To take a promising idea, or business, to the next level, a business typically needs to share its valuable secrets with prospective strategic partners or investors. Signing an effective non-disclosure agreement ("NDA") can therefore be a critical step in developing a new business relationship or opportunity by giving a growing business enough comfort to take that initial step. When parties are just beginning to discuss a potential arrangement or deal, an NDA may or may not be appropriate. However, as the parties dive deeper into due diligence and negotiations, they should put a formal NDA in place before exchanging sensitive information. The scope of an NDA depends on the type of information that is being disclosed, the purposes for which it is being disclosed, and the need for such information to remain confidential in the long term.
Here are some helpful do’s and don’ts when thinking about an NDA:
The Do’s of NDAs
1. Ensure key confidential information is covered
While it may seem obvious to say, confidential information can only include information that is already confidential. Consider the following list of factors in determining what type of information can properly be characterized as confidential:
- the extent to which the information is known outside the party's business;the extent to which it is known by employees and others involved in the party's business;
- the extent of measures taken by the party to guard the secrecy of the information;
- the value of the information to the party and its competitors; and
- the ease or difficulty with which the information could be properly acquired or duplicated by others through their independent effort.
Considered collectively, these factors can assist in determining whether information is confidential and the degree to which a party should attempt to protect it under an NDA.
2. Specify proper use
One of the most important features of an NDA is a specific description of the purposes for which confidential information may be used, paired with a blanket prohibition on using it for anything other than the prescribed purpose. These restrictions prevent the receiving party from making inappropriate use of valuable confidential information. Typical uses of confidential information may include: carrying out specified professional services (e.g., engineering, software needs assessment, management consulting engagement); conducting due diligence on an acquisition target company; exploring the terms of a potential joint venture or other business opportunity; etc.
3. Stipulate protective measures
Parties should consider the level of care that must be taken to avoid disclosing confidential information. Disclosing parties should insist on an objective standard, such as the use by the receiving party of commercially reasonably efforts to protect the information of the type being disclosed. A disclosing party may want to include specific protective measures such as: a requirement that information be kept in a secure location; specific security protocols for data systems where confidential information will be stored; notification of unauthorized disclosure/misappropriation; and limits on copying information or transmitting it electronically.
The Don’ts of NDAs
1. Don’t treat all information as confidential
Not all confidential information should be treated as confidential. There are two ways to exclude categories of possible confidential information: 1) by including exceptions to the definition of confidential information or 2) by adding carve-outs to the obligations that apply to confidential information. The second approach is generally more straightforward. Either way, the following should be excluded:
- Information developed by the receiving party prior to disclosure under the NDA (without reference to the confidential information);
- Information received by the receiving party lawfully from third parties (without breach of confidentiality obligations);
- Information derived independently by the receiving party (without reference to the confidential information) after disclosure under the NDA;
- Information already in the public domain, through no wrongful act or omission of the receiving party; and
- Disclosure compelled by law or court order.
2. Don’t ignore third parties
It is easy for parties to an NDA to focus solely on how they themselves treat the confidential information, but care should also be taken in defining who else can receive such information in furtherance of the permitted purpose. Often, there is a reasonable need to disclose information to employees or professional advisors (or even financing sources, affiliates or limited partners, etc.) but this should be considered on a case-by-case basis. Ideally, such recipients are identified by name, at a minimum they should be identified by class, and always on a "need to know" basis. The parties should also be clear about what confidentiality obligations must be imposed on such third parties as a prerequisite to them receiving confidential information (either through an existing employment agreement, retainer or entry into the NDA).
It also never hurts to be explicit in an NDA that information should never be disclosed to a party that competes with the disclosing party. This may be a particularly contentious issue where, for example, a potential buyer of a disclosing party also has (or could have in the future) interests in competitors of the target.
3. Don’t last forever
Parties should also consider how long information should remain confidential. Every disclosing party would prefer to have their information held confidential forever. More typically, confidentiality provisions in commercial transactions survive for around two years. Any personal information should be held in confidence indefinitely. Again, the appropriate sunset for confidentiality obligations will depend on the nature of the information. Parties should include a reasonable sunset, failing which a court may impose one on them. The NDA should also clarify the parties’ obligations upon the sunset being reached or the NDA being terminated. Usually, there will be an obligation to return confidential information, sometimes only upon receipt of written request, or to certify that all copies of same have been destroyed, sometimes in accordance with specific protocols (e.g., for truly deleting information from hard discs).
This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.