In a recent decision, a West Virginia federal district court declined to dismiss a lawsuit brought by Princeton Community Hospital Association, Inc. (PCH) against its IT vendor, Nuance Communications, Inc., alleging millions in damages arising from a cyberattack of PCH’s IT system.1 This case highlights the importance of scrutinizing limitation of liability, indemnification, and force majeure provisions in IT-related agreements. The court’s decision reveals valuable tips for optimizing the pro-customer and pro-vendor approaches traditionally used for these types of provisions.
Background
In 2016, PCH and Nuance entered into a health care master agreement that incorporated a business associate addendum (BAA)2.Under the agreement, Nuance provided PCH with licenses, equipment, and services related to Nuance’s medical dictation software. PCH provided Nuance with server credentials (i.e., domain administrator username and password), which provided Nuance with a data port into PCH’s servers and computer system.
According to PCH, in March 2017, many businesses, including PCH, installed a Microsoft patch to guard against a virus known as WannaCry. PCH alleged Nuance failed to install this Microsoft patch. In June 2017, as acknowledged by both parties, businesses worldwide encountered a cyberattack through malware known as NotPetya.
PCH alleged NotPetya exploited the same Microsoft vulnerability as WannaCry. PCH further alleged that, because Nuance did not install the Microsoft patch, Nuance left an IT tunnel into PCH’s system open, and NotPetya used this tunnel to spread. According to PCH, NotPetya caused PCH’s computers to display ransom demands for payment by Bitcoin without enabling PCH to pay, instantly putting PCH’s entire network in a state of viral disintegration. According to PCH, NotPetya encrypted PCH’s entire computer network and destroyed all data content.
PCH alleged approximately $10.8 million in losses, including computer system damage, costs of an array of cybersecurity consultants, and revenue loss caused by a 10-month business interruption. PCH described the following consequences of NotPetya:
- Being forced to divert ambulances and turn away patients to other hospitals
- Long wait times in PCH’s emergency room and other hospital service areas, causing patients to go to other hospitals for treatment
- Being forced to refer patients to other health care providers
- An increase in PCH’s competitors’ marketing strategies focused on shorter wait times to capitalize on PCH’s impairment
- Hiring cybersecurity vendors, remediation consultants, data-breach counsel, a cyber-forensics investigation firm, a vendor to assist with regulatory notifications, and various third-party vendors to assist with recovering from the attack
PCH obtained a recovery from its insurance provider. After applying the insurance proceeds, PCH alleged a net loss of $6.8 million. Accordingly, PCH sued Nuance for $6.8 million, alleging both breach of contract and negligence by Nuance.
Agreement
In reaching its decision, the court interpreted the following provisions of the agreement and BAA:
12.2 Nothing in this Agreement shall be taken to exclude or limit Nuance’s liability for fraud or fraudulent misrepresentation, for intentional or criminal misconduct; for death, personal injury or tangible property damage caused by its negligence in providing services ….
12.3 Subject to the foregoing provisions of this Section, Nuance shall not be liable for loss of profits or revenues, loss of anticipated savings, loss of customers, or loss of use of any software or Data, nor for any special, consequential or indirect loss or damage, costs … which arise out of or in connection with this Agreement ….
12.4 Save for Nuance's liability under the second subsection of this Section 12 (“Limitation of Liability”), … Nuance's total liability shall not exceed … 100% of the amount paid by the Company during the corresponding Annual Period.
14.2 Except for the obligation to make payments, nonperformance of either Party shall be excluded to the extent that performance is rendered impossible by strike, fire, flood, acts of God, governmental acts or orders or restrictions, acts of terrorism, war, failure of suppliers ….
[Nuance] shall reimburse, indemnify and hold harmless [PCH] for all costs, expenses (including reasonable attorneys' fees), damages and other losses resulting directly from any negligent breach of this Business Associate Addendum, Security Incident or Breach of PHI maintained by [Nuance] ….
