Data Availability and Retention – Managing Consequential Loss Risks
In this article, with database technology consultant Rob Nicholson from Nicholson SQL, we examine how consumer guarantees and consequential loss liability applies in the context of data storage, retention, and overall system availability. We’ve written recently about consumer guarantees and consequential loss. In a previous article, we addressed:
- who counts as a ‘consumer’ (the definition sometimes applies in surprising ways); and
- the meaning of ‘consequential loss’.
The important point is that when you are involved in an arms-length business-to-business transaction, consumer law may still capture the transaction. In this article we look at the potential scope of consequential losses in a tech context, and some strategies for managing the consumer guarantee risks.
Liabilities for losses caused by breaches of the consumer guarantees are not limited to recovering the loss in value of the good or services caused by the failure to meet a consumer guarantee. They may also include compensation for losses that are ‘reasonably foreseeable’. These losses are called ‘consequential losses’.
The consumer law concept of a ‘reasonably foreseeable’ loss can be quite difficult to apply in an IT situation. A classic example of a reasonably foreseeable loss is that of a building burning down due to a malfunction in a faulty toaster. In the physical realm, it is usually easier to draw the line of causality – for example, the faulty toaster causing a fire, or shorting electricity circuits. In the digital realm, it’s often less clear – but what is apparent is that the scope of consequential losses can balloon out more easily than in the physical world.
What happens if you are managing data for customers who are consumers, and systems are not available or have crashed? It does not matter if you have backups if the network cannot be used or the power is out. If you provide a data storage system, and a consumer could not access their system for two days, losing two days of income, are you liable for losses to them? If the losses are reasonably foreseeable consequences of your breaching a consumer guarantee, then you may well have to take on that liability. Here are some examples of what can cause loss of availability:
- the data centre losses power and it takes hours to restore;
- a hard disk fails it needs to be replaced but will take days to order;
- a network device fails, the server is on but consumers cannot connect;
- a staff member spills coffee on the server leaving it inoperable;
- an application code upgrade leaves the system unavailable until it can be rolled back;or
- the system is attacked by malware or Denial of Service leaving consumers unable to connect.
Risks Associated with Unwanted Disclosure
What happens if someone internal or external to the organisation views or copies valuable data? Disclosure of certain kinds of data can result in an array of consequential losses. With financial information such as credit card details, the attacker could use this data to commit fraud or cause financial (consequential) damage to those affected. If thousands of credit numbers from a large database were exposed and subsequent transactions were made, the accumulated damages could be massive. Disclosure of personal information such as names, addresses, contact details, and date of birth could lead to fraud (identity theft) and possibly physical harm to the individuals. If these losses turn out to be reasonably foreseeable consequences of your breach of a consumer guarantee, your liability could be huge.
Here are some examples of unwanted disclosure:
- someone physically breaking into a server room and stealing the hard disks;
- a staff member within the organisation looking up this information in the interest of curiosity or malice;
- a hacker breaking into the system from the Internet to steal data;
- a staff member accidently sending information to the wrong person; or
- a phishing website that collects user information.
Managing Consequential Loss Risks Through Contracts
The liabilities that tech businesses may be exposed to as a result of consumer guarantees and consequential losses are quite intimidating. This is not helped by unavoidable uncertainty about what consequences are foreseeable results of breaching a guarantee. One key way to manage your exposure is through contractual provisions that manage customers’ expectations. This does not necessarily settle the question of what losses will be foreseeable consequences of a breach of guarantee. What it can do, though, is help to limit the application of some consumer guarantees in the first place. The usual way to do this is through a Service Level Agreement (SLA).
An SLA can set expectations about service availability, data security and data retention. It can help you to clarify customers’ expectations about the level of care, skill, security or quality associated with these features of the service. For example, the guarantee of acceptable quality (which can apply to goods like software) can be shaped by consumer expectations. ‘Acceptable quality’ is determined by looking at the expectations of a reasonable customer, fully acquainted with the state and condition of the goods, including any hidden defect. An SLA helps to acquaint customers with these matters.
An SLA will clarify and formalise when a consumer can and can’t rely on your skill and judgment. This may limit your exposure under the guarantee of fitness for purpose. The fitness guarantee does not apply if the consumer did not rely on your skill and judgment, or it would be unreasonable to have such reliance. The SLA may help to prevent customers from relying on you to control or protect against things that are in fact beyond your control (like zero day viruses, or certain forms of malicious hacking or disclosure). By limiting the application of the guarantees, you limit your exposure to liability for consequential losses.
- You may have to pay for ‘reasonably foreseeable losses’ caused by your failure to meet consumer guarantees.
- The scope of these losses in the context of data retention or availability of online services is potentially very wide and very deep.
- Contracts and service level agreements can help to clarify consumer expectations.
- Clarifying expectations may protect tech businesses from heavy burdens that might otherwise apply under consumer guarantees.