Many tech contracts require that one party indemnify the other against claims “resulting from the Indemnitor’s negligence or other wrongdoing.” In other words, the indemnity obligation gets triggered by the indemnitor’s fault — by something it did wrong. Unfortunately, these fault-triggered indemnities work poorly at best. To understand indemnities, you need to understand why.
Typical Fault-Free Indemnities
In an indemnity, one party promises to defend the other against third party lawsuits — and to pay resulting settlements or judgments. In other words, the indemnity clause typically has two obligations: (1) defend the case and (2) pay losses, if necessary. (Just to make contracts, confusing, the law uses “indemnify” for the second obligation, even though that’s only one of the typical requirements of an “indemnity clause.” But in this article, we’ll use “indemnify” for the whole clause.)
The simplest, most effective indemnities require that the indemnitor take responsibility for a particular type of lawsuit. They apply regardless of whether the indemnitor did anything wrong.
Take the intellectual property indemnity: the most typical version found in IT contracts. The vendor indemnifies the customer against any lawsuit claiming that, by using the vendor’s product, the customer infringed a third party’s IP (particularly patents and copyrights). These IP indemnities do not say, “Vendor shall indemnify customer against IP claims, so long as Vendor negligently or willfully infringed IP rights.” Nor do they say the vendor indemnifies, “so long as Vendor’s technology actually infringes.” If the third party IP suit relates to vendor technology, the vendor indemnifies — even if the vendor did nothing wrong and even if the claim is invalid. It’s the vendor’s technology, and the parties (usually) agree that the vendor/indemnitor will defend it. (Actually, it’s slightly more complex than that, with some exceptions meant to limit the vendor’s obligations. But that’s the principle.)
The Problem of Fault
Fault plays a larger role in other indemnities, and that’s where the clause gets messy. In data breach indemnities, for instance, vendors worry that customer security problems could trigger a breach. So the vendor doesn’t want to defend any data breach claim. It only wants to defend if it was at fault.
Plus, some contracting parties want broad indemnities covering all sorts of claims — so long as the indemnitor did something wrong.
These fault-triggered indemnities create two problems — both related to the first of the indemnitor’s two obligations: its responsibility to defend the case:
- Refusal to Defend: If the indemnity only applies where the indemnitor did something wrong, the defense may never happen. Imagine, for instance, that the indemnity clause covers “data breach claims resulting from Vendor’s negligence, breach of contract, or violation of applicable law.” If the vendor/indemnitor claims it did none of these bad things, it may not defend the customer. And that choice might be justified. Keep in mind: the court might not rule on the vendor’s conduct until the end of the case, when the defense is already over.
- Conflict of Interest: If the indemnitor does defend the case, it’ll have a hard time doing right by the indemnified party in a fault-triggered indemnity. That’s because victory for the indemnified party does not necessarily provide the quickest way out of the lawsuit for the indemnitor. Rather, the indemnitor’s quickest way out may be to prove that it did nothing wrong, terminating the indemnity. In fact, the indemnitor has an incentive to prove that the indemnified party did something wrong, even while defending that party. That conflict of interest makes defense either impractical or extra expensive. The extra expense comes if the vendor has to hire two law firms, one to pursue its own claim of innocence and the other to defend the indemnified party.
To put it another way, indemnities work well when the indemnitor and indemnified party have similar interests in the litigation. In the typical IP indemnity, for instance, the customer and the vendor/indemnitor both want the vendor to win the third party lawsuit. Victory would mean the customer can keep using the vendor’s product, which is good for both. But in a fault-triggered indemnity, the parties have opposing interests. The indemnitor wants to show that it did nothing wrong so it can escape responsibility. The indemnified party wants to establish the indemnitor’s fault, to keep it in the case. That makes cooperation difficult. And just to make matters worse, the parties’ debate might be discoverable. Through the discovery process, the third party plaintiff could learn that the indemnified party said the the indemnitor was at fault — or learn that the indemnitor admitted possible fault. And the plaintiff could use that admission in the litigation.
One qualification: this article addresses indemnities triggered by fault (including breach of contract, violation of law, etc.) — not indemnities alleging fault. The indemnitor has clearer defense obligations in an indemnity against “any claim alleging an injury resulting from Indemnitor’s negligence or other wrongdoing.” But those indemnities raise other issues. What if the third party claim blames the indemnitor, but the indemnified party actually caused the loss? And what if the claim accuses both parties? (Those are topics for another post.)
Doing Fault-Triggered Indemnities Anyway
None of this means fault-triggered indemnities have no value. The defense obligation might fall apart, but the indemnitor could still have to honor its second indemnity clause obligation. The clause might still require that it pay settlements or judgments against the indemnified party. And in some cases, the only alternative to a fault-triggered indemnity is no indemnity. Most IT vendors, for instance, will not indemnify data breach cases triggered by their customer’s IT security screw-ups. They’ll only accept indemnities triggered by their own mistakes.
So you might have to accept fault-triggered indemnities. But avoid them where possible. And recognize that a fault-triggered indemnity might not do its job, which is to provide rules for cooperation between the parties. A fault-triggered indemnity could easily lead to a battle between the business partners, right when they need to cooperate against the third party who’s suing them.
We teach courses specifically on indemnities and on tech contracts in general. Please inquire about training if you’re interested. And please contact David Tollen through his law firm, Sycamore Legal, if you’d like legal help with indemnities.
David Tollen is the founder of Tech Contracts Academy and our primary trainer. He is an attorney and also the founder of Sycamore Legal, P.C., a boutique IT, IP, and privacy law firm in San Francisco. His practice focuses on software licenses, cloud computing agreements, and privacy. And he serves as an expert witness in litigation about those same topics.
© 2019 by Tech Contracts Academy, LLC. All rights reserved.
Thank you to Pixabay.com for great, free stock photos!