Many entrepreneurs think that running a business is likely the riskiest thing they’ve ever done. That is probably true, at least from the perspective of financial decisions. (Business failure is unfortunate but very survivable; sports and cars both kill a much higher fraction of users.)
Risk in business is manageable. That is one major reason why firms exist as a concept; they pool a source of risk (the business enterprise) and then separate the economic upside of undertaking the risk, the liabilities associated with the risk, and the actual duties of operating the business.
Incorporation is one way that internet businesses limit risk, by capping the amount the owners or investors are exposed to; liability for debts or damages or injuries to others should not, in general, flow from the business to the owners or investors. Businesses don’t like the prospect of losing all of their assets in the event of a lawsuit, though, so there are other mechanisms as well. We’ll talk about some of them.
Insurance is a way to transfer risk from the insured to the insurance company. The insurance company does this in return for guaranteed payments (“premiums”) from a large pool of insureds. Assuming the insurance company prices the insurance correctly or invests the premiums well before paying out, they profit from offering this service while their customers trade the uncertainty of a catastrophic loss for the certainty of a predictable insurance payment.
Businesses purchase a number of types of insurance. The overwhelming majority of policies (and share of payments) is for employment-related insurance, which is discussed in more detail elsewhere. A much smaller portion is for policies that protect the company.
Professional liability or errors and omissions insurance
Companies that produce software that interacts with businesses’ data or that businesses run or that work on systems owned by clients have relatively large exposures in the event of their software malfunctioning. A software upgrade that disrupts a midsized business can cost them tens or hundreds of thousands of dollars in lost revenue; they might decide to sue to collect. A contractor who accidentally drops the production database while doing testing could be held liable for all the costs for replacing it, which could be almost unbounded.
These risks are covered by professional liability insurance, sometimes called “errors and omissions” (E&O) insurance. The mechanics of the policy are simple: Pay a small amount of money every year (generally about $1,000 to start; it scales slowly with the number of employees or revenue of the company). If you don’t get sued, nothing happens. If you do get sued, you “open a claim” (forward the relevant details) to your insurance company. Liability for claims covered by your insurance shifts from you to your insurance company, to the extent described in your policy and subject to limits and deductibles. The insurance company will typically take over responding to the suit, which will frequently result in them offering a settlement to avoid the expense of trial. (Lawsuits are expensive; nobody wants to take one through the entire process.)
Very few software companies actually get sued. Insurance companies report in regulatory filings that the risk for small software development consultancies is less than 1% per year. Most companies that deal primarily with consumers limit their liability with contracts and by offering refunds if the software is not to the customer’s liking. It is incredibly unlikely that you’ll be sued just because someone is merely unhappy with your services.
That said, if your software materially damages a customer, which is quite plausible for B2B services, a lawsuit is a distinct possibility. This is particularly true in the US, which institutionally deals with many controversies via the legal system where they would be resolved by private negotiation in other countries. (This fact sometimes surprises entrepreneurs doing business internationally.)
Additionally, because sophisticated businesses know that having you interface with their systems exposes them to the possibility of expensive remediation, they will often require, as a term of doing business with you, that you carry an insurance policy.
The policy limits for E&O policies generally start at $1 million. Buying more is relatively inexpensive—$1 million is often sufficient for companies that are just starting out. You can (and should) renew your policy yearly. Renewal time is a great opportunity to think about whether you have adequate coverage for your exposures.
Business insurance in the US is generally sold by insurance company agents, who are a combination of sales representatives and professional advisors. Unsurprisingly, since they’re paid on commission by the insurance companies, their professional advice is often that you buy more insurance from them. Your lawyer or accountant can often suggest an appropriate level given your business’s degree of exposure.
General liability insurance
Virtually every business with a physical presence in the United States should carry “general liability” insurance. (If you don’t have one, you may elect to skip this if it is not the norm in your country.) General liability insurance is sometimes sold bundled with E&O insurance.
E&O insurance insures against the risks posed uniquely by the type of work you do. General liability is more diffuse; it insures against risks posed by the physical existence of your company. For example, if you have an office, it is theoretically possible that someone could slip inside or in front of the office, resulting in your company being liable for their (perhaps substantial) medical bills. This is relatively infrequent, but general liability covers enough distinct “relatively infrequent” sources of stress to be worth the peace of mind it brings to many entrepreneurs.
In addition to accidents at your physical location, general liability might protect you from employee malfeasance, having property stolen from your business, loss in the event of a fire, or the like. The exact insured risks will be listed in your policy, so read it carefully. You’ll typically only file a general liability claim when something extremely expensive has happened. You do not want to be told, “We don’t cover that very expensive thing that happened. Didn’t you read subsection D on page 22? It clearly says that...”
Contrary to occasional grousing, insurance companies are generally not crooks. They’re extensively regulated in the United States, and the nature of the business is very detail-oriented, more similar to programming than creative writing.
You’ll purchase your general liability insurance through an insurance agent, likely the same one who sells you your E&O line. The policy might be combined with your E&O policy or sold separately. Expect to pay only a few hundred dollars a year for this.
Risk reducers for underwriting
As part of getting an insurance policy written, you will be asked questions by the insurer’s “underwriting” department, which needs to decide whether your business has a level of risk that can be profitably insured given the premiums the insurance company wants to charge you. It’s to your advantage to know how to answer questions from an underwriter in a professional and honest manner that will get your application approved.
Knowing the sorts of things insurance companies look for is very useful, because they’re literally in the business of figuring out what choices end badly. You can alter some operations of your business to have more positive answers to their questions, both increasing your likelihood of getting covered at lower premiums and also removing sources of risk from your business.
