If you’ve been a Devant client for a while, you’ll know that we have fairly firm views on indemnities. These can be summed up in one word: no!

As you’d expect from us, we review and revisit this position periodically, to see if things have changed in case law or insurance cover, and if we need to update our advice. This note is the result of our most recent update on indemnities, following an in-depth review with a specialist Professional Indemnity Insurance provider.

This legal update explores:

• what an indemnity is
• a practical example of a potential indemnity claim
• why your Professional Indemnity Insurance won’t help
• how to deal with indemnity requests from customers

What is an indemnity?

An indemnity is a promise to protect someone from the consequences of a particular event, like a contract breach. You might have seen the phrase “hold harmless”. If you agree to indemnify someone against your breach of a particular contract term (like an obligation to hold personal data safely, for example), then you’re agreeing to protect them against any consequences of your breach. 

An example of an especially broad indemnity could be:

‘The supplier hereby agrees to indemnify the customer against any and all losses, direct and indirect, including reasonable attorney’s fees, arising from or in connection with the supplier’s performance or non-performance of its obligations hereunder.’

More focussed indemnities could include indemnities against infringements of third party intellectual property rights, or indemnities against claims for breach of GDPR or other data protection laws. These are becoming increasingly common, so understanding this topic will help you resist them!

A practical example of a potential indemnity claim

How would this work in practice? Let’s say you host a client’s e-commerce website. Their customers provide personal data when they want to buy products from your client, and you store it in a database to enable the client to fulfil the order. You’re obliged to use appropriate security measures to prevent unauthorised access to the data, and have indemnified your client against any costs resulting from your breach of that obligation.

If the database was hacked, and the hackers used the stolen data to steal funds from your client’s customers, there would clearly be a loss of personal data. Whether this constituted a breach of your obligations under the contract would depend on the quality of your security measures, and whether the Information Commissioner’s Office (if the database is stored in the UK) felt you (and your client) had done everything you reasonably should have. Let’s say that the ICO decided your client should have undertaken penetration testing, to check the security was good enough, and because they hadn’t done so, it imposed a fine of £2million on your client. 

Your obligation to indemnify your client against loss or damage as a result of your breach of data protection obligations could enable them to claim:

• The £2million fine
• Your client’s costs in contacting the data subjects to let them know of the breach
• Any damages the client was required to pay to the data subjects because of the breach
• The cost of any remedial public relations work the client had to undertake to protect their reputation
• The cost of fixing the database security to prevent any recurrence of the breach
• Any legal costs the client might have incurred in dealing with the ICO and with the data subjects
• Your client’s management costs in dealing with the matter

You can see how this can quickly add up, and why we might be less than enthusiastic about you agreeing to indemnify anyone for anything!

Why your PI insurance won’t help…

PI cover exists to protect professionals from negligence claims. If you are negligent when delivering your service, and a customer makes a damages claim as a result, this is exactly what your PI insurance is for (subject otherwise to the policy terms and market standard exclusions).

All PI policies have, as a general rule, an exclusion for liability arising from ‘onerous contractual clauses’. The principle is that if you have agreed to a contractual clause that imposes a higher level of obligation upon you than would exist at English law without the clause, the insurer may refuse to service the claim, and/or to create some element of uninsured loss in respect of claims made under that particular clause. The presence of such a clause would not invalidate the entire policy – it would only affect claims brought under that clause.

Indemnities are usually assumed to fall under the category of ‘onerous contractual clauses’, and therefore excluded from PI cover. Our insurance specialist’s advice is always to ‘just say no’, if at all possible.

Their initial argument is that the matters that would be covered by the indemnity are already covered under the general rules of negligence – so, for example, infringement of 3rd party IP rights would be a negligent act, giving rise to a claim for damages. There’s no need for an additional indemnity – it’s redundant. The customer would be covered at law without it (and you would be insured as a result!).

While the specific drafting of the indemnity provision may vary, insurers would generally see them as reducing their options when it comes to defending any claims. If a customer brings a claim against you, and you seek to use your PI cover to settle it, your insurers will seek to either defend the claim or, at the very least, minimise the amount they have to pay out as a consequence. The more options they have to defend the claim or mitigate the costs, the better. If you’ve granted the customer a contractual indemnity, you’ve taken away the insurer’s ability to mitigate its costs.

How to deal with indemnity requests from customers

We know these are highly technical, and it can get a bit overwhelming trying to get your head around how indemnities work and their potential consequences. But that’s why you’re an Inner Circle member – you have Devant to help deal these on your behalf!

In the first instance, advise your client that you are not permitted to give contractual indemnities because they are not covered by your insurance, which means that both your business and the client themselves would be heavily exposed by any claim. Explain that they are much better off making a straightforward claim for damages, which would give them access to your insurance, rather than an indemnity claim (which you would have to pay out of the funds you have in the bank – almost certainly a lot less than you have in your insurance limit!).

Over the years, many of Devant’s clients have experienced significant push-back to this argument. We’ve been told that “you just need to increase your insurance”, or “find a policy that will cover this”, or even that “your position can’t be right, everyone else agrees to give indemnities”.

Unfortunately, just because “everyone else agrees to it”, that doesn’t mean that “everyone else” is protected by their insurance. It’s not a question of “finding a better policy” – it is highly unlikely that you will be able to find an insurer who is willing to cover you for contractual indemnities you’ve given. 

From time to time, policies that appear to offer this cover will come onto the market. Inevitably, the underwriters drop them after a while because of the high cost of servicing them. Given that most insurance is on a ‘claims made’ basis, meaning that the policy terms that are in force at the time you make your claim are the ones that matter (not the ones that were in force when you took out the original policy, and agreed to the original contract), this can be problematic. If a claim is brought against you a few years after you entered into the original contract, you may find that the provision you were relying on no longer exists in the policy you have at the time. So you’re left high and dry, just when you need cover the most!

In our experience, we can almost always negotiate your way out of having to give contractual indemnities. Intelligent, commercially aware counterparties will generally understand the legal and commercial arguments, and will appreciate that the indemnity doesn’t serve either you or them. If it’s not possible to exclude indemnities altogether, your Devant team will help you to mitigate the risks posed by them by ensuring they’re drafted as tightly as possible.

So if “just say no” isn’t effective in getting rid of indemnities, call us. We’re here to help you keep your business (and your customers) safe!