Everything You Wanted to Know About NDAs but Were Afraid to Disclose: When and why you need nondisclosure agreements and how to execute them

Wednesday, September 20, 2017 - 15:25

Nondisclosure agreements (NDAs) – also known as confidentiality agreements, confidential disclosure agreements and proprietary information agreements – are something most business leaders and attorneys deal with from time to time. However, few companies have formalized , and NDAs should be used. Different people at the same organization may have very different approaches to using them, resulting in inconsistent protection of a company’s confidential information and potentially jeopardizing company trade secrets.

Why Should You Use an NDA?

There are three primary (and sometimes overlapping) reasons to use an NDA: for protective purposes, for contractual purposes and for strategic purposes.

Protective: The most common reason for entering into an NDA is to ensure that there are adequate, binding protections in place before you share confidential information with another party. If your company has trade secrets, failing to put confidentiality obligations in place with third parties who have access to them can cost you your trade secret protection.

Contractual: An existing obligation to a third party may require you to put confidentiality obligations in place with any subcontractor or business partner with whom you need to share the third party’s confidential information for business purposes. If an existing agreement with your subcontractor or business partner doesn’t satisfy contractual requirements, a separate NDA may be needed.

Strategic: An NDA can also be used as a litmus test to gauge whether a party is truly interested and serious about discussions with your company. If you’re asked to sign an NDA well before confidential information will be exchanged, this might be the reason. Potential suppliers and vendors may be asked to sign an NDA before a request for proposal (RFP) is provided to them, even if there’s nothing confidential in the RFP. Requiring an NDA up front can also ensure that you don’t get down the road with a potential supplier, vendor or partner only to find that they are resistant to signing one.

If a third party questions why an NDA is needed, consider whether that should be a red flag in and of itself. They may not view confidentiality as a significant concern or priority, may not understand the importance of strong confidentiality practices, or may be trying to get you to reveal confidential information without an NDA in place.

When Should You Use an NDA?

Once you’ve determined that you need an NDA for one or more of the above purposes, you then need to determine when to use one. Keep these questions in mind.

What is confidential information? This is often the most important question a company can ask. To know when to use an NDA, you first need to know what information should be protected. What information is considered confidential or proprietary, and what information is a trade secret? Everything else should be considered non-confidential. Use this test: If you would have a problem with the information ending up in the hands of your competitors or showing up online, treat it as confidential information.

Look at your IT policies to see how data is classified at your company (many classify confidential information into levels), and use those classifications to determine which categories of information should be protected. If it’s information you include in your marketing brochures or on your corporate website, it’s not confidential or proprietary. Educate your sales and other internal business teams on what is considered confidential and when an NDA is required. Make sure to remind them that part of everyone’s job is to protect the company’s confidential information.

Who is disclosing what? Not every discussion about a potential business relationship requires an NDA. Look at what information may be disclosed, and by whom. If your company isn’t disclosing confidential information as part of the discussion, the onus should be on the other party to ask for an NDA.

There are two types of NDAs: a mutual NDA, used when both parties are sharing confidential information, and a unilateral NDA, used when only one party is doing the sharing. Consider which parties will be sharing confidential information through these discussions. If it’s only one party, consider whether to use a unilateral NDA. If both parties will potentially need to share information, consider whether to use a mutual NDA up front to avoid having to negotiate and execute a superseding agreement later.

Are there existing confidentiality terms? Sometimes an existing business partner or vendor will ask for an NDA before sharing information about a new product or service. Before you start to negotiate an NDA, check your existing agreement to see whether its confidentiality language is broad enough to cover the new information. If it is, push back on the need for a separate NDA. Avoid having multiple confidentiality terms governing the same confidential information. If they insist, make sure the new NDA is limited in its purpose and does not overlap with the existing NDA. Additionally, companies often have exploratory discussions with a potential partner, vendor, supplier or client whom they’ve talked with before. Prior to negotiating, check to see if there’s a still-valid NDA in place between the other side and your company.

When will sharing begin? Determine at what point in the sales cycle/vendor selection process you need to start sharing confidential information. That's your “NDA point.” Once you have determined your NDA point, make sure it's built into your business processes to minimize the chance that confidential information is shared without a valid NDA in place.

What is the right effective date? In business, the cart sometimes gets ahead of the horse when it comes to putting an NDA in place. If your company discloses confidential information without having the NDA agreed to first, ensure that the NDA applies retroactively by setting the effective date as the date on which confidential information was first disclosed, not the date on which the agreement was signed.

How Should You Use an NDA?

Once you’ve figured out the why and the when, use the following tips to improve the quality of your NDAs.

Keep them fair and balanced: While you always want to try to avoid getting bogged down in contract negotiations, this is especially true for NDAs typically entered into at the outset of a relationship or where disclosure of confidential information is needed to qualify a sales opportunity or further a business purpose. Counsel should work with business leaders to ensure the NDA template is fair and balanced. If a potential partner or vendor insists on their NDA, consider whether it is fair and balanced – if it is, consider whether a battle over whose form to use is worthwhile.

Make sure ‘purpose’ is defined: NDAs should include a description of why the parties are sharing information (a potential business relationship between them, a potential business combination, to allow your company to participate in an activity, etc.). This is usually defined as the “purpose.” Defining the purpose and restricting the recipient’s use of your confidential information to the purpose can help ensure contractually that information you disclose is not misused.

