Contracts Corner: The Fine Print Face-off of Indemnification vs. Limitation of Liability

Banner artwork by SOMKID THONGDEE / Shutterstock.com

Nearly all commercial contracts include indemnification provisions. Generally, they are filled with legalese, which can complicate the fact that these clauses simply allocate risk between parties. Approach indemnification as a risk allocation arrangement and the result is better business outcomes (as well as risk mitigation). This article describes the following key elements of indemnification provisions with the goal of assisting in-house counsel who draft and negotiate these clauses:

  • What an indemnification provision addresses;
  • The duties an indemnification provision may impose;
  • The events that an indemnification may cover; and
  • The interplay of limitation of liability and governing law provisions vis-à-vis indemnification.

We include real-world examples to illustrate how certain indemnification aspects impact business outcomes, links to helpful reference tools, and a few sample provisions.


What does an indemnification provision address?

An indemnification provision in a commercial contract allocates risk between the parties. It assigns responsibility to one party for losses incurred by the other when certain events happen. Indemnity provisions “pre-determine how potential losses incurred during the course of a contractual relationship will be distributed between the potentially liable parties.”

An indemnification provision obliges the indemnifying party (indemnitor) to make the indemnified party (indemnitee) whole for a loss, damage, or liability that the indemnitee has suffered. In addition, indemnification provisions allow the parties to customize remedies in a way that may differ from remedies available under a breach of contract claim. It is important to note that the obligation to indemnify may arise by contract (as this article discusses) or by common law.

Typically, the obligation to indemnify arises when a third-party claim is made against the indemnitee. But, depending on how the indemnification clause is drafted, it may also cover regulatory fines and direct claims, meaning claims that one party has against the other. In effect, the premise of most indemnification provisions is that if one party does something (or doesn’t do what it was supposed to), and that act or omission gives rise to a claim for damages by a third party, then the indemnitor is responsible for damages and losses in relation to the third-party claim.

What duties does an indemnification obligation impose? 

Many commercial indemnification clauses state that the “Indemnitor will indemnify, defend, and hold harmless the Indemnitee,” which imposes three separate duties on the indemnitor. What does each duty mean?

“Indemnify” v. “defend” v. “hold harmless”

  • Indemnify: The indemnitor’s duty to reimburse the indemnitee for losses and damages, once they have been incurred.
  • Hold harmless: The indemnitor’s promise to pay costs that may result from a covered claim. The majority of courts consider “hold harmless” and “indemnify” to be duplicative.
  • Defend: The indemnitor’s duty to defend the indemnitee against claims that may result in losses, damages, or liabilities and the duty to pay the associated costs (e.g., attorney’s fees) related to such defense. This obligation arises as soon as a claim is asserted against an indemnitee.

Many vendors’ standard commercial terms may only offer to indemnify the indemnitee/customer against third-party claims covered by the indemnification provision, without a duty to defend. If the indemnitor’s duty is to indemnify — and specifically not to defend — then the indemnitee will need to front the legal costs, including attorney’s fees, to defend itself until losses or damages are incurred (or the claim is finally adjudicated), which could be years. This important distinction between the duty to defend and the duty to indemnify can result in substantial monetary and business implications for the indemnitee. Indemnitee counsel should discuss this aspect with her business stakeholders and determine an appropriate negotiation strategy accordingly.

The duty to “defend” arises when a potential claim is asserted against the indemnitee. It obligates the indemnitor to “pay as you go” and cover the costs to defend the claim, including attorney’s fees. The duty to defend may also obligate the indemnitor to take over the defense of the claim by hiring defense counsel, etc.

However, to ensure the indemnitee maintains options with regard to defending a claim made against it, counsel should take care in drafting the indemnification rules so as not to lose control over the case. For example, counsel may add a clause like the following: No settlement of any such Claim may be made without the Indemnified Party’s prior written consent to the terms of settlement, which consent may be withheld at Indemnified Party’s sole discretion. An Indemnified Party will have the right to participate in the defense of any such Claim at its own expense.

