of dollars, was only worth $40,000 if completely lost by its vendor that was supposed to be the one safeguarding such information?” The likely answer is that Mentis either was not aware of the limitation, it did not consider the full financial impact such a limitation could have, or it said to itself, like so many others do, “What can we do about it?” In fact, there is a lot that can be done, because as the court put it, Mentis “chose to enter into the contract.”

Limitations of liability are one such provision that dealers should be acutely aware of and should evaluate fully before agreeing to, including discussions with your legal counsel to understand the full impact such clauses could have. Limitations of liability in the commercial context are generally enforceable³ and can have severe impacts on what types of damages may be pursued and the maximum recovery that can be achieved. Many service providers limit liability to the value of services rendered, the fees charged to date for the service or the value of fees charged for a certain number of months preceding the event giving rise to liability. In many scenarios, this amounts to a mere fraction of the damages that can be caused by the failure of a service provider to perform. If you are entering into a contract with a provider who is essential to the daily operation of your business, you may want to think long and hard and seek the advice of counsel before agreeing to that limitation of liability, as it could be the difference between a $40,000 recovery, or a recovery worth millions.

DATA SHARING/PRIVACY

Another aspect of the fallout of the recent CDK cyber incident is what data of those being serviced by CDK was placed at risk, and what reporting obligations do the users of CDK have as a result? Such concerns are not unique to CDK and the services it provides.
Recently, I saw a thread where someone was discussing a manufacturer agreement that required the dealers to install, use and pay for manufacturer-specific technology. As part of that requirement to use a new system, at the dealer’s expense, to facilitate the exchange of information between the manufacturer and dealer, the dealer was also required to grant the manufacturer an unconditional and irrevocable license to all rights, title and interest in and to the dealer’s data. This included both personal information and intellectual property rights. Now, beyond being entirely too overbroad, such a grant of a license to the data of unknowing third parties could potentially run afoul of numerous data privacy laws. While privacy/data security laws vary by country and state based on where the data subject is sitting, increasingly, the data subject (who the information or data is about, in this case the customer, not the company collecting that person’s data) owns their data and has certain rights to restrict the use of such.⁴ In addition to state privacy laws, federal privacy laws and regulations, such as the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule, may apply to certain dealer activities, particularly with respect to

and network data backup, network services, antivirus, and comprehensive maintenance and support for servers, PC’s and the network, could only be held liable for direct damages after Pittsburgh Networks caused Mentis to permanently lose valuable data. After filing suit seeking damages estimated to be in the millions of dollars to recreate the lost data and make Mentis whole for lost business, Mentis was likely shocked to find out that it could only recover direct damages, “which is probably close to ... the contract price” all because its agreement with Pittsburgh Networks included a limitation of liability clause.
Ultimately, Mentis was awarded $40,000 — not the millions in losses it estimated were caused by Pittsburgh Networks — all because the limitation of liability clause in the service contract with Pittsburgh Networks limited recovery to direct damages. Dealers across New Hampshire may be surprised to learn that the very contracts they hold with many vendors likely have similar limitations, despite the crippling effects breach of such agreements could have. Now I am sure we are all asking ourselves the same thing: “Why on earth would a company agree that its data and the work it obtains employing such data, which is worth millions