Key Takeaways:
- As in-house counsel, our job is to mitigate or manage our company’s risk, at least down to a level that is consistent with our company’s overall level of risk tolerance.
- Contract provisions relating to privacy and security obligations can be used to frame out responsibilities and set expectations.
- It’s important to understand what data is being shared and what laws govern the protection of such data.
- Indemnification is helpful for allocating certain risks, while insurance enables additional risk to be mitigated for a price.
- Limitations of liability are heavily negotiated. The nature of the services and negotiation leverage will impact the cap amount and necessary carveouts.
Our job description as in-house counsel often includes common themes: (i) assisting our company in achieving its business goals and (ii) ensuring that our company does not take on undue risk. While each of these themes seems fairly straightforward, as we look more closely at our company's business in the context of the overall risk spectrum, we may find that there are circumstances where these roles may pull us in different directions (if not be diametrically opposed) or, at a minimum, it becomes clear that there is much to unpack here.
In a perfect world, we would be able to eliminate our company’s risk altogether. Yet seasoned in-house practitioners have come to know, often through hard-fought experience, that risk elimination is rarely a realistic outcome. If we cannot eliminate risk for our company, we want to focus on ensuring that our company is not saddled with more risk than is appropriate under the circumstances.
We need to ascertain whether there is another party to the transaction who should more appropriately bear the risk in question, in which case we will endeavor to transfer or allocate such risk to that party. If we are unable to allocate the risk to another party, we need to assess the overall risks and then determine strategies that will help us mitigate or manage our company’s risk, at least down to a level that is consistent with our company's overall level of risk tolerance.
The key provisions of contracts that deal with managing risk usually appear toward the end of the document. Frequently mischaracterized as boilerplate, these provisions dictate key terms that manage the risk exposures for our companies. The following tips are designed to help you identify and evaluate these common risk exposures that arise in commercial contracts.
1. Privacy. Depending on the type of contract, privacy provisions are either a small portion or the essential part of the contract. Begin by understanding what data is being shared with the vendor, what levels of protection are afforded to that type of data, and what laws govern the protection of such data. Understand the risk to your company if there were a breach, and ensure that responsibilities, expectations, and standards are reflected in the clauses. Additionally, you may want to consider how breaches of privacy terms may relate to your indemnification obligations, evaluate whether such breaches should be specified as carve-outs to limitations of liability, and assess the types of insurance you may require.
2. Security. Privacy and security considerations frequently go hand in hand. For services (such as software as a service or SaaS) where infrastructure will be outsourced to a third party, it is essential to understand the technical and organizational measures taken by the vendor to protect and secure any data that it will process or store (notably, the vendor’s processes, policies, controls and procedures). The vendor’s compliance with its security program during the term should be a representation, and should be verifiable by direct audit right, SOC reports, ISO certification, or another reputable third-party audit. Similar to privacy, breaches of security representations that result in unauthorized access to data are typically carved-out or subject to a super cap under the limitation of liability.
3. Intellectual Property. It is important to determine which party will own newly developed and jointly developed intellectual property (“IP”). If the services to be performed involve the creation of deliverables developed for your company, then clear language is needed showing that the full ownership of and all rights to the deliverables (whether existing or future) will automatically vest in your company upon creation. This is known as the work for hire concept.
Another area of importance related to IP involves the vendor indemnifying the customer for claims by third parties related to infringement, misappropriation, or other violation of any IP rights of the vendor that are provided for use by the customer under the agreement. From the customer’s perspective, this type of indemnity should always be excluded from the limitation of liability, because the vendor is in a better position to manage their own IP and the related infringement issues and should have insurance to back up these risks. Most vendors accept this concept and will provide an uncapped indemnity on this point, but occasionally vendors do push for a cap on these types of damages, arguing that there needs to be a limit on all types of damages. It is worth pushing back on vendors that take this position, as the risk on these IP indemnity issues should not be with the customer.
4. Warranty. Consider whether the warranties offered by the vendor are appropriate for the type of service. For general services, you can expect to see: (i) a warranty that the services will be performed in a diligent and workmanlike manner in accordance with industry practices, (ii) a warranty that the deliverables will function and comply in accordance with the agreement and statement of work, and (iii) that performance of the services will comply with applicable law.
