Glynna Christian and Nikki Mondschein of Kaye Scholer LLP provide food for thought for businesses and covered entities when reviewing contracts with IT service providers:
IT service providers, particularly cloud service providers, increasingly are resisting unlimited liability for breaches of privacy and data security obligations in their customer agreements. Instead, they offer unlimited liability for breaches of confidentiality, asserting the customer’s risk of a data breach would be covered as a breach of confidentiality, and arguing that unlimited liability for breaches of data protection obligations is simply double dipping.
A Data Breach Is Not Needed to Create Liability
When an IT service provider takes this position, one of the first questions a customer asks is: Assuming that the service provider has access to data that would be covered by privacy and data security laws, what is the risk if the provider breaches the privacy and data security obligations without an actual data breach.
In other words, does there need to be a data breach for the customer to incur liability? Unfortunately, the answer is no.
Read more on Lexology.