Here are some questions you might be asked:
Do you use written contracts for selling services? The right answer is, unsurprisingly, “Yes.” Some underwriters will drill into specifics of the contracts, such as:
- Do the contracts have wording limiting the scope of your guarantee or warranty with regards to work?
- Do the contracts have heightened terms for the standard of care you’re required to bring, or are you given more discretion?
- Do the contracts have midproject checkpoints such as milestones with required sign-off from the customer, a defined payment schedule, etc.?
- Do the contracts limit damages that you could be assessed?
- Do the contracts envision a formal change-order process where both parties have to agree in writing to changes in scope?
These questions help underwriters see that your contract has been drafted in anticipation of it being tested by a contentious project with a client.
Do you have substantial experience in the industry? More experience is better than less experience, naturally. It is generally to your benefit to describe your experience in a way that is absolutely truthful and easily comprehensible by someone who is not an expert in your field.
Click-through agreements and public policies
These contracts are used when a) negotiating individualized contract terms with every customer would be counterproductive and b) the contracts can nonetheless meaningfully limit exposure of the company to risk.
You are highly likely to have some contracts that apply generally to folks doing business with you. You will additionally have some public written policies that aren’t contracts but rather are designed to clarify certain important details about doing business with you.
Depending on what your company does, you may want to have:
- A refund, warranty, and return policy
Orrick, the global tech law firm, is the legal partner for Stripe Atlas. Experts at Orrick contributed their expertise to this section (see the disclaimer at the end of this guide), and Atlas users can access a more detailed Atlas Legal Guide written by Orrick.
Every internet company collects data. Big, heaping mountains of data.
- What information do you collect?
- Who has access to it?
- Under what circumstances will you release it to third parties?
- How do you use data for advertising, including online tracking?
- For how long do you store it?
Additional information may be required if you’re doing business wholly or partly outside of the United States, where more stringent data privacy laws may apply (e.g., the European Union).
Most internet companies do not list every single bit of information they collect but rather use representative examples, largely because customers aren’t competent to evaluate the specifics. (If you are in a highly privacy-conscious domain, such as healthcare, or if you collect children’s personal information, where there are specific regulations, the specifics matter quite a bit and are outside the scope of this guide.)
As always for contract-like documents, if you have any questions, ask a lawyer.
Refund and return policies
When ecommerce first started, people were terrified about sending money over the internet. What if the goods weren’t exactly to their liking? What if the 20 kB GIF didn’t show the color of the dress accurately? What if? What if? What if?
Refund policies are a great way to preemptively answer “What if?” in a way that increases your conversion rates, minimizes unhappy customers, and streamlines your operations. If you take payments online, your payments processor will require that you have a refund policy posted prominently; it is generally to your advantage to have it visible near the point of checkout because some customers will look.
In general, most internet businesses choose to be extraordinarily generous with refunds. This is particularly true of IP-based businesses that have relatively few hard costs for providing their goods and services, such as software or SaaS companies.
Many software companies would have the following as their full refund policy. (Feel free to use or adapt it, if you want.)
We want you to be thrilled with your purchase. If it isn’t satisfactory for any reason, we will happily refund the entire purchase price for up to 30 days after your purchase.
Refund policies for ecommerce companies are generally a little more complicated, particularly around returns of tangible goods, like clothing or other consumer products.
You should mention what the process is for requesting a return, where the returned item should be mailed to, whether the item can be returned if used, what the timelines are, who absorbs costs for shipping (and return shipping), etc.
One might wonder, “Why are even the most generous refund policies often time limited?” This is something your accountant will probably demand from you; an unlimited refund policy greatly complicates when you’re allowed to recognize revenue. Many companies will officially say that they only process refunds within the first 30 or 60 days while they (unofficially or semi-officially) actually will refund any purchase ever made, even years after the fact.
In some countries it is a legal requirement that the refund period extend from receipt of a product or performance of a service, not from the transaction date, in the case where the transaction occurs before the receipt. There may also be requirements that the refund period last at least a certain amount of time (e.g., 90 days). In general, one can simply adopt the most generous term; tightening your refund language is rarely the point of most leverage in your business.
They range from informal descriptions of what constitutes acceptable use of the site (often including terms like “no spamming,” “no uploading viruses,” and “no threats of violence”) to, for applications, full contracts specifying payment terms, limitation of liability, and more.
If you’re producing software for consumers or smaller businesses, you can probably adapt Automattic’s permissively licensed Terms of Service from their WordPress product. This will take you only a few minutes. Force customers to agree to it via a checkbox when signing up for your service, and record the time when the consent was given.
Will I ever need these things?
You may never find your policies tested in a court of law.
Having the policies is widely used as a check by businesses and regulators for whether you’re operating your business in a professional fashion.
You will likely not be approved by a financial institution to accept payments unless you have a ToS, refund policy, and returns policy (if you ship tangible goods).
For example, in the event of a chargeback filed against a purchase for your software, you can expect to lose almost automatically if the issuing bank says, “The customer says they didn’t agree to pay. Do you have a contract?” and your only answer is, “Well, they signed up for an account.” The right answer is, “Bob Smith signed up for an account on March 23. He affirmatively accepted our terms of service, a copy of which I’ve attached. The terms of service explicitly state that customers are obligated to pay for the service.”
You’ll still lose some chargebacks, even when you’ve documented everything correctly, but doing everything correctly gives you a chance.
Disclaimer: This guide is not intended to and does not constitute legal or tax advice, recommendations, mediation, or counseling under any circumstance. This guide and your use thereof does not create an attorney-client relationship with Stripe, Orrick, or PwC. The guide solely represents the thoughts of the author and is neither endorsed by nor does it necessarily reflect Orrick’s belief. Orrick does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the guide. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular problem.