Managing risk

Consider adopting these practices to limit your exposure to risk.

Many entrepreneurs think that running a business is likely the riskiest thing they’ve ever done. That is probably true, at least from the perspective of financial decisions. (Business failure is unfortunate but very survivable; sports and cars both kill a much higher fraction of users.)

Risk in business is manageable. That is one major reason why firms exist as a concept; they pool a source of risk (the business enterprise) and then separate the economic upside of undertaking the risk, the liabilities associated with the risk, and the actual duties of operating the business.

Incorporation is one way that internet businesses use to limit risk, by capping the amount the owners/investors are exposed to—liability for debts or damages or injuries to others should not, in general, flow from the business to the owners/investors. Businesses don’t like the prospect of losing all of their assets in the event of e.g. a lawsuit, though, so there are other mechanisms as well. We’ll talk about some of them.

Insurance

Insurance is a way to transfer risk from the insured to the insurance company. The insurance company does this in return for guaranteed payments (“premiums”) from a large pool of insureds. Assuming the insurance company prices the insurance correctly and/or invests the premiums well before paying out, they profit from offering this service while their customers trade the uncertainty of a catastrophic loss for the certainty of a predictable insurance payment.

Businesses purchase a number of types of insurance. The overwhelming majority of policies (and share of payments) is for employment-related insurance, which is discussed in more detail elsewhere. A much smaller portion is for policies which protect the company.

Professional liability/errors and omissions insurance

Companies which produce software which interacts with businesses’ data, or who produce software which businesses run, or who work on systems owned by clients, have relatively large exposures in the event of their software malfunctioning. A software upgrade which disrupts a mid-sized business can cost them tens or hundreds of thousands of dollars in lost revenue; they might decide to sue to collect. A contractor who accidentally drops the production database while doing testing could be held liable for all the costs for replacing it, which could be almost unbounded.

These risks are covered by professional liability insurance, sometimes called “Errors and Omissions” (E&O) insurance. The mechanics of the policy are simple: pay a small amount of money every year (generally about $1,000 to start; it scales slowly with the number of employees or revenue of the company). If you don’t get sued, nothing happens. If you do get sued, you “open a claim” (forward the relevant details) to your insurance company. Liability for claims covered by your insurance shifts from you to your insurance company, to the extent described in your policy and subject to limits and deductibles. The insurance company will typically take over responding to the suit, which will frequently result in them offering a settlement, to avoid the expense of trial. (Lawsuits are expensive; almost nobody wants to take one through the entire process.)

Very few software companies actually get sued! (Insurance companies report in regulatory filings that the risk for e.g. small software development consultancies is less than 1% per year. You can dig this fact out of regulatory filings if you’d like to.) Most companies which deal primarily with consumers limit their liability with contracts and offering refunds if the software is not to the customers’ liking. It is incredibly unlikely that you’ll be sued just because someone is merely unhappy with your services.

That said, if your software actually materially damages a customer, which is quite plausible for B2B services, a lawsuit is a distinct possibility. This is particularly true in the U.S., which institutionally deals with many controversies via the legal system where they would be resolved by private negotiation in other countries. (This fact sometimes surprises entrepreneurs doing business internationally.)

Additionally, because sophisticated businesses know that there exists the possibility that having you interface with their systems will expose them to expensive remediation, they will often require, as a term of doing business with you, that you carry an insurance policy.

The policy limits for E&O policies generally start at $1 million. (Lawsuits are generally substantially cheaper than the limits—they average about $40,000 in settlements and costs according to regulatory filings of one E&O company across all of their insured companies in the tech industry.) Buying more is relatively inexpensive; $1 million is generally sufficient for companies which are just starting out. You can (and should) renew your policy yearly; renewal time is a great time to think about whether you have adequate coverage for your exposures.

Business insurance in the U.S. is generally sold by agents of the insurance companies, who are combination sales representatives and professional advisors. Unsurprisingly, since they’re paid on commission by the insurance companies, their professional advice is often that you buy more insurance from them. Your lawyer or accountant can often give you a rough idea of what an appropriate level is given the level of exposure of your business.

General liability insurance

Virtually every business should carry “general liability” insurance if you have a physical presence in the United States. (If you don’t, you may elect to skip this if it is not the norm in your country.)

General liability insurance is sometimes sold bundled with E&O insurance.

E&O insurance insures against the risks posed uniquely by the type of work you do. General liability is more diffuse; it insures against risks posed by the physical existence of your company. For example, if you have an office, it is theoretically possible that someone could slip in or in front of the office, resulting in your company being liable for their (perhaps substantial) medical bills. This is relatively infrequent, but general liability covers enough distinct “relatively infrequent” sources of stress to be worth the peace-of-mind it brings to many entrepreneurs.

In addition to accidents at your physical location, general liability might protect you from employee malfeasance, having property stolen from your business, loss in the event of a fire, or similar. The exact insured risks will be listed in your policy; read it very carefully. You’ll typically only file a general liability claim when something extremely expensive has happened; you do not want to be told “We don’t cover that very expensive thing which happened; didn’t you read subsection D on page 22? It clearly says that…”

Contrary to occasional grousing, insurance companies are generally not crooks. They’re extensively regulated in the United States. It is just, by the nature of the business, very detail-oriented, much more similar to programming than to creative writing.

You’ll purchase your general liability insurance through an insurance agent, likely the same one who sells you your E&O line. The policy might be combined with your E&O policy or sold separately. Expect to pay only a few hundred dollars a year for this.

Risk reducers for underwriting

As part of getting an insurance policy written, you will be asked questions by the insurer’s “underwriting” department, which needs to decide whether your business has a level of risk which can be profitably insured given the premiums the insurance company wants to charge you. It’s to your advantage to know how to answer questions from an underwriter in a professional and honest manner such that they approve your application.

Helpfully, knowing the sorts of things insurance companies look for is very useful, because they’re literally in the business of figuring out what choices end badly. You can alter some operations of your business to have more positive answers to their questions, both increasing your likelihood of getting covered at lower premiums and also removing sources of risk from your business.

Here are some questions you might be asked:

Do you use written contracts for selling services? The right answer is, unsurprisingly, “Yes.” Some underwriters will drill into specifics of the contracts, such as:

  • Do the contracts have wording limiting the scope of your guarantee or warranty with regards to work?
  • Do the contracts have heightened terms for the standard of care you’re required to bring, or are you given more discretion?
  • Do the contracts have mid-project checkpoints such as milestones with required sign-off from the customer, a defined payment schedule, etc?
  • Do the contracts limit damages that you could be assessed?
  • Does the contract envision a formal change order process where both parties have to agree in writing to changes in scope?

All of these allow underwriters to see that your contract has been drafted in the anticipation of it potentially being tested by a contentious project with a client.

Do you have substantial experience in the industry? More experience is better than less experience, naturally. It is generally to your benefit to write your description of your experience in a way which is absolutely truthful and easily comprehensible by someone who is not an expert in your field.

Click-through agreements and public policies

Certain sorts of standard contracts are relatively non-negotiable. You’ve almost certainly agreed to one: for example, if you’ve ever “accepted Terms of Use” or signed a contract with a cell phone company.

These contracts are used when a) negotiating individualized contract terms with every customer would be counterproductive and b) when the contracts can nonetheless meaningfully limit exposure of the company to risk.

You are highly likely to have some contracts which apply generally to folks doing business with you. You will additionally have some public written policies which aren’t contracts themselves, but rather are designed to clarify certain important details about doing business with you.

Depending on what your company does, you may want to have:

  • Privacy policy
  • Refund, warranty, and return policy
  • Terms of service/terms of use

Privacy policy

Every internet company collects data. Big, heaping mountains of data.

Consumers want to know that you’re not going to abuse personal information you collect. More importantly, government regulators want companies to tell consumers about the company’s data practices. There are overlapping and at times conflicting laws, regulations, and guidance about privacy disclosures, some of which vary by industry or by state (not to mention all of the foreign laws), but in general, you will need to have a written Privacy Policy available on your website or mobile app anywhere you do business.

Companies that collect personal data or handle user data online generally have a privacy policy. You may be legally required to post a Privacy Policy under certain state laws and/or laws which apply to specific industries, or if you engage in certain activities, like online advertising. There are a variety of counterparties, such as financial institutions and hosting providers, which would hold the non-existence of a privacy policy against you, even if you internally had the understanding “Well, we’re just doing the usual—no spam, Google Analytics, standard Nginx logs.” Also, if you sell to other businesses, your business customers will likely require you to post a Privacy Policy as a condition of doing business with you.

Privacy Policies are less a legal contract and more a semi-standardized way for you to communicate your plans about data with your customers. Having an inaccurate privacy policy may be worse in some respects than not having any at all. (Orrick, for example, has written in detail about seemingly harmless terms that were given strict scrutiny by regulators.)

The Privacy Policy is customarily written in non-technical plain language and is relatively short. Important points to cover in a United States privacy policy include:

  • What information do you collect
  • Who has access to it
  • Under what circumstances will you release it to 3rd parties
  • How you use data for advertising, including online tracking
  • How long do you store it for

Additional information may be required if you’re doing business wholly or partly outside of the United States, where more stringent data privacy laws may apply (e.g., the European Union).

Most internet companies do not list every single bit of information they collect, but rather use representative examples, largely because customers aren’t competent to evaluate the specifics. (If you are in a very privacy-conscious domain such as healthcare or if you collect children’s personal information, where there exist specific regulations, the specifics matter quite a bit and are outside the scope of this guide.)

If you don’t have a Privacy Policy ready, think about what information you collect, organize your thoughts internally, then adopt a pre-written privacy policy and customize it to make sure that it is accurate to the operations of your business, working with your lawyer where necessary. Automattic, the makers of WordPress, have generously released their privacy policy under a permissive license, so that you can make light edits to it and have a reasonably sane policy ready almost immediately.

As always for contract-like documents, if you have any questions, ask a lawyer.

Refund policy/returns policy

When e-commerce first started, people were terrified about sending money over the internet. What if the goods weren’t exactly to their liking? What if the 20kb gif didn’t show the color of the dress accurately? What if? What if? What if?

Refund policies are a great way to pre-emptively answer “What If?” in a way which increases your conversion rates, minimizes unhappy customers, and streamlines your operations. If you take payments online, your payments processor will require that you have a refund policy posted prominently; it is generally to your advantage to have it visible near the point of checkout because some customers will look.

In general, most internet businesses choose to be extraordinarily generous with refunds. This is particularly true of IP-based businesses which have relatively little hard costs for providing their goods/services, such as software or SaaS companies.

Many software companies would have the following as their full refund policy. (Feel free to use or adapt it, if you want.)

Refund Policy

We want you to be thrilled with your purchase. If it isn’t satisfactory for any reason, we will happily refund the entire purchase price for up to 30 days after your purchase.

Policies for e-commerce companies are generally a little more complicated, particularly around returns of tangible goods, like clothing or other consumer products.

You should mention what the process is for requesting a return, where the returned item should be mailed to, whether the item can be returned if used, what the timelines are, who absorbs costs for shipping (and return shipping), etc.

One might wonder “Why are even the most generous refund policies often time-limited?” This is something your accountant will probably demand from you; an unlimited refund policy greatly complicates when you’re allowed to recognize revenue. Many companies will officially say that they only process refunds within the first 30 or 60 days while they (unofficially or semi-officially) actually will refund any purchase ever made, even years after the fact.

In some countries it is a legal requirement that the refund period extend from receipt of a product or performance of a service, not from the transaction date, in the case where the transaction is before. There may also be requirements that the refund period be at least a certain period of time (e.g., 90 days). In general, one can simply adopt the most generous term; tightening your refund language is very rarely the point of most leverage in your business.

Terms of Service/Terms of Use

Most web sites operated commercially, and substantially all web applications, will have a Terms of Use. (These are sometimes called “Terms of Service”, and abbreviated TOU or TOS.)

They range from informal descriptions of what constitutes acceptable use of the site (often including terms like “no spamming”, “no uploading viruses”, and “no threats of violence”) to, for applications, full contracts specifying payment terms, limitation of liability, etc.

Many companies who do not directly charge for their website choose to publish a more informal terms of use. If you take signups to your site, you can require that customers accept the terms of use via checking a box during signup. Record the date/time of the acceptance, in case you are asked about it later.

If you are selling software or software as a service, your terms of use is probably a full-fledged contract, though a short one. A lawyer can draft one for you, but this is probably unnecessary unless your software operates in a market which is likely to require a high degree of attention to compliance or liability concerns. (Healthcare, financial services, and the like come to mind—ask your lawyer if you’re curious.)

If you’re producing software for consumers or smaller businesses, you can probably adapt Automattic’s permissively licensed Terms of Service from their WordPress product. This will take you only a few minutes. Force customers to agree to it via a checkbox when signing up for your service; record the time when the consent was given.

Will I actually ever need these things!?

You may never find your policies tested in a court of law.

Having the policies is widely used as a check by businesses and regulators for whether you’re operating your business in a professional fashion.

You will likely not be approved by a financial institution to accept payments unless you have a ToS, refund policy, and returns policy (if you ship tangible goods).

For example, in the event of a chargeback filed against a purchase for your software, you can expect to lose almost automatically if the issuing bank says “The customer says they didn’t agree to pay. Do you have a contract?” and your only answer is “Well they signed up for an account.” The right answer is “Bob Smith signed up for an account on March 23rd. He affirmatively accepted our Terms of Service, a copy of which I’ve attached. The Terms of Service explicitly state that customers are obligated to pay for the service.”

You’ll still lose some chargebacks, even when you’ve documented everything correctly, but doing everything correctly gives you a chance.
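The record-keeping the guide asks for (a checkbox at signup, the date and time of consent, and the ability to produce that record with a copy of the terms when a chargeback arrives) is small enough to show in code. The following is an added example, not code from the guide or from any product it mentions. It goes one step beyond the text: each acceptance is bound to a specific Terms of Service version and to a SHA-256 of the exact wording, because terms change over time and the evidence has to point at the wording in force on the day. The document texts, customer name, user ids and dates are constructed for the example.

```python
"""Consent ledger: record that a customer accepted a specific version of the
Terms of Service and retrieve that record later as chargeback evidence.
Added example; documents, names and dates below are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample documents: two successive versions of the Terms of Service.
# In a real system you keep the full text of every version ever shown.
TOS_TEXTS = {
    "2023-06": "Terms of Service (version 2023-06). By creating an account you "
               "agree to pay for the service.",
    "2024-03": "Terms of Service (version 2024-03). By creating an account you "
               "agree to pay for the service. Subscriptions renew automatically.",
}


def document_fingerprint(text: str) -> str:
    """SHA-256 of the exact document text, so a record is tied to the wording
    the customer saw, not just to a version label that could be re-used."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def at_utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper for building timezone-aware UTC timestamps (assumed convention)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _as_utc(dt: datetime) -> datetime:
    """Reject naive datetimes: a consent time without a zone is ambiguous evidence."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


@dataclass(frozen=True)
class Acceptance:
    user_id: str
    customer_name: str
    tos_version: str
    tos_sha256: str
    accepted_at: datetime  # always UTC


class ConsentLedger:
    """Append-only list of acceptances. In production this would be a table the
    application can insert into but never update or delete."""

    def __init__(self) -> None:
        self._records: List[Acceptance] = []

    def record_acceptance(self, user_id: str, customer_name: str, tos_version: str,
                          accepted_at: Optional[datetime] = None) -> Acceptance:
        """Call this when the signup checkbox is ticked; the version is whatever
        text was rendered on the signup page at that moment."""
        if tos_version not in TOS_TEXTS:
            raise ValueError(f"unknown Terms of Service version {tos_version!r}")
        when = _as_utc(accepted_at) if accepted_at else datetime.now(timezone.utc)
        rec = Acceptance(user_id, customer_name, tos_version,
                         document_fingerprint(TOS_TEXTS[tos_version]), when)
        self._records.append(rec)
        return rec

    def acceptance_in_force(self, user_id: str, at: datetime) -> Optional[Acceptance]:
        """Most recent acceptance by this user at or before `at`; None means the
        customer had not agreed to any terms when the purchase was made."""
        at = _as_utc(at)
        hits = [r for r in self._records if r.user_id == user_id and r.accepted_at <= at]
        return max(hits, key=lambda r: r.accepted_at) if hits else None


def verify_acceptance(rec: Acceptance) -> bool:
    """Confirm the retained copy of that version still hashes to what was recorded,
    i.e. the text you are about to attach is the text the customer accepted."""
    text = TOS_TEXTS.get(rec.tos_version)
    return text is not None and document_fingerprint(text) == rec.tos_sha256


def chargeback_evidence(ledger: ConsentLedger, user_id: str,
                        purchase_at: datetime) -> Optional[str]:
    """Produce the sentence you would send the bank, or None if there is no
    verifiable acceptance predating the purchase."""
    rec = ledger.acceptance_in_force(user_id, purchase_at)
    if rec is None or not verify_acceptance(rec):
        return None
    return (f"{rec.customer_name} accepted Terms of Service version {rec.tos_version} "
            f"(SHA-256 {rec.tos_sha256[:16]}...) on {rec.accepted_at.isoformat()}, "
            f"before the disputed purchase on {_as_utc(purchase_at).isoformat()}.")


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_acceptance("u-1", "Bob Smith", "2024-03", at_utc(2024, 3, 23, 14, 5))
    print(chargeback_evidence(ledger, "u-1", at_utc(2024, 4, 1)))
```

The hash matters more than it looks: if the terms are edited in place under the same version label, `verify_acceptance` fails and you find out before you send the bank a document the customer never saw. Keeping the ledger append-only and the timestamps in UTC avoids the two most common ways such records stop being credible.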

Companies can benefit from the practice of drafting a Privacy Policy as it forces you to think critically about your data practices, understand the regulatory landscape (which can involve some weird – and costly – rules and regulations), and establish policies and procedures that will benefit your company in the long term. Establishing good privacy practices from the get-go helps to ensure you maximize the value of your data assets, avoid regulatory pitfalls, and mitigate the risks (and consequences) of a data breach.

Getting minimally compliant with these policies can usually be done quickly and efficiently, particularly in light of the benefits. You will need to review and update these policies (particularly your Privacy Policy) as your business changes and grows, and can expect to do a deeper dive in the future when you have more resources. With that said, depending on where you’re doing business and what your business is, these documents may need to be changed more often. For example, if your business involves handling data provided by kids, then there’s a patchwork of different state laws that currently apply and the regulatory landscape is constantly changing; if your business is a subscription service, various states have (and others may adopt) laws that require you to put certain additional disclaimers in your terms of use regarding automatic renewals.