Importantly, if the duty to defend is not specifically listed in the indemnification provision, then under most state laws, only the obligation to indemnify will apply. However, in some states, including California, there is an implied duty to defend as part of an indemnity obligation, unless it is expressly negated.

This is a critical distinction to consider when negotiating an indemnification provision because if there is no duty to defend, then the indemnitee (oftentimes the customer in a vendor-customer deal) could be stuck paying for losses, damages, and legal costs related to a third-party claim or covering for those until a court makes a final determination about the third-party claim.

Real-world example: how the indemnitor’s duties may impact business outcomes.

Let’s say a retail company contracts with a SaaS vendor to use its service to help with inventory distribution. Then, a third party sues the retail company asserting that its use of the SaaS service infringes that third party’s intellectual property rights. The result may be that the retail company has to:

  • Stop using the SaaS service until the infringement matter is resolved, and
  • Allocate financial resources to cover legal costs to defend itself until actual losses are incurred or until a court enters a judgement in the case.

This type of situation can severely impede the retail firm’s business objectives because the company has to:

  • Find an alternative SaaS service, and
  • Pay unanticipated costs to defend itself against the third-party claims.

Further, the SaaS vendor is in a much better position to defend this claim than the retail company, given that it developed the SaaS product and can more easily assess the validity of — and likely defend — the infringement claim.

What events does an indemnification provision cover?

An indemnification provision lists specific events for which the indemnitor will indemnify (and/or defend) the other party. These events vary depending on the particulars of the commercial transaction and, usually, are the subject of negotiation. In a typical commercial contract between a vendor and customer, the indemnification may cover the following events: 

  • Third-party intellectual property infringement claims;
  • Breach of representations and warranties;
  • Breach of confidentiality obligations;
  • Gross negligence or willful misconduct;
  • Non-compliance with applicable laws; and 
  • Breach of data privacy obligations.
                                                       

Not every indemnification provision should or will cover all of the above events, but if these are all things within the control of the indemnitor, then it may be reasonable to include them. For example, if the SaaS vendor in the example also received customer data to help prepare orders, it should be responsible for how it handles that customer data and indemnify the retailer accordingly.

If the retail company gets a claim from a data subject whose data was leaked inadvertently by the SaaS company, the SaaS vendor should cover those costs (which could be minimal against one data subject). When extrapolated across millions of customers, however, customer data breach claims can rack up costs quickly.

Additional key aspects of indemnification provisions

There are several other additional indemnification-related aspects that may also impact the business outcomes relative to the commercial transaction. These include:

  • A list of triggering acts (e.g., third-party allegations, claims, lawsuits)

  • A list of recoverable damages (e.g., losses, liabilities, damages, fines, legal fees)

    “Finally awarded damages” language is one that counsel should consider negotiating due to the financial strain such language may impose on customer/indemnitee as they will be paying the costs to defend a claim until damages concerning such claim are finally awarded. Rationale: customer company shouldn't have to cover litigation defense costs up front and only get reimbursed if / when a court finally awards damages.

  • Nexus phrases that link the recoverable damages to the covered events (e.g., “related to” or “directly caused by”)

Exceptions to the indemnitor’s indemnification obligations

Common exceptions to the vendor’s indemnification obligations include the following three actions by the customer:

(1) Using the product/service beyond the authorized scope;

(2) Making unauthorized modifications to the product/service; and

(3) Using an outdated version of the product/service, after the vendor has provided an updated version and the use of the updated version would have averted the infringement claim.

Like many aspects of an indemnification provision, these exceptions are also negotiable.

How do limitation of liability and waiver of consequentials clauses relate to indemnification?

While separate from the indemnification provision, a limitation of liability clause plays an important role in determining the monetary impact of the indemnitor’s obligations. Similarly, a damages waiver clause excludes certain damages from being applicable.

Counsel should advise his/her business stakeholders that any agreed monetary limitation of a party’s liability under the contract must be expressly set forth in the contract. Why? Subject to common law limitations, unless otherwise agreed in the contract, courts generally will interpret a party’s liability to the other under a contract to be uncapped and unlimited.

