Response #1: You should define direct damages in the NDA. The advice so far has presumed to know what would be consequential versus direct damages. And having read Hadley v. Baxendale as law students, we all do have a general understanding of those concepts. But simply using "consequential" and "direct" to describe damages is to rely on a third party (the court) to interpret your contract for you. Maybe you want that; probably you do not. It is easier and safer to interpret your own contract. You can start by clearly defining direct damages.
You might also be dealing with a contracts person whose playbook demands that they insert a limitation of liability into all contracts.1
Response #2: Our answer has always been no. On the buy side, if they want to come in and do a presentation, or need more of our information in order to assess the scope of the engagement, they should be prepared to face both direct and indirect damages in the event they walk away with our critical or sensitive information. It does go both ways typically though. We understand that if we were to misappropriate their IP we would be in the same position. So we will tell our vendors that we are okay with that position - why are you not? Since we will not be stealing your IP, is there a reason that you do not feel that you will not be walking away with our critical data - if not, what is the issue?2
Response #3: I typically do not agree to that disclaimer since the type of damages that will be suffered is consequential. I have never had the other side push back since it goes both ways.3
Response #4: Just adding another voice to help confirm the consensus: I agree that it would be very unusual to cap or exclude consequential damages with respect to a breach of confidentiality obligations.4
Response #5: Generally, I agree with the other comments that it is customary for a party to be liable for direct and consequential damages resulting from its breach of confidentiality obligations. Many people believe that the consequential damages are the likely damages suffered from a breach of confidentiality. I do not know the objective of this IT service provider to propose disclaiming all consequential damages in this NDA. Lately, some IT providers are attempting to either disclaim consequential damages or limit the liability for damages.
It is possible that IT service providers are reacting to some of the recent changes to data privacy laws (e.g., General Data Protection Regulation [GDPR] in the European Union [EU]) and the potential damages for a breach of data privacy laws.
As mentioned by respondent #2, it is a good suggestion to think about the likely damages and possibly define those damages. If the IT provider is concerned about data privacy liability given its limited role, it may also be helpful to consider separate treatment of confidential business information and personal data. The confidential business information may be treated customarily with unlimited direct and consequential damages, and the personal data could be treated with mutually defined damages or a limit of liability. Obviously, you need to be confident that both kinds of information will be handled and protected with appropriate safeguards.5