Safe Harbor Framework for EU to US Personal Data Transfers May Not Be “Adequate” After All

This week, the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment in an ECJ case recommending that the ECJ find the US-EU Safe Harbor Framework to be invalid.

For US companies with European subsidiaries that regularly need to transfer data back to the US home office, one of the primary data privacy considerations is compliance with the EU’s Data Protection Directive. Each EU member state has adopted its own data protection law based on the Directive. The Directive covers personal data in the European Economic Area (the EU, Iceland, Liechtenstein and Norway).

Under Article 25 of the Directive, the transfer of personal data to a country or territory outside of the EEA is prohibited unless that country or territory can guarantee an “adequate” level of data protection in the eyes of the EU.  In some cases, the EU will declare a country to have “adequate” protections in place (e.g., Canada based on their national PIPEDA data privacy law).

The US is one of the countries that is not deemed “adequate” by the EU.  (The US does not have a comprehensive national privacy law like Canada or the EU, but instead uses a “sectoral” approach to regulate data privacy.)  Because of this, the EU controller of the personal data must ensure that the US company receiving the data has an adequate level of protection for personal data to permit the data transfer.  This can be achieved in a number of ways, including:

  • The Directive defines a number of situations in which adequacy is presumed statutorily, such as where the data subject consents to the transfer, the transfer is necessary for the performance of, or conclusion of, the contract between the data subject and data controller, or it is necessary to protect the vital interests of the data subject.
  • A company’s Board of Directors can adopt binding corporate rules requiring adequate safeguards within a corporate group to protect personal data throughout the organization.
  • The EU entity and US entity can enter into an approved contract (utilizing a model contract terms approved by the EU) with provisions ensuring data is adequately protected.
  • The transfer is to a US entity which participates in the Safe Harbor Framework, a program agreed upon by the US and EU in 2000 under which US companies that self-certify that their data protection policies and practices are in compliance with the requirements of the Framework are deemed to have an “adequate” level of data protection for EU data transfer purposes.  Over 5,000 companies have certified their compliance with the Safe Harbor Framework.

Edward Snowden’s revelations regarding US government surveillance programs and practices created many questions regarding whether the Safe Harbor Framework was truly “adequate” for EU purposes, since regardless of a company’s own policies and practices the US government could access the personal data of EU data subjects stored on US servers.  This week, in a case brought by an Austrian student challenging the transfer of his data to the US by Facebook under the Safe Harbor framework, the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment recommending that the ECJ find the Safe Harbor Framework to be invalid.  The ECJ can ignore the Advocate General’s recommendation, but does so only rarely.

The language of the decision will be very important, as the potential for US government surveillance of and access to personal data of EU data subjects stored in the US goes beyond the Safe Harbor framework.  A broad decision could create problems for the ability of US companies to achieve adequacy for EU data transfer purposes, regardless of the adequacy approach used — US government surveillance could be determined to trump any adequacy approach taken by US companies in the eyes of the EU. A finding that the US government’s surveillance practices call into question the adequacy of transfers of data to US companies in general would cause major headaches and disruptions for US businesses, and would have political and economic ramifications. It will be interesting to see how deep down this rabbit hole the ECJ is willing to go.

Companies which participate in the Safe Harbor Framework should immediately start looking at alternative choices for achieving “adequacy” in the eyes of the EU to allow for continued data transfers.  Companies should also look at whether any of their vendors rely on Safe Harbor in the performance of their obligations, and contact them regarding their contingency plans if Safe Harbor is found to be invalid. If the ECJ adopts the Advocate General’s recommendation, it is unclear whether it will provide any grace period for companies to implement an alternative approach.  Public reporting companies participating in the Safe Harbor framework may also want to consider whether this uncertainty should be cited in their risk factors for SEC reporting purposes.

FTC opens their nationwide tour to promote Start with Security

It’s not the latest group on tour with a band name and album name that needed a lot more thought.  Earlier this year, the FTC announced that they would be releasing guidance for businesses on data security.  In June, they did just that, releasing a guide called Start with Security: A Guide for Business.  It’s subtitled “Lessons Learned From FTC Cases” for a reason — it uses the 50+ FTC enforcement actions on data security to provide ten lessons companies should learn when approaching security, to avoid the missteps that led others into enforcement actions, along with practical guidance on reducing risks.  The lessons are:

  1. Start with security.  The FTC has long advocated the concept of “privacy by design,” meaning companies should bake an understanding of and sensitivity to privacy into every part of the business, making it part of the design process for new products and processes.  The FTC is advocating a similar concept of “security by design.” Guidance:  don’t collect personal information you don’t need (the RockYou enforcement action); don’t use personal information when it’s not necessary (Accretive and foru International); don’t hold on to information longer than you have a legitimate business need for it (BJ’s Wholesale Club).
  2. Control access to data sensibly.  Keep data in your possession secure by controlling access to it – limit access to those with a need to know for a legitimate business purpose (e.g., no shared user accounts, lock up physical files). Guidance: don’t let employees access personal information unless they need to access it as part of their job (Goal Financial); don’t give administrative access to anyone other than employees tasked with administrative duties (Twitter).
  3. Require secure passwords and authentication.  Use strong password authentication and sensible password hygiene (e.g., suspend the account after x unsuccessful attempts; prohibit common dictionary words; require at least 8 characters; require at least one upper case character, one lower case character, one numerical character, and one special character; prohibit more than 2 repeating characters; etc.)  Guidance: require complex and unique passwords (Twitter); store passwords securely (Guidance Software, Reed Elsevier, Twitter); guard against brute force attacks (Lookout Services, Twitter, Reed Elsevier); protect against authentication bypass such as predictable resource location (Lookout Services).
  4. Store sensitive personal information securely (“at rest”) and protect it during transmission (“in motion”). Use strong encryption when storing and transmitting data, and ensure the personnel implementing encryption understand how you use sensitive data and can determine the right approach on a situation-by-situation basis.  Guidance: keep sensitive information secure throughout the data life-cycle (receipt, use, storage, transmission, disposal) (Superior Mortgage Corporation); use industry-tested and accepted methods (ValueClick); make sure encryption is properly configured (Fandango, Credit Karma).
  5. Segment your network and monitor who’s trying to get in and out.  Be sure to use firewalls to segment your network to minimize what an attacker can access.  Use intrusion detection and prevention tools to monitor for malicious activity.  Guidance: segment your network (DSW); monitor activity on your network (Dave & Buster’s, Cardsystem Solutions).
  6. Secure remote access to your network. Make sure you develop and implement a remote access policy, implement strong security measures for remote access, and put appropriate limits on remote access, such as restricting it by IP address and revoking remote access promptly when no longer needed.  (The compromise of a vendor’s system via phishing, leading to remote network access, is how the Target breach started.)  Guidance: ensure remote computers have appropriate security measures in place, e.g., “endpoint security” (Premier Capital Lending, Settlement One, LifeLock); put sensible access limits in place (Dave & Buster’s).
  7. Apply sound security practices when developing new products. Use “security by design” to ensure data security is considered at all times during the product development life-cycle.  Guidance: train engineers in secure coding (MTS, HTC America, TRENDnet); follow platform guidelines for security (HTC America, Fandango, Credit Karma); verify that privacy and security features work (TRENDnet, Snapchat); test for common vulnerabilities (Guess?).
  8. Make sure your service providers implement reasonable security measures. Make sure you communicate your security expectations to your service providers and vendors, and hold their feet to the fire through contractual commitments and auditing/penetration testing. Guidance: put it in writing (GMR Transcription); verify compliance (Upromise).
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.  Data security is a constant game of cat-and-mouse with hackers – make sure to keep your guard up.  Apply updates to your hardware and software as they are issued, and ensure you are spotting vulnerabilities in, and promptly patching, your own software. Have a mechanism to allow security warnings and issues to be reported to IT.  Guidance: update and patch third-party software (TJX Companies); heed credible security warnings and move quickly to fix them (HTC America, Fandango).
  10. Secure paper, physical media, and devices.  Lastly, while the focus these days seems to be on cybersecurity, don’t forget about physical security of papers and physical media.  Guidance: securely store sensitive files (Gregory Navone, LifeLock); protect devices that process personal information (Dollar Tree); keep safety standards in place when data is en route (Accretive, CBR Systems); dispose of sensitive data securely (Rite Aid, CVS Caremark, Goal Financial).
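
Lesson 3 above is the one item in the list that spells out concrete technical rules: a complexity policy (length, character classes, no long runs of repeated characters, no dictionary words), secure password storage, and protection against brute force. The following Python is an added illustration written for this page; it is not code from the FTC guide or from any company named in the enforcement actions. It enforces the policy at registration, stores passwords as salted PBKDF2-HMAC-SHA256 hashes with a constant-time comparison, and locks an account after repeated failures. The thresholds (8 characters, lockout after 5 failures, 600,000 iterations) and the five-word dictionary are assumptions chosen to match the lesson’s wording; a real deployment would use a breached-password list and a timed or administratively reset lockout.

```python
"""Password policy, salted hashing and lockout, illustrating FTC lesson 3.

Added example for this page, not code from the FTC guide or any cited company.
MIN_LENGTH, MAX_FAILED_ATTEMPTS, PBKDF2_ITERATIONS and COMMON_WORDS are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}

MIN_LENGTH = 8               # "require at least 8 characters"
MAX_FAILED_ATTEMPTS = 5      # "suspend ... after x unsuccessful attempts"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def policy_violations(password: str) -> List[str]:
    """Return every policy rule the candidate breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if re.search(r"(.)\1\1", password):  # same character three or more times in a row
        problems.append("more than 2 repeated characters")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow salted hash; the stored string records its own parameters so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Account:
    username: str
    password_hash: str
    failed_attempts: int = 0
    locked: bool = False


class AccountStore:
    """In-memory user store: policy enforced at registration, lockout enforced at login."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> Account:
        problems = policy_violations(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        account = Account(username, hash_password(password))
        self._accounts[username] = account
        return account

    def login(self, username: str, password: str) -> str:
        """Return "ok", "bad-credentials" or "locked"; never reveal which part was wrong."""
        account = self._accounts.get(username)
        if account is None:
            # Spend the same effort for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, salt=b"\x00" * 16)
            return "bad-credentials"
        if account.locked:
            return "locked"
        if verify_password(password, account.password_hash):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True  # clearing this is an admin or timed step, not shown here
            return "locked"
        return "bad-credentials"
```

Note that the correct password stops working once the account is locked: the lockout has to be cleared out of band, otherwise an attacker who guesses the password during the lockout window learns nothing, which is the point. Also note that a brute-force defence that only counts failures per account does nothing against password spraying (one guess across many accounts); rate limiting per source and monitoring, which lesson 5 covers, are needed alongside it.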

As this guidance is based on what companies did wrong or didn’t do that led to FTC enforcement actions, it will be interesting to see how the FTC treats a company that suffers a data breach but demonstrates that they used reasonable efforts to comply with the FTC’s guidance.  I suspect the FTC will take a company’s compliance with this guidance into consideration when determining penalties in an enforcement action. The guidance is very high-level, so companies must rely on their IT and Legal teams to determine what steps, processes and protocols need to be implemented in alignment with the FTC’s guidance.

In addition to publishing the guide, the FTC has embarked on a conference series aimed at SMBs (small and medium-sized businesses), start-up companies, and developers to provide information on “security by design,” common security vulnerabilities, secure development strategies, and vulnerability response.  The first conference took place September 9 in San Francisco, CA; the second will take place November 5 in Austin, TX.

The FTC also announced a new website at which they’ve gathered all of their data security guidance, publications, information and tools as a “one-stop shop”.  You can find it at http://www.ftc.gov/datasecurity.

Podcast – the in-house perspective on trade secrets, privacy, and other topics

I recently had the privilege of being interviewed for IP Fridays®, a podcast series by Ken Suzan (of counsel and a trademark attorney at the Minneapolis office of Barnes & Thornburg LLP) and Dr. Rolf Claessen (partner at Patent Attorneys Freischem in Cologne, Germany).  We discussed the in-house perspective on a variety of topics, including trade secrets, copyrighting software code, and privacy.  Head to IPFridays.com if you’d like to listen, or click here to head straight to the podcast.

Don’t Overlook Law Firms as Third-Party Data Storage Vendors

There are countless articles providing companies with tips and advice on what to look for, and what to look out for, when engaging with a vendor who will store, process and/or use company data and/or network credentials. Given recent high-profile data breaches attributable to vendors of major companies, there has been a focus on tightening controls on vendors. Many companies have put procedures and requirements in place to ensure that vendors storing company data and network credentials are properly vetted, meet IT and security standards, and commit contractually to protect the company’s valuable information.

Despite this, there is one group of vendors storing data that are overlooked by a large number of companies – law firms. Here are a few reasons why:

  • Engagements don’t follow the usual vendor procurement process. Law firms are generally engaged directly by the General Counsel, other senior attorneys, or senior management. They are usually engaged due to their specialized expertise in a particular area of law in which there is an immediate need, an existing relationship with a member of the legal or management team, or a recommendation by a trusted resource. Law firm engagements often happen at the same time there is a pressing need for their services (e.g., a pending response to a complaint) with little time for a selection process. Quite often, companies don’t use a formal bid process at all when engaging outside counsel.
  • Law firms don’t think of themselves as just another vendor. Law firms generally do not consider themselves to be like other vendors given their specialized role and partnership with companies to provide legal advice and counsel. They are like other service companies in some respects (for example, law firms need to comply with federal, state and local laws, rules and regulations applicable to other companies). Unlike other service companies, the lawyers providing services at a law firm are also bound by rules of professional responsibility with disciplinary measures for noncompliance. These rules include obligations to keep client information confidential. The Model Rules were recently changed to add obligations for law firms to use reasonable efforts to protect client data, and to keep abreast of the benefits and risks associated with relevant technology involved in the practice of law.

When a law firm suffers a major breach exposing customer data and notifies clients in compliance with state breach notification statutes, it will be interesting to see whether lawyers in that firm face disciplinary action under rules of professional responsibility for exposure of client data. If lawyers face discipline as the result of a security breach, it will bring security to the forefront of client-lawyer relationships overnight.

  • Other teams within a company consider law firm relationships as “off limits.” Legal often only reaches out to IT for assistance arranging secure transfer of files to and from law firms, and in connection with discovery requests. It’s very rare that procurement and IT teams reach out to Legal to ask them to run law firms through the same vetting process as other vendors handling company data or system credentials, and it’s equally rare for Legal to proactively request this review of the law firms it engages.

Things You Should Do. When your company engages a law firm, consider the following:

  • Proactively develop internal vetting requirements. Your Legal, IT, Security and Procurement teams should proactively develop a checklist of questions/action items/contractual requirements when engaging counsel. If engaging counsel in a hurry, make sure the firm realizes that your company will do this diligence as soon as possible following engagement.
  • Ask the firm about their security safeguards. When discussing an engagement with prospective counsel, ask them what their technical, administrative and procedural safeguards are for protecting your information (and, if you give them network access, your network credentials). Find out how big their information security team is, and what kind of systems they use. You’re relying on their security safeguards to keep your data safe, so it’s appropriate for you to ask questions about how they secure your data.

Law firms have historically been reluctant to talk about their information security practices. If a firm can’t give you solid information about their information security practices, or can’t give you the name of a person who can answer your IT and security questions, strongly consider looking for alternative counsel.

  • Ask about cyber insurance. Ask whether the firm carries cyber insurance to cover security breaches (more and more firms have it). If they do, ask them to add you as an additional insured as you would with other vendors holding your data.
  • Add a security rider to your law firm engagement letter, security language to your outside counsel guidelines, or both. Add a short rider to your law firm engagement letter with the security language you came up with in advance with your IT and security teams. Consider addressing topics such as security and confidentiality safeguards, requirements to rapidly deploy security patches to their hardware and software, and confidentiality of login credentials to your network. Ensure they are protecting you if there is an unauthorized disclosure of your company data stored through a third party system or provider they use.

Companies often ask counsel to comply with their outside counsel guidelines, and many firms ask clients to agree to their terms as part of the retainer letter. Include core security language in your engagement letter, and include a paragraph in the retainer letter requiring the law firm to follow the terms of your outside counsel guidelines (and resolving conflicts in favor of the guidelines).

It’s a matter of when, not if, a law firm announces a major security breach. Once that happens, it will cause a seismic shift in how law firms approach data they hold, and how prospective clients engage with them. Law firms that take a proactive approach and make their commitment to data security part of their core client values, and are willing to share their commitment with prospective clients, will find themselves with a leg up on the competition.

Six Tips for Working Efficiently and Effectively With Your Attorney in Contract Negotiations

Some people dread having to go to their legal counsel with a contract for review and negotiation.  “It’s the department of business prevention”; “we’ll never get it done”; “my attorney doesn’t understand what the business needs.”  Quite the contrary. In-house counsel want to partner with you to facilitate the company’s business objectives and help the company succeed, while at the same time managing risk to our client – the company. Ensuring you and your attorney work together as effectively and efficiently as possible is key to this process.  Here are 6 tips to keep in mind when working with your attorney in contract negotiations.

  1. Contract negotiation is a partnership, not a handoff. Contracts contain both legal and business terms. We will largely defer to you on the business terms (unless it’s something we’ve seen before that we know is a problem), and will focus on ensuring the legal terms are in order. You need to be a part of the negotiation process to provide guidance and approvals on business terms as they are negotiated.  If you submit a contract for review and then just wait for an email saying it’s done and signed, it will slow down the process as we’ll have to reach out to you, or worse, make assumptions about what your business needs are or what you are OK agreeing to in the contract.
  2. Negotiations can take time – don’t wait until the last minute to engage Legal. Negotiations can take time, but attorneys don’t want to drag them out – we have a lot of work on our plate, and we want to enable you to start working with the company or vendor so you can meet our corporate objectives. However, part of our job is also to negotiate terms that protect the company, and to help you navigate around the pitfalls and mountains.  If you come to us at the last minute and there are major issues (e.g., risks we can’t accept without high level approval), it’s a no-win situation – we feel you’re not giving us time to do our job as attorneys, you’re unhappy because the agreement can’t get done by your desired completion date, your boss is unhappy because you missed your deadline, others whose work depends on the negotiated partnership or vendor relationship are negatively affected, etc.

Build time for the legal review process into your project timeline, and if you’re unsure ask your attorney how much time they think it will take before you even get to the contract phase.   Engage Legal with questions on business terms or legal terms early in the process if it will help streamline the negotiation later on — we can help you structure business terms up front while they are being negotiated, to make the negotiation process go more smoothly.

  3. Provide complete business terms when you submit your contract request. Unless you are requesting a standard form agreement on your company’s paper, we need to know as much detail on the business terms as you can provide when you submit a contract request to Legal. Otherwise, we may have to make assumptions about what you’re looking for, and if we’re wrong it will mean redrafting work which will slow down the process. If you have a term sheet, attach it. If not, summarize the business terms in the request with as much detail as you can provide.  Include the full legal name of the other party, and their street address.  We’ll call you to flesh out any terms on which we have questions or need more information or detail.  Also, read the draft carefully before you forward it to the other side.  If the contract doesn’t match the business terms that were discussed, we’ll stumble right out of the gate on the contract negotiation.
  4. When you get a draft or get back redlines, add your comments on the business terms before submitting it to Legal.  If you send a draft on the other side’s paper or you receive redlines from the other side, go through it before you send it to Legal and mark it up with your comments and edits to any business terms.  If you need to reach out to internal business owners for their input or approval (e.g., Finance on payment terms, IT on SLAs, etc.), either do it before sending the draft to Legal, or indicate in the draft that you’re following up on an open business point before you send it to Legal.  Otherwise, the internal discussion draft you get from Legal will just include notes on where you need to provide input on business terms, slowing down the process.
  5. Listen to your lawyer’s suggestions – we’ve done this before. We have been in many contract negotiations, and have seen most contract provisions before.  We often know what provisions work with the company’s internal processes and requirements, and how third parties are likely to negotiate and come out on a given provision. If you come in with a business term or a position on an open point that we think may be a tough sell to the other party or is “out of the box” from an internal process perspective, our experience can help you avoid going down dark alleys or dead ends in the negotiation.  Good attorneys don’t just spot problems, but also offer alternatives to try to find a workable solution.  We may be able to offer an alternative provision or wording that meets your business needs, works for the other party, and satisfies your internal processes.

Attorneys usually have a sense as to which approach to contract negotiation (exchanging redlines right away, hopping on a call with the other side right away, exchange redlines first then get on a call, etc.) will be most effective for a particular contract or third party.  Your instinct may be to jump on a call with the other side as soon as you send or receive a draft, but in some cases that may end up unintentionally slowing down the negotiation. Tech-savvy attorneys may also suggest leveraging technological tools to increase speed and efficiency, e.g., WebEx online conferencing to make edits to the draft in real-time as if all parties are sitting in a conference room together.

  6. Attorneys will advise on the risks and share their opinion, but the business needs to “call the ball.” Every contract involves risks and rewards.  My job is to shift as much risk as I can (e.g., through contract terms), and to help explain how to mitigate risks (e.g., through internal process or procedure to control it).  Any remaining risk needs to be accepted (we understand but the benefits are worth it) or rejected (the benefits aren’t worth it) by the business.  Unless something is illegal or there’s simply too much pure legal risk to proceed, the attorney isn’t the one who should be making that risk decision.  We may share our opinion, but we can’t make the decision.  You (or someone higher up in the company) needs to make the risk decision after weighing the pros and cons.  If no one wants to be the decision-maker, the negotiation will grind to a halt.

The Why, When and How of Confidentiality Agreements (Part 2)

Nondisclosure Agreements (NDAs), a/k/a Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time.  However, few companies have implemented policies stating why, when and how NDAs should be used.  In Part 1 of this article, I talked about the “why” and the “when.”  Part 2 covers the “how.”

HOW to use an NDA.  Once you’ve figured out the why and the when, use the following tips and tricks as you work with NDAs:

  • Keep them fair and balanced. While you always want to try to avoid getting bogged down in contract negotiations, this is especially true for NDAs typically entered into at the outset of a relationship or where disclosure of specialized information is needed to further a business purpose.  Counsel should work with business leaders to ensure the NDA template is fair and balanced. If a potential partner or vendor insists on their NDA, consider whether it is fair and balanced – if it is, it may not be the best time for a battle over whose form to use.
  • Make sure “purpose” is defined. NDAs should include a description of why the parties are sharing information (a potential business relationship between them, a potential business combination, to allow your company to participate in an activity, etc.)  This is usually defined as the “Purpose.” Defining the Purpose, and restricting the recipient’s use of your CI to the Purpose, can help ensure contractually that information you disclose is not misused.
  • Avoid sharing customer records or personally identifiable information under an NDA. Be very careful if you want to share customer or employee records or other personally identifiable information under an NDA. You generally need other security protections that aren’t in a standard NDA; your privacy policy might not allow it; you may not have the necessary permissions from the data subjects to share it; there may be specialized laws (e.g., HIPAA) that could be impacted; etc.  If you need to share data to evaluate a new product or service, use dummy data.
  • Ensure “Confidential Information” covers what you want to share. Make sure the definition of “Confidential Information” is broad enough to cover all of the information that you’re planning to share.  Whether you are disclosing financial projections, business plans, network credentials, samples of new products, or other information, if it’s not covered by the definition the recipient has no obligation to protect it.
  • Watch out for “residuals” clauses. One dangerous clause to watch out for (and avoid) in NDAs is the “Residuals” clause.  “Residuals” are what you retain in memory after you look at something (provided you don’t intentionally try to memorize it).  Residuals clauses let the recipient use any residuals from your CI retained in their unaided memory.  However, it’s next to impossible to prove whether or not something was in someone’s “unaided memory.”  Residuals clauses are a very large back door around NDA requirements.
  • Understand the “marking requirements.” NDAs generally require identification of confidential information so that the recipient knows that it should be kept confidential.  For example, you generally have to mark any information in written disclosures as “confidential” using a stamp, watermark, or statement in the header/footer (don’t forget to mark all pages of a document and its exhibits/attachments in case pages get separated).  Some NDAs require that confidential information disclosed orally has to be summarized in a written memo within a certain period of time in order to fall under the NDA – don’t lose sight of this obligation, and consider steps to mitigate the risk if you have this requirement (e.g., a reminder in your lead management system to summarize when a note of a sales call is included).  Other NDAs include a “catch-all” to keep confidential any information where, from the circumstances of disclosure, the disclosing party clearly intended (or the recipient can determine) that it should be kept confidential.  This last clause is a double-edged sword – it ensures the broadest possible protection for you, but also for the other party.
  • Look at the “nondisclosure period.” Most NDAs have a defined period of time during which confidentiality obligations will apply to CI.  Once the period ends, your CI is no longer considered confidential by the other party.  If you are disclosing trade secrets, it’s important that they are kept confidential forever, or until the information enters the public domain through someone else’s acts or omissions. Also, consider language that requires the other party to securely dispose of your CI when there is no longer a business or legal need for them to possess it.
  • Control onward transfer. Ensure you’re controlling the onward transfer of your CI.  Generally, a recipient’s onward transfer of your CI should only be permitted when (a) the receiving party is a business partner of the recipient (a contractor, subsidiary, supplier, etc.); (b) the receiving party needs to know the CI in furtherance of the Purpose; and (c) the receiving party is bound by written confidentiality obligations at least as strong as those in the NDA between you and the recipient.  Make sure the NDA holds the recipient liable for any improper disclosure of CI by the third party so you don’t have to go after the third party, and requires that data be transferred securely.
  • Watch out for overlapping confidentiality obligations. As I noted in Part 1, it’s important to look out for duplicate confidentiality obligations governing the same confidential information.  In some cases, a party may suggest that each party sign the other’s NDA.  In other cases, a party might try to keep an NDA alive after a services or other agreement has been finalized and signed.  You should avoid having different confidentiality obligations govern the same agreement, as it can easily lead to a big fight over what contractual obligations and provisions apply in the event of a disclosure, distracting you from dealing with the actual breach of your CI.
  • Be mindful of your return or destruction obligations. In most NDAs there is a requirement for a recipient to return or destroy the discloser’s CI, either upon request and/or upon termination.  Sometimes the discloser gets to pick between return and destruction, sometimes the recipient.  In order to ensure compliance, make sure you limit disclosure of third party CI internally, and keep track of who has access to/copies of it.  Without tracking that information, it’s very difficult to ensure return or deletion when the time comes.
  • Be careful sharing access credentials. If you’re sharing any network or other computer access credentials as part of the Purpose, ensure the NDA contains additional security obligations: to maintain appropriate safeguards to protect the access credentials, to limit their use (no onward transfer), to notify you in the event the credentials are (or are suspected to have been) compromised, and to indemnify you if the security obligations are breached.  Remember, the Target breach began with the compromise of a subcontractor’s network credentials.
  • Consider using electronic signatures. As I described in my earlier blog post, using an electronic signature system for NDAs can make the nondisclosure process even more quick and efficient, letting your business team get to sharing information sooner.

There are other NDA issues as well, such as ensuring injunctive relief language is not too limiting or broad for your company’s needs.  As always, consult an attorney with expertise in NDAs (and a business-savvy approach) to ensure your company, its confidential and proprietary information and its trade secrets are properly protected.

The Why, When and How of Confidentiality Agreements (Part 1)

Non-Disclosure Agreements (NDAs), a/k/a Nondisclosure Agreements (NAs), Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time.  However, few companies have implemented policies stating why, when and how NDAs should be used.  Quite often different people at the same organization take very different approaches to using NDAs, resulting in inconsistent protection of a company’s confidential or proprietary information (“CI”), or worse, jeopardizing company trade secrets.  This two-part article provides a summary of the why, when and how of NDAs.  In Part 1, I talk about the “why” and the “when.”

WHY to use an NDA.  There are three primary, and sometimes overlapping, reasons why to use an NDA – for protective purposes, for strategic purposes, and for contractual purposes.

  • The most common reason for entering into an NDA is to ensure there are adequate (and binding) protections for your CI before you share sensitive information with another party.  If your company has trade secrets, failing to put confidentiality obligations in place with third parties who have access to your trade secrets can cost you your trade secret protection.
  • An NDA can also be used as a litmus test to gauge whether a party is truly interested and serious about discussions with your company.  If you’re asked to sign an NDA well before confidential information will be exchanged, this might be the reason.  An example is a requirement for potential vendors to sign an NDA before the RFP is provided to them, even if there’s nothing confidential in the RFP.  Requiring an NDA up front can also ensure that you don’t get down the road with a potential vendor or partner only to find that they are resistant to signing an NDA.
  • An existing confidentiality obligation to a third party may require you to put confidentiality obligations in place with any subcontractor or business partner with whom you need to share the third party’s CI for business purposes (more on this in Part 2).  If an existing agreement with your subcontractor or business partner doesn’t satisfy those contractual requirements, a separate NDA may be needed.

If a third party questions why an NDA is needed, consider whether that should be a red flag in and of itself.  They may not view confidentiality as a significant concern or priority, may not be sophisticated about the importance of strong confidentiality practices, or may be trying to get you to reveal confidential information without an NDA in place.

WHEN to use an NDA.  Once you’ve determined that you need an NDA for one or more of the above purposes, you then need to determine when to use one.  Keep these questions in mind:

  • What is confidential information? In order to know when to use an NDA, you need to first know what needs to be protected.  This is often the MOST IMPORTANT question a company can ask.  What information is considered confidential or proprietary information, and what information is a trade secret?  Everything else should be considered non-confidential.  Look at your IT policies to see how data is classified at your company (many classify CI into levels) and use those classifications to determine what categories of information should be protected.  If it’s information you include in your marketing brochures or on your corporate website, it’s not confidential or proprietary information.  Use this test – if you would have a problem with the information showing up on the front page of your local paper or elsewhere for the world to see, or if it ended up in the hands of your competitors, you may want to treat it as confidential if it’s disclosed.  Educate your sales and other internal business teams as to what’s considered CI, and when an NDA is required; make sure to remind them that part of their job is to protect your company’s confidential information.
  • Who is disclosing what? Not every discussion about a potential business relationship requires an NDA.  Look at what information may be disclosed and by whom.  If your company isn’t disclosing confidential information as part of the discussion, the onus should be on the other party to ask for an NDA.
  • Are there existing confidentiality terms? Sometimes an existing business partner or vendor will ask for an NDA before sharing information about a new product or service.  Before signing, check your existing agreement to see whether its confidentiality language is broad enough to cover the new information.  If it is, push back on the need for a separate NDA.  You should always try to avoid having multiple confidentiality terms governing the same confidential information (for more on this, see Part 2).  If they insist, make sure the new NDA is limited in its purpose and does not overlap with the existing agreement.
  • When will sharing begin? Determine when in the sales cycle/vendor selection process you need to start sharing CI – that’s your “NDA point.”  Once you’ve determined your NDA point, make sure to build it into your SOPs and other business process documentation to minimize the chance that CI is shared without a valid NDA in place.
  • What is the right effective date? In business, the cart sometimes gets ahead of the horse when it comes to getting an NDA in place.  If your company gets out over its ski tips by disclosing CI without having the NDA in place first, ensure that the NDA applies retroactively by setting the effective date as the date on which confidential information was first disclosed, not the date on which it was signed.

Litigation Management for the In-House Generalist and Business Leader (Part 6)

Understanding the basics of litigation management is essential for in-house counsel, and can give business leaders more perspective on playing the “litigation card.” Recently InsideCounsel Magazine published the last in a six-part article series entitled “Litigation Management for the In-House Generalist” co-authored by myself and Michael Geibelson, a partner at Robins Kaplan LLP and a top-notch litigator.  Part 6 in the series provides twelve discovery best practices to keep in mind, and closing thoughts. Click here to read the article. I hope you have enjoyed this article series!

Litigation Management for the In-House Generalist and Business Leader (Part 5)

Understanding the basics of litigation management is essential for in-house counsel, and can give business leaders more perspective on playing the “litigation card.” Recently InsideCounsel Magazine published the fifth in a six-part article series entitled “Litigation Management for the In-House Generalist” co-authored by myself and Michael Geibelson, a partner at Robins Kaplan LLP and a top-notch litigator.  Part 5 in the series discusses discovery and the core discovery types – written, oral, and visual. Both in-house counsel and business leaders can benefit from having an understanding of what discovery entails as it is the aspect of litigation that intrudes the most into a company’s day to day business operations.  Click here to read the article, and enjoy.

The Pros, Cons, Do’s and Don’ts of Competitor Keyword Bidding

Companies regularly bid on their own keywords, and generic terms related to their business, as part of their overall paid search strategy.  Bidding on competitors’ keywords (company name, brand names, product names, etc.) in paid search advertising is also a common practice. Google has allowed companies to bid on third party trademarked terms since 2008.  Plaintiffs have had an increasingly difficult time in recent years winning trademark infringement cases involving competitor keyword bidding.  Many companies appear to have adopted an “if you can’t beat ’em, join ’em” approach.  So should your company be bidding on competitors’ keywords too?

The answer, as is often the case, is, “maybe.”  There are many pros and cons to bidding on competitors’ keywords, and do’s and don’ts, to keep in mind.

  • PRO:  Bidding on competitors’ keywords targets your company’s market and promotes brand awareness.  Companies can use competitor keyword bidding to advertise to persons looking for similar products and services, helping to ensure your products are reaching the broadest possible market.
  • PRO:  Bidding on competitors’ keywords presents alternatives in the marketplace. Competitor keyword bidding helps ensure your company’s name and brand is presented as an alternative to someone searching for a competitor’s products.  This provides consumers with choices on available products and levels the playing field (especially when your competitors are bigger than you).
  • PRO:  Bidding on competitors’ keywords is often less competitive.  Competitors’ keywords are generally less competitive than generic terms, as fewer companies bid on them.
  • CON:  Bidding on competitors’ keywords could trigger a bidding war.  If your competitor isn’t already bidding on your company’s keywords, it may take an “eye for an eye” approach and start bidding on your company’s keywords, driving up your own paid search listing fees.
  • CON:  Competitors’ keywords generally result in a low click-through rate, which can have consequences.  The click-through rate (CTR) for listings triggered by a competitor keyword can be low.  For Google, failing to achieve a strong CTR on an ad campaign can affect your company’s AdWords Quality Score (QS), driving up the company’s overall Cost Per Click (CPC) for paid search listings.
  • CON:  While litigation over competitor keyword bidding is unusual these days, it’s not unheard of if you don’t carefully follow the rules.

If you decide that the pros outweigh the cons and want to dive (or wade) into competitor keyword bidding, here are some Do’s and Don’ts to consider:

DO differentiate your company in the ad creative by including a clear offer or unique selling point to draw potential customers away from the company they were looking for.  Find a way to differentiate yourself and present a value proposition in your ad to get a potential competitor customer to look at you instead.

DO always mention your company’s name in advertisements served via competitor keyword bidding.

DO check competitors’ keywords for alternate meanings (e.g., through Google Suggest and Google Search).  Other meanings could mean serving ads to persons searching for an alternate meaning, resulting in a low CTR.

DON’T use dynamic keyword insertion for a campaign involving a competitor’s keywords.  Not only is it a violation of Google’s AdWords policy, it can potentially expose you to trademark infringement claims.

DON’T mention a competitor’s name in your own ad copy served through competitor keyword bidding, or use it in a way that could cause a consumer to think you’re somehow associated with or sponsored by your competitor.

DON’T be deceptive, confusing or misleading, or make unsubstantiated claims, in your advertising creative or design (it’s never a good idea to try to trick someone into clicking on your ad).

Finally, DON’T try to outbid your competitors for their keywords.  Try to be #2 or #3 on the search results page to avoid a higher bounce rate and Quality Score impact.  Avoid starting a keyword bidding war; there’s never a winner, and the 1982 movie WarGames said it best (“the only winning move is not to play”).