IT Service Providers and Customers Battle Over Data Breaches

"The service provider was on the hook," says Chris Ford, chair of the global sourcing group at the law firm Morrison & Foerster. For other data breaches, there may have been a limitation of liability, typically set at a year's worth of service provider revenue associated with the contract. There were few, if any, special terms or requirements around data security processes.

Very aggressive approach

"Companies like IBM took a very aggressive approach," said Ford. "The usual limitation on liability -- an amount equal to 12 months of revenue -- was a standard you never had to negotiate. They all became fairly aggressive about limited liability. It was a paradigm shift."

It became common to encounter outsourcing providers capping liability at two or three months of fees, said Robert Finkel, a partner in the corporate practice of the law firm Dewey & LeBoeuf. In the meantime, most offshore vendors were willing to take on unlimited data security liability to get new business, and many still are, according to Finkel.

Outsourcing clients started demanding that new data security processes be written into their contracts as well. "Clients understood the risks and started requiring more protection," said Helms. They began "demanding specific data security requirements, such as specific firewall policies, encryption or limited network access to [provider employees]," he said.

Data breach liability "is the most contested provision in outsourcing contracts today," according to Ford. And it's only poised to become more contentious as clients consider cloud computing services.

More information: Cio.com