MATTHEW SPOHN, J.
This article discusses the effects and enforceability of consequential damages waivers in technology contracts, under both the common law and the Uniform Commercial Code.
Contract forms are notoriously slow to evolve. Sprinkled with musty anachronisms like “witnesseth” and “hereinafter,” they comfort drafters with the feeling that they are treading a well-worn path of competence.
But the business world evolves much faster than our contract forms, and as a result those forms can be traps for the unwary. This is especially true in the context of technology-related contracts, where the risk of a data breach lurks in nearly every transaction. Even where the parties negotiate specific confidentiality and data privacy terms, the drafter must pay special attention to the contract’s “boilerplate” limitation of liability terms. The typical technology contract will contain a section titled “limitation of liability” with two key provisions: one capping the vendor’s total liability at some amount (often the total fees paid under the contract, or fees paid in the prior 12 months, or some multiple thereof), and one stating that the vendor will not be liable for any consequential, incidental, or indirect damages.
Lawyers and non-lawyers alike appreciate the meaning of the damages cap, and often negotiate it. But the consequential damages waiver often reads as if it only excludes remote or speculative damages, and may receive less attention—even though it can have very serious consequences. As recent cases from other jurisdictions illustrate, the consequential damages waiver can leave a company without a monetary remedy when its vendor allows the company’s data to be breached or disclosed.
This article examines those recent cases and analyzes whether the result would be the same under Colorado law, given its definition of consequential damages and its regime governing the enforceability of consequential damages waivers under the Uniform Commercial Code and the common law. The article concludes with recommendations on how to address data breach risk when presented with a contract containing a blanket waiver of consequential damages.
The Silverpop Case
The power of a contract’s consequential damages waiver was most recently illustrated in an Eleventh Circuit Court of Appeals decision, Silverpop Systems, Inc. v. Leading Market Technologies, Inc.2 In that case, the appellate court summarily affirmed the federal district court’s “well-reasoned and thorough decision,” finding, among other things, that the parties’ consequential damages waiver barred all damages caused by a technology vendor’s data breach.3
The defendant was a digital marketer that had hired the plaintiff vendor to distribute advertising content using the marketer’s confidential email address list. But hackers accessed the portion of the vendor’s network where the marketer’s email list was stored, and the list may have been misappropriated (though this could not be confirmed). The vendor sued for unpaid invoices, and the marketer counterclaimed for breach of the confidentiality provisions in their agreement, alleging that the value of its confidential email list was diminished by the vendor’s data breach. The vendor moved for dismissal of that claim, with the argument that those damages were consequential and were therefore barred by the consequential damages waiver in their agreement, which read, “In no event will [the vendor] be liable to the other party . . . for any . . . consequential damages . . . in any way relating to this agreement.”4 Claims for breach of confidentiality were exempted from the contract’s separate cap on total damages, but were not exempted from that consequential damages waiver.5
Applying Georgia law, the court found that the lost value of the marketer’s data was a consequential rather than a direct damage, and therefore was barred by the parties’ agreement. As a result, the court dismissed the marketer’s claim for breach of the contract’s confidentiality obligations; the marketer was left without a remedy.6
The Allen Brothers Case
Silverpop echoes Allen Brothers, Inc. v. Abacus Direct Corporation, a prior case decided by the U.S. District Court for the Northern District of Illinois, which applied Colorado law.7 In Allen Brothers, the plaintiff was a “purveyor of fine meats” that contracted with the defendant to obtain market research services; in exchange, the meat purveyor provided the market researcher with access to its confidential customer database. The vendor then sold that customer database to an intermediary, which sold it to the meat purveyor’s competitor. The meat purveyor sued its vendor, alleging that the vendor’s sale of the customer database violated their contract’s confidentiality provisions.
Despite negotiating protections for the confidentiality of the data it provided to its vendor, the meat purveyor agreed to a limitation that the parties “will not hold each other responsible for any incidental or consequential damages including but not limited to lost profits, lost data, or lost business that may arise from this relationship regardless of the cause.”8
Upon the vendor’s motion to dismiss, the court found that the purveyor had pled a valid claim for breach of the contract’s confidentiality provisions. But the court dismissed the purveyor’s claim for damages, which it had characterized as “lost sales and lost business opportunity,” finding (without analysis) that they were covered by the contract’s consequential damages waiver.9 When the purveyor amended its complaint to re-characterize its damages as the lost value of its data, the court dismissed that claim as well, reasoning that that it was the “doppelganger” of the previously dismissed damages claim.10 The purveyor’s attempts to seek disgorgement of the vendor’s profits from its acts, or a refund of sums paid under the contract, were also dismissed under Colorado law.11 In addressing why the meat purveyor may not also bring a claim for equitable relief, founded upon the lack of an adequate remedy at law, the court concluded:
[The meat purveyor] may sincerely believe, with the benefit of 20/20 hindsight, that agreeing to a very restrictive limitation on damages was a bad idea. But this belief is not enough to show that there is no adequate remedy at law. Instead, it simply shows that there is no relief available under the parties’ contract.12
Together, Silverpop and Allen Brothers suggest that one should proceed with caution any time a contract containing a confidentiality clause also contains a blanket waiver of consequential damages. But under Colorado law, does a consequential damages waiver bar all damages for a confidentiality breach, as occurred in these cases?
Consequential Damages versus Direct Damages
To assess the effect of a consequential damages waiver, attorneys must understand how consequential damages are defined and distinguished from other damages. For contract actions, Colorado follows the familiar definition announced over 150 years ago in Hadley v. Baxendale.13
First, a plaintiff may recover those damages that “may fairly and reasonably be considered . . . arising naturally, i.e., according to the usual course of things, from [the] breach of contract itself.”14 These are termed direct, or general, damages.15 The parties to the contract need not actually foresee those damages—the damages must only be reasonably foreseeable to an ordinary person, as a probable consequence of a breach.16
Second, a plaintiff may recover those damages “such as may reasonably be supposed to have been in the contemplation of both parties, at the time they made the contract, as the probable result of the breach of it.” These are termed consequential, or special, damages.18 They are damages that would not have been foreseeable to an ordinary person, but were foreseeable to the parties because of unusual circumstances that the parties had reason to know.19
In either instance, foreseeability is judged at the time the contract was entered into.20 As explained by the Colorado Supreme Court, “[t]he Hadley rule is designed to further a fundamental principle of contract law: parties must be able to confidently allocate risks and costs during their bargaining without fear that unanticipated liability may arise in the future, effectively negating the parties’ efforts to build these cost considerations into the contract.”21 Given that parties to contracts are only responsible for damages they should have reasonably foreseen at the time they formed their contract, they can take those risks into account in negotiating that contract.22 “In other words, Hadley guarantees the fairness of a bilateral agreement by protecting the parties from unanticipated liability arising in the future.”23
But even using Hadley’s facts as an example, it can be difficult to apply Hadley’s test of direct and consequential damages. In that case, the plaintiff owned a mill whose crankshaft broke, shutting down operations. The mill owner contracted with the defendant, a common carrier, to transport the broken crankshaft to the manufacturer, which had committed to build a new one in its pattern as soon as possible. The mill owner’s employee told the carrier’s clerk “that the mill was stopped, and that the shaft must be sent immediately.”24 The carrier’s clerk committed to deliver it the next day, but through the carrier’s neglect the crankshaft was not delivered on time, and the mill owner lost several days’ worth of profits.
The court found that those lost profits were not recoverable...