Allocating liability for data breaches in technology contracts is a growing concern for Canadian businesses. Blakes recently launched the first edition of the Canadian Data Liability Study, which identifies and analyzes market trends related to data liability in negotiated commercial technology agreements.
This article highlights the study's key findings and provides guidance on best practices for managing data-related liability.
- Separate Liability Caps. One of the most significant findings of the study was the widespread use of separate liability caps for data breaches. About 75% of agreements imposed a cap on data-related liability, and of those, 65% featured a distinct cap for data issues. This approach reflects the heightened risk of data breaches while avoiding unlimited liability, allowing parties to bridge the gap between a general limitation of liability and the reality of potentially catastrophic data losses.
- Regulatory Developments. Regulatory compliance remains a driving force behind the need for clear contractual provisions. Canadian privacy and cybersecurity laws are evolving rapidly, with mandatory breach notification regimes and new enforcement powers raising the stakes. Proposed amendments to federal law are expected to align with these stricter provincial regimes, and industry-specific obligations in finance, health and telecom further complicate compliance.
- Breach Cost Drivers. The study highlighted the staggering financial impact of data breaches, underscoring why liability caps are so heavily negotiated. According to industry research, the average cost of a data breach in Canada is approximately US$4.66-million, with larger breaches exceeding US$375-million. These costs stem from investigation, crisis management, regulatory reporting, credit monitoring, lost business and more. Understanding these costs helps parties assess appropriate liability limits and set realistic caps relative to potential exposure.
- Litigation Precision. From a litigation perspective, liability caps, exclusions and definitions must be drafted with precision. Courts interpret caps narrowly, and poorly defined exclusions for indirect or consequential damages can create disputes over recoverability. Concepts like breach of confidence and intentional misconduct, when not clearly carved out, may undermine intended risk allocation.
- International Trends. The Canadian market appears broadly aligned with international trends. Parties negotiating with global vendors and customers will encounter similar approaches to liability caps, indemnities and insurance obligations across jurisdictions, tailored only to accommodate local legal nuances. As international standards continue to evolve, Canadian businesses should anticipate higher liability expectations and prepare to revisit templates and negotiation strategies to stay competitive.
For permission to reprint articles, please contact the bulletin@blakes.com Marketing Department.
© 2025 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
