Most damages resulting from data breaches at Software as a Service (SaaS) providers are not direct damages. Direct damages are those that are the “natural and probable consequence” of a breach of contract. SaaS providers often provide services that include storing sensitive user data on their customers' behalf.
Data breaches that result in access to sensitive user data can result in significant civil and statutory liability. However, many courts do not view such liabilities as a “natural and probable consequence” of the breach of a SaaS agreement. Rather, direct damages are considered to be limited to the value of the primary service provided under the SaaS agreement.
Because many SaaS agreements exclude liability for any damages other than direct damages, customers may have no recourse against a SaaS provider when the provider suffers a data breach. Although it may be difficult to negotiate, customers should attempt to carve data breach damages out of the agreement's liability waivers and limitations.
Another strategy is to expressly include the protection and storage of sensitive user data in the description of primary services provided under the SaaS agreement. This may increase the likelihood that a court views the protection of sensitive user data as part of the primary service provided under the SaaS agreement; hence, damages resulting from the failure to provide such service would be available as direct damages.