“If we get sued, you get sued!” Sounds warm and comforting, right? I bet you cannot wait to partner or contract with a company that already has litigation on its mind. Nevertheless, these types of statements are common, and once formalized by lawyers, are called “indemnification clauses.” They are often necessary but can be very broad and potentially catastrophic to your business.
An indemnification provision is an example of contractual risk transfer. It means that one party to a contract is agreeing to indemnify (reimburse or pay) the other party under certain circumstances. Some indemnification provisions also include a duty to defend, meaning not only are you agreeing to pay for a loss that occurs, but also you are paying for that party to defend against the claim (and even pay the other party to sue you). A third facet is that an indemnification will often require you to “hold harmless” the other party. Forgetting the grammatical nightmare that that language brings, this third facet acts like a release, indicating that you cannot place blame on the other party.
I was recently reviewing an indemnity provision in a client’s contract for purposes of insurance guidance. It was a particularly broad provision that shifted all liability to the client. For everything. Forever. Of particular interest in this contract was that the client was going to be responsible for any “misuse, loss, or breach of security as it relates to data” of the other party. As I compiled a list of things for the client to consider, I noted that indemnification provisions are not one-size-fits-all, but they are standard in most contracts, and typically not removed. So, it’s likely most companies have them, and will be asked to sign more.
If you are the party in a contract being asked to indemnify another party, we recommend consulting an attorney to ensure your business is properly advised. To better protect your company and reduce your exposure, you will want to consider requesting the following:
Scope. What is the indemnification provision requiring you to pay? All losses/claims of the other party related to your work? Any claim that remotely relates to the project? The cost of their attorneys’ fees and expenses if the other party has to defend a lawsuit? Does it limit claims to those arising directly out of your work, or does it broaden to the whole project?
Data. What indemnification requirements does it have for data in the event of a security breach? A note about data and indemnity: When contracting to indemnify a party for a cyber security breach, there are some additional nuances of which to be aware. First, if there is a possibility that a breach of your organization’s network, system, or data could compromise data of the other party (because you receive and retain such data), you may want to consider having a data/cyber insurance policy that covers such losses. Because there is a contractual risk transfer if you breach, you will need immediate coverage of the loss and risks, which insurance can provide (and allow them to subrogate on the contractual breach). A cyber policy may give you coverage if there is a delay, denial, or other reason for non-payment or failure to immediately address (and protect against) the loss. The mere timing of enforcing a contractual obligation is critical during a very time-sensitive situation.
Mutuality. Is the indemnity mutual? Is there a carve-out for any breach under the agreement by the other party or non-payment (meaning if the other party does not pay or breaches against you and is sued, you should not have to indemnify them)?
Exclusions. Does it specifically exclude any claims due to the other party’s own negligence, omission, misconduct, etc., including any cross-claims or counter-claims asserted by other parties?
Mitigation. Does it have an express obligation that the other party must mitigate (make reasonable efforts to reduce) its loss?
Notice. Is there a notice requirement (e.g. that you must be notified within 20 days of the other party’s first notice of any alleged claim and/or loss)? Is there protection for you if the other party fails to properly notify you of a potential loss or claim?
Defense. Does it preserve your right to choose defense counsel, the theory of liability, and control settlement if required to defend?
Limits. Does it limit the time during which claims can be brought under the indemnity clause (e.g. two years after the completion of work)? Does it cap or give a liquidation of damages on liability (such as the amount of the agreement’s payments for your services in total)?
This is only a starting point as you review the indemnity provisions in your written agreements, and we encourage you to review and discuss your agreements with an attorney. With any contract, the terms and conditions will be entirely dependent upon the tone of the negotiations, the relationship of the parties, and the bargaining power of your organization. From there, you will have to determine what is most important for your business needs and risk exposure.
For more information on cyber security issues, such as those discussed here, register for our upcoming webinar “Update on cyber crime and data breaches: Understanding the new risks of doing business in a digital age.” We will give you a better understanding of the risks posed by data breaches and cyber crime in the workplace and steps to help reduce those risks. For more information about cyber exposures or risk management in general, please contact us.
Heather offers practical guidance and helps employers find solutions to employment law and compliance matters.
Heather educates and advises employers on all aspects of employment law, including compliance with state and federal laws, leaves of absence, discrimination, harassment, accommodations, discipline and discharge, wage and hour obligations, unfair competition, and other issues that arise in the workplace. In addition to Heather’s employment counseling, her background includes nearly a decade of litigation experience. Her prior experience includes litigating for a regional insurance company, business disputes, and employment.