Twenty years ago, privacy and cybersecurity obligations were still taking shape. Today, they sit at the center of commercial risk allocation—and many businesses are still operating under contracts drafted for a very different legal and technological landscape.
In this thought piece, John Pavolotsky traces the evolution of privacy and cybersecurity law from the early days of breach notification statutes to today’s environment shaped by GDPR, CCPA, and AI-driven risk. The article focuses on a practical challenge many organizations now face: interpreting legacy contract language in the middle of modern data incidents and disputes.
The piece takes a close look at how contracts define “data breaches,” “data incidents,” and notification obligations—and why those distinctions matter when allocating responsibility for costs, investigations, remediation, and litigation exposure. As enforcement expectations and financial stakes continue to rise, older contractual language may no longer align with today’s operational realities.
Key takeaways include:
- Contract language drafted 15–20 years ago may create unexpected gaps in privacy and cybersecurity risk allocation.
- Definitions matter: a “data incident,” “data breach,” and “notifiable data breach” can trigger very different obligations and reimbursement rights.
- State breach notification laws vary considerably, particularly around “risk of harm” assessments and notification requirements.
- First-party response costs—such as forensic investigations, system remediation, and business interruption—often fall outside traditional indemnity provisions, which are typically triggered only by third-party claims.
- Cyber insurance can help offset exposure, but disputes between customers and vendors frequently remain front and center.
The article also explores practical considerations around liability caps, cyber insurance coverage, and the realities of handling incidents when responsibility is disputed or unclear.
Read the full article for a deeper look at how evolving privacy and cybersecurity risks are reshaping legacy contractual relationships and why organizations may want to revisit these provisions before the next incident occurs.