by andy_ppp 1768 days ago
Are any external suppliers stupid enough to agree to this? Isn’t it basically writing you an unlimited cheque if someone hosting your data gets hacked?
4 comments

I suppose some might reason that if something that serious happens they'll be out of business anyway, and just make sure the responsibility can't follow them if it does happen and the business does fall.

Those that specialise in holding other parties' data like this will have liability insurance to cover significant events financially (though there is of course still reputational risk to consider) and processes in place to try to make sure such events don't happen, so calling on that insurance never needs to happen.

> if someone hosting your data gets hacked

It wouldn't be if any someone got hacked, just if something they are responsible for fails and enables a data leak, so they are not accepting third-party risk unless they themselves involve third parties in the mix. Proving you are not the source of a leak could be an interesting proposition though.

This is actually a fairly big deal in enterprise sales. I learned that one of the reasons my company didn't use Slack and opted for a larger company's (arguably inferior) clone was that Slack was basically not suable (blood from a stone and all that). My company basically wanted the ability to hold the provider liable for a breach. I look around at our other vendors and most of them appear to be capable of weathering a lawsuit, whereas Slack (at that time) was not. Now... however... things have changed. :)

Every supplier to regulated industries is smart enough to do this, as it's generally required.

I suppose you need to charge a lot more to provide such guarantees.

You find how much their data is worth, then take insurance out to cover it, and pass the cost along.