For a software license or SaaS warranty, the customer will typically look for the following:
(i) the documented description of functionality or documentation is complete and accurate,
(ii) the software or SaaS services will perform in accordance with the documentation,
(iii) the software or SaaS services will be free of viruses and malicious code,
(iv) the vendor will include substantially similar successor software or SaaS services, and
(v) all upgrades or new releases are made available free of charge.
From the vendor’s perspective, the vendor will offer: (i) a limited warranty for software in regards to time (i.e., 90 days), and (ii) a warranty of a narrow scope that excludes all warranties not specifically offered.
5. Warranty Remedy. Warranty remedies should be appropriately tailored to the services provided. For professional services, re-performance of non-conforming services or refund is standard. For SaaS, a commitment to bring the software’s functionality back in conformity with the documentation is typical. These remedies should be at no cost to customer and subject to commercially reasonable timeframes for resolution. In general, warranty remedies are intended to support an ongoing business relationship, so vendors will frequently view these as sole remedies unless the breach reaches a materiality threshold, at which point the customer will typically have a separate termination and refund right, and the ability to seek additional claims.
6. Indemnification. Indemnification is one of the most commonly negotiated provisions. Begin by assessing the nature of the services and the relationship. Understand what types of risks and exposure your client has. What are the potential claims related to third parties and how much control do you have over the outcome? It is common to make indemnity mutual, but this may vary depending on the relationship.
Common strategies from the vendor’s perspective may include:
(i) clearly limiting the indemnity to third-party IP claims,
(ii) prorated liability (“to the extent” language), and
(iii) designing an overall cap that limits any non-IP related indemnity obligations.
Common counter strategies from the customer’s perspective are:
(i) to seek an unlimited indemnity for damages that arise out of or relate to any breach in a representation, covenant, or obligation of vendor contained in the service agreement, and
(ii) requiring all indemnity obligations to be carved out of the liability cap.
7. Limitation of Liability. If there is one issue (other than price) that typically gets negotiated in every commercial contract, it’s the limitation of liability. It is frequently the most contentious issue in the contract. The nature of the services will impact the carve-outs and/or super caps (specific caps higher than the contract’s general liability cap) that are most important to the customer.
For SaaS or other services where data (especially personal information) will be shared with the vendor, carve-outs or super caps for breaches of confidentiality, privacy and security obligations are heavily negotiated. Vendors will typically look to cap inestimable claims at a multiple of fees paid or payable, although they may be willing to accept uncapped liability for certain remediation costs related to data breaches.
As discussed above, one key exception is indemnification obligations related to IP infringement claims, which should not be subject to any cap. Mutual waivers of consequential damages are standard in commercial contracts, but certain carve-outs may be negotiated.
As with most of the provisions covered herein, there are many factors that impact leverage, including the respective size of the parties, the value and term of the contract, the number of competing vendors, the speed with which the services need to be implemented, and the uniqueness of the service offering or product.
8. Insurance. Customers generally require vendors to have certain levels of insurance per occurrence and aggregate, in order to back up the liability that the supplier takes on under the contract terms.
The most common coverages required are:
(i) general liability,
(ii) workers compensation,
(iii) errors and omissions/professional liability,
(iv) blanket crime coverage,
(v) commercial automobile, and
(iv) umbrella liability.
It is also common for the customer to ask to be added as an additional insured on certain policies and for the vendor to push back on this request for certain types of coverage (i.e., professional liability), but to accept it in other types of coverage (i.e., general liability). When considering whether to accept lower amounts of insurance than your company standard, the subject matter of the contract and potential liability that could occur under the contract are the most important factors.
It is also essential to consider how the insurance provision interplays with the limitation of liability clause. Customers should seek to:
(i) include a clause stating that the insurance provisions set forth the minimum amounts and scopes of coverage to be maintained by vendor and are not to be construed in any way as a limitation or release of vendor’s liability under the agreement, and
(ii) include a clause that states that all policies of insurance procured by vendor will be written as primary policies, not contributing with, nor in excess of coverage carried by customer.
For claims made policies, customers should ask for tail coverage for the longest period then available (beyond the end of the contract’s term) to ensure that insurance coverage in the amount set forth in the agreement is maintained for claims which arise from the acts or omissions of the vendor.
