Bill limiting IT contractor liability clears committee

The measure, which has already passed the Senate, states that, with few exceptions, a company could be held liable for a maximum of double the value of most contracts, or three times for contracts deemed particularly sensitive by the state's chief information officer.

Rep. Jason Saine, R-Lincoln, said the measure would help make sure that big computer companies would continue to work with the state.

"Vendors have to have some certainty ... that they have some sense of what their liability may be," Saine said after the meeting.

The issue is not an abstract one for North Carolina.

"What if the damages involved in this thing are more than what you assess it to be?" Rep. Mickey Michaux, D-Durham, asked.

The answer, according to committee staff, was that the state could collect only up to the capped amount unless there was some sort of willful misconduct. However, the bill does exempt some costs from counting toward that cap. For example, if there is a data breach that exposes the personal information of citizens, the company would be liable for the cost of notifying those people, and that would not count toward the cost cap.

Ed Turlington, a lobbyist for the North Carolina Technology Association, pointed out that the state's standard IT contract caps costs at two times the contract's value already.

This bill, he said, would encourage qualified contractors to bid on state business.

Asked about the question of problems that could exceed the liability caps, Saine said that the IT vendor was not working in a vacuum. The state, he said, has to do its due diligence as well.

"It is a shared responsibility," he said.