It is common practice to sign Non-Disclosure Agreements (NDA) before one reveals sensitive business information to another party. The NDAs are often rather standardized, and you should normally be able to sign them without too much prior negotiation (in fact – negotiating a template NDA too hard might scare your potential future business party away!). However, there are some “gotchas” to be aware of, and you should make sure the NDA you´re about to sign suits the parties´ needs in the particular context. If you are on a tight budget and don´t want to spend money on asking a lawyer to review your NDA, here is a “DYI” guide on what to look for. One final word of caution: a breach against an NDA is often hard to prove, and your best protection is therefore never to share sensitive information with parties that you don´t trust.
———————————————————————————————————
Evolution
Back in prehistoric times (the 1990s), people had conversations without an NDA to determine if there was anything worth talking about that warranted signing an NDA. If there was, they signed an NDA that covered business issues, and if things looked interesting after those discussions, another NDA that would cover technical discussions amongst the engineers. A couple years ago, a client asked me to review an NDA from another company, and when I asked what they were going to talk about I was told “they won’t tell us until we sign the NDA!”
Today, everyone has an NDA form, and they are exchanged as freely as business cards. Many companies, out of an abundance of caution have an attorney review every NDA that is signed. Less fortunate, or more frugal businesses, can’t afford that luxury. This post is intended to take a step back and give some guidance around NDAs and ways in which they might be viewed by non-attorneys. We’ll start with an assumption that either someone has redlined your NDA, or insists that you sign their NDA.
Context
As described above, NDAs, like medicine, used to be prescribed to fit the specific condition. Out of expediency, the trend is to a one-size-fits-all form. Nevertheless, it’s important to understand the context. While the NDA may be “mutual,” is it likely that you will be giving more information than you are getting? What information are we talking about? Most NDAs are used to cover a sales pitch where the sell side is likely to be disclosing pricing and perhaps some new product features. The buy side may be seeking a solution to a common problem (e.g. CRM applications) or perhaps disclosing some specific needs and parameters (e.g. a customized solution, or specifications to a manufacturing supplier). What is the half-life of the information? Is this something that will be public at the next trade show, or something that should be protected as confidential for several years? Would disclosure of your information be inconvenient (e.g. sales prices are probably already known by some competitors) or catastrophic (e.g. a radically new product design/ feature that is several months from market)? Put in more dramatic terms, would you file suit if you could prove the other side disclosed the information?
In addition to considerations around the nature of the information being disclosed is the issue of why it is being disclosed. If the disclosures and surrounding discussions are all leading to the parties entering into a contract (definitive agreement), then unless there is some extraordinarily long sales cycle, the NDA is going to cover several weeks or months of discussions. The definitive agreement should have terms that address confidentiality and the protection of information. It can be bad legal drafting practice to refer back to the NDA and incorporate it in the definitive agreement. Remember, the NDA was a general one-size-fits-all form and covered some preliminary discussions. When the contract is being negotiated, the information to be protected is known and one side may be much more at risk than the other.
What to Look for When Reading an NDA Mutual?
The first issue is whether or not the NDA is mutual. If it isn’t, my recommendation is to ask for the mutual version. Every company has one and it will be faster than trying to modify a unilateral version. If the other side is refusing to use a mutual form, and you can’t walk away, then your side has no protection (and you should tailor what you share accordingly), but will have whatever obligations are imposed by the unilateral NDA. When an NDA is one-sided, the provisions and obligations are less kind than when it is mutual.
Definitions. If there are defined terms in the NDA, pay close attention to make sure the definition is not radically different than the plain dictionary meaning of the term. If it is, some caution is needed in reading the form.
Marking Requirements. Often an NDA has language to the effect that if confidential information is disclosed verbally, or visually, it is only confidential if the disclosing party summarizes the disclosure in a writing sent to the receiving party within “X” days of the date of disclosure. This language is a benefit if you receive lots of verbal or visual information and are especially worried someone will claim you stole their ideas. It is often used to avoid frivolous claims and cut down on litigation. However, if you were a very sales-focused company, and most of your NDAs covered sales presentations with lots of discussions, questions, and whiteboard activity, putting this clause in your NDA, or accepting it in someone else’s NDA, means designating someone at each meeting to take notes and send summaries. In short, an administrative nightmare, and forgetting to follow up could leave important information unprotected.
