Indemnification is one of the most highly negotiated provisions in any commercial contract. Getting it right is essential for in-house counsel to fairly allocate the risk between the parties and protect your organization’s interests.
On Thursday, July 21, 2022, Foster Sayers provided practical tips for in-house counsel to master negotiating indemnification provisions.
Here are the top 10 takeaways from this informative webinar.
#1 Indemnification is about making the other party whole.
It’s about standing in the shoes of the other party and bearing the full harm, damages and loss. This is because it would be unjust for the other party to bear the consequences.
Another essential aspect of it is the fair allocation of risk between the parties. The indemnifying party should be expected to control the risks that give rise to the indemnified claim.
Practice Tip: The consent of the indemnified party should be required in the event of any settlement which involves an admission of liability and/or equitable relief on the part of the indemnified party.
#2 Claims you MUST (and MUST NEVER) indemnify for.
The claims of gross negligence; bodily injury, death and property damage; and violation of law, are all rooted in common law. This means that, even if they are not included as a provision in a contract, no one can disclaim responsibility if sued. Don’t waste time negotiating over these terms as they are sine qua non.
Additionally, there are industry standards that should be indemnified as a matter of course. It’s important that you know your industry (or the industry of the product you are acquiring) well enough to know what the expectations are for indemnification.
As an example, it can include things such as IP infringement, breach of confidentiality, breach of warranty, and breach of security.
In commercial contracts, NEVER agree to indemnify for a “breach of any of your obligations, covenants, or representations as set forth in the agreement.”
This language is intended to be a catchall for all claims and can negate your limitation of liability clause.
Practice Tip: Understand what the other side’s real concern is and ask for an example of what type of third-party claim they have in mind when asking for this type of “catch all” indemnity. Then you can focus on discussing that scenario and drafting language narrowly tailored to that concern.
#3 Claims for breach of warranty.
The 4 most common types of warranty that we see in commercial contracts are:
- Professional services – the warranty is that the services will be performed in a workmanlike manner and will be consistent with industry standards (versus “best”). The remedies are to re-perform the services, or the termination of the underlying agreement.
- Product – this provides that the product will perform in accordance with its specifications and intended use. The remedies for this would be to repair the product, replace the product, or accept return of the product and issue a refund.
- Non-infringement – the warranty is that the product does not infringe. The remedies for this are laid out in #4 below.
- SaaS – the warranty is that the product will perform in accordance with the functionality description that is published about the product.
The remedies would be to repair the service, (bringing it into conformity with the product description) and establish a Service Level Agreement to set expectations on remedying performance issues. Offer credits as the remedy for downtime.
Practice Tip: If you offer a credit for a service outage, ensure that you state that it is the exclusive remedy for the customer and sole compensation for the downtime.
#4 Claims for IP infringement.
Depending on the industry, claims for infringement are typically subject to indemnification. The remedies that are typically set forth for indemnification for claims arising from infringement are:
- Obtain a license – obtain/provide the right to use the allegedly infringing portion or buy a license from the party which has raised the claim of infringement.
- Replace – replace the infringing product with a modified version.
- Remove and refund – simply remove the infringing product and issue a refund.
- And lastly, terminate the agreement.
Practice Tip: If your client is the customer and is asked to agree to a remedy to replace an infringing solution, include language to the effect of “so long as it does not decrease the functionality.”
If you represent the party providing the indemnification, do not deviate from the remedies or agree to allow the customer to choose which remedy they want you to provide.
#5 Breach of confidentiality.
There are some key things to consider when it comes to claims for breach of confidentiality.
The first and foremost is, how is confidential information (CI) being defined? It’s not a legal definition, it’s a contractual definition. You need to be comfortable indemnifying for a claim as it pertains to the definition being used.
Additionally, don’t agree to carve outs from your limitation of liability for claims related to breach of your agreement’s confidentiality provisions. Focus on the fact that this is an allocation of risk and consider the fairness.