Nuance’s Key Arguments
In support of its motion to dismiss, Nuance asserted that, pursuant to Section 12.3 of the agreement, Nuance had no liability for PCH’s losses. In particular, Nuance noted the language in Section 12.3 that stated “... Nuance shall not be liable for loss of profits or revenues, loss of anticipated savings, loss of customers, or loss of use of any software or Data, nor for any special, consequential or indirect loss or damage, costs, expenses, or other claims for consequential compensation, however caused …”
Nuance also asserted the indemnification provision in the BAA did not apply to first-party claims such as, in this case, PCH’s claim for its losses. Nuance further asserted the BAA was subject to the liability limitations in the agreement. Furthermore, Nuance asked the court to find as a matter of law that Section 12.4 of the agreement capped PCH’s damages to the total of the fees paid by PCH to Nuance in the 12-month period preceding PCH’s losses.
In addition, Nuance argued the force majeure provision in Section 14.2 of the agreement excused Nuance from liability for PCH’s losses. For this point, Nuance relied upon the provision’s language: “... nonperformance of either Party shall be excluded to the extent that performance is rendered impossible by ... governmental acts or orders or restrictions, acts of terrorism, war ...” Because NotPetya was a cyberattack by the Russian military, Nuance reasoned it should have no liability for PCH’s losses.
Finally, Nuance argued the gist of action doctrine and economic loss rule barred PCH’s negligence claim. For this argument, Nuance asserted the gist of action doctrine bars an action in tort if a party establishes one of the following:
a) The liability arises from the contractual relationship
b) The alleged breached duties were grounded in contract
c) The liability stems from the contract
d) The tort claim essentially duplicates the breach of contract claim or the tort claim’s success depends on the success of the breach of contract claim
Also, Nuance asserted the economic loss rule requires physical harm or property damage to support tort liability. Nuance argued that, because of the agreement and lack of property damage, the gist of action doctrine and economic loss rule barred PCH’s negligence claim.
PCH’s Key Arguments
In opposition to Nuance’s motion to dismiss, PCH argued that Section 12.3 of the agreement did not preclude its claim for losses. For this argument, PCH relied on Section 12.3 beginning with the phrase, “Subject to the foregoing provisions of this Section” and Section 12.2 stating the following: “Nothing in this Agreement shall be taken to exclude or limit Nuance's liability for ... tangible property damage caused by its negligence in providing services at Company locations; or to the extent that such exclusion or limitation is not otherwise permitted by law.” Based on these provisions, PCH argued that shutting down its computers was not merely a loss of data but was tangible property damage. In support, PCH alleged that, as a result of NotPetya, it was necessary for PCH to replace 59 workstations and rebuild its computer network from the ground up.
PCH also argued that public policy precludes the application of the agreement’s limitation of liability provisions. In this argument, PCH asserted Nuance had a statutorily imposed standard of conduct because of Nuance’s role as a business associate pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and related regulations. Accordingly, PCH argued that Sections 12.3 and 12.4 of the agreement should not limit Nuance’s liability.
Furthermore, PCH argued the indemnification provision in the BAA was not limited to third-party claims. PCH pointed to the reimbursement language in the BAA. PCH also pointed out that the language of the indemnification provision did not state the indemnifiable losses were limited to third-party claims.
In addition, PCH asserted that Nuance’s breach of duty did not fall within the force majeure provision of the agreement. PCH argued the force majeure provision only excuses nonperformance, not negligent performance.
PCH also argued that the gist of action doctrine did not bar its negligence claim because the claim was based on Nuance’s breach of an independent standard of care under HIPAA. Also, PCH argued that the economic loss rule did not bar its negligence claim because PCH suffered physical harm to its computer system and because of the parties’ special relationship under HIPAA.
Decision
In Princeton, the court interpreted the above-referenced provisions of the agreement in arriving at its decision to deny Nuance’s motion.
With respect to Nuance’s liability exclusion in Section 12.3 of the agreement, the court pointed out that Section 12.2 states “[n]othing in this Agreement shall be taken to exclude or limit Nuance's liability for ... tangible property damage caused by its negligence in providing services at Company locations; or to the extent that such exclusions or limitation is not otherwise permitted by law.” The court found that PCH’s pleading that its computer systems were all shut down and destroyed was a sufficient allegation of damage to the computers themselves, therefore constituting a sufficient allegation of tangible property damage caused by Nuance’s negligence. On this point, the court appears to have sided with the reasoning, which varies from court to court, that a computer shutdown is not merely a loss of data, but tangible property damage.
