Of all the issues addressed in contracts, one would be hard pressed to find an issue that is more negotiated and misunderstood than indemnification. Even the term itself is hard to pronounce for the uninitiated.

This article provides business professionals and new attorneys with a brief, high-level explanation of indemnification in the context of technology contracts. The issues covered in this article are addressed in a generalized, broad-strokes fashion. All of the topics addressed herein contain significant nuance. Nevertheless, business professionals and new attorneys will be able to analyze indemnification issues through the framework provided in this article.

We’ll use the chart set forth below to illustrate indemnification in technology contracts.

1. What is Indemnification?

Indemnification is a promise by the indemnifying party to pay for certain losses, liabilities, damages, costs and expenses (collectively, “Losses”) of the indemnified party that result or arise from certain occurrences that are enumerated in the applicable contract. That is it. A promise to indemnify is a promise to pay the other party to cover certain Losses. An insurance policy is a type of indemnification obligation. An insurer promises to pay the insured for Losses that result or arise from the occurrences covered by the insurance policy.

But, nothing can be quite that easy in the legal world. “Indemnification” (when used loosely during negotiations) typically includes the separate and distinct “defend” obligation in addition to the “indemnify” obligation. The defend obligation means the indemnifying party must defend the other party from third-party claims (i.e., pay lawyers to litigate the case). This is why an indemnification provision in a technology contract usually lists both the “defend” and “indemnify” obligation. For example, a simple, standard indemnification provision may commence as follows: “The indemnifying party shall defend, indemnify, and hold harmless the other party…”

2. So, what does “hold harmless” mean?

Let’s add a bit more confusion. For most practical purposes, “indemnify and hold harmless” means the same thing as “indemnify.” There is a split among the various different state laws on whether or not “hold harmless” adds something extra to “indemnify.” For example, some states take the position that a “hold harmless” provision adds a release that prevents the indemnifying party from directly suing the indemnified party in connection with the occurrences that are enumerated in the applicable contract.

Any further discussion of the nuanced differences between “indemnify” and “indemnify and hold harmless” is beyond the scope of this article. Most new attorneys and business professionals should take comfort in the fact that most practitioners treat “indemnify” and “indemnify and hold harmless” as synonyms. If you master all aspects of indemnity provisions except this issue, you will be in a better position than 99% of practitioners.

3. Why do technology contracts contain indemnification provisions?

Business parties may be at higher risk of third-party litigation by entering into a business arrangement with another party. In the chart above, Customer would have a virtually 0% chance of getting sued by the Third Party for intellectual property infringement relating to Provider’s software if the Customer did not enter into a contract with Provider for the use of Provider’s software. Why would anybody sue Customer for infringement relating to Provider’s software if Customer isn’t using Provider’s software in the first place? Even the most litigious plaintiffs out there probably won’t go this far.

After the Customer enters into the software license agreement and begins using Provider’s software, such risk is no longer 0%. While not likely, it is certainly possible for Customer to get sued by Third Party if Customer is using Provider’s software and Third Party believes Provider, Customer or both are infringing its intellectual property rights in the software. Indemnification is a tool to address this increased risk of third-party litigation.

By agreeing to an indemnification obligation in a contract, the indemnifying party is saying, “I understand that you (counterparty) could get sued by third parties if X, Y, or Z happens. I am willing to defend those lawsuits and cover the related costs and damages from those lawsuits because I believe I am in the best position to mitigate that risk and the business deal is still worth it for me despite this indemnification obligation.”

For these reasons, most, but not all, indemnification obligations in technology contracts are imposed upon the Provider in favor of the Customer. As a practical matter, the Customer is usually the party at increased risk of third-party litigation by virtue of entering into the contract for use of the Provider’s SaaS solution or software.

4. What occurrences are usually enumerated in technology contracts as indemnified claims?

Technology contracts contain a wide variety of indemnified claims. Negotiating leverage between the Provider and Customer plays a large role in determining what indemnities are ultimately included in the contract.

It is widely expected that the Provider should defend and indemnify the Customer from and against all Third Party claims that allege Customer’s use of the Provider’s technology (SaaS solution, software, etc.) infringes the Third Party’s intellectual property rights. This is considered a “market term,” and a Provider would be taking an aggressive position if it refused to provide such indemnity protection.

Another important indemnity for SaaS Customers is protection from Third Party claims resulting from data breaches. A detailed discussion of risk allocation and obligations resulting from a SaaS provider’s data breach is outside the scope of this article. However, most SaaS customers with at least some leverage should negotiate some level of indemnity protection for Third Party claims that result from a Provider data breach.

One important indemnity for a SaaS provider is protection from Third Party claims resulting from a claim that Customer did not have the proper authority and consents to disclose the Customer data to the Provider. In order to provide a SaaS solution, the Provider needs to process Customer’s data. It is reasonable for a Provider to expect indemnity protection from the Customer if the Provider is sued by a Third Party claiming that Customer did not have the proper authority and consents to disclose the Customer data to the Provider.

Other common occurrences that are included within indemnity provisions as indemnified claims are: (i) breach of the contract, (ii) violation of law, and (iii) negligence, gross negligence, fraud and willful misconduct. Depending on the specific circumstances, a party should think carefully prior to agreeing to broad indemnity obligations that are triggered by any breach of the contract, any violation of law or mere negligence.

