Knowing What to Ask About Your Privacy and Liability Contractual Obligations

By Antonia Dumas, Associate at XPAN Law Group 

Data breaches are still occurring frequently. These breaches can bring to light security vulnerabilities and potential regulatory obligations and compliance issues. Our team continues to highlight the regulatory enforcement components; but it is important to understand that contractual liability can play just as impactful a role in enforcing privacy and cybersecurity.

To illuminate this area of liability, we will look at the contractual obligations related to the malware attack that affected Princeton Community Hospital Association (“PCH”) and led to the case currently pending in the District Court of the Southern District of West Virginia, Princeton Cmty. Hosp. Ass’n v. Nuance Commc’ns, Inc. (S.D. W.Va. 2020).

The Security Incident 

PCH used software from Nuance Communications, Inc. (“Nuance”) that was integrated into PCH’s hospital computer network. Nuance’s systems suffered a breach that affected PCH’s network, which Nuance confirmed in a press release regarding the malware incident impacting a platform used by its customers, including PCH. The Nuance breach was part of the global NotPetya attack in 2017, a cyber-attack attributed to the Russian military and known as one of the most destructive and costly attacks in history.

Nuance and PCH entered into an agreement (a Healthcare Master Agreement and Business Associate Addendum (“BAA”)) for PCH’s use of Nuance’s software, which was integrated into PCH’s systems. In June 2017, Nuance’s computer systems were infected by the NotPetya virus. On the same day, PCH discovered the malware attack on its systems (by discovering false extortion messages requesting ransom bitcoin payment), which encrypted and destroyed data on PCH’s health network. According to PCH, all of PCH’s computer systems were shut down and destroyed as a result of the attack.

PCH’s Complaint 

PCH’s complaint includes two causes of action: 

  1. Breach of Contract: Breach of indemnification provision for failure to reimburse or indemnify PCH for damages as a result of Nuance’s negligence related to the security incident; and 
  2. Negligence: Breach of duty of care to exercise caution and take appropriate safeguards to prevent malware infection into PCH’s system.

PCH claims that its damages from the NotPetya virus were approximately $10.8 million, including system damage, business interruption for almost a year and additional expenses. These damages included purchasing new workstations, breach mitigation costs (including disaster recovery services and other cybersecurity vendors), breach notification costs, loss of business and revenue, etc. After utilizing available cyber insurance coverage, its remaining damages were approximately $6.8 million. PCH claims that Nuance refused to pay for the remaining damages as required under their contract.

PCH claims net damages of $6.8 million because: 

“Nuance system was infected by malicious malware that embedded and destroyed all data. Shortly thereafter, the same malicious malware encrypted PCH’s entire computer health network and destroyed all data content.” 

Nuance’s Contractual Liability 

The Court’s most recent Opinion denying Nuance’s Motion to Dismiss discusses key contractual provisions (under the Master Agreement and BAA) and provides us with important takeaways regarding contractual obligations and liability.

Data Privacy and Security Obligations

The BAA states:

Nuance agrees “to use appropriate safeguards, and to comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement.” 

PCH’s complaint was brought alleging Nuance had contractual obligations under the Master Agreement and the BAA. Under this provision of the BAA, Nuance agreed to adhere to the requirements of Subpart C of 45 CFR Part 164, the HIPAA Security Rule, requiring appropriate administrative, physical and technical safeguards to protect and prevent unauthorized disclosure of protected health information (“PHI”). While not directly addressed by the court, this provision is key to understanding the obligations under the agreement. 

Key Take-Away: Ensuring that you understand the self-imposed minimum security and privacy requirements that may be agreed to under contract is key. In particular (and as we have seen many times), this highlights the importance of paying attention to any applicable addendums or incorporated provisions that may alter or add contractual obligations. Too often, entities are not fully aware of what contractual and legal obligations they have voluntarily agreed to under contract.

Liability Provisions 

Another key issue to be aware of regarding your contractual obligations is understanding your potential liability, including any limitations on liability and potential indemnification obligations.

The Master Agreement includes a Limitation of Liability Provision as follows:

“Nuance shall not be liable for loss of profits or revenues, loss of anticipated savings, loss of customers, or loss of use of any software or Data, nor for any special, consequential or indirect loss or damage, costs, expenses or other claims for consequential compensation, however caused, which arise out of or in connection with this Agreement or the Services.” 

Nuance claims that PCH’s damages fall within the limitation of liability provision under the Master Agreement. However, the court noted that the agreement includes another provision that could allow for liability for tangible property damage caused by negligence, which is what PCH alleges. PCH claims that the damage to its computer systems was caused by a virus attack resulting from Nuance’s negligence, and that its computer systems were shut down and destroyed. As such, the court did not determine at the current juncture of the lawsuit that PCH’s claims were barred by the limitation of liability provision.

