Indemnification for Data Breaches: Understanding and Allocating Risk
Many contracts between companies and their service providers have broad indemnification provisions. How do those provisions apply in the context of a privacy breach?
Today’s post looks at that question—in particular, a recent federal decision called CVS Pharmacy, Inc. v. Press America, Inc.
Misdirected Mailings Lead to Major Fee Adjustment
CVS Pharmacy is a pharmacy benefits manager for group health plans, such as IBM’s group health plan. CVS’s services included mail-order pharmacy services.
CVS hired Press America to print and mail information to beneficiaries. The mailings often contained beneficiaries’ protected health information (PHI).
Press America made a mistake in one of the mailings; that mistake resulted in 41 separate unauthorized disclosures of IBM beneficiaries’ PHI. Under its contract with IBM, CVS had to pay nearly $2 million to IBM for those disclosures—an amount that CVS had agreed to pay as a “fee adjustment” for privacy breaches.
CVS turned to Press America to recoup the $2 million. Under its contracts with CVS—including a HIPAA business associate agreement—Press America had to indemnify CVS for any liability, cost, or expense “arising out of or in connection with” any breach of PHI within Press America’s control.
Press America refused to pay, so CVS sued.
Secrecy Is No Defense to Indemnity
Press America moved to dismiss.
First, it argued that it had no awareness of the CVS-IBM contract, and so could not have agreed to indemnify CVS for payments made under that contract. That contract had a confidentiality provision that barred CVS from even disclosing the existence of the fee adjustment provision.
Press America also argued that CVS’s payment to IBM constituted an unenforceable penalty.
The court didn’t buy either argument.
The court homed in on the plain language of the indemnification provision. That language called for indemnification based on any liability “arising out of or in connection with” a data breach and appeared broad enough to encompass CVS’s payment to IBM.
The court also observed that the provision lacked any express exclusion for contractual payments made to third parties because of Press America’s negligence.
The court then considered whether the parties meant for the CVS payment to IBM to fall within the indemnification provision. That question, the court found, could not be resolved on the pleadings.
The court also rejected Press America’s penalty argument. As the court explained, Press America could have contracted with CVS for the right to challenge on CVS’s behalf the enforceability of any payment obligations that might give rise to a claim for indemnification. Having failed to do so, Press America lacked standing to challenge the enforceability of the IBM contract.
Data-Breach Indemnification: What You Don’t Know Can Hurt You
If you prepare HIPAA business associate agreements or other contracts that contemplate the handling of sensitive personal information, Press America is an important read.
As the decision shows, boilerplate indemnity language that applies to privacy and data security failures can be a potent weapon when a breach occurs—especially given the many sources from which losses can arise. These can include claims by affected individuals, fines and other penalties imposed by regulators, and—as Press America shows—contract obligations owed to third parties.
Parties who fail to understand and anticipate their potential exposure under data breach-related indemnification provisions do so at their own peril. That’s especially true for parties who act as subcontractors. As Press America discovered only after the fact, their exposure can include undisclosed payment obligations owed to end customers.
Author: Alex Pearce