[Owasp-leaders] Indemnity

Abraham Kang abraham.kang at owasp.org
Wed Aug 10 11:04:54 EDT 2011

Hi Christian,

I was part of the group which put together the revised bylaws.

I have gone to Law school.  The following is NOT legal advice but an
academic explanation of how indemnity usually works under corporations law.

Most companies have an indemnity clause in their bylaws because officers and
directors have a fiduciary duty to the company.  A fiduciary duty entails a
Duty of Loyalty and Duty of Care.

A duty of loyalty requires officers and directors to place the interests of
the organization above their own.  This implies that officers and directors
cannot usurp opportunities for themselves which could have been taken by the
organization unless notifying non-interested directors and getting approval
or if the organization would not be able to avail itself of the opportunity.
If an officer or director breaches this duty they can be sued.  However,
the indemnity will only apply when the officer or director does not have an
adverse ruling against him/her in the proceeding.  If the officer or
director is found to have acted in bad faith they, individually, will
be responsible for paying their attorney's fees (no indemnity and

An officer and director also has a duty of care to manage the business of
the company as a prudent officer/director.  If they breach this duty, they
could be sued.  Again, the function of indemnity will usually apply when the
officer or director is found to have acted reasonably.  If the officer or
director is found to have acted in bad faith they, individually, will be
responsible for paying their attorney's fees (no indemnity and

Members do not have a fiduciary duty to the organization per se.  However,
if a member is acting as an agent of the organization and the organization
has held the agent out as representing the organization or acknowledged the
agency relationship then the organization will be liable for the member's
actions (indemnity).  An example of agency would be where members set up
conferences like AppSec USA and sign contracts for the venue, food,
services, etc. on behalf of OWASP.  So there is indemnity of members in
certain cases.

But requiring OWASP to indemnify all of its members would be a tremendous
legal burden. Especially if the member is not acting as an agent for OWASP.
This would open OWASP to potential liability for actions that any member
partakes (hacking government institutions, negligence, as well as other
criminal and civil torts).

I have to say this is an unreasonable request and it is not related to
Americans trying to control everything.

I attended this year's OWASP leadership conference in Lisbon, Portugal.
This conference was not held in the states.  And although it was a pain
flying to Europe from the US I think we had good representation of members
outside of the US for leadership purposes.  This shows that OWASP is
globally centric and not US centric.

Come on guys, OWASP wants to support and reach out to the world.

Abraham Kang

On Tue, Aug 9, 2011 at 10:53 PM, Christian Heinrich <
christian.heinrich at owasp.org> wrote:

> Dennis,
> On Sun, Jul 3, 2011 at 9:56 AM, Dennis Groves <dennis.groves at owasp.org>
>  wrote:
>> Well Jim,
>> How about this: If board members want responsibility then let it come with
>> accountability - why should there be a bylaw that gives them indemnity?? I
>> strongly disagree with lack of accountability for responsible parties. This
>> is always used for abuse of power and nothing else. The board is biased as
>> they are responsible but not accountable so why are they allowed to vote?
>> Surely this is a conflict of interest.
>> Everything I read claims GLOBAL values but is very USA centric; including
>> the formation of the bureaucracy that more resembles the very US Banks which
>> are among the most corrupt organizations in the world. And every time
>> somebody from outside the USA speaks up all the Americans gather together
>> like a pack of wolves to tear apart the ideas that seem to threaten the
>> power grab.
>> Don't get me wrong, I believe that governance is required and necessary in
>> any viable system - but we need to be improving or pioneering governance
>> systems not copying American centric models that support corruption.
>> --
>> Dennis Groves <http://about.me/dennis.groves>, MSc
>> dennis.groves at owasp.org
>>  <http://www.owasp.org/>
> "Article IV - Indemnity" within
> https://www.owasp.org/images/0/0d/OWASP_ByLaws.pdf has been retained
> within https://www.owasp.org/images/a/ae/2012ByLawsFINAL.pdf
> That stated, the "indemnity" clause should include "members" in its scope
> and in which case legal action, such as defamation or public liability that
> occurs at OWASP can only be brought against the Foundation and *not* against
> individual member(s).
> Therefore, is there a legal roadblock prohibiting indemnity being extended
> to members? Tom (Brennan) might be able to address this?
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh