Non-disclosure or confidentiality agreements (NDAs) have proliferated in recent years in the highly competitive IT sector, with its characteristics of continual innovation and technical complexity, including ever-expanding internet use.
The essential purpose of an NDA is to ensure that proprietary information, trade secrets or other commercially sensitive data to be disclosed remains confidential: for example, where a purchase of a company is contemplated; for the proposed collaborative development of new products or services; or where information about technological systems or processes is being imparted in advance of a joint venture.
NDAs are necessary because it is a question of fact in the particular circumstances whether information disclosed in confidence would be protectable in the absence of express written contractual provisions. Commercially sensitive information does not automatically constitute a trade secret which the courts will be bound to protect, whether it consists of a commercial method, customers’ details or marketing techniques.
NDAs should not be drawn up or signed merely as a matter of business expediency without properly understanding the implications. Written contracts are a main method for managing legal risk. A good NDA is therefore the best legal means to protect the disclosure of confidential information. Disclosing parties need to consider: what confidential information they unavoidably need to disclose, and in what form; how the discloser will ensure that its confidentiality is brought clearly to the attention of the receiving party; how unintentional or unnecessary disclosures of such information can be avoided; and how disclosure will be evidenced if a claim is ever brought, in terms of identifying confidential information unambiguously, the adequacy of the security arrangements to support the confidentiality of the information, and the ability to monitor the dissemination, use and return of confidential information.
Key considerations include:
- identifying the confidential information
- the recipient’s commitments
- what is excepted from the commitments
- whether a realistic time-limit can be imposed
- what administrative arrangements need to be in place to safeguard, track and monitor the information disclosed.
Identifying ‘confidential information’
Confidential information should be defined as specifically as possible, to recognise and distinguish it from other information. If information is so important that it should be treated with immense care, the owner must be able to identify it as such.
Identification of confidential information is easy when its content can be limited by description, when it is in written form and marked clearly as being confidential. But what about information disclosed verbally? It may be helpful to think about how evidence of unauthorised disclosure would be presented in the event of a claim: how was the information disclosed, what was disclosed, when, by and to whom, and so on. If questions such as these cannot be answered unequivocally, it will be impossible for the claim to succeed.
The best evidence for demonstrating that confidential information has been brought to the attention of the recipient is for it to be identified as such at the time of disclosure. This is most effectively achieved by a clear and visible notice on the documentation or, in the case of digital material or verbal disclosure such as during a site visit, by the recipient’s acknowledgement of the confidential nature of the information prior to access. Ideally any such verbal disclosure should be followed up with a written confirmation of the date of disclosure, the nature of the information disclosed, to whom and for what purpose. This will constitute good evidence if needed.
Sometimes attempts are made to find middle ground. Owners of confidential information will be nervous about a requirement by the recipient that oral information will be protected only if it has been confirmed in writing. They will argue that in the cut and thrust of intensive commercial activity, procedural niceties will be overlooked. Moreover, they may be anxious about committing confidential information to print. A suggested compromise may be to extend the definition of confidential information to include information which, by its very nature and the circumstances of disclosure, the receiving party should have realised was confidential. Unfortunately, there can be no certainty that information claimed to fall within this category would be accepted as such by a court of law. Clear and unambiguous criteria are always to be preferred.
There should always be a specified purpose stated for which the confidential information is being provided, to restrict the use which the recipient may make of it. This compels the parties to reflect on what is being agreed, and indeed to confirm that use of the information is actually necessary to achieve their business objectives.
The recipient’s commitments
The recipient will be required not to disclose the confidential information, and to give further associated undertakings. A phrase sometimes found is ‘to take all reasonable security precautions in the safekeeping of the confidential information and in preventing its unauthorised disclosure to third parties’. This is a subjective test and different organisations will have different standards of security. The recipient will wish to avoid giving an absolute undertaking. However, the owner of the information may need more than a qualified assurance, particularly if the information is very sensitive or valuable. As it stands, in the event of a dispute, it will be for a court or other arbiter to decide on the particular facts whether ‘reasonable security precautions’ were taken. One alternative is for the parties to stipulate expressly the way in which the confidential information will be held, for example in a safe or locked drawer or electronically under encryption.
Sometimes the recipient is expected to ensure that its employees are given access to the confidential information only on a ‘need to know’ basis, and even that they should be individually contractually bound to safeguard it. It is worth questioning how reasonable it is to expect employees to enter into individual personal undertakings in relation to confidential information. Employers control their employees and should not generally be willing to permit any direct form of contractual relationship between their employees and the customer or supplier. Certainly any departure from this principle should be an exception reserved for the most serious and sensitive of projects.
