Non-Disclosure Agreements (NDAs), also referred to as Confidentiality Agreements, are common across industries and generally short, but that doesn’t mean they aren’t important. Confidential Information and how it is handled can be vital to the financial success of an enterprise, so there is still a lot to think about when reviewing these types of agreements. This article aims to shed light on some of the often-overlooked areas of concern from the perspective of both the Disclosing Party and Receiving Party of Confidential Information. Considerations that are mutual to the parties, and tend to arise when an NDA’s obligations are bilateral, are also explored.

From the perspective of a Disclosing Party you will want to be thoughtful of the following:

Most attorneys focus on defining Confidential Information, and while that is undoubtedly crucial, defining the purpose for which the Confidential Information is being shared between the parties is often overlooked or vaguely defined. For example, the purpose may be defined as “for discussion of a potential business transaction.” Which potential business transaction? When is the discussion? Specifying the purpose and then limiting use of the Confidential Information to the furtherance of the specified purpose is perhaps the best way to ensure that any misuse of the Confidential Information is avoided or is at least identifiable should it occur. Any concerns about setting forth the details of the purpose in the NDA (e.g., the dates, times, and topic of the discussion) can generally be addressed by ensuring that the definition of Confidential Information also includes the terms of the NDA. It is important to note, however, that one or both of the parties may not be able to agree to keep the existence of the NDA confidential as certain laws or regulations, such as public records and whistleblower protection laws, may conflict with such an obligation.

It may not be critical for every NDA, but where Confidential Information is extremely valuable and/or sensitive, it’s important to carefully specify in the NDA who the Receiving Party can disclose the Confidential Information to in furtherance of the defined Purpose. Sometimes, the parties will use the term “Representatives” to identify to whom the Receiving Party can permissibly disclose the Confidential Information, but either fail to define the term or define it in a less than optimal manner. For example, it can sometimes be difficult to determine whether “Representatives” encompasses contractors or merely “agents” of the Receiving Party as the contractor may not actually have an agency relationship with the Receiving Party. Furthermore, it is important to include criteria in the definition that are protective of the Confidential Information. For example, one well written definition states that “Representatives means Receiving Party’s directors, officers, employees, agents, contractors, subcontractors, consultants, attorneys, and accountants that (a) have a need to know the Confidential Information in order to further the Purpose, (b) are first apprised of the confidential nature of the Confidential Information prior to being granted access to it, and (c) prior to being granted access, are first subjected to written obligations of confidentiality and non-use with respect to the Confidential Information that are no less protective of it than the obligations of this Agreement.” It goes without saying, of course, that there should always be a provision within the NDA specifying that the Receiving Party shall be liable for the actions and omissions of its Representatives with respect to the Confidential Information.

It is typical that NDAs include a provision that obligates the Receiving Party to protect the Confidential Information with the same degree of care it protects its own Confidential Information, but in any event with no less than reasonable care. This provision may be appropriate where the parties are similarly situated in terms of size, industry, and nature of Confidential Information so have a general sense of the physical security and cybersecurity measures the other party may have in place. Where the parties are disparate, however, this may not be sufficient to adequately protect your organization’s Confidential Information. A better practice in such situations is to include additional security-related obligations for the Confidential Information, such as encryption, provisioned access controls, notice of any loss or misuse, and good faith, immediate remediation efforts should any loss or misuse transpire.

It is important that an NDA include an equitable remedies clause. It should, if possible, not only include an acknowledgement by the Receiving Party (or both parties if it is a mutual NDA) that that "any breach, or threatened breach, of the agreement will cause the other party immediate, irreparable, and significant harm that would be difficult to monetarily ascertain and would not be compensable by damages alone," but also an agreement that the Disclosing Party (or either party, if mutual) "shall have the right, in addition to any other rights and remedies that it may have at law or otherwise, to specific performance, a preliminary or permanent injunction, or other appropriate equitable relief, without posting bond, to protect its Confidential Information." While many NDAs include some form of an equitable relief clause, they often fail to include an agreement by the Receiving Party that the specific threshold requirements necessary to seek equitable relief will exist if the Receiving Party breaches or threatens to breach the NDA. If the Disclosing Party can negotiate in this language, it helps to remove a significant procedural hurdle should it need to pursue an equitable remedy with the courts.

