In part 1 of this article we focused on defining confidential information, exceptions to confidentiality, and restrictions on use. In this part 2 we look at some final considerations in reviewing or preparing an NDA, such as which employees or representatives get to see the information, injunctions and damages, and “governing law roulette”.
This can work both ways – restrictive (favorable to the disclosing party) e.g. “only those employees of the recipient that are actively involved in the purpose and have a need to know the Confidential Information”; or permissive (favorable to the receiving party) e.g. “its subsidiaries and successors, assigns, legal representatives, affiliates, employees, agents, advisors, attorneys, accountants and consultants (‘Representatives’)”. As a practical matter for a receiving party, it’s important to get this right where information habitually needs to be shared within a company group or with an external contractor. However, once again, the laundry list of possible recipients was drafted by someone who doesn’t know your business and it can seriously dilute confidentiality and your control over where the information will go. Will every one of these really sign a written agreement substantially similar to these terms? No they won’t, so an obligation to provide only on similar terms of confidentiality and restricted use should be sufficient.
There should be some specific permitted disclosures: e.g. to professional advisers/consultants under similar duties of confidentiality. Mandatory filings with stock exchanges or regulators may be necessary (e.g. material contracts may need to be notified – though it is debatable whether most NDAs are truly material). Almost no NDAs ever expressly permit disclosure to potential investors or purchasers of the business of the receiving party, and this seems to be tolerated (for patentable information it really shouldn’t be).
Residuals & Non-competition
Often (larger) receiving parties will try to impose a “residuals” exception i.e. their staff are not breaching the non-use obligation if they are using confidential information remaining in their “unaided memories”. This has some practical foundation – as famously stated in a Delaware case (see Martin Marietta Materials, Inc v. Vulcan Materials Co.): “Once things are learned and done, it is difficult to unlearn and undo them” and of course this is super-hard to police. But if you are the disclosing party, this leaves a door wide open to allowing your information to be used, forever. If you are communicating inventions or ideas important to your business please delete this clause now (it may even be lurking in your own standard template obtained from somewhere or other – check it now).
Exactly the same applies to acknowledging that “each party may be working on potentially similar and/or competitive products and nothing in this Agreement prevents that”. If you are the one receiving the information, great for you. If you are the one sharing it, this is most likely not compatible with your inventions remaining patentable (or with commercial good sense).
Similar considerations go for feedback not being treated as confidential, though this benefits the disclosing party – if the receiving party makes comments or even improvements then the intent is to make them free to use for the discloser. If as a receiving party you have to accept this clause then the “simple” answer would be don’t give any feedback. Once again, however, it is always preferable not to commit to this type of management issue on your side.
So monetary damages wouldn’t be a sufficient remedy for the irreparable harm caused by unauthorized disclosure of your confidential information. This is not just legal verbiage but most likely also true in practice. What you need is an injunction to stop the unauthorized use. So far, so equitable, and in many US jurisdictions this type of wording appears, if not crucial, then at least an effective tool to break down opposition to an injunction.
Generally, however, to agree that a party is “entitled” to an injunction and especially without any bond or security or other limitations is simply not the way things work. Inevitably, the decision is for a judge who will ignore this and look at the actual criteria for granting or refusing the injunction (remembering we might be applying for one in a far-off place with different rules). A court won’t allow you to tie its hands in this way – although in the US at least we shouldn’t dispense with this clause and of course we will argue very strongly that the other side has accepted that an injunction must be granted – but it doesn’t come with any conclusive guarantee of the actual results.
A huge penalty/liquidated damages for breach of confidentiality without needing to prove damage sounds like a great idea, in theory in order to concentrate the minds and ensure good care is taken of your information. In England this could easily be deemed a penalty and unenforceable but there are jurisdictions such as the Netherlands where an agreed penalty is perfectly valid and customary. This one may fall into the “who do you think you are” category: if you are Apple and handing out pre-launch samples of the new iPhone to a privileged group then you could ask for this and you would probably be right to do so. If not, then expect this to be deleted every time as damages for loss should always have to be proved and a penalty will tend to overcompensate the disclosing party (the only times it will stay is where no-one actually read the agreement – or possibly where we can limit it to cases where there is significant damage to the disclosing party and something more than mere negligence on the part of the receiving party).
Some NDAs demand indemnification for all losses (damages, costs and expenses) arising out of a breach of the agreement. The actual effects of agreeing an indemnity as opposed to a merely leaving damages “at large” (i.e. whatever the law says they are) probably provide enough material for a whole separate article. For the purposes of this one, simply note that this is likely to be disclosing party friendly and if you are the receiving party then you are probably giving up various defences and arguments that would potentially reduce the level of damages. Ultimately the main remedy is the injunction. However, if the information is truly valuable, then as the receiving party you may want to resist this – the argument that actual damage caused by the breach should be calculated based on applicable law seems highly reasonable. Conversely, excluding indirect and consequential losses can have the effect of seriously limiting the damages that can be claimed – much of the harm caused may be indirect or economic in nature and the disclosing party will argue that this leaves them with nothing.
