Skip to Main Content
Services Talent Knowledge
Site Search
Menu

News

March 17, 2025

New York Law Journal, "Hacking the Contract: How Cybersecurity Failures Can Be a Business's Best Bargaining Chip"

Charles Nerko, team leader for data security litigation in Barclay Damon's Data Security & Technology Practice Area, and Xun Chen, associate, had their “Hacking the Contract: How Cybersecurity Failures Can Be a Business’s Best Bargaining Chip” article published in New York Law Journal. The article explores how cybersecurity breaches can be used as tools to renegotiate terms, exit unfavorable agreements, or demand better performance leveraged in business relationships. Charles and Xun suggest that rather than passively absorbing risk, businesses should proactively use cybersecurity weaknesses to gain contractual leverage.

Charles and Xun assert that cybersecurity should be treated as a core contractual obligation—on par with price, quality, or delivery. Many vendors fail to meet basic security benchmarks, even among Fortune 500 companies. Yet businesses rarely scrutinize these standards before problems arise. Conducting proactive security reviews—like quality control inspections—can convert vague boilerplate promises into actionable leverage, especially when dealing with costly or outdated vendors.

Commissioning third-party security audits of vendors can uncover hidden vulnerabilities that serve as powerful negotiation tools. Charles and Xun cite Verizon’s acquisition of Yahoo as a prime example, where security breaches resulted in a $350 million reduction in the purchase price. In ordinary commercial settings, too, documented security failures can provide legal justification to terminate contracts, reduce fees, or demand better terms—transforming what seems like a liability into a financial opportunity. “Every cybersecurity failure has a price; the only question is who foots the bill,” the article said.

Finally, Charles and Xun’s article emphasizes how security lapses can override contract protections like liability caps. Courts have voided these limitations when failures amount to gross negligence or fraud, as shown in several New York cases. Misrepresentations about cybersecurity controls can also give rise to fraud and trade secret claims. The key message: businesses shouldn’t just manage cybersecurity—they should weaponize it strategically to reshape deals and enforce accountability in their commercial relationships.

Click here to read the full article.

Featured Media

Alerts

Attention Providers! OMIG Audit Update: New Settlement Flexibility at Lower Confidence Payment Restored and DME Protocol Released

Alerts

NYS Trial Court Holds: Animals Are Family Too

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Victor Lopez, Myrna Driffin, Damon Jones, Tazinique Echols, and Ashley Bahena—Targeting Businesses in Recent Flurry of Lawsuits

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Brian Flores Gerardo, Jonathan Drummond, Makeda Evans, Andre Campbell, and Zephyrin Victor—Targeting Businesses in Recent Flurry of Lawsuits

Alerts

New York State Executive Order Expands Pharmacist Authority to Administer COVID-19 Vaccines Without Prescription

Alerts

Federal Judge Halts DOE's Crackdown on Diversity Programs