📚 Basic Concepts

An indemnification clause typically makes you liable for three categories of costs if you breach the NDA's confidentiality obligations:

  • Direct damages: The actual financial loss the other party suffers from your breach (e.g., lost business, remediation costs)
  • Third-party claims: Lawsuits brought by customers, partners, or others affected by the breach. You pay their legal defense and any judgments.
  • Legal fees: The other party's attorneys' fees, expert witness costs, and court expenses for pursuing claims against you

The scope varies significantly by clause. Broad clauses may include consequential damages like lost profits, reputational harm, and regulatory fines. Narrower clauses limit you to direct, proven damages only.

Real-world example: If you accidentally leak a client's customer database, you might be liable for: (1) the client's notification and credit monitoring costs, (2) defending lawsuits from affected customers, and (3) the client's legal fees for suing you.

Regular breach of contract typically limits recovery to direct, foreseeable damages between the two contracting parties. Indemnification expands this in several important ways:

  • Third-party claims: Standard contract damages usually don't cover lawsuits from outside parties. Indemnification does.
  • Defense obligations: You may be required to actively defend lawsuits, not just pay damages afterward
  • Broader damage types: Indemnification often includes consequential and incidental damages that might be excluded under normal contract principles
  • Attorneys' fees: Under the "American Rule," each side usually pays their own legal fees. Indemnification overrides this.

Practical impact: Without indemnification, if your breach causes a third party to sue your counterparty, that counterparty might not be able to recover those costs from you at all. With indemnification, you're on the hook for the whole thing.

This common phrase contains three distinct obligations:

  • Defend: You must provide legal defense when claims arise - hiring lawyers, managing litigation, appearing in court. This obligation triggers immediately when a claim is made, before liability is determined.
  • Indemnify: You must compensate the other party for losses - paying judgments, settlements, and damages that result from covered claims.
  • Hold harmless: You promise the other party won't suffer any financial harm from the covered events. Some courts treat this as broader than indemnification, covering even the other party's own negligence.

Key distinction: The duty to "defend" is usually broader than the duty to "indemnify." You might have to defend a lawsuit that ultimately proves groundless, but you'd only indemnify for actual proven losses.

Cash flow impact: Defense obligations can be extremely burdensome because you're paying legal bills as they come in, potentially for years, before any final determination of liability.

Liability Exposure

This depends entirely on the specific clause language. There are three common scenarios:

  • Capped: The indemnification is subject to the agreement's overall limitation of liability (e.g., "not to exceed $1M"). This is the safest for you.
  • Uncapped but limited types: No dollar cap, but limited to certain damage types (e.g., direct damages only, no consequential damages)
  • Fully uncapped: No limit on amount or damage types. Common language: "any and all damages, losses, and expenses of any nature whatsoever." This creates potentially unlimited exposure.

Watch for: Clauses that specifically "carve out" indemnification from liability caps. Language like "notwithstanding any limitation of liability" or "the limitations in Section X shall not apply" removes the safety net.

Real-world risk: If you breach confidentiality of a pharmaceutical formula, the damages could be hundreds of millions of dollars in lost market exclusivity. Without caps, you could be personally bankrupted.

Some aggressive indemnification clauses cover "any breach or alleged breach" - this is problematic. Here's why:

  • Defense costs triggered immediately: Even frivolous allegations can force you to fund expensive legal defense
  • No proof required: You might pay costs for defending claims that are ultimately dismissed
  • Settlement pressure: Facing unlimited exposure, you may be pressured to settle even meritless claims

Better language: Look for clauses limited to "actual breach" or "proven breach" or that require the claimant to demonstrate breach before indemnification kicks in.

Negotiation tip: If you can't remove "alleged breach" language, at least negotiate that defense costs for unproven allegations are reimbursed if the claim is dismissed or you prevail.

Technically yes, but enforceability varies by jurisdiction and courts often limit such provisions:

  • Express language required: Courts typically require clear, explicit language to indemnify someone for their own negligence. Generic indemnification language usually won't cover it.
  • Gross negligence/willful misconduct: Most jurisdictions refuse to enforce indemnification for gross negligence, reckless conduct, or intentional wrongdoing as against public policy.
  • Comparative fault: Some clauses reduce indemnification proportionally if the indemnified party contributed to the harm

Practical advice: If you're the disclosing party, include language requiring indemnification "regardless of any negligence" of your employees. If you're the receiving party, insist on carving out indemnification for the other party's own fault.

