The Overuse of Indemnities

by David Tollen

Many IT contracts feature a strange clause. One party (usually the customer) asks the other for an indemnity against, “any third party claim resulting from SuspectCo’s breach of this Agreement,” or words to that effect. That indemnity doesn’t just cover claims about data incidents or personal injury or IP. It covers all claims, so long as the indemnitor allegedly breached the contract. (In our trainings, I call it a “nuclear indemnity” because it destroys all in its path.)

This clause imposes tremendous risk on the indemnitor. And while the indemnified party certainly benefits, it might not negotiate an optimal deal if it considers a super-broad indemnity necessary.

You don’t need an indemnity for liability

Often, the all-claims indemnity results from a misunderstanding: from the idea that indemnity means liability. But you don’t need an indemnity to hold the other party liable for losses resulting from its breach. Typical contract damages generally do that job. And yes, those damages could include compensation for the costs of a third party lawsuit.

I don’t mean to suggest the super-broad indemnity has no advantage over breach damages. It has two advantages for the non-breaching party. First, an indemnity generally requires that the indemnitor spend upfront on the defense and on any judgment paid to the third party plaintiff. So the indemnified party doesn’t have to pay those costs itself and then demand reimbursement. That’s particularly valuable because full reimbursement isn’t certain. Second, the indemnity usually operates outside the contract’s limit of liability. So the indemnitor could pay more.

Those advantages, however, don’t render the indemnity necessary to hold the breaching party liable.

Indemnities against third party claims make the most sense for specific types of claim

I think an indemnity makes the most sense when one party’s activities create a clear risk of third party claims against the other. (BTW, those lawsuits don’t have to result from the indemnitor’s breach. In an IP indemnity, for instance, the vendor protects the customer against intellectual property claims even if they’re not valid – even without actual infringement or breach.)

In any deal, then, you should ask what third party suits the relationship could generate. Tech contracts almost always include IP indemnities because the customer’s use of software or other tech carries a recognized risk of patent, copyright, and other IP suits. And the parties generally agree that IP claims result from the vendor’s activities: its sale of products and services that tend to generate those claims.

That logic fits a cloud vendor’s decision to indemnify its customer against third party claims related to data breach. That’s a recognized risk too, and it (arguably) results from the vendor’s activities: providing cloud-based technology. That logic also fits an indemnity from the customer against privacy claims resulting from its failure to get permission to upload personal information to the vendor’s computers. And it fits a vendor indemnity protecting the customer against compensation claims by vendor employees and subcontractors.

All possible claims, however, doesn’t fit.

The indemnified party’s position

If you receive an all-claims indemnity, great. But remember that you don’t need it to impose liability for breach. That knowledge could give you more options. What if you could swap an extremely broad indemnity for a couple narrower ones and better terms somewhere else in the contract (price, limit of liability, etc.)?

Recognition that you don’t need an all-claims indemnity for breach liability can also save you from walking away when you should stay. It can save you from leaving a good deal because you didn’t get that super-broad indemnity, where staying still offers greater advantages than leaving.

The indemnitor’s position and the insurance comparison

How do you avoid the all-claims indemnity if you’re the would-be indemnitor? It could help to remind the other party that you’re not an insurance company, assuming you then explain what you mean.

An indemnity against all claims resulting from your breach gives you an insurance-like obligation because it’s so broad (even though insurance doesn’t require the indemnitor’s breach). Insurance companies have two ways to manage that risk, neither of which is available to you if you are, for instance, a humble IT vendor.

First, an insurance company can pretty accurately assess the odds of a claim against the customer. It can demand lots of information for use in making that assessment. You, on the other hand, probably can’t get that information. And you almost certainly lack the insurer’s expertise at assessing risk.

Second, an insurance company can require that its customer take precautions to avoid claims. You almost certainly can’t do that either.

You don’t have to answer an all-claims indemnity request with a flat “no.” You can offer more limited indemnities. And you can point out that no indemnity for a given loss doesn’t mean no liability. Just by signing the contract, you’re accepting liability for breach of contract.

For more on indemnities, check out two of our courses: The Tech Contracts Master Class, course 3 (Key Liability Terms), and The Indeminar: Indemnities in IT Contracts.

THIS ARTICLE IS NOT LEGAL ADVICE. IT IS GENERAL IN NATURE AND MAY NOT BE SUFFICIENT FOR A SPECIFIC CONTRACTUAL, TECHNOLOGICAL, OR LEGAL PROBLEM OR DISPUTE, AND IT IS NOT PROVIDED WITH ANY GUARANTEE, WARRANTY, OR REPRESENTATION. LEGAL SITUATIONS VARY, SO BEFORE ACTING ON ANY SUGGESTION IN THIS ARTICLE, YOU SHOULD CONSULT A QUALIFIED ATTORNEY REGARDING YOUR SPECIFIC MATTER OR NEED.

? 2025 Tech Contracts Academy, LLC