"Companies like IBM took a very aggressive approach," said Ford. "The usual limitation on liability -- an amount equal to 12 months of revenue -- was a standard you never had to negotiate. They all became fairly aggressive about limited liability. It was a paradigm shift."
It became common to encounter outsourcing providers capping liability at two or three months of fees, said Robert Finkel, a partner in the corporate practice of the law firm Dewey & LeBoeuf. Meanwhile, most offshore vendors were willing to take on unlimited data security liability to get new business, and many still are, according to Finkel.
But among IBM and others that took a hard line on limited liability, negotiators would sometimes leave the table if the limits on data breach liability were financially unfeasible. "IBM took the corporate position that they were unwilling to assume that level of liability and even walked away from huge deals. Customers were frankly a little stunned," Ford said.
Outsourcing Customers Push Back on Liability
In recent years, however, outsourcing customers have begun to fight back. "Four or five years ago, they were okay with just getting some data breach liability," said Ford. "Now they're saying, 'We need a multiple of [the standard 12 months of fees] limitation.' I've seen a number of deals where it's three or four times that."
Outsourcing customers started demanding that new data security processes be written into their contracts as well. "Customers understood the risks and started requiring more protection," said Helms. They began "demanding specific data security requirements, such as specific firewall policies, encryption or limited network access to [provider employees]," he said.
IT service buyers are also coming to the table with detailed risk profile assessments that put a real dollar figure on potential data breaches. "Customers are looking at this issue as hard as the service providers and saying, 'I'm handing my data over to you. You're in control of my data. If something goes wrong you need to take responsibility,'" Ford said.
In response, the outsourcing providers began adding very detailed exhibits to their agreements outlining their security obligations.
"In order for the customer to recover under one of these contracts, they have to prove a clear breach of these exhibits. If it's not listed, it's not [the provider's] obligation," Ford said. "It makes the likelihood of the customer recovering much lower."
It doesn't matter that no outsourcing providers or customers have encountered the kind of multimillion-dollar data breach they most fear. "There hasn't been any big private case or the government leveraging any huge fines," said Finkel. "But it's inevitable. It will happen. And that's changed things on both sides."