9. Termination. On one hand, termination for uncured material breach is standard in commercial contracts and rarely negotiated. On the other hand, termination for convenience is increasingly uncommon in the SaaS industry, as traditional software providers transition to subscription models that require long-term contract commitments to recognize revenue. Vendors frequently push for multi-year terms, and refuse to permit cross-termination of a related professional services agreement. For consulting agreements and professional service agreements (separate from a SaaS agreement), termination for convenience is more commonly accepted – often depending on the size and sophistication of the vendor.
For your company to realize the value of the business relationship (and retain the right to exit the relationship if that value doesn’t materialize), it becomes increasingly important to clearly define what breaches will result in termination rights. Examples of triggers that customers will often want to specify in the contract may include repeated failure to meet service levels (set forth in a Service Level Agreement or “SLA”), security breaches resulting in unauthorized access to data, or significant non-conformity in a product or system’s functionality.
10. General Provisions. Commonly brushed over, but important clauses such as venue, governing law and force majeure can have material impacts on your liability, financial implications and outcomes. Governing law matters, especially in light of the contract’s subject matter. When selecting venue and governing law, be mindful of favorable case law, unfavorable statutory interpretation in certain jurisdictions, and trends and enforcement practices for federally regulated industries. Additionally, venue selection has cost implications with regard to legal outside counsel fees and travel.
Selecting your home state, if it requires the other party to litigate elsewhere, may have a deterring effect in regard to the other party commencing litigation, as well as give you some local knowledge advantage with regard to laws and courts. Finding a neutral location such as Delaware for the parties is often the easiest compromise. Pay close attention if there are international laws or venue required. Finally, a lesson we’ve all learned this year, read the force majeure language more closely for how broadly or narrowly it is drafted to protect your interests and be prepared to propose your own more balanced version of the clause.
Conclusion
Managing risk allocation in contracts is frequently a key component of the job of an in-house counsel. There will be occasions when you will need to advise the business team against moving a deal forward. For example, if the risk your company has been asked to take on is unreasonable or inappropriate under the circumstances, your advice may simply be for your company to walk away. This can be the case when there are non-negotiable regulatory or compliance requirements.
Similarly, when another party to the transaction, perhaps the one with all of the leverage, does not take on an appropriate level of risk and instead tries to shift that risk to your company, you may also need to advise to walk away from the deal. Occasionally, these “no deal” outcomes feel like hard decisions in the moment. However, in hindsight, the best business decisions often turn out to be the deals that we did not complete.
At the same time, our job description also includes assisting our company in achieving its business goals. You can help your company achieve its business goals while not taking on undue risks by working as a business partner with others in the company, to ensure that everyone -- business and legal -- appreciates the relative risks in a transaction and how they relate to your company's overall risk tolerance. This may mean there is a risk/reward analysis to be applied. For example, to secure a lucrative piece of business from a key customer, a company may be willing to assume greater risk than, say, for an insignificant piece of business.
Of course, as in-house counsel, it is best to establish this partnership early on in our working relationship or over time working together, rather than first trying to establish it when we are sitting at the negotiating table with our counterparty. The most successful contractual negotiations usually result from a balance of working with our business partners to help our company achieve its business goals without taking on undue risks.
Note: This resource was developed as a follow-up to the ACC Annual Meeting 2020 session titled “The Interplay between Indemnity, Insurance and Limitations of Liability in Contract Negotiations.” Watch the on-demand version of the program.
Authors: Todd Borow (Associate General Counsel, AmeriHealth Caritas), Brian Campbell (Chief Legal Officer & Corporate Secretary, DHI Group, Inc.), Megan Lutes (Director of Legal, Convoy, Inc.) & Penny Williams (Vice President, Associate General Counsel, Sotheby’s)
Check Out Additional Resources
- ACC Collection: Contract Negotiation Skills
- “The Top Ten Risk Allocation Pitfalls to Avoid” (2016), by Thomson Reuters
- “Negotiating Privacy and Security in Transactions: NDAs, DPAs, and Privacy & Security Addendums” (2019 OnDemand Webcast)
- “Your Vendor, Your Risk”, by Maggie Gloeckle and K Royal, ACC Docket, October 2019
- “Ground Satellite Litigation: IP Indemnification Provisions Implicating Multiple Suppliers”, by Janine Bloch, Michael A. Molano, Graham M. (Gray) Buccigross, and Jeyshree Ramachandran, ACC Docket, September 2016
- “Introduction to SaaS/Cloud Agreements” (2020 OnDemand Webcast)