Raleigh, N.C. — A proposal that would limit how much large information technology contractors would have to pay the state if something went wrong with a system they sold to North Carolina cleared the House Judiciary II Committee on Wednesday.
The measure, which has already passed the Senate, states that, with few exceptions, a company could be held liable for a maximum of double the value of most contracts, or three times for contracts deemed particularly sensitive by the state's chief information officer.
Rep. Jason Saine, R-Lincoln, said the measure would help make sure that big computer companies would continue to work with the state.
"Vendors have to have some certainty ... that they have some sense of what their liability may be," Saine said after the meeting.
The issue is not an abstract one for North Carolina.
Three years ago, the state battled major problems with a pair of systems used to manage health care for vulnerable citizens and was forced to scrap a partially completed system for the Department of Revenue.
"What if the damages involved in this thing are more than what you assess it to be?" Rep. Mickey Michaux, D-Durham, asked.
The answer, according to committee staff, was that the state could collect only up to the capped amount unless there was some sort of willful misconduct. However, the bill does exempt some costs from counting toward that cap. For example, if there is a data breach that exposes the personal information of citizens, the company would be liable for the cost of notifying those people, and that would not count toward the cost cap.
That provision would play a role in cases such as when the state discovered a pair of personal information breaches related to the state's Medicaid system.
Ed Turlington, a lobbyist for the North Carolina Technology Association, pointed out that the state's standard IT contract caps costs at two times the contract's value already.
This bill, he said, would encourage qualified contractors to bid on state business.
Asked about the question of problems that could exceed the liability caps, Saine said that the IT vendor was not working in a vacuum. The state, he said, has to do its due diligence as well.
"It is a shared responsibility," he said.