Example carve-out: "The Receiving Party shall not be obligated to indemnify the Disclosing Party to the extent any claim arises from the Disclosing Party's own negligence, willful misconduct, or breach of this Agreement."

Almost certainly yes. Standard NDA indemnification clauses make you responsible for anyone who receives confidential information through you:

  • Employees: Their breaches are your breaches under respondeat superior and explicit NDA language
  • Contractors/consultants: If you shared information with them, you're typically liable for their misuse
  • Agents and representatives: Anyone acting on your behalf
  • Subprocessors: Vendors who handle confidential information you shared with them

Mitigation strategies:

  • Limit who can access confidential information to those with genuine need-to-know
  • Ensure all recipients sign confidentiality agreements with comparable protections
  • Train employees on confidentiality obligations
  • Implement technical controls (access logs, DLP systems, encryption)

Negotiation tip: Try to add language making indemnification conditional on having implemented "reasonable security measures" - this creates a defense if you acted responsibly.

🛡 Insurance Coverage

Standard business insurance often does NOT cover contractual indemnification obligations. Here's the breakdown:

  • General Liability (CGL): Typically covers bodily injury and property damage from your operations, NOT pure financial losses from confidentiality breaches
  • Professional Liability/E&O: May cover claims arising from professional services, but often excludes intentional disclosure or breach of contract claims
  • Cyber Liability: Most likely to cover data breach-related indemnification, but policy terms vary widely
  • Contractual Liability Coverage: Some policies include endorsements for contractual indemnification - check if yours does

Critical issue: Many policies exclude "assumed liability" - obligations you voluntarily took on by contract that you wouldn't have otherwise. Indemnification is classic assumed liability.

Action items: Review your policies with your broker before signing NDAs with significant indemnification. Consider requesting a "contractual liability" endorsement.

If you're on the receiving end of valuable confidential information, requiring the receiving party to maintain insurance can be valuable - but has limitations:

Common requirements:

  • General liability: $1-2M per occurrence
  • Professional liability/E&O: $1-5M depending on industry
  • Cyber liability: $2-5M for tech companies handling sensitive data
  • Umbrella/excess: Additional coverage above primary limits

Limitations to understand:

  • Insurance existence doesn't guarantee coverage for your specific claim
  • Policy exclusions may apply
  • Other claims may exhaust limits before yours
  • Insurance companies can dispute coverage

Better approach: Request to be named as an "additional insured" on relevant policies. This gives you direct rights under the policy rather than having to collect from the other party.

The ideal insurance portfolio depends on your business, but for companies regularly handling confidential information:

  • Cyber Liability Insurance: Essential for any company handling digital confidential information. Covers data breaches, notification costs, regulatory fines, and often third-party claims.
  • Professional Liability (E&O): Covers claims arising from your professional services, including failure to protect confidential information in client work.
  • Technology Errors & Omissions: Specifically designed for tech companies, covers software failures that could expose confidential data.
  • Media Liability: Covers defamation, privacy violations, and IP infringement claims; relevant if you might inadvertently publish confidential information.

Coverage amounts: Should match or exceed the indemnification caps in your contracts. If you sign unlimited indemnification, even high limits may be insufficient.

Cost consideration: Cyber liability insurance typically runs $1,000-5,000/year for $1M coverage for small companies. Much cheaper than a single breach.

Yes, if you're sharing highly valuable confidential information and the NDA includes indemnification obligations. Here's what to request:

  • Certificate of Insurance (COI): Standard document from their insurer confirming coverage exists
  • Policy declarations page: Shows actual limits, effective dates, and named insureds
  • Additional insured endorsement: Adds you as a protected party under their policy
  • Notice of cancellation: Requires insurer to notify you if coverage lapses

When this matters most:

  • Trade secrets worth millions of dollars
  • Customer data subject to regulatory requirements
  • Proprietary technology that competitors would exploit
  • Dealing with smaller companies that might not survive a judgment

Practical reality: Many counterparties will push back on insurance requirements for "just an NDA." Reserve this request for high-stakes disclosures.

Procedures & Process

Follow the procedures specified in the NDA carefully - failure to do so can forfeit your rights. Typical steps:

  • Prompt written notice: Notify the indemnifying party immediately upon learning of a claim. Most clauses require "prompt" notice or notice within a specified period (e.g., 30 days).
  • Describe the claim: Include all relevant details - who's claiming what, basis of the claim, damages sought
  • Document everything: Preserve all evidence of the breach, your damages, and the underlying claim
  • Cooperate: Provide information the indemnifying party needs to defend or settle

What your notice should include:

  • Identification of the NDA and indemnification provision
  • Description of the breach or triggering event
  • Copy of any third-party complaint or demand
  • Statement that you're invoking indemnification rights
  • Request for defense and/or reimbursement

The consequences depend on the specific clause language:

  • Harsh clauses: "Failure to provide timely notice shall forfeit all indemnification rights." You're completely out of luck.
  • Moderate clauses: Late notice doesn't forfeit rights but may reduce recovery by any actual prejudice caused by the delay.
  • Lenient clauses: Notice is required but failure doesn't excuse indemnification unless the indemnifying party was actually harmed by the delay.

