I’ve got an NDA, so I'm covered. Right?

By Nicole Kim, Technology Transactions Group

Like many companies, yours may be familiar with NDAs (Non-Disclosure Agreements) or Confidentiality Agreements and may also be good about getting potential clients or vendors to sign one before sharing sensitive information. But what happens next? Once it’s signed, you don’t have to worry about the other side spilling the beans, right?. Not exactly. Here are a few quick items to check against before sharing information you would not want to end up in the wrong hands.

1. Mutual vs One Way - When you originally signed the NDA with the other party, it may have been a one-way NDA, meaning only one side had the obligation to protect the other side's confidential information (CI). So, if your NDA says you'll be the one protecting their information, and not the other way around, your company's information isn’t being protected. Either get another NDA protecting your information or better yet, make it mutual from the start.

2. Timeframe. - You've checked that your company's information is protected, that's great. Is the NDA still in effect, or has it expired? Make sure to check the timeframe of disclosure that the NDA protects. Some NDAs are set to expire after a set amount of time from the signature date while others expire when an engagement is entered into under a service agreement or other type of agreement. If the NDA is replaced by a commercial agreement (e.g., Services Agreement), that agreement will likely have its own confidentiality provisions, which will control. As a side note, it makes sense to limit the timeframe of the NDA, however, it's best practice to continue to protect trade secrets for as long as they are considered a trade secret (especially if you think you have something that could be of great potential value).
   

3. Scope and Purpose - Commonly, NDAs will have a limited scope or purpose. A limited scope NDA is often used when two companies are evaluating a potential commercial engagement.

EXAMPLE: Company X, which provides staff augmentation services, is speaking to Company Y about providing extra qualified personnel for a big project Company Y just landed. They enter a limited scope NDA for the limited purpose of deciding whether or not Company X is the right fit for Company Y's project. They decide to engage. A year later, Company Y confirms the original NDA is not expired or terminated yet and discloses its “secret sauce” technology to Company X in order to evaluate possibly developing new software together. Unfortunately, the original NDA was limited to the scope of the staffing engagement, so Company X has just exposed its key tech without protection.

Takeaway: Be careful limiting the scope of your NDAs, especially if there's a possibility that the business relationship might evolve in the foreseeable future.

Additional Thoughts

Although NDAs and Confidentiality Agreements are fairly standard and simple contracts types out there, you should look out for a few of these pitfalls:

1. NDAs with Competitors - When you're engaging with competitors or potential competitors, you will want to confirm that your NDA has not only non-disclosure obligations but usage restrictions as well. It’s a good idea to be explicit on this point in your NDAs, especially when sharing particularly sensitive information with competitors. Ambiguity in the drafting could allow your competitors to use the information you provided in order to build a more competitive product or service for themselves or use information about your relationship with your clients or vendors to lure them over to their side.

2. Return or Destroy - The party receiving CI is often required to return or destroy that CI at termination or expiration of the underlying NDA. This makes sense. But what about your recordkeeping to meet compliance requirements, under your tax records policies, under privacy and security policies, and the like? And what about data that’s automatically archived or backed up and would be an administrative nightmare to find and destroy? To avoid a possible quibble when that time comes (especially if things go sour), it's better to include a carveout at the onset that excludes from the deletion and return requirement, copies required for legal recordkeeping purposes, and archived or backup copies.

3. PHI/PII/Personal Data - It's good to take some extra precaution when you're planning on disclosing any personally identifiable information (or Personal Data) as defined under the data privacy and data protection laws, which I'll call "PHI/PII" for the sake of brevity here. Although there are common exceptions to what's considered confidential information, those exceptions should not apply to PHI/PII. For example, information in the public domain and information previously known to the recipient prior to being disclosed would often be excluded from the definition of CI, however, you will want to make sure all confidentiality protections are afforded to the PHI/PII and all mitigating duties are taken by the other side (e.g. obligation to stop the bleeding), regardless of the standard exclusions.
   

4. Definition of Confidential Information - Finally, too broad or too narrow of a definition of CI may also introduce headaches. If it's too broad, you may inadvertently be blamed for a breach of confidentiality (with possibly unlimited liability), or you may be subject to an unnecessary level of audits or inspections that you didn't realize you had signed up for. An overly broad definition could also increase the number of notifications you'd have to give to the other side. If, for example, there's a data breach that could trigger a duty to report under your NDA. Better to take a few measures now to tailor your NDA and safeguard against headaches than have to deal with it when damage is done or the relationship becomes sour.

While they are one of the most common contracts businesses deal with day to day, NDAs are not without their potential pitfalls. Make sure you understand all the underlying provisions, especially when your company’s core intellectual property or proprietary information is on the line.

About the author: Nicole Kim is an experienced technology transactions and commercial counsel who applies extensive business and legal expertise to provide corporate legal strategy and advice. She possesses extensive experience structuring and negotiating contracts and policies, including SaaS, Licensing, Services, Data Protection agreements, EULAs, and Privacy Policies (in compliance with HIPAA, GDPR, and CCPA/CPRA). She has worked with companies at all different stages, from startups to publicly traded companies across industries, including government, financial, advertising and marketing, health, retail, and the metaverse. Most recently she’s worked as General Counsel and Vice President of Finance and Administration at a high-growth healthcare technology company. (see more here)