5. When does the indemnification obligation “kick in”?

An important indemnification concept is understanding when the obligation is “triggered”. In the technology contract context, indemnification is limited to third-party claims (see #6). So, in the chart above, indemnification applies once the Third Party makes a claim against the Customer. Let’s assume the Provider provisions a SaaS solution to the Customer. Let’s further assume that the Provider experiences a data breach that affects Customer data. Finally, let’s assume the contract contains the following provision: “Provider shall defend, indemnify and hold harmless Customer from and against all third-party claims, and all losses, liabilities, damages, costs and expenses resulting from such third-party claims, to the extent the third-party claims arise from the unauthorized access to, or use or disclosure of, Customer’s data in the possession or control of Provider.”

Provider would have no contractual obligations to Customer under this example provision unless and until a third party (e.g., Customer’s customers) sued Customer, maybe because their data is now in the hands of bad actors. Customer itself could experience significant costs and expenses due to the Customer data breach (e.g., business interruption, hiring a forensic investigator to determine cause and extent of the data breach, etc.). Nevertheless, this indemnity provision would not obligate Provider to cover any of those costs or expenses unless and until a third party came along and sued the Customer.

Another very important concept is the idea that the indemnifying party’s indemnification obligation commences the moment the Third Party makes the claim, regardless of the merits of the claim. Claims, by their nature, may be wrong, frivolous, lack merit, etc. None of that matters in a standard indemnity provision. The indemnifying party is “on the hook” to defend the claim (and cover all Losses) if the third-party claim results or arises from one of the occurrences that are enumerated in the applicable contract.

In the chart above, let’s assume the Provider provisions a SaaS solution to the Customer. Let’s further assume that a Third Party sues the Customer alleging the Customer’s use of the Provider’s software infringes the Third Party’s intellectual property rights. Finally, let’s assume the contract contains the following provision: “Provider shall defend, indemnify and hold harmless Customer from and against all third-party claims, and all losses, liabilities, damages, costs and expenses resulting from such third-party claims, to the extent the third-party claims arise from a claim that Customer’s use of the software as permitted in this Agreement infringes such third party’s intellectual property rights.”

In such example, it is somewhat irrelevant whether or not the Third Party’s claim has merit, is ultimately successful or is a frivolous claim. The Provider’s obligations “kick in” the moment the claim is made. Provider will not be able to avoid the indemnity obligation by arguing with the Customer that “the claim is false”, or anything of the sort. As between Provider and Customer, this is besides the point. The mere fact that such a claim was made triggers the Provider’s indemnification obligation.

6. Does indemnification address damages caused by the other party’s breach of contract?

No. As mentioned above, indemnification only addresses paying lawyers to defend lawsuits made by third parties against the other contracting party and covering the resulting Losses from those lawsuits.

In the chart above, indemnification would not play a role in any dispute between Provider and Customer over whether or not Provider or Customer breached the agreement. In these instances, either Provider or Customer would sue the other party directly. For example, if Customer fails to pay license fees, Provider would file a lawsuit against the Customer. Or, if Provider did not provide software with promised functionality, Customer would sue the Provider. Indemnification does not address direct disputes between the parties.

Of course, nothing can be quite that easy. Indemnification can technically apply to direct claims between the contracting parties. However, that is almost always inappropriate in commercial technology agreements. Such matters are better addressed by breach of contract claims between the parties. This is why we say that indemnification is limited to third-party claims.

Finally, indemnification can come into play if, as a result of a contracting party’s breach of the contract, a third-party claim arises against the other party. This assumes the indemnity provision in the contract itself includes “breach of contract” as an occurrence that triggers indemnification. For example, in the chart above, let’s assume Provider provisions a SaaS solution to the Customer. Let’s further assume that the Provider agreed in the contract to implement and maintain certain data security precaution X and that Provider breached that obligation. Finally, let’s assume the contract contains the following provision: “Provider shall defend, indemnify and hold harmless Customer from and against all third-party claims, and all losses, liabilities, damages, costs and expenses resulting from such third-party claims, to the extent the third-party claims arise from Provider’s breach of this Agreement.”

Customer and Provider may very well have a dispute directly among themselves over this breach. Provider’s breach may have resulted in a virus getting into Customer’s systems or resulted in a software functionality error. Customer could sue Provider for breach of contract directly to recoup damages incurred as a result of these events. So far, indemnification plays no role.

However, if Provider’s failure to implement and maintain certain data security precaution X resulted in Customer getting sued by its customers because their data is now in the hands of bad actors, indemnification obligations would be triggered in addition to the breach of contract dispute discussed above. Under the example indemnity provision, Provider will be required to defend those lawsuits and pay the resulting Losses in addition to the dispute litigated directly between Provider and Customer. 

7. Why do lawyers fight so much over indemnification obligations?

As with most questions in the business world, it comes down to money. Indemnification can be very expensive for the indemnifying party. As described above, indemnification commences the moment the claim is made against the other party, whether or not the third-party claim is accurate. So, even in a “good” scenario, the indemnifying party may be required to pay hundreds of thousands of dollars (or even millions) to defend a lawsuit it wins. The indemnifying party did nothing “wrong,” but is still required to spend a very significant amount of money. In the “bad” scenario, it may need to spend all of that money, lose the case, and spend even more to cover all of the Losses that result from the lawsuit, which can easily climb into the multimillion-dollar figures.

Please feel free to reach out to Koley Jessen’s Commercial and Technology Contracts team with any questions relating to indemnification.

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}