The Data Breach Battle: Why You Lose Before You Start – Part 2
Following on from last week’s Oh Lawdy! (answering a reader’s question)...
Maximising your negotiating power as a buyer
If you are a seller, the best way to fix that problem is by using the SSSU – the Sales-Side Set Up. For more information on the SSSU, see Risk is a Price Point – SSSU!
If you are a buyer, it’s the same approach, but reversed. As a buyer, the best way to approach contract negotiations is – before the negotiation – to say (ideally to more than one potential seller):
Here’s what I’m looking for: I want a service that does ABC, and I want the key terms of the contract to be X, Y, Z.
Now price to this.
Why is it important to do this before the negotiation? Because that’s when a buyer’s negotiating power is at its maximum. When assessing potential suppliers, a buyer’s negotiating power is at 100. When you announce your preferred supplier, your negotiating power goes down to something like 20. That means that not only do you get a worse deal, but the contract negotiation also takes that much longer and costs more.
For more on this, check out Buyer Negotiating Power.
Insurance
Apart from general boilerplate insurance clauses, I do not think that insurance should form part of the negotiation around limitations of liability. There are a number of reasons for this:
The buyer and the supplier are both able to take out insurance for a particular event. There is no particular reason why it should be the supplier rather than the buyer.
If it’s a small company selling to a large company, it’s going to be cheaper for the large company to buy the insurance (even if the cost gets passed back to the seller as a discount).
If the seller decides to take on additional risk, it’s up to them how they deal with that additional risk (i.e. whether they take out additional insurance, increase security, or do nothing).
Most contracts are multi-year, but insurance is normally sold on a per-year basis. The price you pay for Year 1 is not necessarily the price you pay for Year 2, particularly if the insurance has been triggered. As a seller, assuming that you will pay the same premium in every year of the contract is optimistic.
If you are a buyer buying from a SaaS company, then it’s likely that any breach will affect all the supplier’s customers, not just you. If that’s the case, and it’s a serious breach, then there’s a reasonable chance that the seller’s insurance won’t be enough to cover all the breaches. On the other hand, if you are the buyer and you take out your own insurance, you know you will be covered.
10th February 2026