Practice Tip: If you indemnify for a breach of confidentiality, make sure you specify it’s for a breach of your duties and obligations in the relevant “Confidentiality” section, NOT merely any breach of confidentiality.
#6 Breach of security.
Breach of security is a cousin to breach of confidentiality. Taking a similar approach to confidentiality, a key consideration to pay attention to is how “breach” is being defined.
Push back on any request for full indemnification or unlimited liability. Don’t agree to carve outs on this one. Again, it comes down to allocation of risk and fairness.
Practice Tip: Make sure you understand the expectations that your industry has for this type of indemnification. Government entities may have strict requirements you cannot regulate around. Other vendors or customers may have set a precedent in your industry that you need to understand.
#7 Data distinctions.
Knowing what data would be impacted in the event of a breach is crucial to understanding how you’re going to navigate indemnification for it.
Here are the 4 types of data that are most consequential from a breach perspective:
- Confidential Information (CI) – this is defined in your agreement and is often a catchall which includes PII and PHI in its definition.
- Personally Identifying Information (PII) – any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
- Protected Health Information (PHI) – individually identifiable health information. If you have access to or are hosting this, then HIPAA applies. This type of data also prompts Business Associate Agreements.
- Non-Public Information (NPI) – this information may or may not include CI, PII, or PHI. It includes information such as social security numbers, birth dates, account numbers, etc.
Practice Tip: If neither party has access to any of these data types, efforts to negotiate and indemnify for a breach of confidentiality or security are misplaced.
#8 Business Associate Agreements (BAA).
If you have access to PHI now, or will at some point, you will likely be asked to enter into a BAA.
These are standard types of agreements that healthcare providers and adjacent businesses enter into so that they can demonstrate they’re compliant with HIPAA. A BAA is typically collateral to your primary commercial agreement. Ideally, it’s negotiated in parallel to the commercial agreement.
A BAA may contain a provision requiring the indemnification/unlimited liability for a breach of the agreement. It’s best to strike this and have the commercial agreement speak to that matter.
Practice Tip: If you receive a BAA with an indemnification provision after the commercial agreement has already been established, then keep the terms consistent between the 2 documents. You can either cite the commercial contract indemnification provision in the BAA or duplicate it by using the same language.
#9 Limiting damages.
An important part of minimizing risks is limiting damages. You can limit indemnification in terms of how much money a party can recover, but also by specifying remedies.
For IP infringement the remedies are detailed in #4 above.
For breach of confidentiality and security, remedies would be notification of impacted third parties, credit monitoring, and costs of security investigation.
Practice Tip: Use the IP remedy framework as your precedent for codifying your specific remedies for breaches of confidentiality and security.
You can also limit damages by capping them. When possible, subject the relevant indemnification claims to the limitation of liability (e.g., breach of confidentiality, security).
Practice Tip: If the standard cap is not acceptable, negotiate a super cap: “provided however that claims for a breach of [section references] will be capped at [the higher amount negotiated].”
#10 Jedi mind tricks for navigating indemnification.
Indemnifications are a scenario where sometimes we just wish we could wave our hands and convince the other party “these aren’t the droids you’re looking for,” and move on.
Whether you call it Jedi mind tricks, mentalism, or something else, the idea is to develop the skill to redirect attention, and redirect focus in order to keep productively moving through negotiations.
When it’s necessary to pivot or steer through a sticking point, try using the following prompts:
- “This isn’t the risk you care about us indemnifying you for.”
- You can pair that with “See this other thing we indemnify you for? That’s the risk you care about.”
- Or “Surely you can understand that I don’t have control over this risk.”
- And “The reason I agreed to that other thing is because I was expecting you to agree to this.”
Remember to be professional and responsible in their use as you continue to hone your skills.
Summary:
For more useful and enlightening practice tips on navigating indemnification—including a deeper-dive Q and A session with Foster Sayers as he answers the pressing questions in-house counsels are asking—we invite you to watch the full webinar below.
Watch here: In-House Connect On-Demand