Exclusions. Some information that might fit the definition of “Confidential Information” may be excluded. The common exclusions are that the information was already public, that the recipient already had it or got it from a third party that wasn’t in breach of a confidentiality obligation, or it was independently developed by the recipient. Sometimes the NDA just has the list of exclusions. The better practice is to include “. . .that the Recipient can show by written records . . .” The point here is that if there is a dispute, which party is going to have the burden of proof? That is, if I’m going to say you breached the NDA, my position is that you are going to have to show whatever you disclosed fell within one of the listed exceptions. You have the burden of proof. And I’m also going to want to make sure that you have something more than an employee claiming that he or she knew the information before I disclosed it.
This is especially important around the exception for independent development. In cases where the parties are in similar businesses, or there is reasonable concern over “borrowing” the language is often: “is independently developed by the receiving party without reference or access to any Confidential Information of the disclosing party as evidenced by the contemporaneous written records of the receiving party.”
Legally Compelled Disclosures. One other exception is for disclosures that are compelled by law. This might mean a regulatory requirement by a governmental agency (e.g. disclosure of material agreement by the Securities and Exchange Commission or adverse reactions or other problems with FDA-regulated products or medical devices), or it might be a judicial process such as a subpoena. This really shouldn’t be an exception to the obligation of confidentiality but should be in a section of the NDA by itself. If Confidential Information falls within an “exception,” the information isn’t confidential and there is no obligation to protect the information anymore. However, if your information is disclosed in response to a legal process, my assumption is that for all other purposes you still wanted it treated as confidential, and the fact that the receiving party had to turn it over to the court doesn’t mean the receiving party can now treat it like publicly available information without any obligation of confidentiality.
Also, in this section, there is often language requiring the receiving party to give notice to the disclosing party before complying with legal process to disclose information and there may also be obligations to seek protective orders or cooperate with the disclosing party in such activity. This language is almost always mutual, and if it isn’t, then my recommendation is to question the other side for the rationale.
Warranties. Usually, an NDA disclaims any warranties regarding the information and leaves that for any definitive agreement. An exception is a warranty that you have the right to disclose the information, which isn’t an unreasonable request. However, if you are being asked to warrant the accuracy of the information or provide a warranty against infringement or any other matters, and you can’t remove those warranties, you should consider very carefully what is going to be disclosed, who is making the disclosures, how much control the company’s senior management will have over both documents and verbal disclosures, and how much liability the company is willing to take in that context.
Licenses. Information being disclosed under an NDA should be in the context of deciding on a business arrangement with the other side. It isn’t a license agreement and doesn’t have language appropriate for a license. Most NDAs will have language making clear that no license is being created by the NDA and the receiving party can only use the information for the stated purpose of the NDA or for evaluation purposes. One caveat is that for software a proper software license should be used rather than an NDA.
Residuals Clauses. A residuals clause is something like: “Notwithstanding anything in this NDA to the contrary, the receiving party may use Residuals for any purpose, including without limitation, use in development, manufacture, promotion, sale, and maintenance of its products and services. ‘Residuals’ means any information retained in the unaided memories of the receiving party’s employees who have had access to the disclosing party’s confidential information pursuant to the terms of the Agreement.” If you think the plain English meaning of this clause is “If I happen to remember all your confidential information the NDA doesn’t count” you are quite correct. If you make no other change, my recommendation is to delete this language unless all your employees are incapable of speech and only the other side could possibly provide information. If you can’t negotiate the removal of this language, then it is important to be aware of the limited protection available under the NDA and factor that into deciding what information you wish to disclose at this particular stage of the discussions.
