📊 Damage Caps

There's no universal "right" cap - it depends on the value of information being shared and the nature of the relationship. Here are common benchmarks:

  • Standalone NDAs (no commercial relationship): $100,000 to $1,000,000 is typical. Sometimes the cap is expressed as "not to exceed fees paid," with a minimum floor.
  • NDAs attached to services agreements: Often tied to fees - 12-24 months of fees paid or payable is common.
  • High-value trade secrets: $5M-$10M+ or unlimited for confidentiality breaches specifically.
  • M&A due diligence NDAs: Often higher caps or unlimited for confidentiality breaches given the sensitivity.

Key principle: The cap should bear some relationship to the potential harm. A $50,000 cap when sharing billion-dollar trade secrets provides essentially no deterrent or protection.

Negotiation reality: Sophisticated disclosing parties will push for confidentiality breaches to be carved out from any cap entirely. The compromise is often a higher "super cap" for confidentiality breaches versus other claims.

From the disclosing party's perspective, absolutely yes. Here's why:

  • Core purpose of NDA: The entire point of the agreement is protecting confidential information. Capping liability for the primary obligation defeats the purpose.
  • Disproportionate harm: A single confidentiality breach could cause damages far exceeding any reasonable cap (lost competitive advantage, regulatory penalties, customer defection).
  • Deterrent effect: Without meaningful liability exposure, there's less incentive to implement proper safeguards.
  • Insurance misalignment: Low caps may let the receiving party profit from breach if the value of misappropriated information exceeds the cap.

Sample carve-out language: "The limitations of liability set forth in this Section shall not apply to either party's breach of its confidentiality obligations under Section [X] of this Agreement."

Compromise position: If unlimited liability is rejected, negotiate a "super cap" for confidentiality breaches - perhaps 3-5x the general cap, or a fixed amount like $5M regardless of fees.

Unlimited liability for confidentiality breaches creates serious business risk. Here's how to negotiate:

Arguments to make:

  • "We need to be able to quantify and insure against our risk exposure"
  • "Unlimited liability would require board/executive approval that will significantly delay the deal"
  • "Our insurance doesn't cover unlimited contractual liability - we need a cap we can actually pay"
  • "We're a [startup/small company] - unlimited liability could destroy our business for an inadvertent breach"

Alternative structures:

  • Elevated cap: Accept a higher cap for confidentiality (e.g., $5M) while keeping general cap lower
  • Insurance-backed: Cap at insurance coverage limits, with commitment to maintain coverage
  • Willful breach carve-out only: Cap applies to negligent breaches; unlimited only for intentional/willful misconduct
  • Graduated caps: Cap increases based on severity (inadvertent vs. systematic vs. malicious)

This matters enormously and is often unclear in standard clauses. The difference:

  • Per-incident cap: Each breach triggers a separate cap. Ten breaches could mean 10x the cap amount in liability.
  • Aggregate cap: Total liability across all claims during the agreement term cannot exceed the cap, regardless of how many incidents occur.

Common language patterns:

  • "Total aggregate liability shall not exceed..." = aggregate cap (clearer)
  • "Liability for any claim shall not exceed..." = ambiguous, could be per-claim
  • "Combined total liability for all claims..." = clearly aggregate

Receiving party preference: Aggregate cap protects you from multiple claims depleting resources.

Disclosing party preference: Per-incident cap ensures each breach carries meaningful exposure.

Best practice: Make it explicit. Don't leave this to interpretation. Language like "aggregate total liability arising from all claims under this Agreement" removes ambiguity.

💥 Consequential Damages

Consequential damages (also called indirect, incidental, or special damages) are losses that flow from a breach but aren't its direct and immediate result. They include:

  • Lost profits: Business revenue you didn't earn because of the breach
  • Lost business opportunities: Deals that fell through due to breach-related problems
  • Reputational harm: Damage to your brand or customer relationships
  • Third-party claims: Lawsuits or losses from your customers or partners
  • Cost of capital: Interest on borrowed money needed to address breach consequences

Why they're excluded:

  • Unpredictability: Consequential damages can be enormous and hard to predict at contract signing
  • Proof difficulties: Hard to establish causation between breach and downstream losses
  • Insurability: Difficult or impossible to insure against unlimited consequential damages
  • Risk allocation: Parties want to know their maximum exposure

The NDA problem: Most real harm from confidentiality breaches IS consequential - lost competitive advantage, customer defection, regulatory penalties. A broad consequential damages exclusion can gut NDA protection.

