Pub. 9 2014-2015 Issue 6

www.nebankers.org 12 Extraordinary Service for Extraordinary Members.

COUNSELOR'S CORNER

Vendor Limitations of Liability for Security Breaches: The Alimentary Canal Problem

Bryan Handlos, Kutak Rock LLP

Bankers are in a tough spot. Cybersecurity risks demand increasing attention and resources. The biggest banks may be able to afford this. One of the biggest has reportedly established a 1,000-person digital security team (larger than Google's) near NSA headquarters staffed with ex-military talent and a $250 million budget. Most bankers have to face cybersecurity risks with something less. A small bank is often dependent on its vendors, whose resources and cybersecurity sophistication may outstrip the bank's.

When a vendor experiences a security breach, will those resources and sophistication really mean anything? A vendor's contractual limitation of liability can easily deprive a bank of any meaningful recovery. A famous politician once criticized something he didn't much like (government, not bank vendors) as "a big baby—an alimentary canal with a big appetite at one end and no responsibility at the other."[1] What should a vendor's backend responsibility be? In a considerably less pithy statement, the Federal Financial Institutions Examination Council (FFIEC) says:

"Some vendors may propose contracts that contain clauses limiting their liability. They may attempt to add provisions that . . . limit monetary damages. . . . Generally, courts uphold these contractual limitations on liability in commercial settings unless they are unconscionable. Therefore, if organizations are considering contracts that contain such clauses, they should consider whether the proposed damage limitation bears an adequate relationship to the amount of loss the financial organization might reasonably experience as a result of the vendor's failure to perform its obligations. For mission-critical software, broad exculpatory clauses that limit a vendor's liability are a dangerous practice that could adversely affect the soundness of an organization because organizations could be substantially injured and have no recourse."[2]

What's at Risk?

An information security breach can easily cost a bank hundreds of thousands of dollars and, in larger transactions, millions or tens of millions of dollars. Losses may include, among other things, forensics services to identify, scope, and remediate the breach; costs of notification to customers and regulators; a credit monitoring subscription for customers; increased call center costs; card reissuance costs (if cards are involved); increased fraud losses (if open accounts are involved); government and association fines; third-party claims (including but not limited to consumer class actions); and attorneys' fees. A bank also may suffer severe damage to its reputation and increased customer attrition, with attendant lost profits.

What's the Problem?

A vendor may not want to be on the hook for the damages that result from a security breach for which it is responsible. There are at least three ways a vendor will try to wriggle off the hook:

• Narrowing the circumstances in which the vendor is responsible for a security breach (see "The Liability Threshold" on the following page).

• Excluding liability for any types of damages other than "direct" damages. For example, a vendor may disclaim any responsibility for special, incidental, indirect, consequential, or punitive damages or for lost profits (sometimes referred to as a "consequentials exclusion").

• Establishing a maximum dollar cap on the vendor's liability. This is typically tied to the revenue the vendor expects to receive.

What's the Vendor's Story?

A favorite vendor line is to point out to a customer that information security

[1] Ronald Reagan, campaigning for governor in 1963.

[2] http://ithandbook.ffiec.gov/it-booklets/development-and-acquisition/acquisition/software-development-contracts-and-licensing-agreements/vendor-liability-limitations.aspx
