Skip to Main Content
Services Talent Knowledge
Site Search
Menu

News

March 17, 2025

New York Law Journal, "Hacking the Contract: How Cybersecurity Failures Can Be a Business's Best Bargaining Chip"

Charles Nerko, team leader for data security litigation in Barclay Damon's Data Security & Technology Practice Area, and Xun Chen, associate, had their “Hacking the Contract: How Cybersecurity Failures Can Be a Business’s Best Bargaining Chip” article published in New York Law Journal. The article explores how cybersecurity breaches can be used as tools to renegotiate terms, exit unfavorable agreements, or demand better performance leveraged in business relationships. Charles and Xun suggest that rather than passively absorbing risk, businesses should proactively use cybersecurity weaknesses to gain contractual leverage.

Charles and Xun assert that cybersecurity should be treated as a core contractual obligation—on par with price, quality, or delivery. Many vendors fail to meet basic security benchmarks, even among Fortune 500 companies. Yet businesses rarely scrutinize these standards before problems arise. Conducting proactive security reviews—like quality control inspections—can convert vague boilerplate promises into actionable leverage, especially when dealing with costly or outdated vendors.

Commissioning third-party security audits of vendors can uncover hidden vulnerabilities that serve as powerful negotiation tools. Charles and Xun cite Verizon’s acquisition of Yahoo as a prime example, where security breaches resulted in a $350 million reduction in the purchase price. In ordinary commercial settings, too, documented security failures can provide legal justification to terminate contracts, reduce fees, or demand better terms—transforming what seems like a liability into a financial opportunity. “Every cybersecurity failure has a price; the only question is who foots the bill,” the article said.

Finally, Charles and Xun’s article emphasizes how security lapses can override contract protections like liability caps. Courts have voided these limitations when failures amount to gross negligence or fraud, as shown in several New York cases. Misrepresentations about cybersecurity controls can also give rise to fraud and trade secret claims. The key message: businesses shouldn’t just manage cybersecurity—they should weaponize it strategically to reshape deals and enforce accountability in their commercial relationships.

Click here to read the full article.

Featured Media

Alerts

EPA Issues Memorandum Reminding States and Tribes of Their Limited Authority Under Section 401 of the Clean Water Act

Alerts

Non-Judicial Collateral Remedies, Part 2 – Sale of Collateral

Alerts

NYS Court of Appeals Applies the Assumption of Risk Doctrine to One Golf Course Injury but Not Another

Alerts

Bankruptcy Avoidance Actions, Part 2 – Fraudulent Transfers

Alerts

NYS Court of Appeals: CVA Plaintiff Must Prove Notice of Abuse Applying Then-Prevailing Standards in Decades-Old Sexual Abuse Case

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Darnell Williams, Tanisia Bowman, Dominique Tompkins, Kimberly Miller, and Judith Adela Fernandez Martinez—Targeting Businesses in Recent Flurry of Lawsuits