

Who Is Liable, and For How Much, When Your Third Party Isn’t Available?

by Roberta J. Witty  |  February 4, 2013

Friday’s Bank of America outage reminded me of an increasingly frequent question we receive: who is liable when a third party suffers an operating outage? The use of cloud service providers is making this question top-of-mind for many organizations. But it’s not just cloud providers that you need to worry about: it’s all of your third party providers, including business processors, IT SPs et al. Nearly all contracts contain a force majeure clause that excludes outages caused by acts of God, war, terrorism, civil disturbance, court order, 3rd party performance or nonperformance, strikes, work stoppages et al. Another interesting twist we’ve started to see in contracts is a $0 valuation of the data being held or processed by the 3rd party.

Neither I nor Gartner is a legal advisor, so you need to consult with your own legal advisor on how to address the liability issue in your contracts. Our findings from recent research on 3rd party liability and data valuation may provide some background for those discussions.

  • Data valuation is a largely unaddressed and very difficult thing to do.
    • Since few if any of us have perfect foresight into the future uses of data, the most that one can do is estimate the probable maximum value of data elements – which is no way to do risk management.
    • Organizations can buy data insurance, but it is very expensive and there is no standard approach by which insurance companies assign policy premiums.
  • We consider it extremely unlikely that a vendor/service provider would take on business impact liability for an outage that is based on data valuation. One method might be to have customers pay a premium for the SP service, with that premium going into a pool that the vendor would use for liability payouts if an outage occurs.
  • We do see some contracts (for cloud SPs) where there is a “per incident” minimum of how much the SP would pay the customer if there is an outage. Most of these outages are related to data loss, especially when the SP is processing personal information (PII). How these minimums are calculated is unknown, but what the organization should be doing is trying to get more money back from the SP than the fees returned for the outage period. One option is a cap of 12 months of fees; another is to craft contract terms that require the fees returned to the customer to be based on the duration of the outage.
  • Customers require the SP to hold higher levels of liability insurance:
    • Commercial general liability (CGL), example: no more than 1 million for each occurrence including death and 1 million for each property damage. This type of insurance coverage protects against all liability exposures of a business, except ones specifically excluded. It is important to note that it is limited to bodily injury and property damage; it includes defence costs for defending against suits from third parties, and pays out only if the insured is found liable for the loss.
    • Liability Insurance for Professionals – example: the amount of One Million Dollars ($1,000,000) per occurrence and Three Million Dollars ($3,000,000) in the aggregate including coverage for X, Y and Z. The policies will name the client as an additional insured and be written as a primary policy, not contributing to any other policy the client may have. The provider needs to provide certificates of insurance. This type of insurance coverage protects professionals in various fields, e.g. lawyers’ professional liability insurance, manufacturers’ professional liability insurance, etc. This insurance essentially covers “errors and omissions” and is not limited to bodily injury or property damage.
    • Umbrella (Excess) Liability Insurance – example: in an amount of not less than four million ($4,000,000) per occurrence. CGL and professional liability insurance are written on a “primary” basis, usually with a deductible or “self insured retention”, and usually have a limit of liability of ~$1 million per occurrence. Excess liability policies are used to increase the limit of liability on specific CGL and professional liability policies. Umbrella liability policies are used to increase the limit of liability on several of these policies. Limits of liability in this market can go into hundreds of millions of dollars.
  • Organizations can buy contingent business interruption insurance (CBII) to cover supplier outages. To buy CBII you first need to have a business interruption insurance (BII) policy in place. To buy BII you need to have a property insurance policy in place. BII and CBII are property insurance policies that cover primarily “loss of earnings” following a property insurance loss. Sometimes these coverages are included in a company’s property insurance policy, and sometimes they are written separately. Casualty policies do not come into play.
  • Valuing lost revenue (in the case of business interruption insurance) is a tricky calculation, and usually involves looking at the average revenue of a company for the three months prior to a loss, and adjusting for the seasonal revenue ups and downs of some businesses.
  • We do not have data regarding an SP’s liability to all of its customers if the SP has an outage.
  • After suffering a negative impact from an SP outage, an organization can sue the SP because the returned fees aren’t nearly enough to compensate the customer. Valuing losses in these cases sometimes depends on the creativity of the attorneys and on case law. SPs and storage vendors provide remedies in contracts to limit their exposures, not to keep their customers whole. This also keeps insurance costs for the vendors lower than they would be if the vendors were providing remedies based on the value of the data lost and its impact on a company’s reputation, revenues, and future success.


Roberta J. Witty
Research VP
11 years at Gartner
33 years IT industry

Roberta Witty is a research VP in Gartner Research, where she is part of the Compliance, Risk and Leadership group. Her primary area of focus is business continuity management and disaster recovery. Ms. Witty is the role specialty lead for…



