BLOG POST

When It Comes to Data-Sharing, Big Banks Beware

How data leakage happens, and how financial institutions can control it.


Contract disputes over data licensing and usage rights are a significant issue in the financial services industry. A Canadian case involving BNY Mellon, recently covered in Ignites, highlights patterns in how enterprise data contracts can be mishandled, particularly in large organizations with multiple divisions and subsidiaries.

Two aspects of the BNY Mellon case are particularly noteworthy: the court’s finding of deliberate evidence destruction and the significant disparity between claimed damages (US$890 million) and awarded damages (US$5.7 million). The gap illustrates the challenges in quantifying damages for data contract breaches, as courts must balance actual economic harm against punitive measures for contract violation.  

The Canadian court’s unusually strong language regarding BNY’s conduct (“contempt for the justice system”) suggests that courts may take an increasingly serious view of such violations, particularly when accompanied by attempts to conceal evidence. This response could encourage greater penalties in the future and greater scrutiny of enterprise-wide data usage patterns. 

Data Leakage 

The practice of inadvertently or deliberately extending licensed data access beyond contractually specified divisions, known as “data leakage,” occurs frequently in financial institutions. These contract breaches often stem from several organizational factors. First, the complex structure of modern financial institutions makes it challenging to maintain strict data access controls between divisions. Second, the high cost of enterprise data licenses creates incentives for unofficial sharing. Third, mergers and acquisitions frequently complicate existing data licensing agreements as newly combined entities struggle to reconcile different data access rights.

Let the Punishment Fit the Crime 

This case may influence how financial institutions structure their data licensing agreements. For compliance officers and legal departments, it underscores the importance of maintaining clear documentation of data access rights and implementing controls to prevent unauthorized data-sharing across corporate entities. It also highlights the reputational risks associated with data contract disputes beyond mere financial penalties. 

Many organizations are implementing stronger internal controls and audit procedures, and leading capital markets institutions have implemented robust information barriers, to prevent unauthorized data-sharing between divisions. Morgan Stanley utilizes a centralized ‘control room’ system to monitor sensitive information flow, while Goldman Sachs maintains separate information systems with distinct access protocols for different divisions. JPMorgan Chase combines physical separation, segregated IT networks, and strict documentation requirements for cross-divisional communication.

These organizations typically incorporate several key control elements: comprehensive employee training programs, automated monitoring systems for potential breaches, regular internal and external audits, clear escalation procedures, physical separation of sensitive departments, and technological barriers preventing unauthorized access. Most firms employ sophisticated data analytics to flag unusual patterns in employee communications or data access attempts. 

Regulatory bodies such as the SEC and FINRA regularly review the effectiveness of such controls, with findings incorporated into ongoing improvements to information barrier systems. Data vendors are also increasingly incorporating sophisticated usage tracking and authentication systems to detect potential contract violations. These systems track not only who accesses the data but also how it’s being used across an organization.  

Rise of the Data Vendors 

Real-time monitoring capabilities have also become increasingly sophisticated. Vendors such as Refinitiv (now LSEG) and FactSet deploy AI-powered systems that can detect unusual access patterns or potential unauthorized data-sharing between divisions. These systems analyze metrics such as access frequency, volume of data requests, and geographic distribution of users to identify potential contract violations. 
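The kind of review described above, reduced to three rule-based checks over an access log, is shown here as an added example that is not from the original post or any vendor's product. The licence terms, field names, log records and the median-based spike threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Hypothetical licence terms (constructed): divisions and countries the contract covers.
LICENCE = {"divisions": {"asset_servicing"}, "countries": {"CA", "US"}}

# Constructed access log: (day, user, division, country, records_requested).
LOG = [
    (1, "u1", "asset_servicing", "CA", 1200),
    (2, "u1", "asset_servicing", "CA", 1100),
    (3, "u1", "asset_servicing", "CA", 1300),
    (4, "u1", "asset_servicing", "CA", 9000),  # far above u1's usual volume
    (2, "u2", "asset_servicing", "US", 400),
    (3, "u2", "wealth_mgmt", "US", 450),       # same login, division not licensed
    (3, "u3", "asset_servicing", "SG", 300),   # country outside the licence
]

def review(log, licence, spike_factor=5.0):
    """Return {user: sorted reasons} for accesses that fall outside the licence."""
    reasons = defaultdict(set)
    divisions = defaultdict(set)
    volumes = defaultdict(list)
    for _day, user, division, country, records in log:
        divisions[user].add(division)
        volumes[user].append(records)
        # Entitlement checks: the contract names who may use the data and where.
        if division not in licence["divisions"]:
            reasons[user].add("unlicensed_division")
        if country not in licence["countries"]:
            reasons[user].add("unlicensed_country")
    # One login seen in several divisions suggests access is being passed along.
    for user, seen in divisions.items():
        if len(seen) > 1:
            reasons[user].add("login_used_in_multiple_divisions")
    # Volume check: compare each user's peak request to their own median.
    # Users with fewer than three requests have no usable baseline and are skipped.
    for user, vols in volumes.items():
        if len(vols) >= 3 and max(vols) > spike_factor * median(vols):
            reasons[user].add("volume_spike")
    return {user: sorted(why) for user, why in reasons.items()}

if __name__ == "__main__":
    for user, why in sorted(review(LOG, LICENCE).items()):
        print(user, why)
```

The entitlement checks are deterministic and map directly to contract terms, while the volume check is a heuristic whose threshold needs tuning against real usage before its alerts are acted on.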

Technical integration requirements have also evolved. Vendors increasingly require clients to implement specific APIs or software development kits (SDKs) that include built-in monitoring capabilities. These tools allow vendors to track how their data is being integrated into client applications and systems, providing greater visibility into potential misuse. Refinitiv’s Data Platform API and FactSet’s API products incorporate required monitoring tools that track data consumption, usage patterns, and potential compliance breaches. Their SDKs include mandatory authentication protocols and compliance reporting features. S&P Global Market Intelligence and FIS similarly mandate the use of their Enterprise API solutions, featuring integrated monitoring for tracking data access and distribution. These systems typically include real-time alerts for unusual patterns or potential violations. 

Stepping Up to Crack Down 

Looking ahead, vendors are likely to enhance their monitoring capabilities with AI-driven predictive analytics to identify potential compliance issues before they occur. We can expect increased integration of behavioral analytics and machine learning to establish baseline usage patterns and flag anomalies more accurately. Vendors will likely expand their authentication requirements to include biometric verification and contextual authentication factors. 

Additionally, vendors will likely develop more sophisticated cross-platform monitoring solutions as organizations increasingly use multiple data providers. Real-time reporting capabilities will become more granular, with enhanced visualization tools for compliance teams. These advancements will likely be paired with stricter technical requirements for implementation. 

Reach out to me at [email protected] if you’d like to discuss any of the topics or solutions mentioned in this blog post. For a deeper dive into the world of data security, I’d encourage you to download our Top Trends in Cybersecurity, 2025 report (see Trend 6 in particular), as well as attend our upcoming Cybersecurity webinar.