consequential damages from data breach ‘difficult to apply in practice:’ Willis Towers Watson

22/12/2016 13:41

A ‘significant percentage’ of data breaches involve a loss or compromise of data in the hands of third-party vendors, and many technology vendor agreements cap those vendors’ liability to fees paid and leave customers on the hook for consequential, incidental and indirect damages, suggests a recent report released by Willis Towers Watson plc.

London-based Willis Towers Watson announced Tuesday its Winter 2016 Cyber Claims Brief, a semi-annual publication from its Finex and legal claims group.

“The reliance on third party vendors, whether directly or indirectly, has increased dramatically with technological advancements and competition,” wrote Adeola Adele, David Navetta and Matthew Spohn in the Cyber Claims Brief.

“At the same time, several studies have reported that loss or compromise of data in the hands of such third-party vendors accounts for a significant percentage of all data breaches or cyberattacks.”

Willis Towers Watson was formed about a year ago with the merger of commercial brokerage Willis Group Holdings plc and Arlington, Va.-based Towers Watson & Co., whose services include actuarial valuation, product development, predictive modeling, claims consulting and catastrophe modeling.

Its most recent Cyber Claims Brief contains several articles and includes data from the Willis Towers Watson Reported Claims Index.

“A comprehensive information security plan may include, among other things, a cyberrisk assessment, involving external penetration testing (sometimes called ethical hacking, in which cyberdefenses are tested), as well as an internal evaluation” wrote Tom Brown with Emily Lowe in an article titled Know Your Enemy. “For example, are software patches applied in a timely fashion? Is the network adequately segmented? Are network logs appropriately detailed and maintained?”

Brown is global leader of Berkeley Research Group’s cyber security/investigations practice.

In the article by Adele, Navetta and Spohn, the authors suggest that if a third-party vendor’s services include direct access to the customer’s network or if the vendor holds confidential data, than “the vendor’s technology errors and omissions policy should include network security and privacy coverage.”

Their article was titled More Vendors, More Problems.

“Unless a contract states otherwise, it is almost always true that an organization has ultimate responsibility for breach of its data while in the hands of a vendor,” they wrote. “The typical vendor contract contains a section titled ‘limitation of liability’ with two key provisions: one capping the vendor’s total liability (often with total fess paid under the contract, or fees paid in the prior 12 months), and another stating that in no event will the vendor be liable for any consequential, incidental, or indirect damages.”

Consequential damages are generally defined as “those damages that are not foreseeable to a stranger to the contact, but are foreseeable to the parties to a contract at the time they signed it, given what they know of the transaction,” according to the article. “But even judges will admit that this definition is difficult to apply in practice. The result is that in case of a data breach, one could argue that some or all of the resulting damages – costs to notify affected individuals, costs to respond to regulators; investigations, etc. – are consequential damages.”

When there are data breaches, many cyber policies “expressly provide coverage for fines and penalties imposed by regulatory agencies,” Willis Towers Watson noted in the cyber claims brief. “It is imperative that health care organizations work closely with their brokers to negotiate the most competitive wording available.”

Download the Report 

Read more: