Liability of Cloud-Based Service Provider For Data Breach

By Richard Stobbe

Silverpop Systems provides digital marketing services through a cloud-based tool called ‘Engage’. Leading Market Technologies, Inc. (“LMT”) engaged Silverpop through a service agreement and during the course of that agreement LMT uploaded digital advertising content and recipient e-mail addresses to the Engage system.  A trove of nearly half a million e-mail addresses, provided by LMT, was stored on the Engage online system. In November 2010, Silverpop’s system was hacked, putting LMT’s email list at risk. Silverpop notified LMT of the data breach.  After LMT refused to pay for further service, Silverpop suspended the agreement.

Litigation commenced in 2012, with LMT claiming damages for breach of contract and negligence based on Silverpop’s failure to keep the email list secure. Should the service provider be liable? Silverpop argued that it was engaged to provide access to its online system, not specifically to keep data secure. Thus there was no breach of its obligations under the agreement. And anyway, if LMT suffered any damages, they were indirect or consequential and consequential such damages were excluded under the terms of the agreement. LMT countered that, in fact, the agreement quite clearly contained a confidentiality clause, and that the damages suffered by LMT were direct damages, not indirect consequential damages.

The US Federal Circuit Court of Appeals in Silverpop Systems Inc. v. Leading Market Technologies Inc. sided with Silverpop:

  • “Here, the parties’ agreement was not one for the safeguarding of the LMT List. Rather, the parties contracted for the providing of e-mail marketing services. While it was necessary for LMT to provide a list of intended recipients (represented as e-mail addresses on the LMT List) to ensure that the service Silverpop provided (targeted e-mail marketing) was carried out, the safe storage of the list was not the purpose of the agreement between the parties.” (Emphasis added)

The court was careful to review both the limit of liability clause (which provided an overall cap on liability to 12 months fees), and the exclusion clause (which barred recovery for indirect or consequential damages). The overall limit of liability had an exception: the cap did not apply to a breach of the confidentiality obligation. However, this exception did not impact the scope of the limit on indirect or consequential damages.  Since the court decided that the claimed breach did not result from a failure of performance, and the consequential damages clause applied to LMT’s alleged loss. As a result, LMT’s claims were dismissed.

Lessons for business?

  • Those limitation of liability and exclusion clauses are often considered “boilerplate”. But they really do make a difference in the event of a claim. Ensure you have experienced counsel providing advice when negotiating these clauses, from either the customer or service provider perspective.

 

Calgary – 07:00 MST

No comments

No comments yet. Be the first.

Leave a reply

You must be logged in to post a comment.