Regarding indemnification, the court found that PCH’s claims arguably fell within the BAA’s indemnification provision, referring to the provision’s reimbursement language and to the fact that the language did not expressly limit PCH’s ability to recover first-party losses from Nuance. The court determined there was at least an argument that the indemnification provision was ambiguous as to whether it covered first-party claims.
After considering PCH’s argument that Section 12.4 of the agreement should not apply because of Nuance’s statutory duty of care under HIPAA, the court declined to find as a matter of law that Section 12.4 capped the damages available to PCH. However, the court indicated that Nuance may renew its request for the finding by filing a motion for partial summary judgment.
Addressing the force majeure issue, the court indicated Nuance had not established that its actions constituted “nonperformance” within the meaning of the force majeure provision. In particular, the court explained it was unclear whether the force majeure provision applied, leaving room for PCH’s argument that the force majeure provision only excuses nonperformance, not negligent performance.
The court declined to dismiss PCH’s count pursuant to the gist of action doctrine in view of PCH’s allegations regarding Nuance’s negligence. This will enable PCH to argue the gist of action doctrine does not apply because of Nuance’s breach of a statutory standard of care under HIPAA.
Likewise, the court declined to find that PCH’s negligence claim was barred by the economic loss rule, unpersuaded by Nuance’s argument that NotPetya did not cause property damage. The court found it could not, at the current stage of litigation, conclude that PCH suffered purely economic losses or that Nuance and PCH did not have a special relationship under HIPAA.
Pro-Customer Considerations
As in this case, many IT agreements have a liability exclusion provision that excludes liability for consequential, indirect, and special damages. Also, as in this case, many IT agreements have a liability cap provision that limits the vendor’s total liability in contract and tort to one of the following: a specified amount, the total fees paid to the vendor over a specified time period (e.g., six, twelve, or more months preceding the claim), or an amount available under the vendor’s insurance policy.
For the customer’s protection, it is common to draft exceptions to, at minimum, the liability cap provision. However, as Princeton illustrates, it is also important for customers to draft exceptions to the liability exclusion provision. This enabled PCH to pursue damages for its costs and loss in revenue allegedly caused by NotPetya.
Of the traditional exceptions, professionals often draft exceptions for damages arising from: 1) unauthorized access to data in the possession or control of the vendor; 2) a breach of the vendor’s obligations related to confidentiality, data security, or the BAA; or 3) any third-party claim for which the vendor is obligated to indemnify the customer. However, this traditional approach can fall short in the circumstance of a ransomware cyberattack like NotPetya.
Therefore, professionals should draft additional exceptions for damages arising from: 1) unauthorized access to the customer’s IT environment or data caused by an act or omission of the vendor or 2) damage to, impairment of, disablement of, or loss of use of any computer system, hardware, software, data, tangible property, or any other property caused by an act or omission of the vendor. This will help avoid the risk of a court finding that data is not tangible property. Also, these additional exceptions will help address the risk caused by the vendor’s opening or mismanagement of ports, tunnels, or other entryways into the customer’s IT environment, which may be caused by the vendor’s misuse or mismanagement of login credentials, application programming interfaces (APIs), or other means supplied by the customer.
Professionals should also consider bolstering the indemnification provision to clarify the vendor’s indemnification obligation applies to the customer itself as well as third parties. Using reimbursement and first-party claimant language may also be helpful.
Furthermore, in the force majeure provision, professionals should clarify that the vendor is not excused from its obligation to safeguard against cyberattacks, and the provision does not waive the vendor’s liability for preventable damages.
In addition, professionals should include a provision requiring the vendor to obtain and maintain a cyber-insurance policy with a suitable limit, such as a limit of $20 million per claim depending on the circumstances.
