Charles Nerko, team leader for data security litigation in Barclay Damon's Data Security & Technology Practice Area, and Xun Chen, associate, had their “Hacking the Contract: How Cybersecurity Failures Can Be a Business’s Best Bargaining Chip” article published in New York Law Journal. The article explores how cybersecurity breaches can be used as tools to renegotiate terms, exit unfavorable agreements, or demand better performance leveraged in business relationships. Charles and Xun suggest that rather than passively absorbing risk, businesses should proactively use cybersecurity weaknesses to gain contractual leverage.
Charles and Xun assert that cybersecurity should be treated as a core contractual obligation—on par with price, quality, or delivery. Many vendors fail to meet basic security benchmarks, even among Fortune 500 companies. Yet businesses rarely scrutinize these standards before problems arise. Conducting proactive security reviews—like quality control inspections—can convert vague boilerplate promises into actionable leverage, especially when dealing with costly or outdated vendors.
Commissioning third-party security audits of vendors can uncover hidden vulnerabilities that serve as powerful negotiation tools. Charles and Xun cite Verizon’s acquisition of Yahoo as a prime example, where security breaches resulted in a $350 million reduction in the purchase price. In ordinary commercial settings, too, documented security failures can provide legal justification to terminate contracts, reduce fees, or demand better terms—transforming what seems like a liability into a financial opportunity. “Every cybersecurity failure has a price; the only question is who foots the bill,” the article said.
Finally, Charles and Xun’s article emphasizes how security lapses can override contract protections like liability caps. Courts have voided these limitations when failures amount to gross negligence or fraud, as shown in several New York cases. Misrepresentations about cybersecurity controls can also give rise to fraud and trade secret claims. The key message: businesses shouldn’t just manage cybersecurity—they should weaponize it strategically to reshape deals and enforce accountability in their commercial relationships.
Click here to read the full article.