In NDAs specifically, consequential damages exclusions are especially problematic because the primary harms from confidentiality breaches are almost entirely consequential in nature:

  • Competitive damage: If your trade secret reaches a competitor, your lost market share and lost profits are "consequential"
  • Customer loss: If customer data is leaked, customers leaving you is "consequential"
  • Deal failure: If M&A due diligence information leaks and kills the deal, that loss is "consequential"
  • Regulatory penalties: GDPR fines, HIPAA penalties - often considered "consequential"

What's left as "direct damages"? Often very little - perhaps just the cost of the information's creation or administrative costs of breach response.

Real-world example: Company A shares a trade secret manufacturing process worth $50M in competitive advantage. Company B leaks it to a competitor. With a consequential damages exclusion, Company A might only recover $10,000 in "direct" documentation and investigation costs.

Strong position: For NDAs specifically, consequential damages should NOT be excluded for confidentiality breaches, or the carve-out language should explicitly preserve them.

Yes, this is a common compromise structure. You maintain consequential damages exclusions generally, but carve out confidentiality breaches:

Sample language:

"NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES ARISING OUT OF THIS AGREEMENT; PROVIDED, HOWEVER, THAT THIS EXCLUSION SHALL NOT APPLY TO EITHER PARTY'S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER SECTION [X]."

Why this works:

  • Provides meaningful protection for the confidentiality provisions that are the core of the NDA
  • Maintains predictable liability for non-confidentiality matters
  • Recognizes that confidentiality breach damages are predominantly consequential
  • Creates appropriate incentive to protect confidential information

Risk management: If you agree to this, ensure you have adequate cyber liability insurance and implement strong confidentiality practices. The exposure for consequential damages on a major breach could be substantial.

Limitation clauses often list multiple damage types. Here's what each typically means:

  • Direct damages: The immediate, natural result of the breach. For confidentiality breach: cost to investigate, notify, remediate the specific breach.
  • Indirect damages: Damages that don't flow directly from the breach but result from unique circumstances. Often used interchangeably with consequential.
  • Consequential damages: Downstream losses resulting from the breach - lost profits, lost customers, lost opportunities. These are typically the largest category.
  • Incidental damages: Costs incurred trying to avoid or mitigate harm - expedited shipping, emergency contractors, overtime labor.
  • Special damages: Unusual losses specific to the injured party's circumstances, not typical for such breaches. Must usually be foreseeable at contract signing.
  • Punitive (exemplary) damages: Damages meant to punish wrongdoing, not compensate for harm. Generally not available in contract claims, only tort claims involving intentional or malicious conduct.

Practical note: Courts in different jurisdictions define these categories differently. A comprehensive exclusion lists all of them to reduce the risk of creative arguments about what's "really" consequential versus incidental.

Carve-Outs & Exceptions

Certain types of misconduct are commonly carved out because applying liability limits to them would be against public policy or create perverse incentives:

  • Willful misconduct: Intentional breaches shouldn't benefit from liability protection. This prevents a party from "buying" the right to breach by paying the capped amount.
  • Gross negligence: Reckless disregard for obligations goes beyond ordinary breach and should face full liability.
  • Fraud: Intentional misrepresentation. Courts often refuse to enforce limitations on fraud claims anyway.
  • Confidentiality breaches: For NDAs specifically, the core obligation should carry meaningful consequences.
  • IP infringement: Misappropriation of trade secrets, patent infringement, or copyright infringement claims.
  • Indemnification obligations: Third-party claims may be carved out so the protected party isn't left holding the bag.
  • Data breach notification costs: Statutory obligations that can't be contracted away.

Receiving party caution: Too many carve-outs can swallow the limitation entirely. Negotiate to keep carve-outs narrow and defined.

This is a key negotiation point with significant risk implications:

Position 1: Willful breach only

  • Negligent breaches (accidental disclosure, insufficient security) remain subject to cap
  • Only intentional, knowing violations trigger unlimited liability
  • Receiving party argument: "We'll be careful, but shouldn't face business-ending liability for honest mistakes"
  • Risk: Creates defense strategy of claiming all breaches were "negligent" rather than willful

Position 2: All confidentiality breaches unlimited

  • Any breach of confidentiality - whether negligent or intentional - faces full liability
  • Disclosing party argument: "The harm from disclosure is the same regardless of intent"
  • Stronger deterrent: Forces investment in proper safeguards
  • Risk for receiving party: One employee's mistake could create catastrophic liability

Compromise: Tiered approach

  • Negligent breaches: Subject to elevated "super cap" (e.g., 3x general cap)
  • Willful/intentional breaches: Unlimited
  • Provides meaningful consequences while limiting exposure for genuine accidents

Several approaches can protect your crown jewels while accepting limitations for less sensitive disclosures:

1. Tiered confidentiality categories:

  • "Confidential" - Standard protections, subject to limitations
  • "Highly Confidential" - Elevated protections, higher or no cap
  • "Restricted" - Maximum protections, unlimited liability for breach

2. Trade secret carve-out:

Language: "The limitations in this Section shall not apply to any breach involving information that constitutes a trade secret under the Defend Trade Secrets Act or applicable state law."