Types of prejudice from late notice:

  • Lost opportunity to participate in early defense
  • Settlement reached without indemnifying party's input
  • Evidence lost or unavailable
  • Larger damages than could have been mitigated

Best practice: Always provide notice immediately, even if you're not sure indemnification applies. Better to give unnecessary notice than miss a deadline.

This is heavily negotiated because control affects outcomes significantly:

If the indemnifying party controls:

  • They choose lawyers and strategy
  • They can settle claims (usually with limits on admitting fault)
  • The indemnified party can usually participate at their own expense
  • Risk: They might prioritize cost savings over your reputation

If the indemnified party controls:

  • They choose lawyers and strategy
  • The indemnifying party just pays bills
  • Risk: No incentive to control costs; might run up huge legal bills

Common compromise: Indemnifying party controls defense, but cannot settle in a way that (1) admits fault by the indemnified party, (2) requires the indemnified party to take or refrain from action, or (3) doesn't fully release the indemnified party, without consent.

Depends on the clause. Watch out for these scenarios:

Dangerous language: "The Indemnified Party may settle any claim in its sole discretion and the Indemnifying Party shall reimburse all settlement amounts."

  • Gives them complete freedom to settle
  • No limit on settlement amount
  • Could settle for far more than litigation would cost
  • Could settle claims that have no merit

Protective language to negotiate:

  • "The Indemnifying Party's consent shall be required for any settlement exceeding [amount]"
  • "No settlement shall be binding on the Indemnifying Party without prior written consent"
  • "Settlement amounts shall be commercially reasonable given the nature of the claim"

Your leverage: If you're paying, you should have a say. Push for consent rights or at least consultation requirements before any settlement.

💡 Negotiation Strategy

It's worth trying, but success depends on leverage and context:

Arguments for removal:

  • "This is just an NDA for preliminary discussions - indemnification is overkill"
  • "Standard breach of contract remedies are sufficient"
  • "We're both sophisticated parties who can bear our own risks"
  • "Indemnification is appropriate for a services agreement, not a simple NDA"

When you're unlikely to succeed:

  • You're receiving extremely valuable trade secrets
  • The other party has much more leverage
  • Industry-standard NDAs in your sector include indemnification
  • You've already signed similar clauses with others

Fallback positions: If you can't remove it, negotiate: (1) mutual indemnification, (2) caps tied to insurance or deal value, (3) limitation to third-party claims only, (4) "material breach" trigger requirement.

Caps are essential to making indemnification manageable. Here are common approaches:

Fixed dollar cap:

  • Simple and clear
  • Appropriate for defined-scope relationships
  • Example: "Total indemnification shall not exceed $500,000"

Formula-based cap:

  • Ties to economic reality of the relationship
  • Example: "Not to exceed amounts paid under related agreements in the preceding 12 months"
  • Common in SaaS/services contexts

Insurance-based cap:

  • "Limited to amounts recoverable under Party's applicable insurance policies"
  • Ensures you're not paying out of pocket
  • Other party may require minimum insurance levels

Negotiation tip: Link your cap to the value at stake. If they're sharing $10M trade secrets, a $50K cap may not fly. If it's just preliminary product discussions, a modest cap is reasonable.

Certain misconduct is typically "carved out" from liability caps because the policy goal of caps (fair risk allocation) doesn't apply to intentional wrongdoing:

  • Willful misconduct: Intentional breaches shouldn't have a price cap - that just lets them pay to breach
  • Gross negligence: Reckless disregard for confidentiality obligations
  • Fraud: Intentional misrepresentation about confidentiality practices
  • Criminal conduct: Theft, espionage, or other criminal misappropriation
  • Unauthorized disclosure to competitors: The most damaging type of breach

Sample carve-out language: "The limitations set forth in this Section shall not apply to (a) willful misconduct or gross negligence, (b) breach of confidentiality obligations through intentional unauthorized disclosure, or (c) violations of applicable data protection laws resulting from failure to implement required security measures."