The Data Breach Battle: Why You Lose Before You Start – Part 1
A reader writes in.
“I know you have the post on "Risk is a price point", but one specific point that I've found that comes up repeatedly is around liability for data protection breaches.
On a number of occasions, I've had suppliers in their contract drafts limit their liability generally to 2x annual fees etc, but explicitly stay silent on data protection liabilities so they fall under the general clause….
When I've tried to change this, I've always seemed to have a battle. Some suppliers have argued that they can't possibly take such a liability, given the modest contract value to them.
My response has been that they should have insurance to cover them for data protection problems caused by them which should make the cost of pricing the risk modest across all their clients if their operations are up to scratch.
Anyway, I'd be interested in your take on this particular point.” [slightly edited]
There are three points here.
The first is the “risk is a price point” issue, and how it plays out if you are a buyer.
The second point is how to maximise your negotiating power as a buyer.
The third is the role of insurance in contract negotiations.
Risk is a price point
Although I’ve written primarily about risk as a price point from the seller’s perspective, the allocation of risk is clearly something that buyers should be thinking about too.
For any particular contract, there’s a finite amount of risk, and that risk has to be distributed between the buyer and the seller. The more a buyer pays then, logically (other things being equal), the more the risk should shift to the seller. The less the buyer pays, the more risk should shift from the seller to the buyer.
Problems usually arise because people typically agree the price before they agree the constituent parts of the price. To use the example given by the reader, it looks like the price has been agreed, and the parties are arguing over what elements are included in the price (in this case, a data protection breach).
This scenario is very common but, in my view, makes no sense. It’s a bit like agreeing the price of a car before agreeing its mileage, or agreeing the price of a meal in a restaurant, before agreeing what dishes are going to make up the meal.
The logical order for any contract is:
1. agree what you are buying/selling (i.e. including the key contract terms),
and then
2. agree the price and payment terms.
The reason that contract negotiations are so painful is that we often put the cart before the horse. We agree a few key points – price, duration – and then we try to retrofit the rest of the terms. More on this here: Why Is Contract Negotiation So Painful?
More in Part 2, next week.
3rd February 2026