Avoid sharing customer records or personally identifiable information: Be very careful if you want to share customer or employee records or other personally identifiable information under an NDA. You generally need other security protections that aren’t in a standard NDA, plus your privacy policy might not allow it, you may not have the necessary permissions from the data subjects to share it and there may be specialized laws (e.g., HIPAA) that could be impacted. If you need to share data to evaluate a new product or service, use dummy data.

Ensure ‘confidential information’ covers what you want to share: Make sure the definition of “confidential information” is broad enough to cover all of the information that you’re planning to share. Whether you are disclosing financial projections, business plans, network credentials, samples of new products or other information, if it’s not covered by the definition, the recipient has no obligation to protect it.

Include required language for employee, independent contractor and consultant NDAs: In 2016 Congress passed the Defend Trade Secrets Act (DTSA), which, among other things, provides immunity to whistleblowers who disclose a company’s trade secrets in connection with reporting a suspected violation of law to a government entity. It also authorizes disclosure of trade secrets to the whistleblower’s attorney and to the court under seal in certain circumstances in connection with a retaliation lawsuit. It also requires companies to provide their employees, independent contractors and consultants with notice of the DTSA’s whistleblower immunity protections (or a cross-reference to the company’s reporting policy for violations of law). Companies that do not provide this notice or reference may not be able to recover exemplary damages or attorney fees from an employee, independent contractor or consultant for misappropriation of trade secrets. Ensure that your employee and independent contractor NDA templates contain a notice or reference that satisfies the DTSA’s requirements.

Watch out for ‘residuals’ clauses: One dangerous clause to watch out for (and avoid) is the “residuals” clause. Residuals are what you retain in memory after you look at something (provided you don’t intentionally try to memorize it). These clauses let you use any residuals from the other party’s confidential information retained in your unaided memory. However, it’s next to impossible to prove that something was in someone’s “unaided memory.” Residuals clauses can be a very large back door to NDA obligations but can also serve as a protection against a party unfairly restricting another party’s ability to use general know-how.

Understand the ‘marking requirements’: NDAs generally require identifying confidential information so that the recipient knows what should be kept confidential. For example, you generally have to mark any information in written disclosures as “confidential” using a stamp, watermark or statement in the header/footer (don’t forget to mark all pages of a document and its exhibits/attachments in case pages get separated). Some NDAs require that confidential information disclosed orally has to be summarized in a written memo within a certain period of time in order to fall under the agreement. Don’t lose sight of this obligation and consider steps to mitigate the risk if you have this requirement (e.g., a reminder in your lead management system to summarize when a note of a sales call is included). Other NDAs include a “catch-all” to keep confidential any information where, from the circumstances of disclosure, the disclosing party clearly intended (or the recipient can determine) that it should be kept confidential. This last clause is a double-edged sword. It ensures the broadest possible protection for you, but also for the other party.

Don’t forget the ‘nondisclosure period’: Most NDAs have a defined period of time during which confidentiality obligations will apply to confidential information. Once the period ends, your information is no longer considered confidential by the other party. If you are disclosing trade secrets, it’s important that they are kept confidential forever, or until the information enters the public domain (other than due to a breach of the NDA). Also, consider language that requires the other party to securely dispose of your confidential information when there is no longer a business or legal need for them to possess it.

Control onward transfer: Ensure that you’re controlling the onward transfer of your confidential information. Generally, a recipient’s onward transfer of your confidential information should only be permitted when 1) the receiving party is a business partner of the recipient (a contractor, subsidiary, supplier, etc.); 2) the receiving party needs to know the confidential information in furtherance of the purpose; and 3) the receiving party is bound by written confidentiality obligations at least as strong as those in the NDA between you and the recipient. Make sure the NDA holds the recipient liable for any improper disclosure of confidential information by the third party so you don’t have to go after the third party, and requires that data be transferred securely.

Watch out for overlapping confidentiality obligations: As noted above, it’s important to watch out for duplicate confidentiality obligations governing the same information. In some cases, a party may suggest that each party sign the other’s NDA. In other cases, a party might try to keep an NDA alive after a services or other agreement has been finalized and signed. You should avoid having different confidentiality obligations govern the same agreement, as it can easily lead to a big fight over which contractual obligations and provisions apply in the event of a disclosure, distracting you from dealing with the actual breach of your confidential information.

Be mindful of your return or destruction obligations: In most NDAs, there is a requirement for a recipient to return or destroy the discloser’s confidential information, either upon request or upon termination. Sometimes the discloser gets to pick between return and destruction, sometimes the recipient. To ensure compliance, make sure you limit disclosure of third-party confidential information internally and keep track of who has access to or copies of it. Without tracking that information, it’s very difficult to ensure return or deletion when the time comes.

Be careful sharing access credentials: If you're sharing any network or other computer access credentials as part of the purpose, ensure that the NDA contains additional security obligations to maintain appropriate safeguards to protect access credentials, to limit their use (no onward transfer), and to provide for immediate notification in the event the credentials are (or are suspected to have been) compromised and an indemnity if the security obligations are breached. Remember, the Target data breach began with the compromise of a subcontractor’s network credentials.

Consider using electronic signatures: Using an electronic signature system, such as Adobe Document Cloud or DocuSign, can make the nondisclosure process even quicker and more efficient, letting your business team get to sharing information sooner.

As always, consult an attorney with expertise in nondisclosure agreements (and with a business-savvy approach) to ensure that your company, its confidential and proprietary information and its trade secrets are properly protected.