by dsr_ 1768 days ago
Our security policy doesn't let us put confidential information into other people's hands unless they are willing to commit to the full value of damages from a breach on their side.

It's a great question to differentiate sales critters: the new ones are sure that they can work something out; the middle ones are dubious; the experienced people chuckle and disengage politely.


Are any external suppliers stupid enough to agree to this? Isn’t it basically writing you an unlimited cheque if someone hosting your data gets hacked?
I suppose some might reason that if something that serious happens they'll be out of business anyway, and just make sure the responsibility can't follow them if it does happen and the business does fall.

Those that specialise in holding other parties' data like this will have liability insurance to cover significant events financially (though there is of course still reputational risk to consider) and processes in place to try to make sure such events don't happen, so calling on that insurance never needs to happen.

> if someone hosting your data gets hacked

It wouldn't be if just anyone got hacked, only if something they are responsible for fails and enables a data leak, so they are not accepting third-party risk unless they themselves involve third parties in the mix. Proving you are not the source of a leak could be an interesting proposition though.

This is actually a fairly big deal in enterprise sales. I learned that one of the reasons my company didn't use Slack and opted for a larger company's (arguably inferior) clone was that Slack was basically not suable (blood from a stone and all that). My company basically wanted the ability to hold the provider liable for a breach. I look around at our other vendors and most of them appear to be capable of weathering a lawsuit, whereas Slack (at that time) was not. Now... however... things have changed. :)
Every supplier to regulated industries is smart enough to do this, as it’s generally required.
I suppose you need to charge a lot more to provide such guarantees.
You find how much their data is worth, then take insurance out to cover it, and pass the cost along.