3. Specific category carve-outs:

  • Source code or algorithms
  • Customer lists or databases
  • Financial projections or M&A plans
  • Unreleased product information

4. Marking requirements:

Require marking as "UNLIMITED LIABILITY" or similar for highest-sensitivity materials, with limitations only applying to properly marked lower tiers.

Practical tip: If using tiers, be disciplined about applying them. If everything is marked "Highest Sensitivity," the system loses meaning and credibility.

💡 Practical Application

Courts generally enforce limitation of liability clauses between sophisticated commercial parties, but with important exceptions:

When courts enforce limitations:

  • Clear, unambiguous language that parties understood
  • Both parties are sophisticated businesses with legal counsel
  • Limitation was actually negotiated (or at least could have been)
  • Limitation doesn't completely eliminate all remedies

When courts may refuse enforcement:

  • Gross negligence/willful misconduct: Many jurisdictions refuse to enforce limitations for these, even if the contract says they apply
  • Fraud: Generally cannot contract away liability for fraud
  • Unconscionability: Extreme disparity in bargaining power, limitation hidden in fine print
  • Public policy: Limitations that would defeat important statutory protections
  • Failure of essential purpose: If limitations leave injured party with no meaningful remedy

Jurisdiction matters: California, Delaware, and New York have different standards. California is generally more willing to strike unconscionable terms; Delaware tends to enforce freely negotiated commercial contracts.

Generally yes, if the limitation clause is properly drafted and enforceable. But there are important caveats:

When the cap holds:

  • Ordinary breach (even if damages are huge)
  • Negligent conduct within the scope of the limitation
  • Claims that fall squarely within limited damage types

When you might face more than the cap:

  • Conduct outside the clause: If the limitation only covers "contract" claims, they might pursue tort claims
  • Carve-outs triggered: If your conduct was "willful" or "grossly negligent" under carve-out language
  • Statutory claims: Trade secret statutes, data breach laws may provide separate remedies
  • Criminal liability: Contract limitations don't affect criminal prosecution for theft of trade secrets
  • Third-party claims: The cap only binds the parties - not regulators or affected third parties who sue

Strategic reality: Even with a cap, major breaches create huge problems - litigation costs, reputation damage, loss of future business, potential personal liability for executives involved.

Limitation of liability clauses typically apply only to monetary damages. Equitable remedies like injunctions are usually preserved:

Injunctive relief:

  • Court orders to stop doing something (cease disclosure)
  • Not affected by damage caps, since it is not a monetary remedy
  • NDA typically has separate provision confirming right to seek injunction
  • Can be obtained even if monetary damages would be capped at $0

Specific performance:

  • Court orders to do something (return documents, destroy copies)
  • Also not limited by damage caps
  • Usually available in NDAs because confidential information is unique

Why this matters: Even with a low damage cap, you can still get a court to order the other party to stop leaking your secrets and return your documents. This preserves meaningful NDA protection.

Best practice: Include explicit language: "Nothing in this limitation of liability shall affect either party's right to seek injunctive or other equitable relief for breach or threatened breach of confidentiality obligations."

Contractual limitations are just one layer of protection. Implement practical safeguards that don't depend on litigation recovery:

Technical controls:

  • Share through secure portals with access logging, not email attachments
  • Watermark documents with recipient identification
  • Use DRM that prevents copying, printing, or forwarding
  • Time-limited access that expires automatically
  • Clean room procedures for most sensitive disclosures

Operational controls:

  • Need-to-know restrictions - don't share everything with everyone
  • Staged disclosure - share less sensitive information first
  • Named recipient lists - know exactly who has access
  • Regular audits of who has accessed what

Relationship management:

  • Due diligence on the receiving party's security practices
  • Insurance requirements and verification
  • Right to audit compliance with confidentiality obligations
  • Termination rights if security concerns emerge

Bottom line: Don't rely solely on the NDA and litigation. Prevention is far more effective than recovery.