All vendor agreements contain a limitation of liability clause. This is common and comports industry practice. The wording of that clause in the overwhelming majority of vendor form agreements is written such that the vendor has little (and sometimes no) liability for breaches of the agreement, including security breaches. Unless that clause is drafted properly, even the strongest information security obligations are essentially illusory. It is not enough to have outstanding information-security obligations; the vendor must also have enough skin in the game to ensure they take those obligations seriously.”]