A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.1 When users of a website are allowed to visit a website and enter their (personal) data, the company owning the website may be liable for loss of said data.
We advise our clients to take reasonable safeguards to protect the customer’s data. However, it is impossible to guarantee 100% failproof security measures. To that end, companies should disclose in their website ToS/T&C document that they employ reasonable, but not foolproof, measures to protect website visitors’ data.
Breaches may not be the fault of the website owner/provider. After all, the website owner/provider may have done everything in its power to protect against breach, but his or her efforts were thwarted by third parties. To that end, we draft our website ToS/T&C documents to outline that remedies only apply when the website owner/provider is at fault/negligent, and/or has breached its contractual obligation to take reasonable security measures. We typically state that in the event of a breach, the website owner/provider will endeavor to discover the cause of the breach, and employ concrete measures to cure the breach or otherwise limit its effects.
Limitation on Liability
When drafting a website ToS/T&C document, we always include a limitation of liability clause. This is a clause is that limits the amount of exposure a company can face in the event a lawsuit is filed or a claim is made against the website owner, based on or arising out of its provision of the website and/or its services. Oftentimes, our clients inquire whether a limitation of liability clause can "cap" the amount of potential damages so that the website visitor cannot recover more than say, for example, the annual subscription fee of the services or product cost.
Looking at the country as a whole, most courts hold that such clauses do not automatically violate public policy. However, several states are more protective, and some have enacted legislation, by way of anti-indemnity statutes, that deem such clauses void and unenforceable.
In California, courts are especially critical when companies try to limit their liability via liability caps. California courts scrutinize whether the consumer had an opportunity to accept, reject, or modify the limitation of liability clause, which is not often the case in a click-wrapped website ToS/T&C document. Courts furthermore consider all of the facts surrounding the transaction, including whether the parties were of relatively equal bargaining power and whether it was an arm’s length transaction.
Because of the large-scale damages that can result from a data breach and the way in which California courts scrutinize liability caps, we always advise our clients to consider purchasing cyber security insurance.
Where visitors to a company’s website can post data or images via the website’s public blog or forum, there is the risk that the company can be liable for a visitor’s improper use of the posted material. For example, a visitor might infringe another party’s trademark or logo, and post it on the company’s website. Because the website owner/provider hosts the publicly-available forum where the trademark violation occurs, it can also be liable for said infringement. To that end, when drafting a website ToS/T&C document for our clients, we include a provision that requires a website visitor to verify that any content posted on the website does not infringe a third party’s rights, and an indemnification clause in favor of the website owner/provider in the event that it does.
Smith Shapourian & Mignano, PC is available to answer any questions or concerns you may have regarding the legalities surrounding your business website.
This blog does not constitute solicitation or provision of legal advice, and does not establish an attorney-client relationship. This blog should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter in a timely manner, as statutes of limitations may bar your claim.
1. See http://searchsecurity.techtarget.com/definition/data-breach