In Silverpop Systems, Inc. v. Leading Marketing Technologies, Inc., in a per curiam decision, the US Court of Appeals for the Eleventh Circuit affirmed and adopted the US District Court for the Northern District of Georgia’s opinion and reasoning that a provider of digital marketing services was not liable for damages for an alleged breach of a service contract’s confidentiality provision when it suffered a data breach exposing a customer’s email list ( (11th Cir. Jan. 5, 2016)).

Silverpop Systems, Inc. provided digital marketing services to Leading Market Technologies, Inc. (LMT) under a service agreement that allowed LMT to access Silverpop’s web-based email marketing tool. LMT uploaded digital advertising content and recipient email addresses to Silverpop’s system, which ultimately stored nearly 500,000 of LMT’s customers’ email addresses. In November 2010, unidentified parties gained access to the information stored on Silverpop’s system, possibly exporting LMT’s customer email list.

Silverpop thereafter sought a declaratory judgment that it was not liable for damages to LMT, and both parties sought summary judgment on whether Silverpop breached the parties’ contract. LMT argued that Silverpop breached the confidential information provision of the parties’ agreement by failing to protect LMT’s customer list from disclosure to third parties. Silverpop argued that LMT could not:

In granting Silverpop’s motion for summary judgment, the district court assumed that LMT had suffered damages. The district court then assessed whether the contract prohibited the damages LMT sought because they were consequential damages. The district court explained that:

The court found that any damages LMT suffered were not the result of a failure to perform the contract. Instead, the damages resulted from the breach of a specific term of the agreement, the confidentiality provision, and were therefore non-recoverable consequential damages.

The court also found that the provision barring recovery of consequential damages survived termination of the agreement, rejecting LMT’s argument that it expired because it was not enumerated in the survival provision. The court explained that the survival clause only applied to performance obligations of the agreement. Alternatively, the court found that since the agreement was in force at the time of the alleged breach, the limitation on damages applied when LMT’s damages were fixed.

The district court also granted Silverpop’s motion for summary judgment on LMT’s negligence counterclaim. Assuming that Silverpop had a duty to conform its conduct to a particular standard to protect against data breach, the district court agreed with Silverpop that LMT failed to present evidence to establish the applicable standard of care. As a result, LMT was unable to establish a breach of that standard.

The court's decision provides a useful reminder for parties drafting contracts that provide for sharing confidential data. In drafting contracts, parties should carefully consider in particular provisions that: