What Is A Contract? - Indiana University

Contract Basics at Indiana University
Office of the Vice President and General Counsel
Presentation adapted from materials from Lehigh University Office of General Counsel
What Is A Contract?
A contract is a legally enforceable promise.
A Contract May Be Written Or Oral
It can have many names:
• Agreement
• Purchase Order
• MOU
• MOA
• Ticket
• It may have no name at all
If it quacks like a duck . . .
A binding contract can be formed via:
• Letter
• Telephone call
• E-mail
Elements of a contract: “What’s the Deal?”
• Offer
• Acceptance
• Consideration (legal value)
• Mutuality ("meeting of the minds")
Who Can Sign Contracts?
• Only the following individuals have the authority to sign contracts on behalf of Indiana University:
  - Treasurer or specific unit officials who have received a written delegation of authority to sign specific kinds of contracts from the Treasurer
  - Purchasing Agents
• If you don’t have written signature authority, do not sign contracts!
• Unauthorized individuals who sign contracts on behalf of the University expose themselves to possible personal liability.
Contract Review
You should always read and understand all terms and provisions
of a contract before you sign it (if you have signature authority)
or before you send it on for signature (if you don’t have
signature authority).
If you do not understand a provision, strike it or seek
explanation.
- “Oh, that’s just boilerplate” is NOT an explanation.
Standard Provisions
• Data Security
• Insurance
• Assignment
• Merger
• Force Majeure
• No Waiver
• Severability
• Termination
Data Security
“Never try to teach a pig to sing. It only frustrates you and
annoys the pig.”
We currently have a very extensive boilerplate Data
Security Provision:
Standards for Secure and appropriate use, handling
and disposal of Confidential Data
Each Party shall treat all data that it receives from the other Party, is otherwise exposed to within Confidential Data systems,
or that is provided by an individual user of VENDOR’s service under this Agreement Confidential Data with the highest degree
of confidentiality and in compliance with all applicable federal and state laws and regulations and IU policies.
Each Party shall employ commercial best practices for ensuring the security of all Confidential Data,
whether in electronic or paper form, which it accesses, uses, creates, maintains, disposes of, or otherwise handles
(hereafter “data activities”) in the course of its performance under this Agreement. The responsibility for ensuring the
security of Confidential Data extends to any subcontractors or other contractors, including but not limited to web hosts or
other service providers, who may, in the course of such data activities, view, process, or otherwise have access to
Confidential Data. Without limiting the foregoing, each Party represents and warrants that all machines, systems, and
networking equipment that receive, process, interact with, transmit, or store Confidential Data shall meet or exceed the
physical, network, and system security requirements specified in Indiana University’s University-wide IT Policies: IT-12,
Security of IT Resources; IT-12.1, Mobile Device Security Standard; and DM-01, the Data Management Policy for
Management of Institutional Data (http://protect.iu.edu/cybersecurity/policies); or otherwise conform to the standards
identified by the National Institute of Standards and Technology (NIST) applicable to the type of data and activities
covered by the Agreement (available at http://csrc.nist.gov/publications/PubsByLR.html). In the event of conflict
between the requirements of IU’s policies and NIST’s standards, Indiana University’s requirements will apply.
Data Security, continued
Significant deviation from these standards or requirements must be approved by IU’s University Information Security Office. VENDOR will notify IU promptly of any nonconformity of its machines, systems, or
networking equipment to applicable standards and requirements, whether such nonconformity exists at the time of execution of this Agreement or arises thereafter.
Each Party represents and warrants to the other Party that it shall only use Confidential Data for the purpose of fulfilling its duties under this Agreement and shall not further disclose Confidential Data to any third
party without the prior written consent of the other Party or as otherwise required by law. Confidential Data shall not be provided or made available for targeted marketing purposes; however, VENDOR may use
aggregated and anonymized data that it derives from Confidential Data within the course and scope of its data activities to enhance the quality of its performance under this Agreement or the functionality of the
service VENDOR provides, provided that such Confidential Data does not constitute protected health information (“PHI”), as that term is defined and used in the Health Insurance Portability and Accountability
Act (“HIPAA”). Each Party acknowledges and agrees that all Confidential Data provided or made available to it by the other Party is and remains the property of the Providing Party.
Upon termination or expiration of this Agreement, each Party will either return or confirm the destruction of all the other Party’s Confidential Data provided or made available to the Receiving Party under this
Agreement, at the election of the Providing Party and in accordance with specifications for return or destruction that Providing Party shall specify at the time.
Each Party represents and warrants that it shall employ sufficient administrative, physical, and technical data security measures to meet the requirements under the specific federal and state laws applicable to all
such types of Confidential Data that received, which may include but are not limited to:
Student Education Records: The Family Education Rights and Privacy Act (FERPA), 20 USC 1232g et seq., and related regulations at 34 CFR Part 99;
Social Security Numbers: Indiana Code 4-1-10, 4-1-11, and 24-4-9; and
As applicable, VENDOR shall also have a program in place, documented in writing, to identify, detect, and address warning signs of identity theft, pursuant to the FACT Act, 15 USC 1681 et seq., and corresponding
“Red Flag Rules.”
Immediately upon becoming aware of a breach of the VENDOR’s or any of its contractors’ or subcontractors’ security that reasonably may have resulted in unauthorized access to Confidential Data, VENDOR shall
notify IU and shall cooperate fully with IU’s investigation of and response to the incident. Except as otherwise required by law, VENDOR shall not provide notice of the incident directly to the persons whose
Confidential Data were involved without prior written permission from IU.
To facilitate the investigation of security incidents, VENDOR will retain and provide to IU, upon request, all authentication and other relevant system logs, including relevant logs from any contractors or
subcontractors, for a minimum of 60 days from the creation of such logs.
Notwithstanding any other provision of this Agreement, and provided that the University has not modified the VENDOR’s software in any manner, VENDOR shall reimburse the University in full for all direct
costs, expenses, and liabilities incurred by the University as a result of VENDOR’s failure to comply with the above data confidentiality and security requirements. This obligation shall include reimbursing the
costs or expenses incurred by University in providing any notices to parties whose data may have been subject to unauthorized access as a result of VENDOR’s failure to comply with the above data confidentiality
and security requirements, as well as defending, indemnifying, and holding the University harmless from any third-party claims or causes of action of any kind arising from or relating to the VENDOR’s use,
maintenance, or handling of Confidential Data received in connection with its performance under this Agreement. These remedies shall be in addition to any other remedies provided within this Agreement or
otherwise available under law.
Each Party shall ensure that its employees who perform work under this Agreement have read, understood, and received appropriate instruction so as to comply with the foregoing data protection provisions of
this Agreement. Any subcontractors used by VENDOR to perform work under this Agreement that involves access to or use, processing, maintenance, transmission, storage, or disposal of Confidential Data, must
be approved in advance by IU, and their subcontracts must contain the same data protection provisions for Confidential Data specified above.
Each Party reserves the right to require the other Party to provide the results of:
* an audit of security policies, practices, and procedures on an annual or biennial basis, to be performed by a third party approved by the Receiving Party;
* a vulnerability scan, performed by a scanner approved by the Providing Party, of the Receiving Party’s systems that are used in any way, or that interact with systems used in any way, for the performance of this Agreement and/or receive, use, process, maintain, transmit, store, or dispose of Confidential Data;
* a formal penetration test, performed by a process and qualified personnel approved by the Providing Party, of the Receiving Party’s systems that are used in any way, or that interact with systems used in any way, for the performance of this Agreement and/or receive, use, process, maintain, transmit, store, or dispose of Confidential Data.
Remember What I Said About Boilerplate?
“Oh, that’s just boilerplate” is NOT an explanation.
Insurance
• INLOCC has a comprehensive insurance boilerplate exhibit identifying insurance requirements that may be needed for professional services agreements.
• Insurance requirements will vary based on the kind of contract. For example, if no one is driving, no auto liability is necessary.
• “Builder’s Risk” insurance is never needed in a professional services contract.
Remember What I Said About Teaching Pigs to Sing and Boilerplate?
“Never try to teach a pig to sing. It only frustrates you and annoys the pig.”
“Oh, that’s just boilerplate” is NOT an explanation.
Contract Provision Library
Data Security
• FERPA
• HIPAA
• Credit Card
Insurance
• Auto
• Workers Comp
• Dram Shop (alcohol service)
Example—Catered Event, Cash Bar
Data Security
• FERPA
• HIPAA
• Credit Card
Insurance
• Auto
• Workers Comp
• Dram Shop (alcohol service)
Assignment
• Sample: Neither party may assign this Agreement without the prior written consent of the other party.
• Rationale: Ensures that the party you contracted with will remain in place for duration of the contract; prohibits the other party from delegating (or selling) its duties (or rights) to a 3rd party
Merger, or “Integration”
• Sample: This Agreement sets forth the entire understanding between the parties relating to the subject matter hereof and supersedes all prior understandings and agreements, whether written or oral.
• Rationale: Prevents drafts of the Agreement, email correspondence, telephone calls, onsite conversations from being invoked when there is disagreement.
Force Majeure (“Superior Force”)
• Sample: Neither party shall be liable for any failure to perform as required by this Agreement to the extent such failure to perform is due to circumstances reasonably beyond such party's control, including, without limitation, labor disputes …. acts of God, ….material shortages, disease, or other such occurrences.
• Rationale: Excuses performance for reasons outside of parties' control.
Watch out for inclusion of circumstances that are fully within party's control.
No Waiver
• Sample: A waiver by either party of a breach or violation of any provision of this Agreement will not constitute or be construed as a waiver of any subsequent breach or violation.
• Rationale: Preserves the right to hold the other party accountable for breach of a provision, even if we didn't do so for an earlier breach.
Severability
• Sample: If any provision of this Agreement is declared to be invalid, illegal or unenforceable, such declaration shall not in any way affect the validity or enforceability of any other provision.
• Rationale: Preserves the operation of a contract in which one or more provisions might be found invalid.
Termination
• For cause (breach): gives aggrieved party the right to terminate because other party did something “wrong”
  - Party in breach often given the opportunity to "cure" the breach and continue the contract
• For convenience: contract can be cancelled because we want to do so
  - Usually at least 30 days’ notice is required
Frequently Negotiated Contract Provisions
• Choice of Law and Venue
• Indemnification
• Confidentiality
• Termination
• Dispute Resolution
Contract “Negotiations”
Governing Law and Venue
• Sample: This Agreement shall be construed and governed in accordance with the laws of the State of Indiana, without giving effect to conflict of law provisions. Any suit arising out of this Agreement must be filed in the appropriate state or federal court in the State of Indiana and the parties submit to its jurisdiction without regard to rules governing conflicts of laws.
• Rationale: Allows parties to choose the state law they wish to govern their contract and where any lawsuit may be filed.
Choice of Law “Go-By’s”
• Indiana or silent is always good!
• If “Indiana or silent” fails, we will accept: Ohio, New York, Delaware
• We’re not thrilled about: Michigan, Maine
• We NEVER accept: California, Louisiana, or the “Commonwealths”: Kentucky*, Maryland, Virginia, Pennsylvania
*Kentucky is “special.” If it’s a contract for IUS with the State of Kentucky, we’ll accept it.
Indemnification/Indemnify:
Definition:
To restore a party that incurs a loss, in whole or in part, by payment,
repair, or replacement. To make good; to compensate
Rationale:
Allows parties to agree to shift and allocate risks between the parties,
sometimes without regard to either party's relative degree of fault
Watch Out for:
• “except to the extent”
• “even if indemnify Party is negligent”
• “for gross negligence or intentional act of omission”
Indemnification
Sample (Generic):
“Each party (the "Indemnifying Party") agrees to defend,
indemnify and hold harmless the other party and its respective
directors/trustees, officers, employees, and agents (collectively,
the "Indemnified Party") from and against any and all claims,
actions, damages, liability, cost and expenses (including
reasonable attorneys fees) including death, bodily injury or
damages to property (collectively, a "Claim") arising from any
negligent or intentional wrongful act or omission of the
Indemnifying Party, except to the extent that such Claim arises
from the negligent or intentional wrongful act or omission of
the Indemnified Party.”
● Try to take these out – we can fight about it later.
Tort Claims Act Language
Specific Language to Request for IU Agreements:
PROVIDED, HOWEVER, that University’s obligations hereunder shall be limited
in substance by statutes and constitutional provisions designed to protect the
exposure and liability of University as an instrumentality of the State of Indiana
(e.g., actions and conditions as to which Indiana University is immunized by the
Indiana Tort Claims Act, dollar limits stated in such Act, exemption from punitive
damages, the continued ability to defeat a claim by reason of contributory
negligence or fault of claimant), so that its liability to indemnify, defend and hold
harmless shall not exceed what might have been its liability to a claimant if sued
directly in Indiana by the claimant and all appropriate defenses had been raised
by Indiana University.
• Don’t make it a deal-breaker
Confidentiality
• Requires one or both parties to keep the other party’s information confidential for a defined period of time.
• The challenge: IU is a public entity and cannot meet typical commercial expectations of confidentiality because of its obligations under the Indiana Access to Public Records Act.
Open Records Language
Consultant acknowledges and agrees that the University is a state agency subject
to the provisions of the Indiana Open Records law, I.C. 5-14-et seq., and that
disclosure of some or all of the information identified as “Proprietary
Information” under this Article 6 of this Agreement, or of the Agreement itself,
may be compelled pursuant to that law. In the event that the University receives a
request for a disclosure pursuant to the Indiana Open Records Act, or any other
law, of Consultant’s Proprietary Information, the University shall promptly notify
Consultant, confer with Consultant regarding whether there are legitimate
grounds to narrow or contest such disclosure, and only disclose that information
that the University, in the opinion of the University’s legal counsel, is legally
obligated to disclose.
Dispute Resolution
• Negotiation: Parties work dispute out between themselves with no assistance/input from an outside 3rd party. Resolution can be in writing.
• Mediation: Parties agree to have an independent 3rd party assist the parties to agree on a resolution. Agreement to mediate does not bind the parties to reach resolution, but any resolution that is reached should be in writing.
• Arbitration: Parties can agree to either binding or non-binding arbitration. The dispute is put before a 3rd party decision-maker, often a panel of 3 arbitrators. The arbitrator will issue a written decision.
• Litigation: You know.