When data breaches occur, it’s not just the business’ problem: it’s the IT service provider’s as well. In the past, IT was willing to take the liability, but with an ever expanding customer list and possibility of huge financial loss for IT, service providers began pushing back, namely by limiting their liability via contract negotiation with outsourcing customers. According to this article from CIO.com, that was just the beginning of the hard line stances: soon the outsourcing customers began to make their own demands. As Chris Ford ( chair of the global sourcing group at the law firm Morrison & Foerster) is quotes in the article: IT service buyers are also coming to the table with detailed risk profile assessments that put a real dollar figure on potential data breaches. “Customers are looking at this issue as hard as the service providers and saying, ‘I’m handing my data over to you. You’re in control of my data. If something goes wrong you need to take responsibility,'” Ford said. Now the two — IT service providers and outsourcing customers — often find themselves at the negotiation table unwilling to shake hands until each establishes just who is liable (and for how much) . Instead of coming closer to an understanding of responsibility, it seems that IT service providers and IT service buyers are moving further apart, leaving big questions on who will take responsibility for data breaches, and just who foots the bill.