So, the Customer wants you to take on unlimited liability for breach of confidentiality, indemnify (and hold harmless) for any and all bad acts of your employees, and to carry a multi-million dollar insurance policy. What do you do?

First, begin by triaging these from simplest to more complicated. During a negotiation it can be helpful to appear to “give” as much as possible up front when you’re down to a few points. This way, when the final hot button items arise, you appear reasonable.

Insurance requirements are usually no-brainers, and as long as the amounts demanded are not grotesquely high, your Risk folks will approve the proposed language with very light editing, if any. Today, it is also not unusual for the Customer to demand to be named as a payee in the event of a loss; this is often fine, and usually not an issue. More practice pointers, after the jump….

Next, tackle indemnity. This is not the first party indemnity that mergers and acquisitions folks look for during due diligence. This is third party indemnity, akin to insurance, in that you, the Vendor, are agreeing to indemnify the Customer in the event of third party claims brought about by your behavior. Tread carefully here, as vestigial language can trip you up. Indemnity, in theory, is an acceptable demand from a Customer. For instance, if one of your employees does something on-site that causes harm to a third party (employee of the Customer), and that third party sues his employer, then you’d expect to be on the hook.

However, what if the Customer is at least partly at fault? Joint and several liability could be assessed — unless you’ve agreed to “hold harmless.” Courts around the country have sporadically held that “holds harmless” means just that — no matter what, the Customer is being held harmless in the event that you agree to indemnify. I strike this language as a matter of course, and when questioned, I turn the question back on the objector and ask what they think it means. I guarantee you that you will win this point almost every time. Lawyers tend to become comfortable in what they think they know, and when challenged, often agree to strike language that can reasonably be described as obsolete.

Indemnity is often unlimited in scope, and can also be bilateral. It’s up to you how you treat this topic, based upon your decision tree of the value of the deal versus the real risk of third party claims. I have had Customers attempt to receive indemnity “in general” for acts of our employees, but this “general” indemnity makes no sense, as taken to its logical conclusion, the company would be suing itself and then asking us to step into its shoes. What the Customer is really looking for here is a limitation on liability (“LoL”).

Any number of hypotheticals have been thrown my way in an effort to obtain a greater LoL:

“What if your product catches fire and burns our building?”

“Well, if you lease your space, then the landlord would come after you, and we’d indemnify you.”

“What if your employee shoots some people on-site?”

“Again, this would be an indemnity issue.”

And this goes on and on. My absolute favorite hypothetical was from a very nasty lawyer with an entertainment agency in LA and it went something like this: “What if we have you print some scripts for an Al Pacino movie, your technician sees the script, steals it, and sells it to the National Enquirer which prints a story and Al Pacino sues us?” This was in an effort to obtain an unlimited LoL for breach of confidentiality. She didn’t even get close.

It’s important to remember that (unless you’re dealing with an insurer) no matter which side you’re on, your business partners are not insurance companies. Usually, the LoL is tied to the revenue of a deal. Other factors could be used, but a twice annual figure is more than reasonable.

And what about confidentiality? Shouldn’t that be unlimited in this technologically advanced day and age? Depends. Consider, if you’re the vendor, that first, someone would have to steal some confidential information, act on it, and damage the Customer in some way. Assess what you’ll be doing for the Customer before assessing a risk factor. If the services you’ll be providing only run an incidental risk of your employees’ exposure to confidential information, then the risk of facing a claim for breach is likely also incidental.

Next time, GLBA and HIPAA (not HIPPA).


After two federal clerkships and several years as a litigator in law firms, David Mowry is happily ensconced as an in-house lawyer at a major technology company. He specializes in commercial leasing transactions, only sometimes misses litigation, and never regrets leaving firm life. You can reach him by email at [email protected].


comments sponsored by

20 comments (hidden for your protection) Show all comments