The stakes are high; losses from faulty technology often exceed the purchase price of the technology itself. A key system may be relatively cheap in comparison to the business losses that result when the system malfunctions. Consider the following fictional example: Consultants, Inc., a mid-sized consulting firm, has a budget for the year that includes money to update elements of its computer and database systems. The firm has agreed to purchase a new server ($10,000) for its billing system and has entered into a standard form agreement with the supplier. Although there are a number of strategies that Consultants, Inc. could have employed to reduce the risk inherent in this kind of purchase, the company wasn't aware of these strategies when it signed the contract. Seduced by the low price of the server, Consultants, Inc. agreed to sign the seller's standard form agreement, which limits the seller's liability to direct damages. We will soon see the results of the firm's ill-fated transaction.
You May be in for a Surprise
Sellers of information technology goods or services generally draft limitation of liability provisions that cover many categories and types of damages. While the seller's standard form might provide that the seller will be liable to the buyer for any "direct" damages suffered by the buyer, it will typically also provide that the buyer will be responsible for any "indirect," "consequential" or "special" damages. While all of these terms have received considerable attention by the courts in many common-law jurisdictions, the meaning of these terms is not clear. For example, the definition of "direct damages" adopted by some courts in Canada, the United States and England includes any damages that would ordinarily result from a deficiency in the goods or services. These courts have awarded direct damages that include a buyer's lost profits and increased borrowing costs, as well as the cost of buying a replacement system. But other courts have used a narrower definition that limits direct damages to the difference in value between what was promised and what was actually provided. If a court adopts this more restrictive meaning, the buyer who signed an agreement with the first definition in mind will be unpleasantly surprised to find that it will not be able to recover much of what it lost.
Let's revisit the unfortunate Consultants, Inc., which recently purchased its new server. Soon after the server was installed, its fan stopped working, which caused the server to overheat. The resulting fire caused $500,000 of physical damage to the computer network and office equipment (including the server), $100,000 of damage to the building and the loss of the entire database and several days of billable time. These damages were accepted by the court as recoverable under the general law of contract, but the court applied a narrow definition of "direct damages." The company that sold the server to Consultants, Inc. was found to be liable for only the $10,000 cost of replacing the server-not the remaining $490,000 in physical damages, the $100,000 of damage to the building, the cost of restoring the database or the lost revenue due to the downtime.
Well-Drafted Liability Clauses Can Help
To avoid unwelcome surprises, the buyer should customize the limitation clause to suit its circumstances. While there is no standard language suitable for every transaction, there are certain strategies that can be employed to reduce the buyer's risk.
Usually, a seller of information technology products or services will limit its liability to a specified amount. This amount is often the monetary value of the goods or services purchased under the agreement. From the seller's perspective, an ideal limitation of liability clause applies to all circumstances and all types of losses under the agreement. Buyers might be surprised to discover that even if the seller has undertaken to perform specific obligations (such as the deployment of industry-standard security technology to monitor against intrusion and prevent virus contamination, or the back-up and restoration of lost data), the dollar cap on liability limits the buyer's ability to recover any amounts that exceed the dollar cap, even if these amounts resulted from a breach of the seller's obligations. From the buyer's perspective, then, a well-drafted limitation of liability clause specifies the circumstances under which damages are not subject to the dollar cap. For example, if the buyer wants the seller to be fully liable for all damages resulting from the seller's breach of its data back-up and restoration obligations notwithstanding the dollar cap, this must be expressly stated in the contract.
The buyer should also ensure that the seller is liable for all losses for certain types of breaches, for all classifications of damages (i.e., direct, indirect, special, etc., including lost profit, lost revenue and lost data). This can be done by carving out certain losses as not subject to the limitation. For example, technology-related agreements often include an exception to the limitation in the context of confidentiality obligations. The seller's breach of its confidentiality obligations will almost always result in economic loss such as lost revenue or lost profits. The disclosure by the seller of a buyer's confidential information will decrease its competitive advantage, which can only lead to an economic loss. If the limitation of liability excludes lost revenue or lost profits from the damages for which the seller will be responsible (often these clauses exclude both), the buyer should insist on carving out breaches of confidentiality from the limitation.
It is even more crucial to address limitations of liability in the context of intellectual property rights infringement. Usually, the buyer will want to hold the vendor completely liable if the goods or services provided by the seller violate a third party's intellectual property rights. In this case, the seller is in a much better position than the buyer to know the risk of third-party intellectual property claims associated with its product or service. Although most sellers will try to limit the extent to which they assume this risk, buyers should be aware that even the use of a product that violates a third party's intellectual property rights can result in potentially enormous liability. Finally, even if the seller agrees to indemnify the buyer for losses resulting from a third-party claim, a third party whose intellectual property rights are being violated may succeed in obtaining an injunction that prevents the buyer from using the technology-technology that might be essential to its business. To address this concern, technology-related agreements often require that the seller obtain the rights necessary to continue to use the technology, modify the technology so that it no longer infringes the third party's rights, or replace the technology, all without compromising the technology's functionality. If the contract does not address whether or not the limitation of liability applies to the seller's obligations regarding intellectual property rights violations (including the IP indemnity and "continued use" obligation), it is not clear if the court will make these obligations subject to the limitation of liability. To ensure that both parties understand the scope and limits of the IP indemnity and "continued use" provisions, the agreement should state explicitly whether or not these provisions are to operate notwithstanding or subject to the limitation of liability.
These drafting tips cover just a few of the issues that should be addressed to ensure a favourable limitation of liability clause. In practice, it can be challenging to ensure that the limitations and carveouts work together, particularly in light of the courts' approach to limitations of liability. Appropriate drafting techniques will depend on the circumstances. This is precisely why a customized agreement is better than one that uses boilerplate language.
Keep in mind that the negotiation of a limitation of liability clause is about allocating risks, not eliminating them. A narrow limitation of liability clause, or no limitation at all, means that the risk is borne by the seller. A broad limitation of liability clause means that the risk is borne by the buyer. In any case, the contract itself cannot eliminate the risk.
Aside from a strong legal agreement, the best way to eliminate risk is through a combination of insurance (such as property and casualty, liability or business interruption insurance) and information technology security precautions (such as following proper back-up procedures). By taking these precautionary measures, the buyer further reduces the potential damage in the event of a hardware failure, a software virus or other common occurrences. The buyer of technology-related goods or services should also have a robust disaster recovery system in place so that it can be up and running as quickly as possible following a disaster that destroys all or a substantial part of its facilities. Finally, by doing proper due diligence on the seller prior to making a purchase, and by avoiding a customized solution if there is a viable commercially available substitute, the buyer further decreases its risk.
So what could Consultants, Inc. do in the future to reduce risk? In addition to ensuring that from now on the wording of purchase contracts and limitation of liability clauses more accurately reflects its needs and circumstances, Consultants, Inc. should examine and update its insurance policies and implement appropriate disaster recovery protocols. It should also devote more time to doing proper due diligence on its technology suppliers before making its purchasing decisions.
Sherri Kreisman is a member of the technology group at Torys LLP. Her practice focuses on commercial transactions and intellectual property law, with an emphasis on the structuring and implementation of strategic technology initiatives, including the development, procurement, licensing and exploitation of sophisticated technology-based products and services.