However, it should be noted that a savvy Receiving Party will likely push back on the word “will,” changing it to “may,” redline out “threatened breach,” and may revise “to specific performance” so it reads “to seek specific performance.” These revisions convert the meaning of the sentence to a mere acknowledgement by the Receiving Party that it isn’t impossible that a breach could result in a situation where the threshold requirements necessary for the relief sought are met, meaning the Disclosing Party still has to prove them to the court. Disclosing Parties also sometimes fail to address the issue of posting bond. A bond is generally required to be posted by the plaintiff in a court case when it is seeking a preliminary injunction against the defendant. This type of bond indemnifies the defendant against loss if it is determined that the injunction should not have been granted. In short, if the Disclosing Party fails to adequately address both of these issues in the NDA, it can still seek equitable relief but it may be more expensive and challenging for the Disclosing Party to obtain it.

From the Disclosing Party’s perspective, in a unilateral NDA it is vital to include a solid Attorneys’ Fees provision that shifts the default American Rule to the British Rule, where the prevailing party is reimbursed its reasonable attorneys’ fees. Without such a fee-shifting clause, the Disclosing Party is further financially disadvantaged by the Receiving Party’s breach, or threatened breach, of the NDA. In drafting such a provision it is important to consider any applicable statutes or case law in respect to attorneys’ fees clauses. For example, California Civil Code § 1717 provides that such provisions are mutually applicable to the prevailing party even if drafted only to favor the other party, that the court shall determine who the prevailing party is for purposes of the clause, and that “reasonable attorney’s fees shall be fixed by the court” and “be an element of the costs of suit.” There is also a substantial body of case law in California that further interprets Civil Code § 1717.

From the perspective of a Receiving Party you will want to be thoughtful of the following:

To mark or not to mark, that is the question. One key consideration for a Receiving Party of Confidential Information is identifying it, particularly in the context of an existing business relationship where a large volume of information, some of which may not be confidential, has already been shared or continues to be exchanged on an ongoing basis. Some attorneys thus insist on a marking requirement, not only as a means of sorting the wheat from the chaff, but also as a means of limiting the amount of information that is supplied. Their thinking is that the extra effort incentivizes the Disclosing Party to only send the amount of confidential information that is actually necessary for the purpose, thereby limiting the extent of information the Receiving Party is obligated to protect. That said, some attorneys disagree with this assessment arguing that with document marking so easy to accomplish these days given advances in technology, it isn’t much of a deterrent. Moreover, the tendency for Disclosing Parties to add a reasonable person standard as a belt and suspenders hedge against negligence in marking can substantially undercut the value of marking from the Receiving Party’s standpoint. Much depends on the circumstances and the professional assessment of the attorneys involved, but whether to insist on a stringent marking requirement (that includes tangible non-document objects as well as verbally disclosed information subsequently reduced to writing) should always be a consideration.

The carve-outs to what constitutes Confidential Information are fairly standard across NDAs, but there are some nuances to consider when negotiating them from the perspective of the Receiving Party. One such nuance is found in the exception of information that becomes publicly known subsequent to disclosure to the Receiving Party through no fault of the Receiving Party. In fact, better language would replace “through no fault…” with “other than by reason of breach of this Agreement by Receiving Party”. This is because the Receiving Party may take action to disclose the Confidential Information that is not a breach of the NDA, but results in the information becoming publicly known, for example if the information is disclosed pursuant to a court order and the court does not afford the information protective treatment. Similarly, some of the standard exceptions are often accompanied with the requirement that the Receiving Party be able to demonstrate the exception, for example “with contemporaneous written evidence.” However this can be a high bar, so you may wish to consider revising the burdensome language to “competent evidence” as that standard should allow for the court to consider all allowable evidence, including verbal testimony, should this provision ever become an issue.

