This is the third and final post for non-lawyers on key issues in SaaS Service Agreement negotiations. The first post explored Representations and Warranties and the second covered Indemnification Provisions. This post closes out the set with a few pointers on Limitation of Liability (LoL) provisions.
Why Limit Your Liability?
If you sell someone a car, do you expect to be liable for them using it in a bank robbery? For them running out of gas? Causing an accident? Of course not.
But what if the tires fall off as they pull out of your driveway? In that case, you’re probably liable.
As with a car, customers can put SaaS services to any number of uses: keeping their finances, defending against computer viruses and processing customer payments. It is not reasonable to expect the SaaS services provider to take on the liability for every possible harm that could flow from those transactions or from some other use or misuse of its service.
LoL provisions exist to cap or eliminate some of the risks that may arise from getting into a business relationship with someone else. Few SaaS services providers could stay in business if they were to take on unlimited liability for any role that their service might have when in the hands of a customer, particularly when they only receive a relatively small monthly or annual payment. The LoL provision lets you cap or eliminate the monetary value of that risk.
A Typical SaaS LoL Provision
An LoL provision will typically:
- Completely exclude indirect types of damages;
- Place a cap on the amount of direct damages either party may have to pay the other;
- Exempt indemnity obligations from the cap; and
- Possibly provide a higher cap for the service provider’s data breach liability.
A. EXCEPT FOR EACH PARTY’S INDEMNIFICATION OBLIGATIONS, EACH PARTY’S LIABILITY TO THE OTHER PARTY AND ITS AFFILIATES FOR ALL CLAIMS ARISING OUT OF THE AGREEMENT, WHETHER IN CONTRACT, TORT OR OTHERWISE, WILL NOT EXCEED THE AMOUNT PAID BY CUSTOMER TO COMPANY DURING THE TWELVE MONTHS PRIOR TO WHEN THE LIABILITY ARISES. NOTWITHSTANDING THE FOREGOING, COMPANY’S LIABILITY TO CUSTOMER FOR DATA BREACH WILL NOT EXCEED TWO TIMES THE AMOUNT PAID BY CUSTOMER TO COMPANY DURING THE TWELVE MONTHS PRIOR TO WHEN THE LIABILITY ARISES.
B. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO LOST REVENUES, PROFITS, OR GOODWILL, FOR ANY MATTER ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OR NONPERFORMANCE OF THE AGREEMENT, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT OR OTHERWISE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Indemnity obligations are typically exempt because they would mean very little if capped. Indemnity obligations involve a promise to pay the legal costs to defend one party from a lawsuit caused by the other party, and that indemnity would mean nothing if limited to paying a few thousand dollars towards defense of a lawsuit which will likely cost at least tens of thousands of dollars.
Data breach is a common negotiation topic for SaaS services since data transfer and storage are part of a SaaS system. But data breach liability can be significant given the state and federal laws that require consumer notification (and impose further requirements if the breach involved a consumer’s credit card or banking information). While the amount of a data breach cap is subject to negotiation, it should not be open-ended. Ideally, the SaaS service provider will have cyberliability insurance that covers data breach liabilities to its customers, and will craft an LoL provision that fits within that insurance coverage.
Four Suggestions in Negotiating LoL provisions in a SaaS Services Agreement
1. Courts Are Skeptical, So Draft Carefully
2. Data Breach Liability Should be Defined
If you are being asked to provide an LoL cap for data breach, it is best to specifically define what it is and what steps a SaaS service provider will take to protect data. Then, impose liability only for breach of those promises. An LoL that provides a higher cap for “claims relating to data breach” without defining “data breach” is unnecessarily broad.
Data protection promises will often be set out in a separate “Data Protection” exhibit, which will specifically list what data security measures will be used, how data will be monitored, and who can have access. These promises are within the SaaS provider’s control and would not include liability for hacking attacks that overcame industry-standard security or for breaches caused by unrelated third-party cloud services or others. Those exposures would fall under the contract’s standard LoL provision.
3. Cap Amounts Should Be Tied to Revenue Received
SaaS services are often on-demand, pay-as-you-go services with no large, guaranteed revenue to the SaaS provider, in which case it makes sense that the liability cap amount bear some relationship to the amounts paid. Why give the same $1 million liability cap to a customer that pays $100 a year and a customer paying $100,000 per year? The customers present different exposures, and the potential frequency and amount of a claim typically rises with a higher level of use. So avoid hard cap numbers if at all possible in favor of formulas based on revenue paid by the customer. If you do provide a hard number (such as for data breach or another specific exposure), make sure it is not greater than the limit of liability of your applicable insurance policy.
4. Unique LoL Provisions
In some jurisdictions, local lawyers suggest including a specific waiver of a right to sue for the excluded damages:
… and each party waives, releases and agrees not to sue upon any claim for any such damages, whether or not accrued and whether or not known or suspected to exist in its favor.
This may be a belts-and-suspenders approach in most jurisdictions, but generally would not be a negative for a SaaS services provider or customer.
Some LoL provisions may also look to impose uncapped liability for breach of the contract’s confidentiality provision. Such an exemption should be avoided because many contract breaches or disputes could involve an alleged breach of confidentiality, allowing this seemingly minor exception to eviscerate the core benefit of an LoL provision.
Lastly, some unscrupulous customers have argued that LoL provisions apply to their contractual obligation to pay the SaaS service fees. While most courts see through this ploy and read the LoL as not applying to core payment obligations, it may be worth clarifying that the LoL provision does not apply to a customer’s obligation to pay service fees.
While most SaaS service providers and customers never have the misfortune of litigating Limitation of Liability provisions, making sure that you have a provision that is well-tailored to the SaaS service being provided and to your jurisdiction will help make sure you do not join that unlucky minority. Having an incomplete LoL provision or one that is not clearly enforceable could give someone’s overly litigious lawyer the idea that he can circumvent the LoL and chase a big payday (for the lawyer, that is). A good LoL provision is critical to removing an incentive to go to court rather than work it out.