Indemnity and Insurance Provisions in E-Business Contracts

New and/or Different Risks to Which Companies Are Exposed

For illustrative purposes, let's focus on a company that is contracting with a third-party service provider for particular services that involve e-business activities. Such contracts typically involve some type of outsourcing, such as a particular back room function (e.g., payroll), an information technology function, a logistics/distribution function, etc. The key point is that these contracts involve one or more of the following activities.

• The company is providing sensitive information about its customers/clients and/or employees to the service provider.
• The company is giving access to its internal computer systems to the service provider.
• The company is sharing proprietary intellectual property with the service provider (whether software, hardware, or business process).
• The company and the service provider are communicating with each other via the Internet, and sensitive company data is being transmitted to the third party via the Internet.

Because of these activities, the company that has contracted for services that involve e-business activities is exposed to a variety of risks, some of which are unique to e-business activities. Legal liability risks include the following.

• Information about the company's customers/suppliers and employees are subject to theft, which can lead to claims of invasion of privacy and other legal liabilities.
• Some person or organization alleges that some of the proprietary software, business process, or other thing used by the company or the service provider infringes intellectual property rights.
• The service provider fails to perform, which can lead to claims for pure financial loss sustained by the company's customers or clients or downstream users.
• The company is responsible for destruction or corruption of the service provider's or another person's or organization's computer data, software, or programs (collectively, "data").

First-party risks include the following.

• The company's important information assets (e.g., any information reduced to electronic form and residing on the company's computer system) are subject to theft by the service provider or another third party, which can lead to lost business income because a competitor obtains the information.
• The company's computer system is subject to corruption by the service provider or another third party, whether accidentally or intentionally, which can lead to lost business income and extra expense.

The foregoing is a high-level discussion of the risks faced by companies as they conduct e-business activities. In short, the risks include, but are not limited to, intellectual property infringement, invasion of privacy, pure financial loss, damage to/corruption of data, and impairment of a computer system.

Indemnity Provisions to Address the Risks

Importantly, legal liability and first-party risks produced by e-business activities can be managed in part by indemnity and insurance provisions in contracts. But because some of the risks faced by companies conducting e-business activities are unique to those activities, traditional indemnity and insurance provisions simply are not adequate for e-business contracts.

With respect to the indemnity provisions of a contract involving e-business activities, risk managers and a company's contracting personnel responsible for reviewing such contracts should take care to ensure that the contract addresses certain risks. On the legal liability side, one typically sees the following risks divided into separate indemnity provisions: intellectual property infringement, privacy, pure financial loss, and general indemnity (limited to bodily injury and property damage). However, it is very important to note that in some contracts, you see only two indemnity provisions, one for intellectual property infringement, and one for general indemnity not limited to bodily injury and property damage (which means it can include indemnity for privacy and pure financial loss risk).

Regardless of how the contract is set up with respect to the indemnity provisions (i.e., whether four different indemnity provisions or two), the key point is that the risk manager or contracts person reviewing the contract must understand how the contract addresses indemnification for third-party claims for intellectual property infringement, privacy, pure financial loss, and bodily injury and property damage (including data). Those provisions must be reviewed and negotiated to ensure that the risks for which the company wants to be defended and indemnified by the service provider are addressed.

Also, all the good work that can go into such provisions are going to be for naught if the contract contains any type of consequential damages waiver and/or limitation of liability clause that does not except the service provider's indemnity obligations to the company for third-party claims. These provisions can be found in separate clauses, or in one and the same clause, in a contract, but they deal with two different, albeit related issues.

The consequential damages waiver (CDW) clause will set forth the types of losses that the company cannot claim against the service provider, period. That is, the company is waiving the right to claim certain losses against the service provider. In contrast, the limitation of liability (LoL) clause does not waive the company's right to claim a particular type of loss against the service provider. Rather, it places a monetary limit on the amount of a particular type of loss that can be claimed. For example, if the company can claim up to $1 million in costs to restore data that was damaged/corrupted by the service provider, such costs will not be listed in the CDW, but rather will be listed in the LoL.

In any event, regardless of whether CDW and LoL provisions in a contract are listed in separate clauses or in one and the same clause, it is vitally important that risk managers and contracting personnel for the company ensure that any such provisions expressly except the service provider's indemnity obligations to the company under the contract. If they do not, they might limit the service provider's indemnity obligations to the company for third-party claims, making all the hard work done on the indemnity provisions for naught.

Finally, the consequential damages waiver and/or limitation of liability clause will also impact the ability of the company to obtain compensation from the service provider for any first-party losses sustained by the company. [Remember, the indemnity provisions typically only address what happens when another person or organization (other than the service provider) brings a claim against the company.] So, if you want the service provider to be liable to you for first-party loss (e.g., lost profits, extra expenses, cost to restore lost/corrupted data, etc.), you need to make sure they are not excluded by the consequential damages waiver clause or overly limited by the limitation of liability clause.

Insurance Provisions to Address the Risks

In traditional contracts, the company would simply require standard insurance policies to ensure that the service provider had the financial wherewithal to carry out its indemnity obligations under the contract, and to otherwise shift risks under the contract to the service provider's insurers. A typical contract would require the service provider to maintain workers compensation and employers liability, automobile liability, commercial general liability, and perhaps also foreign general liability and/or umbrella liability.

However, these traditional policies are problematic when it comes to addressing the unique risks associated with e-business activities. If you look at the previous article in this column, traditional general liability insurance policies cover less and less e-business risks. The service provider's general liability insurance might not respond to third-party claims for invasion of privacy when it comes to theft of private information (where was the "publication or utterance"?), damage to/corruption of data (now expressly excluded by traditional general liability coverage), pure financial loss (typically not covered even by traditional general liability coverage), and a host of the intellectual property risks posed by e-business activities.

So, what can a company do in this situation? The company should expand the types of insurance policies required in its contracts and also expand the descriptions of coverages that it wants the service provider to maintain. There are any number of ways to do this. For example, the company's insurance provisions can insert an omnibus e-business insurance requirement that sets forth the types of coverages required and permits the service provider to maintain the coverage in one or more types of insurance policies (e.g., internet liability, professional liability, crime, etc.). Or the company can set forth several types of insurance policies the service provider is to maintain (professional liability, Internet/e-business liability, and crime) and explain the types of coverages that each insurance policy should address.

Regardless of which method is adopted, it is important that the company spell out the types of risks that will be covered by the insurance being required to be maintained. That's because the insurance policies that can address these risks are not standard. Depending on which insurer's form is used, a professional liability policy can actually cover more than an Internet liability policy can with respect to these risks. So it is not sufficient to merely require that the service provider maintain a certain type of insurance. Rather, you have to spell out the types of risk the insurance, regardless of the label or name you're giving it, is required to cover.

Concluding Remarks

Reviewing and negotiating indemnity and insurance provisions in contracts is an important risk management function for companies to carry out. However, traditional indemnity and insurance provisions in contracts are are inadequate for contracts involving e-business activities. Such contracts require specialized indemnity and insurance provisions that can, and should, be obtained. Hopefully, this article provides some useful information in that regard.

More information on this subject will be provided at the Tech-eRisk Seminar.