Quite apart from the widespread but disturbing notion that we can just change the governing law of an agreement without any knock-on effects on its terms or effectiveness, in practice “governing law poker” is a common game where the parties are in different legal systems. The players usually each start from the position that their home law must create an advantage for them (in theory because they know that the agreement is enforceable and any definitions of protectable interests are watertight; but in practice because they think there is a familiarity and costs advantage for them and this may also disincentivize the other party from actually suing). They may change it back and forth a few times until someone gets worn down. However, if we start to consider that we are talking about the need to actually enforce any injunction etc. in the place where the other party is using the confidential information then the stakes are different: if we are the person disclosing the most valuable information we may actually welcome the law and courts of the receiving party. If we are the receiving party then even if we are sued in the other party’s home jurisdiction they must still at their own risk and cost enforce the decision across borders to prevent us from doing what they are objecting to. If things are more or less balanced then a fair thing might be “the jurisdiction of the defendant” – if you misuse my information I can sue you at your place and if I misuse yours you can sue me at mine. Compromising on a neutral venue (with Switzerland a stereotypical favorite) actually suits no-one unless the idea is to make it so difficult to sue that no-one ever will (and an arbitrary choice like this is not so much governing law poker but governing law roulette as in the absence of an expensive consultation we are merely hoping the ball has landed in a place which leaves the terms and enforceability of our agreement intact). Arbitration is another superficially fair but nonsense compromise (arbitration won’t get you an urgent injunction).
An agreement should have a term; an NDA often gets two terms. Firstly, a disclosure period during which the parties are exchanging information. From the disclosing party’s point of view this does require some management – if the term expires we need to extend it before disclosing further information. If in doubt, a generous term is clearly better. And secondly, a confidentiality period during which the information remains confidential. In a fast moving technological sector two or three years may be more than enough. Trade secrets and registered intellectual property should usually be subject to confidentiality and non-use until they are no longer legally protected. In this case rather than negotiating over a 25 year term (which recipients understandably will be concerned about managing) it may be simpler to say that the non-disclosure (and non-use) obligations remain in effect until any of the exceptions apply or the trade secrets cease to be secret.
Return or destroy on demand/at end of term.
Whatever, as long as we have a well defined confidentiality period. But an “affidavit”? Not going to happen. Certificate from an officer? Maybe we can get you that (if you are Apple).
No license / no warranty / no obligation
This is an important one from the disclosing party’s point of view – the information is given “as is” and no particular warranty or representation is made regarding is its accuracy, completeness, currentness, non-infringement etc. etc. To the extent that the purpose of the agreement is to evaluate entering into a business relationship with the disclosing party, the information could conceivably be seen as an inducement / misrepresentation so we want to ensure that this is excluded. We also want to exclude any implied license being given to use it for any purpose outside the purpose expressly agreed. In some ways this is just reinforcing the other non-disclosure and non-use provisions of the agreement but implied licenses can arise and so this makes good sense (and this clause ought to be 100% uncontentious for the receiving party). No obligation to enter into any further agreement is an interesting one – in most normal situations it already sounds like a stretch to imply that this would be the case. For a standard agreement it seems reasonable but probably rarely critical.
I always err on the side of simplicity and brevity. However, I am also advocating thinking through about what goes in to each agreement (particularly if we have the luxury of starting from scratch on your own standard document). The NDA is a self-standing agreement and possibly the only agreement entered into between the parties if talks break down. So what about the miscellaneous clauses seen at the end of most commercial agreements (again often in various pix and mix random combinations)? Sorry, toner weenies but I’m going to say that they’re probably necessary from the disclosing party’s point of view. If we are the receiving party then we could happily omit them but it would be hard to make a very convincing case for deleting them:
(1) amendment only in writing: we want to be able to avoid the “yes, but you said this was OK to disclose” argument – so this one goes in;
(2) no waiver: as with any agreement that is essentially a limited licence and where we might need an injunction to enforce it, failing to act immediately or tolerating a breach in one case shouldn’t prevent us from enforcing it later. For patents and trade secrets this is a little inconsistent as we always need to be vigilant in not tolerating any misuse. But the reality is that we might not always strictly enforce our rights every time or rush to put our relationship with the other party on a confrontational footing – so this one also goes in;
(3) entire agreement: so no representations or warranties or amendments given orally (see above) – also goes in;
(4) no assignment: considering we have specified more or less precisely the permitted recipients, it seems counterintuitive to allow this to be circumvented by assigning or transferring the agreement and/or any of the parties’ rights and obligations. So this also goes in. We would want the agreement to follow a sale of the business of the receiving party but as this implies the transfer also of the confidential information to a third party who might be a competitor or otherwise unsuitable we as disclosing party generally want to approve the assignment without any restriction.
There are more ideas out there (see this article setting out 45 things to look for!) but this and part 1 aim to give some practical food for thought in handling these types of agreements. In an ideal world we might want two standard NDAs – one as receiving party and one as disclosing party – with different drafting in each. However, in practice a mutual version and a one-way (which equates to the one where we are disclosing party) may be the most we can realistically expect to have as standard. And inevitably we will be faced with agreements from others that are of varying quality and suitability. However, throughout part 1 and part 2 of this article what we are saying is always to think about what you are signing. At the risk of repetition, in tech businesses, rights are often your key assets and so deserve handling with care, particularly (again at the risk of repetition) if any patentable inventions might be involved.
READ THIS NEXT: What information should we include in our email footers?