Key Take-Away: We see the importance of having clear language regarding liability and any limitations or exclusions regarding liability. Further, it is important to understand how the provisions relate to one another and the various types of liability. 

Additionally, the BAA includes an Indemnification Provision as follows: 

“[Nuance] shall reimburse, indemnify and hold harmless [PCH] for all costs, expenses (including reasonable attorneys’ fees), damages and other losses resulting directly from any negligent breach of this Business Associate Addendum, Security Incident or Breach of PHI maintained by [Nuance] . . . , subject to the provisions of the Agreement. The foregoing includes, without limitation: fines or settlement amounts owed to a state or federal government agency; the cost of any notifications to individuals or government agencies; credit monitoring for affected individuals; or other mitigation steps taken by Covered Entity to comply with HIPAA or state law.”

The court denied Nuance’s argument that the reimbursement and indemnification provision under the BAA does not apply to PCH’s first-party claims (i.e., the claims for costs related to a security incident or breach of PHI). The court noted that the provision for reimbursement and indemnification is broad and does not expressly limit first-party losses. The court recognized that at a minimum there was an argument that the provision is ambiguous regarding recovery for first-party claims. 

Key Take-Away: This represents an important issue regarding reimbursement and indemnification as it relates to the different types of claims. You should ensure that you understand the difference between first-party and third-party claims both under your contracts and under your cyber insurance coverage. Being informed regarding potential claims and your obligations to pay or reimburse such claims is critical. Then, you should ensure that the language in your contract is not too broad but rather clearly articulates any reimbursement or indemnification rights or obligations.

Finally, the Master Agreement includes a Force Majeure Provision as follows:

If “that performance is rendered impossible by . . . governmental acts or orders or restrictions, acts of terrorism, war. . .”

The court denied Nuance’s argument that the malware attack fits within the excuses for non-performance under the force majeure clause. The court noted that, even if the attack fits under one of these acts, it remains an open question whether Nuance’s actions constitute nonperformance within the meaning of the clause.

Key Take-Away: The fact that the source of the breach was due to a global cyberattack does not necessarily excuse liability for maintaining data privacy and security. Businesses should ensure that contractual provisions are not vague, especially regarding liability or excuses for nonperformance. 

Questions You Should Ask Before Executing That Contract

It is essential that specific requirements for the security of data are addressed in the contract and fully understood BEFORE the contract is finalized and executed. For example, you need to be aware if you are obligating your company to meet certain requirements for technical and organizational safeguards and measures (particularly under regulations such as HIPAA and the NY DFS cybersecurity regulations).

Also, check your addendums! Often we overlook addendums or other documents that are incorporated in our contracts that can make you subject to privacy and security requirements or modify liability. 

#1: What are your contractual obligations?

On the one hand, it is important to understand your regulatory compliance obligations. But even more importantly, you should understand your voluntary obligations that are self-imposed under your contracts.

Ask: Are you responsible to use certain security and privacy controls, due diligence, documentation or reporting? Are there shared responsibilities/obligations between the contracting parties (e.g., shared responsibility model)? Are you liable for compliance under specific regulatory laws or industry standards/frameworks? 

#2: What are you liable for? 

It is important to understand your potential liability and what circumstances will trigger liability under a contract. And, understanding that before an event triggers that liability is key to mitigating your risks. 

Ask: If a security or privacy breach occurs, who is liable? How far does liability extend (i.e., only to property damage, or does it include breach notification costs and additional expenses)?

#3: Are there any limitations for liability? 

Not only do you need to understand potential liability, but you need to understand to what extent liability may be limited or excluded.

Ask: Are there exceptions or limitations for liability? Is reimbursement or indemnification limited to certain types of claims (e.g., first-party versus third-party claims)?

#4: What will my insurance cover? 

This case also brings up the importance of insurance coverage. The case was brought to enforce reimbursement and indemnification provisions to cover damages that were not covered under PCH’s cyber insurance coverage. 

Ask: What triggers my insurance coverage? What types of claims fall under my coverage? What types of claims/costs fall outside of my coverage? 

Big Takeaway 

Make sure you understand your contractual obligations BEFORE signing those contracts and BEFORE signing up for third-party services or platforms. Better yet – implement policies and procedures for reviewing and executing contracts to ensure that the security, privacy and liability obligations you are agreeing to fit within your general strategy for privacy and security. Also, use resources such as outside counsel to take on the burden of reviewing your contracts and ensure better management of your contractual obligations. XPAN assists its clients with contract review, negotiating and drafting to ensure that business interests are protected and that contractual obligations are properly understood and managed.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.