There should also be an exception to the definition of Confidential Information for information that is independently developed by the Receiving Party. On occasion, you may find that it includes qualifying language along the lines of “without access to the Confidential Information,” but that is arguably overbroad. Revising the language to “without reliance on” or “without reference to” the Confidential Information is more appropriate from the Receiving Party's perspective. Simultaneous discovery does happen. Finally, you may want to consider whether to carve out Confidential Information that, through furthering the Purpose, becomes information that must legally be disclosed for use to certain individuals or entities. For example, clinical trial data that is recorded in a human subject’s medical records must be disclosable and usable by the subject and anyone to whom the subject further discloses his or her medical records.

Most Disclosing Parties recognize that the Receiving Party will have legitimate reasons to retain one or more copies of the Confidential Information, but they may seek to limit it to the extent such retention is required by law. The Receiving Party will want to ensure not only that it has the ability to retain Confidential Information as necessary to comply with law, but also to the extent that it would be challenging to delete the information from its automatic backups of computer systems, must be maintained according to its internal records retention policies, or would be needed to track its obligations under the NDA. One archival copy of Confidential Information is often sufficient to achieve these purposes, and the Receiving Party should be willing to agree that the confidentiality obligations of the NDA shall remain in effect with respect to the retained archival copies and that they will be kept in a secure location.

What constitutes a Trade Secret is very broad these days. Under the Uniform Trade Secrets Act (UTSA), which has been adopted by 47 states, and the federal Defend Trade Secrets Act (DTSA) the information need only (i) have potential independent economic value that is derived from generally not being known to, or readily ascertainable through proper means by, others who can obtain economic value from its use or disclosure, and (ii) be subject to reasonable efforts to maintain its secrecy. And you may find NDA provisions that would require your organization to maintain the confidentiality of any of the Disclosing Party’s trade secrets for as long as they remain trade secrets (i.e., indefinitely). Where possible, it is best to negotiate out such provisions. Where that is not possible, the Receiving Party may be able to add contract language stating: "(a) the Disclosing Party must first notify the Receiving Party in writing of its wishes to disclose a trade secret under the NDA and the nature of the trade secret, and (b) the terms of the NDA shall not apply to such trade secret unless and until the Receiving Party specifically agrees in writing to receive such trade secret."

Carving out an exception for the disclosure of Confidential Information by the Receiving Party when it must legally do so is a fundamental component of an NDA. This is something both parties can agree on. However each may have a different viewpoint on how to draft such a provision and on what should or shouldn’t happen once the Receiving Party receives such a demand. A Disclosing Party will generally want to carefully specify what type of third-party demands fall under this disclosure exception, for example by clarifying that court orders shall be from a “court of competent jurisdiction.” Receiving Parties will want to ensure that disclosure exception language does not simply specify “court orders” or contain an exclusive list of potential demands that are covered by the exception. For example, the Receiving Party may wish to explicitly include those lawful demands made by applicable regulatory authorities (e.g., the FDA, SEC, etc.) and clarify that “subpoenas” includes any issued by Congress. More importantly, however, is the language, if any, that the Disclosing Party may add to this exception which dictates what the Receiving Party must do should it receive such a demand for the disclosure of Confidential Information by a governmental entity with the authority to compel such disclosure. Generally, this includes three obligations: (i) provide prompt notice to the Disclosing Party of the demand, unless legally prohibited from doing so; (ii) allow the Disclosing Party to seek, at its sole expense, an order to quash, a protective order, or to otherwise apply for confidential treatment for the Confidential Information to be disclosed, and (iii) only disclose the Confidential Information to the extent required by the lawful demand.

