The Why, When and How of Confidentiality Agreements (Part 2)

Nondisclosure Agreements (NDAs), a/k/a Nondisclosure Agreements (NAs), Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time.  However, few companies have implemented policies stating why, when and how NDAs should be used.  In Part 1 of this article, I talked about the “why” and the “when.”  Part 2 covers the “how.”

HOW to use an NDA.  Once you’ve figured out the why and the when, use the following tips and tricks as you work with NDAs:

  • Keep them fair and balanced. While you always want to try to avoid getting bogged down in contract negotiations, this is especially true for NDAs typically entered into at the outset of a relationship or where disclosure of specialized information is needed to further a business purpose.  Counsel should work with business leaders to ensure the NDA template is fair and balanced. If a potential partner or vendor insists on their NDA, consider whether it is fair and balanced – if it is, it may not be the best time for a battle over whose form to use.
  • Make sure “purpose” is defined. NDAs should include a description of why the parties are sharing information (a potential business relationship between them, a potential business combination, to allow your company to participate in an activity, etc.)  This is usually defined as the “Purpose.” Defining the Purpose, and restricting the recipient’s use of your CI to the Purpose, can help ensure contractually that information you disclose is not misused.
  • Avoid sharing customer records or personally identifiable information under an NDA. Be very careful if you want to share customer or employee records or other personally identifiable information under an NDA. You generally need other security protections that aren’t in a standard NDA; your privacy policy might not allow it; you may not have the necessary permissions from the data subjects to share it; there may be specialized laws (e.g., HIPAA) that could be impacted; etc.  If you need to share data to evaluate a new product or service, use dummy data.
  • Ensure “Confidential Information” covers what you want to share. Make sure the definition of “Confidential Information” is broad enough to cover all of the information that you’re planning to share.  Whether you are disclosing financial projections, business plans, network credentials, samples of new products, or other information, if it’s not covered by the definition the recipient has no obligation to protect it.
  • Watch out for “residuals” clauses. One dangerous clause to watch out for (and avoid) in NDAs is the “Residuals” clause.  “Residuals” are what you retain in memory after you look at something (provided you don’t intentionally try to memorize it).  Residuals clauses let you use any residuals from the other party’s CI retained in your unaided memory.  However, it’s next to impossible to prove that something was in someone’s “unaided memory.”  Residuals clauses are a very large back door to NDA requirements.
  • Understand the “marking requirements.” NDAs generally require identification of confidential information so that the recipient knows that it should be kept confidential.  For example, you generally have to mark any information in written disclosures as “confidential” using a stamp, watermark, or statement in the header/footer (don’t forget to mark all pages of a document and its exhibits/attachments in case pages get separated).  Some NDAs require that confidential information disclosed orally has to be summarized in a written memo within a certain period of time in order to fall under the NDA – don’t lose sight of this obligation, and consider steps to mitigate the risk if you have this requirement (e.g., a reminder in your lead management system to summarize when a note of a sales call is included).  Other NDAs include a “catch-all” to keep confidential any information where, from the circumstances of disclosure, the disclosing party clearly intended (or the recipient can determine) that it should be kept confidential.  This last clause is a double-edged sword – it ensures the broadest possible protection for you, but also for the other party.
  • Look at the “nondisclosure period.” Most NDAs have a defined period of time during which confidentiality obligations will apply to CI.  Once the period ends, your CI is no longer considered confidential by the other party.  If you are disclosing trade secrets, it’s important that they are kept confidential forever, or until the information enters the public domain through someone else’s acts or omissions. Also, consider language that requires the other party to securely dispose of your CI when there is no longer a business or legal need for them to possess it.
  • Control onward transfer. Ensure you’re controlling the onward transfer of your CI.  Generally, a recipient’s onward transfer of your CI should only be permitted when (a) the receiving party is a business partner of the recipient (a contractor, subsidiary, supplier, etc.); (b) the receiving party needs to know the CI in furtherance of the Purpose; and (c) the receiving party is bound by written confidentiality obligations at least as strong as those in the NDA between you and the recipient.  Make sure the NDA holds the recipient liable for any improper disclosure of CI by the third party so you don’t have to go after the third party, and requires that data be transferred securely.
  • Watch out for overlapping confidentiality obligations. As I noted in Part 1, it’s important to look out for duplicate confidentiality obligations governing the same confidential information.  In some cases, a party may suggest that each party sign the other’s NDA.  In other cases, a party might try to keep an NDA alive after a services or other agreement has been finalized and signed.  You should avoid having different confidentiality obligations govern the same agreement, as it can easily lead to a big fight over what contractual obligations and provisions apply in the event of a disclosure, distracting you from dealing with the actual breach of your CI.
  • Be mindful of your return or destruction obligations. In most NDAs there is a requirement for a recipient to return or destroy the discloser’s CI, either upon request and/or upon termination.  Sometimes the discloser gets to pick between return and destruction, sometimes the recipient.  In order to ensure compliance, make sure you limit disclosure of third party CI internally, and keep track of who has access to/copies of it.  Without tracking that information, it’s very difficult to ensure return or deletion when the time comes.
  • Be careful sharing access credentials. If you’re sharing any network or other computer access credentials as part of the Purpose, ensure the NDA contains additional security obligations to maintain appropriate safeguards to protect access credentials, to limit use of them (no onward transfer), notification in the event the credentials are (or are suspected to have been) compromised, and an indemnity if the security obligations are breached.  Remember, the Target breach began with the compromise of a subcontractor’s network credentials.
  • Consider using electronic signatures. As I described in my earlier blog post, using an electronic signature system for NDAs can make the nondisclosure process even more quick and efficient, letting your business team get to sharing information sooner.

