Commercial contracts: What's the limit of your liability?
- Author: Jonathan Rathbone
The extent of each party’s liability is a key part of a commercial contract and is likely to be subject to extensive negotiation. An indemnity is a promise, usually made in a contract, to pay money out on the occurrence of a specified event. It aims to protect Party A from suffering a financial loss arising out of the conduct of Party B, over which Party A has no control. Indemnities are important because it is much easier for an indemnified party to establish and recover their loss under an indemnity than through a normal breach of contract claim.
A service agreement which involves the processing of personal data (which includes the personal data of a contracting party’s customers) must include provisions relating to data protection. It is common for the contracting party to insist on an indemnity from the supplier for losses resulting from a breach of data protection provisions, including any fines imposed on them.
In July 2019 the Information Commissioner’s Office (ICO) published its intention to fine British Airways £183.39 million for breaches of the General Data Protection Regulations 2018 (“GDPR”). In October 2020 this fine was ultimately reduced to £20m. This stemmed from a cyber incident where user traffic to the British Airways site was diverted to a fraudulent site. As a result, approximately 500,000 customer details were obtained by attackers. At present, the highest maximum fine that the ICO can impose is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in a company’s preceding financial year, whichever is higher.
In our digital world, cyber security threats are a reality for all businesses with an online presence. The British Airways case did not involve a breach of GDPR arising from the fault of a third party supplier. However, the seriousness of the GDPR breach and the steep fine highlight how critical it is for a business to have recourse against a supplier who fails to safeguard their personal data, or any part of the business in which they have a responsibility under the service agreement. It is equally important for a supplier to know what they are signing up to do and the extent of their liability under any indemnities.
Under the GDPR, a contract relating to the processing of personal data must include certain clauses and would normally include the following requirements for the supplier:
- an agreement that the customer receiving the services from the supplier is the data controller and the supplier is the processor who will process data;
- to process personal data only with the written instructions of the customer in line with an agreed schedule which sets out (amongst other things) the scope, nature and purpose of processing;
- not to transfer personal data outside of the supplier’s business without the consent of the customer;
- to ensure that it has in place the appropriate technical and organisational measures to protect personal data against unauthorised or unlawful use, accidental loss, destruction or damage;
- to ensure that all personnel working for the supplier keep a customer’s personal data confidential;
- to notify the customer of any personal data breach as soon as becoming aware and keep accurate records of any infringements; and
- on the instruction of the customer, delete or return personal data to the customer upon termination of the agreement.
Typically the customer (as the data controller) may seek an uncapped indemnity from the supplier in full against all liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the customer arising out of or in connection with any claim brought against them in relation to breaches of data protection clauses within the service agreement.
An uncapped indemnity leaves a supplier open to an unlimited claim from the customer. If British Airways was able to establish that the data breach resulted from a failure of its supplier, then that supplier may have been liable for £20 million, which would have been unlikely to be covered by its insurance. This is why it is important for any prospective supplier to negotiate a cap on their liability.
A supplier should consider limiting its liability in the following ways:
- cap liability at no more than the amount of their insurance cover;
- ask for exclusions back-to-back with any exclusions in the insurance policy;
- set a contractual time limit for claims; and
- ensure that any indemnity is limited to direct losses and does not cover loss of reputation or direct or indirect loss of profit.
Whatever the commercial agreement, you should always review the terms carefully and pay particular attention to indemnities and limitations on liability. If you would like us to help your business please contact our Corporate and Commercial Team on 01242 574244 or e-mail Head of Department, Jon Rathbone.