Who is liable in court for this hypothetical double breach of contact?
Just something I'm curious about as I can totally imagine it happening in the real world.
Let's say that Healthcorp is a medical services provider of some kind, and as such are required to keep certain records for a certain amount of time. They sign a contract with Archivetopia to keep safe all the records that they absolutely have to hold onto. However, the guy that used to work at GitLab got hired for Archivetopia, and he accidentally deletes a ton of entries from their database, which included Healcorp's records, and there is no way to recover any of it. Then, Healthcorp gets subpoena'd, so they call up Archivetopia only to find out they can't produce the records they need.
Healthcorp is still liable, you can subcontract a job, but uou can't subcontract the responsibillity.
What I mean is that Healthcorp should have procedures to test the backup, and as soon as it failed, they should inform the government.
It can also be asked, why Healthcorp only had one backup of the data, when it is best practice to have a 3-2-1 backup system, if Archivetopia offered a service as a 3-2-1 solution, why didn't Healthcorp select that? If they did why didn't they verify the claims of the service?
At the end, Healthcorp would get hit with a fine, but they in turn could sue Archivetopia for breach of contract.
That may be the beginning of a chain of lawsuits starting with Healthcorp because the first breach of contract would be between them and the patient. They would then bring a lawsuit against the contractor for their failures that breached contract between companies.
This is guesswork, mind you and if someone has a sure answer I'd be interested in knowing. Great question!
Unless Healthcorp can be shown to have contributed to the loss of data, I would think Archivetopia will take the full blame. For example, if they knew Archivetopia was prone to losing data and had a good chance of losing their data then perhaps they could also share in the liability.
That makes the most sense to me. I imagine if Healthcorp were found liable, or even had a hint that they might be liable, they would turn around and sue Archivetopia (or execute whatever penalty clause they had already agreed to, assuming it covered all related damages.)
I'm not a lawyer, but I think this would be on archivetopia. I think the question would be whether healthcorp had taken reasonable care to preserve these records, or had been negligent by leaving them entirely in the hands of archivetopia. It seems to me that the former would be the case, and that archivetopia has failed to appropriately safeguard those files, if a random employee can delete them without any procedures in place to prevent that or to keep additional backups.
Obviously there are multiple points of failure here - any one out of healthcorp, archivetopia, or the employee could have acted differently to prevent this. But if healthcorp had a reasonable expectation that handing these documents over to archivetopia would meet their obligations to preserve them, they should be in the clear - just as they would be if their document warehouse met all health and safety regulations but somehow burned down anyway. In both cases, they did what they could but events beyond their control resulted in data loss. In both cases, there is still a question about reasonable care: Did their warehouse meet all safety requirements? Did they have good reason to believe that these documents would be safe with archivetopia? If the answer to those questions is no, they are still at fault. If yes, they are in the clear.
On top of this, archivetopia is certainly at fault (multiple parties may be in the wrong here). And of course, the employee is at fault, although I don't know if they'd be legally culpable or if it would be an internal matter.
Not a conclusive answer, but I hope this helps to clarify some of the considerations involved.