Nondisclosure Agreements (NDAs), a/k/a Nondisclosure Agreements (NAs), Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time. However, few companies have implemented policies stating why, when and how NDAs should be used. In Part 1 of this article, I talked about the “why” and the “when.” Part 2 covers the “how.”
HOW to use an NDA. Once you’ve figured out the why and the when, use the following tips and tricks as you work with NDAs:
- Keep them fair and balanced. While you always want to try to avoid getting bogged down in contract negotiations, this is especially true for NDAs typically entered into at the outset of a relationship or where disclosure of specialized information is needed to further a business purpose. Counsel should work with business leaders to ensure the NDA template is fair and balanced. If a potential partner or vendor insists on their NDA, consider whether it is fair and balanced – if it is, it may not be the best time for a battle over whose form to use.
- Make sure “purpose” is defined. NDAs should include a description of why the parties are sharing information (a potential business relationship between them, a potential business combination, to allow your company to participate in an activity, etc.). This is usually defined as the “Purpose.” Defining the Purpose, and restricting the recipient’s use of your confidential information (CI) to the Purpose, can help ensure contractually that information you disclose is not misused.
- Avoid sharing customer records or personally identifiable information under an NDA. Be very careful if you want to share customer or employee records or other personally identifiable information under an NDA. You generally need other security protections that aren’t in a standard NDA; your privacy policy might not allow it; you may not have the necessary permissions from the data subjects to share it; there may be specialized laws (e.g., HIPAA) that could be impacted; etc. If you need to share data to evaluate a new product or service, use dummy data.
- Ensure “Confidential Information” covers what you want to share. Make sure the definition of “Confidential Information” is broad enough to cover all of the information that you’re planning to share. Whether you are disclosing financial projections, business plans, network credentials, samples of new products, or other information, if it’s not covered by the definition the recipient has no obligation to protect it.
- Watch out for “residuals” clauses. One dangerous clause to watch out for (and avoid) in NDAs is the “Residuals” clause. “Residuals” are what you retain in memory after you look at something (provided you don’t intentionally try to memorize it). Residuals clauses let you use any residuals from the other party’s CI retained in your unaided memory. However, it’s next to impossible to prove that something was in someone’s “unaided memory.” Residuals clauses are a very large back door to NDA requirements.
- Understand the “marking requirements.” NDAs generally require identification of confidential information so that the recipient knows that it should be kept confidential. For example, you generally have to mark any information in written disclosures as “confidential” using a stamp, watermark, or statement in the header/footer (don’t forget to mark all pages of a document and its exhibits/attachments in case pages get separated). Some NDAs require that confidential information disclosed orally be summarized in a written memo within a certain period of time in order to fall under the NDA – don’t lose sight of this obligation, and consider steps to mitigate the risk if you have this requirement (e.g., a reminder in your lead management system to write the summary whenever a note of a sales call is entered). Other NDAs include a “catch-all” to keep confidential any information where, from the circumstances of disclosure, the disclosing party clearly intended (or the recipient can determine) that it should be kept confidential. This last clause is a double-edged sword – it ensures the broadest possible protection for you, but also for the other party.
- Look at the “nondisclosure period.” Most NDAs have a defined period of time during which confidentiality obligations will apply to CI. Once the period ends, your CI is no longer considered confidential by the other party. If you are disclosing trade secrets, it’s important that they are kept confidential forever, or until the information enters the public domain through someone else’s acts or omissions. Also, consider language that requires the other party to securely dispose of your CI when there is no longer a business or legal need for them to possess it.
- Control onward transfer. Ensure you’re controlling the onward transfer of your CI. Generally, a recipient’s onward transfer of your CI should only be permitted when (a) the receiving party is a business partner of the recipient (a contractor, subsidiary, supplier, etc.); (b) the receiving party needs to know the CI in furtherance of the Purpose; and (c) the receiving party is bound by written confidentiality obligations at least as strong as those in the NDA between you and the recipient. Make sure the NDA holds the recipient liable for any improper disclosure of CI by the third party so you don’t have to go after the third party, and requires that data be transferred securely.
- Watch out for overlapping confidentiality obligations. As I noted in Part 1, it’s important to look out for duplicate confidentiality obligations governing the same confidential information. In some cases, a party may suggest that each party sign the other’s NDA. In other cases, a party might try to keep an NDA alive after a services or other agreement has been finalized and signed. You should avoid having different confidentiality obligations govern the same agreement, as it can easily lead to a big fight over what contractual obligations and provisions apply in the event of a disclosure, distracting you from dealing with the actual breach of your CI.
- Be mindful of your return or destruction obligations. In most NDAs there is a requirement for a recipient to return or destroy the discloser’s CI, either upon request and/or upon termination. Sometimes the discloser gets to pick between return and destruction, sometimes the recipient. In order to ensure compliance, make sure you limit disclosure of third party CI internally, and keep track of who has access to/copies of it. Without tracking that information, it’s very difficult to ensure return or deletion when the time comes.
- Be careful sharing access credentials. If you’re sharing any network or other computer access credentials as part of the Purpose, ensure the NDA contains additional security obligations: maintaining appropriate safeguards to protect the credentials, limiting their use (no onward transfer), notifying you in the event the credentials are (or are suspected to have been) compromised, and indemnifying you if the security obligations are breached. Remember, the Target breach began with the compromise of a subcontractor’s network credentials.
- Consider using electronic signatures. As I described in my earlier blog post, using an electronic signature system for NDAs can make the nondisclosure process even more quick and efficient, letting your business team get to sharing information sooner.
There are other NDA issues as well, such as ensuring injunctive relief language is not too limiting or broad for your company’s needs. As always, consult an attorney with expertise in NDAs (and a business-savvy approach) to ensure your company, its confidential and proprietary information and its trade secrets are properly protected.