Pub. 9 2014-2015 Issue 6

March/April 2015 13 Extraordinary Service for Extraordinary Members.

breaches are a risk the bank has anyway. If the bank was supporting itself with in-house resources, the bank would run the risk of an information security breach. The bank, so the vendor says, “should not try to shift that risk” to the vendor. A vendor is also likely to try some variation of “this is standard in the industry.”

There is plenty to argue about in these (and other) rationales that vendors use. Arguments about rationales for a limitation of liability typically do not, however, move a negotiation forward. Contractual limitation of liability is nothing more than risk allocation. At its core, the vendor is simply taking the position that, for example, a $500,000 revenue stream is not worth a $5 million risk exposure. Put a little more bluntly, “your business is not worth this risk to us.” The vendor’s position may not necessarily be unreasonable, depending on its specifics and the circumstances. The challenge lies in discovering the boundaries of the vendor’s real bottom line. Exploring for those boundaries involves more than solving for one number in a limitation of liability dollar cap.

The Liability Threshold

Before limitation of liability can be negotiated, the circumstances in which the vendor has liability should be considered. The vendor must be liable for something before it makes sense to worry about how much liability it will have. Addressing all the substantive components of good confidentiality and information security provisions is beyond the scope of this article. Nonetheless, limitation of liability provisions cannot be evaluated apart from understanding the vendor’s underlying obligations:

• What thresholds have to be crossed before the vendor has any liability at all? Ideally (from the bank’s standpoint), the vendor should be responsible if the security breach occurs in the vendor’s systems, regardless of fault. The vendor is more likely to prefer a fault-based approach, e.g., the vendor is liable only if it can be proved to have been negligent. Some vendors may try to limit their responsibility even further so they are liable only if they fail to do specific things (e.g., fail to fulfill very specific information security duties spelled out in the contract, like not maintaining a firewall, etc.).

• Vendor confidentiality and information security responsibility is not monolithic. The vendor should have responsibility for a variety of things. Obviously, a vendor should not itself disclose the bank’s information. It also should be prohibited from using information for other than authorized purposes. Crucially, the vendor should be responsible for protecting against unauthorized access to information. The vendor also should comply with applicable laws, regulatory information security requirements, and relevant association requirements (e.g., PCI requirements).

• The bank’s exposure may be dependent on key commitments from the vendor. For example, how long will the vendor store data? Will data be encrypted in transit and at rest? Commitments in these types of areas may influence the bank’s willingness to consider certain limitations of liability. What happens if these key commitments are breached?

• In the past, banks simply looked to general confidentiality provisions for protection. As regulatory information security responsibilities evolved, banks layered a vendor information security commitment on top of the general confidentiality obligations. Close attention should be paid to vendor attempts to segregate confidentiality and information security commitments and to assign different levels of liability to them.

How Are Limitation of Liability Provisions Resolved?

Assuming the vendor is going to have a consequentials exclusion and some dollar cap on its general duties under the contract, what are some of the ways to address information security breaches?

• Ideally (from the bank’s viewpoint), liability for breaches of confidentiality and information security provisions is simply “carved out” (i.e., the limitation of liability provision should provide it is not applicable to those particular breaches). Until recently it would be fair to say this was a standard approach generally accepted by both sides.

• Less satisfactory (from the bank’s viewpoint), liability for breaches of confidentiality and information security provisions can be made subject to a higher dollar cap. For example, if the basic dollar cap is equal to 12 months’ revenue, confidentiality and information security breaches could be subject to a cap of 60 months’ revenue. This higher cap should, as the FFIEC says, bear “an adequate relationship to the amount of loss the financial organization might reasonably experience as a result of the vendor’s failure to perform its obligations.”

• Least satisfactory (from the bank’s viewpoint), liability for breaches of confidentiality and information security provisions would remain subject to the basic dollar cap. In many cases, this will not be sufficient to allow the bank to recover fully for a security breach.

• In addition to whichever of the above approaches is taken, a bank should always request carve outs from both dollar caps and consequentials exclusions for the vendor’s gross negligence and willful or intentional misconduct.[3] While this will not be a panacea for the bank, it may be a useful backstop in the event the vendor’s conduct is truly egregious.

Beyond negotiating carve outs and/or enhanced caps, a bank also may wish to:

• make clear that it has a right to terminate without penalty in the event of an information security breach, regardless of whether the vendor was at fault;

• bargain for specific remedies relevant to the security breach, like reimbursing the bank for notification costs. Ideally,

[3] In many states, a vendor cannot disclaim responsibility for this type of conduct anyway.
Counselor’s Corner — continued on page 15