  1.  Sample Waiver of Certain Damages provision: IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR REVENUE OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY, REGARDLESS OF WHETHER A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING LIMITATION SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

Counsel is advised to always review indemnification provisions in tandem with the contract’s limitation of liability and damages waiver provisions to fully assess the overall business risks. Specifically, these provisions usually state:

  • The types of damages (e.g., indirect, consequential) that are excluded, and
  • To what extent, if any, the indemnitor’s monetary liability is limited or capped.

The parties may often negotiate which types of damages apply and what the monetary liability cap will be, if any, with regard to respective indemnification obligations. Typically these caps are based on real market standards, like how much a standard data breach will cost to rectify, or whether the event can even be easily measured in a monetary fashion.

How much does a data breach cost? The global average cost of a data breach reached $4.88 million in 2024, as breaches grow more disruptive and further expand demands on cyber teams.

For example, a commercial contract may impose a mutual obligation for each party to protect the other’s confidential information and a duty for each party to indemnify the other if it breaches its confidentiality obligations, the damages amount for which may be uncapped including no cap on incidental or consequential damages.

Counsel may refer to this three-pronged rationale in support of requesting unlimited direct, incidental and consequential damages for one party’s breach of its confidentiality obligations: (1) it is “fair” because it is a mutual obligation with the same liability for each party; (2) it is “basic corporate governance” as ensuring the other party’s confidential information remains confidential is fully within the receiving party’s control; and (3) loss to the disclosing company may be substantial and not only monetary (e.g., reputational hit, disgruntled suppliers).

Sample clause that carves out confidentiality obligations from damages exclusion: EXCEPT IN CONNECTION WITH A PARTY’S CONFIDENTIALITY OBLIGATIONS HEREIN, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES…

When negotiating a commercial agreement, counsel should consider that once confidential information is leaked, the harm has been done and the direct damages are likely limited to seeking injunctive relief. The company’s real costs in this scenario likely will come from the company’s damaged reputation, trade secret disclosure, loss of customers, etc., which are incidental or consequential damages. So if the contract excludes incidental or consequential damages in such a scenario, your company may be out of luck!

The monetary liability cap may vary as concerns different indemnification obligations. For example, it may be unlimited for breach of confidentiality obligations and a multiple of the fees paid under the deal for a different indemnification obligation. Monetary liability caps are an oft-negotiated component of commercial agreements.

What role does governing law play?

The contract’s governing law may determine whether certain aspects of an indemnification clause are enforceable or if certain liabilities may be lawfully limited. Thus, understanding how the applicable governing law interplays with indemnification and limitations of liability is imperative, as rules vary among jurisdictions.

Team up with business counterparts to understand business risk

Given that indemnification clauses allocate important business risks between the parties, which can have monetary and reputational implications, it is wise for both legal counsel and business stakeholders to devote ample attention to these provisions. Generally, an indemnitor should be mindful of the scope of its indemnification obligations and how those interplay with the limitation of liability and damages waiver clauses.

Similarly, an indemnitee should understand which risks the other party is assuming and assess how applicable monetary liability caps or damages waivers will play out in the event of an indemnification-related claim. While legal counsel can advise and make recommendations, the business stakeholders may be in the best position to assess which party is better able to control and, ultimately, to assume various business risks under the deal, like those that an indemnification provision allocates. In our SaaS vendor example, if the vendor’s product collects customer data, and the business stakeholder confirms to counsel that the data is sent only after it is anonymized, then the data security risks may be substantially lower and a monetary cap on vendor’s indemnification obligations concerning data security may be reasonable. It is important that legal counsel and business stakeholders team up to proactively assess commercial risks and negotiate the parties’ respective indemnification obligations and liability limits to ensure the final deal terms achieve the desired business outcomes.

Disclaimer: The information in any resource in this website should not be construed as legal advice or as a legal opinion on specific facts, and should not be considered representing the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical guidance and references for the busy in-house practitioner and other readers.