It is unfortunate that information protected under the Official Secrets Acts does not necessarily fall into this category. Information received under the umbrella of this legislation covers an extremely wide range, often including information of a character that would not be regarded as confidential in normal commercial circumstances, yet carries with it an absolute obligation of confidentiality within the precise terms of disclosure. Breach may result in criminal sanctions. An appropriate level of security clearance for the recipients as individuals is generally required before information subject to this legislation is released. Companies wishing to do business with some Government departments will find it a non-negotiable prerequisite that the employees involved must first undergo appropriate levels of security vetting and individually sign documents under the Official Secrets Acts.
Official Secrets Acts aside, responsible employers should not, as a matter of good practice, expose their employees to any form of direct individual liabilities towards customers or other third parties with whom they have dealings. Employees should not be placed in a position of being required to sign NDAs in a personal capacity. IT service and support engineers are especially vulnerable to such requests, and may feel pressured to sign or may simply wish to help their customer and get the job done. Of course, employees cannot be protected from criminal or (some) tortious acts but contractual performance issues should always remain the sole responsibility of the employer.
Exceptions
Exceptions to the scope of confidentiality are normally identified in the agreement. The recipient may have to comply with legal demands in respect of the information, for example, associated with some form of court action in the course of commercial litigation or statutory enforcement proceedings, where the information is needed as evidence. The agreement may require notice to be given of any such intended disclosure. This is to give the owner of the information the opportunity to challenge the demand and to obtain an interim order preventing disclosure pending adjudication on its legitimacy.
For IT-related confidential information, it may be reasonable to exempt material developed independently by the recipient, or which relates to general concepts of information technology. This is to cover the situations where different expressions of similar ideas may exist, or where general industry know-how needs to be distinguished from genuinely confidential information owned by the discloser.
In fast-moving technology industries, it may be prudent to acknowledge that the recipient who develops or supplies processes, techniques or technology of a similar nature to that disclosed will not be restricted in its activities, provided that such development is accomplished without the use of the confidential information.
In disclosing confidential information, owners should never intend to convey any rights in the information to the recipient, warrant the information in any way, or enter into any implied obligation to transact further business. It may be helpful to state these exclusions expressly. If any of these are required, they should be the subject of other agreements expressly dealing with those matters and incorporating all the terms and conditions of the transaction, including the consideration for whatever is conferred or provided.
Time-limits
Much confidential information needs to be kept secret only for a limited time. The arguments in favour of setting a time-limit in the agreement are that at some time the information will be obsolete and no longer important to the owner and, since the recipient is following special procedures to ensure confidentiality, it should be obliged to do so only to the extent to which it actually matters. Setting boundaries in this way is also easier for evidential purposes.
If the owner anticipates that the information really needs to remain confidential beyond a foreseeable period, it is generally preferable not to insert any time-limit. However, given the problems associated with monitoring and policing the security of the confidential information, particularly as time goes by and the individuals involved move on and are replaced, open-ended obligations should be reserved for exceptionally sensitive information which is unlikely to become desensitised over the foreseeable future.
Three or five years is normally the maximum term agreed, but the periods of time may vary from one part of the IT industry to another.
Administrative arrangements
A cavalier approach to the administrative aspects of NDAs can be a costly mistake for both discloser and recipient. In the event of a claim, in addition to establishing that information disclosed in confidence has been compromised in breach of contract, a discloser will have to be able to demonstrate that it has appropriate rules and controls in place to protect its confidential information: if the discloser does not think such steps are necessary, a court is hardly likely to be persuaded that the information in question was confidential for the purposes of the NDA. Similarly, a recipient who does not operate a credible system of controls will be in some difficulty when attempting to defend a claim that the terms of the NDA have been breached. Authorised signatories of both parties should sign an NDA only if they are satisfied that adequate administrative processes are in place within their respective organisations to manage the confidential information.
Information that is genuinely confidential and essential for the business transaction or relationship contemplated should be treated seriously and made the subject of an enforceable NDA.
Paul Klinger is Sole Principal at Paul Klinger and Company and General Counsel at Speed-Trap Holdings Limited.
Rachel Burnett is a partner and heads the IT/IP team at the firm of Paris Smith LLP.
The third edition of Paul Klinger and Rachel Burnett’s Drafting and Negotiating IT Contracts has recently been published by Bloomsbury Professional.