Many entrepreneurs think that running a business is likely the riskiest thing they’ve ever done. That is probably true, at least from the perspective of financial decisions. (Business failure is unfortunate but very survivable; sports and cars both kill a much higher fraction of users.)
Risk in business is manageable. That is one major reason why firms exist as a concept; they pool a source of risk (the business enterprise) and then separate the economic upside of undertaking the risk, the liabilities associated with the risk, and the actual duties of operating the business.
Incorporation is one way that internet businesses use to limit risk, by capping the amount the owners/investors are exposed to—liability for debts or damages or injuries to others should not, in general, flow from the business to the owners/investors. Businesses don’t like the prospect of losing all of their assets in the event of e.g. a lawsuit, though, so there are other mechanisms as well. We’ll talk about some of them.
Insurance is a way to transfer risk from the insured to the insurance company. The insurance company does this in return for guaranteed payments (“premiums”) from a large pool of insureds. Assuming the insurance company prices the insurance correctly and/or invests the premiums well before paying out, they profit from offering this service while their customers trade the uncertainty of a catastrophic loss for the certainty of a predictable insurance payment.
Businesses purchase a number of types of insurance. The overwhelming majority of policies (and share of payments) is for employment-related insurance, which is discussed in more detail elsewhere. A much smaller portion is for policies which protect the company.
Professional liability/errors and omissions insurance
Companies which produce software which interacts with businesses’ data, or who produce software which businesses run, or who work on systems owned by clients, have relatively large exposures in the event of their software malfunctioning. A software upgrade which disrupts a mid-sized business can cost them tens or hundreds of thousands of dollars in lost revenue; they might decide to sue to collect. A contractor who accidentally drops the production database while doing testing could be held liable for all the costs for replacing it, which could be almost unbounded.
These risks are covered by professional liability insurance, sometimes called “Errors and Omissions” (E&O) insurance. The mechanics of the policy are simple: pay a small amount of money every year (generally about $1,000 to start; it scales slowly with the number of employees or revenue of the company). If you don’t get sued, nothing happens. If you do get sued, you “open a claim” (forward the relevant details) with your insurance company. Liability for claims covered by your insurance shifts from you to your insurance company, to the extent described in your policy and subject to limits and deductibles. The insurance company will typically take over responding to the suit, which will frequently result in them offering a settlement to avoid the expense of trial. (Lawsuits are expensive; almost nobody wants to take one through the entire process.)
Very few software companies actually get sued! (Insurance companies report in regulatory filings that the risk for e.g. small software development consultancies is less than 1% per year. You can dig this fact out of regulatory filings if you’d like to.) Most companies which deal primarily with consumers limit their liability with contracts and offering refunds if the software is not to the customers’ liking. It is incredibly unlikely that you’ll be sued just because someone is merely unhappy with your services.
That said, if your software actually materially damages a customer, which is quite plausible for B2B services, a lawsuit is a distinct possibility. This is particularly true in the U.S., which institutionally deals with many controversies via the legal system where they would be resolved by private negotiation in other countries. (This fact sometimes surprises entrepreneurs doing business internationally.)
Additionally, because sophisticated businesses know that there exists the possibility that having you interface with their systems will expose them to expensive remediation, they will often require, as a term of doing business with you, that you carry an insurance policy.
The policy limits for E&O policies generally start at $1 million. (Lawsuits are generally substantially cheaper than the limits—they average about $40,000 in settlements and costs according to regulatory filings of one E&O company across all of their insured companies in the tech industry.) Buying more is relatively inexpensive; $1 million is generally sufficient for companies which are just starting out. You can (and should) renew your policy yearly; renewal time is a great time to think about whether you have adequate coverage for your exposures.
Business insurance in the U.S. is generally sold by agents of the insurance companies, who are combination sales representatives and professional advisors. Unsurprisingly, since they’re paid on commission by the insurance companies, their professional advice is often that you buy more insurance from them. Your lawyer or accountant can often give you a rough idea of what an appropriate level is given the level of exposure of your business.
General liability insurance
Virtually every business should carry “general liability” insurance if you have a physical presence in the United States. (If you don’t, you may elect to skip this if it is not the norm in your country.)
General liability insurance is sometimes sold bundled with E&O insurance.
E&O insurance insures against the risks posed uniquely by the type of work you do. General liability is more diffuse; it insures against risks posed by the physical existence of your company. For example, if you have an office, it is theoretically possible that someone could slip in or in front of the office, resulting in your company being liable for their (perhaps substantial) medical bills. This is relatively infrequent, but general liability covers enough distinct “relatively infrequent” sources of stress to be worth the peace-of-mind it brings to many entrepreneurs.
In addition to accidents at your physical location, general liability might protect you from employee malfeasance, having property stolen from your business, loss in the event of a fire, or similar. The exact insured risks will be listed in your policy; read it very carefully. You’ll typically only file a general liability claim when something extremely expensive has happened; you do not want to be told “We don’t cover that very expensive thing which happened; didn’t you read subsection D on page 22? It clearly says that…”
Contrary to occasional grousing, insurance companies are generally not crooks. They’re extensively regulated in the United States. It is just, by the nature of the business, very detail-oriented, much more similar to programming than to creative writing.
You’ll purchase your general liability insurance through an insurance agent, likely the same one who sells you your E&O line. The policy might be combined with your E&O policy or sold separately. Expect to pay only a few hundred dollars a year for this.
Risk reducers for underwriting
As part of getting an insurance policy written, you will be asked questions by the insurer’s “underwriting” department, which needs to decide whether your business has a level of risk which can be profitably insured given the premiums the insurance company wants to charge you. It’s to your advantage to know how to answer questions from an underwriter in a professional and honest manner such that they approve your application.
Helpfully, knowing the sorts of things insurance companies look for is very useful, because they’re literally in the business of figuring out what choices end badly. You can alter some operations of your business to have more positive answers to their questions, both increasing your likelihood of getting covered at lower premiums and also removing sources of risk from your business.
Here are some questions you might be asked:
Do you use written contracts for selling services? The right answer is, unsurprisingly, “Yes.” Some underwriters will drill into specifics of the contracts, such as:
- Do the contracts have wording limiting the scope of your guarantee or warranty with regards to work?
- Do the contracts have heightened terms for the standard of care you’re required to bring, or are you given more discretion?
- Do the contracts have mid-project checkpoints such as milestones with required sign-off from the customer, a defined payment schedule, etc?
- Do the contracts limit damages that you could be assessed?
- Does the contract envision a formal change order process where both parties have to agree in writing to changes in scope?
All of these allow underwriters to see that your contract has been drafted in the anticipation of it potentially being tested by a contentious project with a client.
Do you have substantial experience in the industry? More experience is better than less experience, naturally. It is generally to your benefit to write your description of your experience in a way which is absolutely truthful and easily comprehensible by someone who is not an expert in your field.
Click-through agreements and public policies
These contracts are used when a) negotiating individualized contract terms with every customer would be counterproductive and b) the contracts can nonetheless meaningfully limit the company’s exposure to risk.
You are highly likely to have some contracts which apply generally to folks doing business with you. You will additionally have some public written policies which aren’t contracts themselves, but rather are designed to clarify certain important details about doing business with you.
Depending on what your company does, you may want to have:
- Refund, warranty, and return policy
Every internet company collects data. Big, heaping mountains of data. Your privacy policy should cover:
- What information you collect
- Who has access to it
- Under what circumstances you will release it to third parties
- How you use data for advertising, including online tracking
- How long you store it for
Additional information may be required if you’re doing business wholly or partly outside of the United States, where more stringent data privacy laws may apply (e.g., the European Union).
Most internet companies do not list every single bit of information they collect, but rather use representative examples, largely because customers aren’t competent to evaluate the specifics. (If you are in a very privacy-conscious domain such as healthcare or if you collect children’s personal information, where there exist specific regulations, the specifics matter quite a bit and are outside the scope of this guide.)
As always for contract-like documents, if you have any questions, ask a lawyer.
Refund policy/returns policy
When e-commerce first started, people were terrified about sending money over the internet. What if the goods weren’t exactly to their liking? What if the 20kb gif didn’t show the color of the dress accurately? What if? What if? What if?
Refund policies are a great way to pre-emptively answer “What If?” in a way which increases your conversion rates, minimizes unhappy customers, and streamlines your operations. If you take payments online, your payments processor will require that you have a refund policy posted prominently; it is generally to your advantage to have it visible near the point of checkout because some customers will look.
In general, most internet businesses choose to be extraordinarily generous with refunds. This is particularly true of IP-based businesses which have relatively little hard costs for providing their goods/services, such as software or SaaS companies.
Many software companies would have the following as their full refund policy. (Feel free to use or adapt it, if you want.)
Refund Policy
We want you to be thrilled with your purchase. If it isn’t satisfactory for any reason, we will happily refund the entire purchase price for up to 30 days after your purchase.
Policies for e-commerce companies are generally a little more complicated, particularly around returns of tangible goods, like clothing or other consumer products.
You should mention what the process is for requesting a return, where the returned item should be mailed to, whether the item can be returned if used, what the timelines are, who absorbs costs for shipping (and return shipping), etc.
One might wonder “Why are even the most generous refund policies often time-limited?” This is something your accountant will probably demand from you; an unlimited refund policy greatly complicates when you’re allowed to recognize revenue. Many companies will officially say that they only process refunds within the first 30 or 60 days while they (unofficially or semi-officially) actually will refund any purchase ever made, even years after the fact.
In some countries it is a legal requirement that the refund period run from receipt of a product or performance of a service, not from the transaction date, where the transaction precedes delivery. There may also be requirements that the refund period be at least a certain length of time (e.g., 90 days). In general, one can simply adopt the most generous term; tightening your refund language is very rarely the point of most leverage in your business.
Terms of Service range from informal descriptions of what constitutes acceptable use of the site (often including terms like “no spamming”, “no uploading viruses”, and “no threats of violence”) to, for applications, full contracts specifying payment terms, limitation of liability, etc.
If you’re producing software for consumers or smaller businesses, you can probably adapt Automattic’s permissively licensed Terms of Service from their WordPress product. This will take you only a few minutes. Force customers to agree to it via a checkbox when signing up for your service; record the time when the consent was given.
Will I actually ever need these things!?
You may never find your policies tested in a court of law.
Having the policies is widely used as a check by businesses and regulators for whether you’re operating your business in a professional fashion.
You will likely not be approved by a financial institution to accept payments unless you have a ToS, refund policy, and returns policy (if you ship tangible goods).
For example, in the event of a chargeback filed against a purchase of your software, you can expect to lose almost automatically if the issuing bank says “The customer says they didn’t agree to pay. Do you have a contract?” and your only answer is “Well, they signed up for an account.” The right answer is “Bob Smith signed up for an account on March 23rd. He affirmatively accepted our Terms of Service, a copy of which I’ve attached. The Terms of Service explicitly say that customers are obligated to pay for the service.”
You’ll still lose some chargebacks, even when you’ve documented everything correctly, but doing everything correctly gives you a chance.
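The consent-recording advice above (checkbox acceptance, timestamp the consent) and the chargeback evidence it later supports can be implemented as follows. This is an added illustration, not code from the original guide; it assumes an in-memory dictionary in place of a database, SHA-256 of the exact ToS text as the version identifier, and UTC timestamps, and the sample ToS wording is constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    tos_sha256: str   # digest of the exact ToS text shown at signup
    accepted_at: str  # ISO-8601 UTC timestamp of the checkbox acceptance


def register_tos(versions: Dict[str, str], tos_text: str) -> str:
    """Store a ToS revision keyed by the SHA-256 of its exact text.

    Any edit to the wording yields a new digest, so the copy you attach to a
    dispute is provably the wording the customer saw (assumed design choice).
    """
    digest = hashlib.sha256(tos_text.encode("utf-8")).hexdigest()
    versions[digest] = tos_text
    return digest


def record_consent(store: Dict[str, List[ConsentRecord]], user_id: str,
                   tos_sha256: str, checkbox_checked: bool,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Refuse to complete signup unless the customer affirmatively accepted."""
    if not checkbox_checked:
        raise ValueError("signup requires affirmative acceptance of the ToS")
    accepted_at = (now or datetime.now(timezone.utc)).isoformat()
    rec = ConsentRecord(user_id, tos_sha256, accepted_at)
    store.setdefault(user_id, []).append(rec)
    return rec


def dispute_evidence(store: Dict[str, List[ConsentRecord]],
                     versions: Dict[str, str], user_id: str) -> Optional[str]:
    """Assemble the who/when/which-text statement a chargeback response needs."""
    records = store.get(user_id)
    if not records:
        return None  # all you could say is "they signed up for an account"
    latest = records[-1]
    text = versions.get(latest.tos_sha256)
    if text is None:
        return None  # consent logged, but the accepted wording is unrecoverable
    return (f"{user_id} affirmatively accepted Terms of Service "
            f"{latest.tos_sha256[:12]} at {latest.accepted_at}. Text: {text}")


# Constructed sample ToS wording, not taken from any real service.
TOS_V1 = "Customers are obligated to pay for the service each billing period."
```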