From the Experts

Data Breach Liability: Confidentiality vs. Privacy

, Corporate Counsel


When an IT service provider offers uncapped liability for breaches of confidentiality and breaches of privacy and data security obligations, is it double dipping?

This content has been archived. It is available exclusively through our partner LexisNexis®.

What's being said

  • SevenTeen

    I am a lawyer for a cloud service provider. We do not accept uncapped liability for data breaches OR confidentiality breaches for the reasons Mr. Freibrun states below. This is a sticking point in most negotiations. However, in my experience, the parties can generally compromise on a more reasonable liability limit for those kinds of breaches.

  • Tien Doan

    Agreed that unlimited liability is probably not a realistic expectation. But the points above regarding the flow through of data/privacy requirements (contractually) to the cloud service providers are valid as the flow through makes it clear to the providers any additional requirements expected of the data as well as the additional liability (though not unlimited) that may be levied on the providers.

  • Eric Freibrun

    Echoing Ms. Cannon’s comment, the notion that cloud service providers should be subject to additional avenues through which their large corporate customers (frequently with much greater resources to pursue litigation) can sue them for unlimited liability for data breach -- especially in the absence of the provider’s fault -- is inherently unreasonable. As has been pointed out, data breaches or unauthorized intrusions are inevitable. Terrorist groups, hackers and other criminals, as well as hostile (and friendly) governments continuously work to circumvent the latest security technologies. Even if the cloud service provider has taken reasonable steps using available technology to prevent unauthorized intrusions, it should be assumed they can still occur. Customers frequently choose cloud software and data storage over internally installed systems because of the cost savings. With that must come acceptance of the greater risk of data breach. Cyber-liability insurance is available to both parties to address this and customers shouldn’t expect the service provider to bear unlimited liability nor, for that matter, any liability disproportionate to the economic benefit it receives. (Of course, this is the argument on behalf of the service provider. Attorneys who represent cloud customers may be well advised to do what the author suggests, but they should be under no illusion that any sophisticated cloud service provider will accept those positions.) - Eric Freibrun, Law Offices of Eric S. Freibrun, Ltd. (eric AT freibrun DOT com)

  • Stacey Cannon

    Please explain how smaller, responsible hosting companies are supposed to do business with the risk of UNLIMITED liability when they have exercised due care and still remain liable for an incursion? As everyone and every article says, it is not a matter of "if" but "when". I haven’t seen any discussion about the protection (i.e., no unlimited liability for the service providers since they would quickly be put into bankruptcy with ONE event) that should be afforded smaller companies. Any thought given to that?