There are other NDA issues as well, such as ensuring injunctive relief language is not too limiting or broad for your company’s needs.  As always, consult an attorney with expertise in NDAs (and a business-savvy approach) to ensure your company, its confidential and proprietary information and its trade secrets are properly protected.

The Why, When and How of Confidentiality Agreements (Part 1)

Nondisclosure Agreements (NDAs), a/k/a Nondisclosure Agreements (NAs), Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time.  However, few companies have implemented policies stating why, when and how NDAs should be used.  Quite often different people at the same organization take very different approaches to using NDAs, resulting in inconsistent protection of a company’s confidential or proprietary information (“CI”) — or worse, jeopardizing company trade secrets.  This two-part article provides a summary of the why, when and how of NDAs.  In Part 1, I talk about the “why” and the “when.”

WHY to use an NDA.  There are three primary, and sometimes overlapping, reasons why to use an NDA – for protective purposes, for strategic purposes, and for contractual purposes.

  • The most common reason for entering into an NDA is to ensure there are adequate (and binding) protections for your CI before you share sensitive information with another party.  If your company has trade secrets, failing to put confidentiality obligations in place with third parties who have access to your trade secrets can cost you your trade secret protection.
  • An NDA can also be used as a litmus test to gauge whether a party is truly interested and serious about discussions with your company.  If you’re asked to sign an NDA well before confidential information will be exchanged, this might be the reason.  An example is a requirement for potential vendors to sign an NDA before the RFP is provided to them, even if there’s nothing confidential in the RFP.  Requiring an NDA up front can also ensure that you don’t get down the road with a potential vendor or partner only to find that they are resistant to signing an NDA.
  • An existing confidential obligation to a third party may require you to put confidentiality obligations in place with any subcontractor or business partner with whom you need to share the third party’s CI for business purposes (more on this in Part 2).  If an existing agreement with your subcontractor or business partner doesn’t satisfy contractual requirements, a separate NDA may be needed.

If a third party questions why an NDA is needed, consider whether that should be a red flag in and of itself.  They may not view confidentiality as a significant concern or priority, may not be sophisticated about the importance of strong confidentiality practices, or may be trying to get you to reveal confidential information without an NDA in place.

WHEN to use an NDA.  Once you’ve determined that you need an NDA for one or more of the above purposes, you then need to determine when to use one.  Keep these questions in mind:

  • What is confidential information? In order to know when to use an NDA, you need to first know what needs to be protected.  This is often the MOST IMPORTANT question a company can ask.  What information is considered confidential or proprietary information, and what information is a trade secret?  Everything else should be considered non-confidential.  Look at your IT policies to see how data is classified at your company (many classify CI into levels) and use those classifications to determine what categories of information should be protected.  If it’s information you include in your marketing brochures or on your corporate website, it’s not confidential or proprietary information.  Use this test – if you would have a problem with the information showing up on the front page of your local paper or elsewhere for the world to see, or if it ended up in the hands of your competitors, you may want to treat it as confidential if it’s disclosed.  Educate your sales and other internal business teams as to what’s considered CI, and when an NDA is required — make sure to remind them that part of their job is to protect your company’s confidential information.
  • Who is disclosing what? Not every discussion about a potential business relationship requires an NDA.  Look at what information may be disclosed and by whom.  If your company isn’t disclosing confidential information as part of the discussion, the onus should be on the other party to ask for an NDA.
  • Are there existing confidentiality terms? Sometimes an existing business partner or vendor will ask for an NDA before sharing information about a new product or service.  Before signing, check your existing agreement to see whether its confidentiality language is broad enough to cover the new information.  If it is, push back on the need for a separate NDA.  You should always try to avoid having multiple confidentiality terms governing the same confidential information (for more on this, see Part 2.)  If they insist, make sure the new NDA is limited in its purpose and does not overlap with the existing agreement.
  • When will sharing begin? Determine when in the sales cycle/vendor selection process you need to start sharing CI – that’s your “NDA point.”  Once you’ve determined your NDA point, make sure you build it into your SOPs and other business process documentation to minimize the chance that CI is shared without a valid NDA in place.
  • What is the right effective date? In business, the cart sometimes gets ahead of the horse when it comes to getting an NDA in place.  If your company gets out over its ski tips by disclosing CI without having the NDA in place first, ensure that the NDA applies retroactively by setting the effective date as the date on which confidential information was first disclosed, not the date on which it was signed.