There are a variety of different variations of these obligations that are problematic from the standpoint of a Receiving Party. Some NDAs have language that dictates notice must be immediate and that the Receiving Party cannot disclose the Confidential Information until the Disclosing Party has been notified in writing or only after the Disclosing Party has failed to gain a protective order. This is obviously a problem for the Receiving Party in the context of a surprise government inspection or search warrant or where a delay in receipt of the demand by the Receiving Party requires that it immediately respond or risk sanctions. In some cases, there may be language requiring the Receiving Party to challenge the demand or seek protective treatment for the Confidential Information, which is arguably unwise for both parties. Finally, there may be NDA language specifying that the Receiving Party shall only disclose the Confidential Information to the extent that the Disclosing Party determines it is required by the demand, which is yet another way in which the Receiving Party can find itself in hot water with the government. In short, it's recommended the Receiving Party consider whether the language relating to this disclosure exception will be operationally feasible under the potential circumstances and/or unfairly burden it, and then revise the language accordingly.

Both parties, particularly when reviewing mutual NDAs, should consider the following:

Unless the Disclosing Parties are aware that Confidential Information will be shared with the affiliates of the Receiving Parties, a non-assignment clause is generally to the benefit of both parties. In the event affiliates will need to receive Confidential Information, it is important to specifically identify each of the affiliates by name and include such affiliates (and their respective directors, officers, employees, contractors, agents, etc.) within the definition of “Representatives." Where an argument can be made that the NDA must be assignable, the Disclosing Party can negotiate to limit such assignment language to the extent possible. For example, if the clause allows for assignment of the NDA by the Receiving Party to its affiliates, one can condition the assignment on the occurrence of certain circumstances (such as a merger, acquisition of substantially all of the Receiving Party's assets, or change in control). The terms “Change in Control” and “Affiliates” can further be defined in the NDA.

One way in which both parties can limit their potential liability is to avoid defining the term of the NDA as an arbitrary period of time, often one year. A better practice is to tailor the term of the NDA in a way that minimizes the amount of time that the Receiving Party will have the Confidential Information (other than archival copies) in its possession. For example, the parties could state that the NDA terminates “one year from the Effective Date or upon written notice by either party, whichever is first to occur.” I tend to use the Effective Date of the NDA as the anchoring point on the assumptions that: (a) the organization hasn’t accidentally disclosed Confidential Information prior to the execution of the NDA, and (b) it is easier to track the Effective Date of the NDA than the disclosure date of the Confidential Information, which may be disclosed over several data transfers, emails, or communications over several days and by a variety of individuals within the organization.

Conversely, some NDAs leave the term of the agreement indefinite (i.e., it exists until it is terminated by either party with thirty days’ notice). I eschew this type of strategy for a couple of reasons. First, there is the potential for the parties to forget to terminate the agreement, which means the Receiving Party can use and disclose the Confidential Information as permitted under the contract while the NDA is in effect and, particularly where the purpose is ill-defined, this broadens the window during which the Confidential Information may be misused, disclosed for unauthorized purposes, or lost. Second, language in NDAs regarding the return and/or destruction of Confidential Information is sometimes written in such a way that it is only triggered at termination of the NDA, as opposed to by the written demand of the Disclosing Party. If that’s the case, and the Receiving Party breaches its duties under the NDA, the Disclosing Party is not going to want a 30-day notice period for termination.

You are the best judge of what makes sense for the NDAs executed by your organization, but one thing on which virtually all experienced commercial attorneys agree is that the confidentiality obligations of the NDA should survive for some period of time beyond the term of the Agreement, at least in respect to any archival copies of the Confidential Information retained by the Receiving Party if nothing else.

After negotiating an NDA it is important to consider how a subsequent agreement that might arise related to the Confidential Information will address the Confidential Information, particularly if the term of the subsequent agreement’s confidentiality provisions will extend beyond the term of the NDA. The drafter is generally looking to achieve seamless confidentiality coverage of the Confidential Information, but may be faced with inconsistent confidentiality obligations between the agreements and/or potential confusion as to which contract’s obligations apply to the information. If not handled thoughtfully, it could be both!