Pro-Vendor Considerations
In prioritizing deal terms for IT vendors, professionals rightfully consider the main business role of the vendor. Is the vendor in the business of storing or processing the customer’s data? If not, professionals often deprioritize the risk related to data liability. However, as Princeton demonstrates, vendors can face substantial data-related lability even though they play a role limited to supplying and supporting software operating on customer servers. In other words, even vendors that solely offer their software via download face this risk. Therefore, professionals should consider this risk when drafting and negotiating liability exclusion and liability cap provisions, exceptions to these provisions, and indemnification provisions.
It is also important for professionals to consider the customer’s role in protecting its data. Much of what can prevent a cyberattack is within the customer’s control, not the vendor’s. It is possible that a customer may suffer a cyberattack caused by any act or omission of the customer, the vendor, or a combination of the two. The actual cause may not be ascertainable until discovery in litigation. In Princeton, PCH alleged to have installed a Microsoft patch to properly safeguard against NotPetya, and PCH alleged that Nuance failed to install this patch. However, was PCH’s patch an adequate security safeguard? Were PCH’s network access management procedures, firewalls, and security configuration deficient? The answers to these questions may reveal that PCH was fully or partially the cause of the NotPetya attack.
For this reason, professionals representing vendors should include provisions that obligate customers to safeguard their data and IT environments, maintain confidentiality, and comply with applicable law. Even though the vendor may have its data-security obligations, the IT agreement should, for example, obligate the customer to maintain adequate firewalls, network monitoring, data backup, and network access protocols for its personnel.
Professionals should negotiate to exclude all liability caused by any event or condition that is not completely within the vendor’s control, such as the customer’s IT environment, including the customer’s servers, hardware, and software.
In addition, professionals should consider adding language providing that the liability exclusion and liability cap provisions apply to negligence claims based on any statutory duties or standards of conduct or care imposed by applicable law, regulation, or public policy.
Consistent with the approaches outlined above, professionals should also include an indemnification provision for the vendor’s protection. Among other claims and damages, this provision should provide the vendor with indemnification for damages arising from 1) unauthorized access to data arising from an act or omission of the customer; 2) unauthorized access to the customer’s IT environment or data caused by an act or omission of the customer; 3) the customer’s breach of the agreement; 4) the customer’s negligence; or 5) the customer’s violation of applicable law.
Furthermore, professionals should include a provision requiring the customer to obtain and maintain a cyber insurance policy with a suitable limit.
Conclusion
The Princeton decision highlights the importance of carefully drafting and negotiating the limitation of liability, indemnification, force majeure, and insurance provisions of IT-related contracts. In this case, Nuance provided medical dictation software products, not security or firewall software. Still, Nuance faces a multi-million claim related to a worldwide cyberattack. As of the date of this writing, Nuance faces a similar lawsuit in Pennsylvania federal court brought by Heritage Valley Health Systems.
Barclay Damon assists clients with drafting and negotiating a wide array of IT-related contracts, including website and online terms of use, privacy policies, platform services agreements (PSAs), cloud services agreements, software as a service (SaaS) agreements, end user license agreements (EULAs), service level agreements (SLAs), app license agreements, master services agreements (MSAs), master license agreements (MLAs), and business associate agreements (BAAs).
The contract language and approaches outlined above are not necessarily suitable for any specific agreement. The language in an actual agreement should be tailored and customized for the particular facts, objectives, and circumstances of the parties. For assistance with a particular matter, please contact the authors of this alert.
1 Princeton Community Hosp. Assn. v Nuance Communs., Inc., 2020 US Dist LEXIS 60490 [SD W Va Apr. 6, 2020, No. 1:19-00265].
2 “BAA” is commonly used to refer to a business associate agreement or business associate addendum pursuant to HIPAA. See 45 CFR 164.504(e). BAAs, if necessary, are commonly incorporated into a service or master agreement by reference.
If you have any questions regarding the content of this article, please contact Renato Smith, partner, at rsmith@barclaydamon.com; Bridget Steele, associate, at bsteele@barclaydamon.com; or another member of Barclay Damon’s Corporate or Health Care Practice Areas or Cybersecurity Team.