Consequential Damages. In many commercial agreements, there is a provision that disclaims or excludes damages termed consequential, punitive, indirect, special, incidental, etc. These are different than direct damages because they tend to be speculative (e.g. lost profits), and business prefers certainty when it comes to risk exposure. Direct damages are, for example, the cost of the car repair in an auto accident, or the sale price of products lost by the shipping company, less the cost of manufacture. A business evaluating the risk of a transaction can more easily assess direct damages than indirect damages. However, in the case of confidential information, to make a party “whole,” direct damages are not adequate. If for example, your source code is on a thumb drive, and the receiving party loses the thumb drive and the source code is published, do you want the ten dollars for the drive (direct damages) or the million dollars in lost sales from publishing the source code? For this reason, most NDAs do not contain a disclaimer or exclusion of consequential damages, and if you see one, you need to think carefully about the value of information you will be disclosing and what harm you will suffer if it is wrongfully disclosed.
Period of Confidentiality. The NDA has, or should have, a provision specifying the time period for which the parties have an obligation to keep the information confidential. Again, context determines the “right” answer for you. In my opinion, information should be confidential for the term of the NDA and some number of years afterwards. A recent trend has been to a rolling period of confidentiality. For example, two years after the date of disclosure. If your company tracks the dates of disclosure and dates of receipt of all confidential information coming in and out of your company, you might want to reassess your business priorities or staffing levels. Another trend has been “X” years from the Effective Date of the NDA where “X” tends to be two or three years. If we consider a typical business relationship, at the outset the parties to the NDA are not likely to share highly confidential information, but over time, as the relationship develops, the nature of the confidential information may be more sensitive. In this scenario, as the sensitivity and value of the confidential disclosures increase, the period of protection decreases. This might be acceptable to cover a very short sales cycle but otherwise seems a disincentive to sharing useful information.
Regardless of the agreed period of confidentiality, if appropriate, consider adding language such as: “except for trade secrets or source code, which will remain confidential for such time as the information remains a trade secret, or in the case of source code, until one of the exceptions in Section “X” applies” where “X” are the exceptions to confidentiality. The discovery of trade secrets is not a planned event. If intellectual property is identified, and your company decides trade secret protection is best, then language needs to be clear to ensure it remains protected beyond two, three, five or whatever number of years might be appropriate for last months’ sales figures.
With today’s concern about data privacy and the protection of such information, it is appropriate to call out such information and the special treatment that is required for the protection and handling of such information, not the least of which being the obligation to protect it in perpetuity, or to certify deletion of all copies upon termination or some other point in time.
Remedies. NDAs often have language specifying the disclosing party’s remedy in the event of a breach. It might read: “Unauthorized Disclosure. Each party acknowledges that the unauthorized use or disclosure of the disclosing party’s Confidential Information may cause the disclosing party to incur irreparable harm and significant damages, the degree of which may be difficult to ascertain. Accordingly, each party agrees that the disclosing party will have the right to seek immediate equitable relief to enjoin any unauthorized use or disclosure of its Confidential Information, in addition to any other rights and remedies that it may have at law or otherwise.” In some cases, the word “may,” italicized above, is “will” and the word “seek,” italicized above, is omitted so the essence is: “a breach will cause harm and the disclosing party is entitled to injunctive relief.” You may or may not have enough information to know if a breach will cause the other side harm, and you may not want to concede that the other side is automatically entitled to an injunction. Injunctive or other equitable relief is an extraordinary remedy and most courts will require some showing of harm before granting an injunction regardless of what the contract says. If this was the only issue in an NDA, I wouldn’t redline it or make a fuss. But, if you have out a red pen already, and have a jaded opinion of the judicial system, making the change gives some assurance that a court won’t take the concessions at face value and quickly grant the injunction or any other awards.
Summary
As noted at the beginning, context is everything when reviewing an NDA. The “right” answer is very fact specific and is not necessarily the same for both sides, and it certainly isn’t the same for every NDA. A breach of an NDA is hard to prove and litigation (or arbitration) are costly and time-consuming remedies. Signing an NDA has become a necessary precursor to doing business, but it is not a revenue bearing agreement, and because a breach may be hard to prove, it is of limited value in protecting your confidential information. In that framework, you should consider how much time and effort to spend negotiating changes. Finally, if you are faced with an NDA that is discouraging you to share useful information, it doesn’t hurt to point out to the other side that such barriers are counter-productive if the goal of the NDA is to cover exchanges that lead to a mutually beneficial business relationship.