Pursuant to § 2.2-2012.1 of the Code of Virginia, in all contracts for a "major information technology project" (as that term is defined in § 2.2-2006), the terms and conditions relating to a supplier's indemnification obligations and liability must be reasonable and cannot exceed twice the aggregate value of the contract. Section 2.2-2012.1 further provides that in instances of "(i) the intentional or willful misconduct, fraud, or recklessness of a supplier or any employee of a supplier or (ii) claims for bodily injury, including death, and damage to real property or tangible personal property resulting from the negligence of a supplier or any employee of a supplier" a supplier's liability is unlimited.
An exception to the liability limitations exists in contracts that pose an "exceptional risk" to the Commonwealth. In these instances, the CIO is required to conduct a risk assessment prior to the issuance of a Request for Proposal. The risk assessment must include consideration of the nature, processing, and use of sensitive or personally identifiable information. If the risk assessment concludes that the project presents an exceptional risk to the Commonwealth and the limitation of liability amount provided for in the paragraph above is not reasonably adequate to protect the interest of the Commonwealth, the CIO may recommend and request approval by the Secretary of Administration to increase the limitation of liability amount. The Secretary of Administration must approve any recommended maximum alternative limitation of liability amount before it may be included in any Request for Proposal issued for the project.