A recent California court ruling in Clorox v. Cognizant underscores an important point for customers in IT and cybersecurity deals: well‑drafted carve‑outs can preserve real damages leverage despite the presence of a general limitation of liability.

Although the 2013 agreement capped damages and waived consequential damages, it carved out gross negligence and data‑related obligations. Based on alleged service desk failures, such as improper credential resets and ignored red flags, the court declined to strike Clorox’s ~$380M damages claim at the outset, preserving significant leverage for Clorox in the ongoing litigation.

What this means for customers:

• Liability caps are only as strong as their carve‑outs: liability negotiations should focus as much on what’s excluded from the cap as on the cap amount itself – though we note that the market has moved on in some ways from the 2013-era terms in the Clorox deal.
• Basic operational security failures may be enough to fit within typical “gross negligence” exceptions to liability caps – at least at the pleading stage.
• That leverage could drive settlement outcomes more than the cap’s ultimate enforceability.

Notably, the court refused to treat credential handling and MFA management as low‑level administrative tasks, treating them instead as critical security functions sufficient to support a claim of gross negligence. The ruling supports Clorox’s position that this was not a “sophisticated” attack, rather it was a “preventable” failure to follow basic security procedures. This ruling is welcome news for customers, but likely worrisome for service providers.

What do you think? Did the court assign undue weight to “routine” performance obligations that might ordinarily give rise to a simple breach claim subject to limited liability? Or, should egregiously poor performance of routine obligations allow a customer to escape the provider’s limitation of liability?

Read more on similar topics by following our Hunton Deal Bytes page on LinkedIn.