IT contracts and confidentiality agreements: Do we need an indemnity clause?

This Insight was prepared with the assistance of summer student Nick Klatt.

When entering commercial arrangements, parties seek to manage risk and clarify responsibilities through various contractual terms and provisions. One of the most commonly used provisions for this purpose is an indemnification or indemnity clause.

At a high level, rights of indemnification are additional or extraordinary contractual rights of the parties in addition to general legal rights and remedies arising from a breach of contract. Parties involved in reviewing and negotiating Information Technology (IT) contracts and confidentiality or non-disclosure agreements are increasingly faced with the decision of whether to include indemnity clauses in their contracts.

Whether you are legal counsel, a business owner, a corporate executive or your organization’s contract manager, understanding the purpose and implications of indemnity clauses is important before signing any agreement, whether it includes such a clause or not.

In this Insight, we explore what indemnification clauses are, why some parties insist on including them and why others may be hesitant to agree to their inclusion in commercial agreements.

What is an indemnity clause?

An indemnity clause is a contractual provision where one party (the indemnifying party) typically agrees to defend and compensate the other party (the indemnified party) for any losses, claims or damages suffered or incurred that arise from specific events or situations.

These clauses typically impose two main obligations on the indemnifying party:

1. The obligation to indemnify
   • This requires the indemnifying party to compensate the indemnified party for losses, damages or related costs arising from the specified event or circumstance
2. The obligation to defend
   • This requires the indemnifying party to compensate the indemnified party for legal costs if a third party brings a legal claim against the indemnified party that is related to a covered event or circumstance
   • Often, this obligation also gives the indemnifying party the right to take control over the legal defence of the claim

In addition to the above, parties will often include additional terms that provide for a clear indemnification process outlining the steps both parties are required to take in the event a party makes a claim for indemnification under the contract. This will often include terms addressing either party’s right to settle any claim without the involvement/approval of the other party.

Indemnity clauses in IT agreements

Indemnity clauses are common in technology or IT contracts, where they reduce uncertainty and help define the responsibilities of each party.

Some common examples include:

• A software vendor or provider might agree to indemnify a customer against third-party claims of intellectual property infringement related to the customer’s use of the software
• A managed service provider may agree to indemnify the customer for losses and/or damages from downtime or failure to meet agreed-upon service levels
• A cloud service provider might indemnify a client for losses, damages or third-party claims resulting from a data or security breach

Indemnity clauses in confidentiality and non-disclosure agreements

Non-disclosure agreements (NDAs) and confidentiality agreements are typically contracts between two parties:

• A disclosing party, who shares sensitive or confidential information
• A receiving party, who receives that information and agrees to protect the information and not disclose it to the public or any other unauthorized third party

Given the potentially significant consequences associated with a breach of confidentiality, the disclosing party will often seek to include an indemnity clause that requires the receiving party to compensate them for any claims, losses, damages or expenses resulting from a breach of the NDA or confidentiality agreement. Furthermore, an indemnity clause may stipulate that the receiving party compensate the disclosing party for any expenses, legal or otherwise, associated with enforcing the NDA or confidentiality agreement.

Common examples include:

• A company hires a software developer to build a proprietary application for them. The developer agrees to indemnify the company for any losses and/or damages resulting from the negligent handling of, or unauthorized disclosure of, the company’s source code, technical documents or other proprietary or confidential material.
• If a cloud service provider gains access to sensitive client data during integration or support, the service provider may agree to indemnify the company against any damages, losses or third-party claims resulting from the unauthorized access or disclosure of client data stored or processed on the provider’s systems.
• A company collaborates with a financial or health technology partner and provides them with access to sensitive personal information (e.g. personal health information or personal financial information). The company may want to be indemnified by the partner against any regulatory penalties, third-party claims or damages resulting from the unauthorized use of, or disclosure of, personal information.

Why include indemnity clauses?

Risk management

Indemnity clauses are highly customizable. Parties can negotiate which events, claims or circumstances will trigger indemnification. Through negotiation, they may allocate risk based on their capabilities, risk tolerance and relative bargaining power. The inclusion of these clauses assists each party in understanding and planning for the risks they are responsible for, which can often be addressed or partially mitigated by securing insurance or implementing preventive measures to avoid triggering an obligation to indemnify.

Legal clarity

A well-drafted indemnity clause that clearly outlines each party’s rights and responsibilities reduces the likelihood of disputes and makes it easier for the courts to assign liability if a conflict between the parties arises. It also gives both parties clarity about which risks they are, and are not, responsible for.

Hesitations about inclusion

Broad exposure

Since the scope of the indemnification can be defined broadly, the indemnifying party may end up being responsible for a wide range of damages, losses or claims. As a result, a party may be reluctant to include an indemnity clause due to the potentially broad financial and legal exposure it creates. However, these risks can typically be addressed or reduced through the drafting of careful and appropriate limits on the scope of an indemnity clause.

Financial uncertainty

The exact cost of defending a potential claim or paying a settlement as a result of indemnifying another party is often unknown at the time of contract negotiation. This financial uncertainty can make parties wary of agreeing to indemnity clauses. Additionally, indemnity clauses may require a party to take responsibility for events and circumstances beyond their control, which may add to a party’s reluctance to include them. To address these risks, parties will often look to “cap” their total liability under an indemnity clause through the use of limitation of liability provisions or the use of certain “sole remedies” – such as modification, replacement or contract termination – in connection with a claim for indemnification.

Complexity and disputes

Indemnity clauses can be difficult to interpret and understand without legal expertise. Disagreements between parties can arise over the interpretation of the clause, which specific events are covered or the rights and responsibilities under the clause. To avoid this risk and legal uncertainty, some parties may choose to avoid indemnity clauses altogether. However, it is important to emphasis that indemnity clauses, like any other contractual provision, serve an important risk mitigation function when used appropriately. A blanket rejection of all indemnity clauses prevents a party from taking advantage of the benefits these types of provisions can offer from both a legal and business perspective.

The importance of legal advice

With proper legal guidance, indemnity clauses can serve as effective tools for managing risk and providing legal certainty for the parties to the contract. However, the addition of these clauses is not without risk. Before agreeing to a contract that includes an indemnity clause, parties should:

• Understand which events will trigger indemnification
• Know their rights, responsibilities and risk exposure under the clause
• Seek legal advice during review and negotiation to avoid unintentionally accepting broad or unfair risk

For more information on technology contracting or assistance with advising on and negotiating indemnification clauses, please contact the Technology, Intellectual Property and Privacy Group at MLT Aikins.

Share