Confidential information notes
Confidentiality provisions are used in many agreements, including standalone nondisclosure agreements. This section discusses some of the major and minor issues that can come up in negotiating such provisions.
- Whose confidential information should be protected?
- Affiliate information
- Disclosure period — how long?
- Marking: Should confidential information be required to be marked as such?
- Time limit (“sunset”) for confidentiality obligations?
- Regulatory disclosures
- Subpoenas, etc.
- Return-or-destruction requirement — is it worth the trouble?
- Residual use rights
- Miscellaneous confidentiality-language notes
- Protected information not limited to owned information
- Subpoenas and exclusions from protected status
- In connection with this Agreement
- In possession
- Responsible precautions
- Combinations of unprotectable information items can be protectable
- Reporting obligation: Alerting the disclosing party of unauthorized access attempts
Whose confidential information should be protected?
In negotiating confidentiality provisions, one of the first questions to be tackled is whether the agreement should protect the information of both parties, or just one party. Here’s an argument the disclosing party might make for a one-way confidentiality provision:
We want it clear that only our information will be treated as confidential. If you happen to disclose your information to us, we’re not necessarily going to use it or disclose it. But we don’t want to be contractually obligated to treat your information as confidential — that’s one more obligation we’d have to manage, and we don’t want to do that.
Some lawyers, however, strongly prefer two-way confidentiality provisions; here’s a counter-argument the receiving party might make:
We don’t know for sure that we won’t need to disclose our own information to you. If that happens, we need for our information to be treated as confidential, too.
Besides, with a two-way agreement, it should take us less time to work out a mutually-agreeable set of terms and conditions. Each of us will have to live with the same rights and restrictions that it asks the other side to accept. That should make both of us more inclined to be reasonable in the negotiations.
Heads-up: Even in a two-way provision, a good drafter can slant the language in favor of the role he [or she] thinks his client will be playing.
Affiliate information
The disclosing party might plan on disclosing not only its own confidential information, but also that of its subsidiaries and other corporate affiliates as well.
On the other hand, the receiving party naturally wants to know in advance from whom its personnel will be receiving confidential information, and to which companies it owes confidentiality obligations. It could well be dangerous for the receiving party’s personnel to be given information by an affiliate of the disclosing party, in a context that has nothing to do with the Agreement, and then later to be ambushed with a claim that the information was confidential under the Agreement.
Instead of categorically excluding affiliate information from protected status, the interests of both parties can be balanced by requiring affiliate information to be “conspicuously” identified as confidential in order for it to be protected.
Disclosure period — how long?
In standalone nondisclosure agreements, one year seems to be a fairly typical time for the parties to exchange confidential information (although shorter or longer periods are not at all uncommon).
Disclosures occurring after the disclosure period are normally unprotected unless the parties agree to extend the disclosure period, or unless applicable law separately imposes a confidentiality obligation.
Marking: Should confidential information be required to be marked as such?
In confidentiality provisions (for example, in nondisclosure agreements), disclosing parties and receiving parties often have opposing desires about whether to require that confidential information must be marked as such in order to be protectable.
Here’s an example of an argument that the receiving party might make in favor of a marking requirement:
Look, you’re going to be giving us information that’s confidential, but also information that isn’t. We don’t want our employees to have to guess which is which, or what they can do with particular information. Suppose you gave us information that wasn’t marked at all. Or suppose you let us see and copy unmarked information. We shouldn’t have to worry about whether someday you might sue us for using the information.
Also, we like our people to get ‘just-in-time training’ reminding them of their confidentiality obligations.
So if you consider information to be confidential, we need you to mark it as such before you give it to us. Otherwise, we don’t want the information to be subject to any confidentiality obligations.
Here’s an example of an argument that the disclosing party might make against a marking requirement:
Look, we don’t necessarily mark all our internal information as confidential. We don’t want to have to take on the operational burden of making sure everything we give you is marked. This would be especially true if we were to let you look at and copy our internal files. So we need you to treat any information you get from us as confidential until you can prove it’s not.
Editorial comment
Disclosing parties have a practical motivation for marking their protected information:
- In court, the disclosing party claiming that its information is confidential will usually tout its marking of information as indirect evidence of confidentiality.
- Conversely, courts can sometimes interpret the disclosing party’s failure to mark information as indirect evidence that the disclosing party didn’t really consider the information to be confidential.
Thus, agreeing to a marking requirement might not be that big a deal for the disclosing party after all.
Catch-up marking
If the disclosing party is going to have to mark its confidential information as such as a prerequisite for protection, it will normally want a catch-up marking period for any confidential information it might disclose without a marking, either inadvertently or out of a desire to move the parties’ business along.
But then the issue becomes: What’s the disclosing party’s deadline for doing catch-up marking, after which the unmarked information becomes fair game for the receiving party to use without restriction?
The bright-line approach: Mark within X days, or else
Some confidentiality clauses require catch-up marking to be completed within a stated time — typically five to ten business days, but often as much as 30 days. This is a bright-line approach that favors the receiving party, because if the disclosing party fails to mark it by the stated deadline, the information’s confidentiality restrictions evaporate.
(This assumes confidentiality isn’t separately required by applicable law, for example by HIPAA or the Gramm-Leach-Bliley Act.)
Bright-line tests can be advantageous in business contracts. They make life easier on the people who actually have to do the work, and they promote predictability, which is prized in the business world. But this particular bright-line approach has the potential to damage the parties’ business relationship (assuming one exists). And it’s not clear how much good this bright-line approach will actually do for the receiving party.
Put yourself in the disclosing party’s shoes: If you slip up and forget to mark particular information, the receiving party might claim that you’ve lost all right to control the use of the information. It doesn’t matter whether the receiving party would suffer any prejudice by belated marking. The receiving party asserts that the information is no longer confidential, period. If the parties’ relationship is supposed to be a collaborative one, this won’t be a good thing.
The reasonable-time approach
For collaborative relationships, another approach is to allow catch-up marking within a reasonable time. Sure, that can lead to uncertainty about what “a reasonable time” might be. But that very uncertainty can usefully encourage the parties to try to work things out, which in turn can help them preserve their business relationship.
In any case, in a collaborative relationship it’s not a bad thing for the receiving party to call up the disclosing party and ask: Hey, you didn’t mark Document X as confidential; did you intend to do that, or did it just slip through the cracks? The disclosing party gets a chance to protect its information, and the receiving party scores points for being a “good” business partner.
Written notice of catch-up marking
If the disclosing party wants to retroactively change the status of particular information from unprotected to protected, the receiving party likely will want to have its attention specifically called to that fact, so that later on it doesn’t unwittingly treat the information as still being unprotected.
Time limit (“sunset”) for confidentiality obligations?
Receiving parties who are given information subject to a confidentiality obligation will sometimes want a “sunset” on the obligation, so that after a stated period of time they will be free to use or disclose the information as they see fit. Disclosing parties, naturally, often have a different view. The receiving party might argue for a time limit on its confidentiality obligations along the following lines:
We need a ‘sunset’ on our confidentiality obligations. The information you’re going to be giving us doesn’t seem like the crown jewels. It’s likely to lose its value over time. After a certain time has passed, we shouldn’t have to worry any more whether we need to treat the information as confidential.
Besides, if applicable law like HIPAA or Gramm-Leach-Bliley requires continued confidentiality, then the information won’t be subject to the confidentiality time limit in any case, regardless of what this Agreement says. So you shouldn’t have anything to worry about on that score.
The disclosing party might respond as follows:
We can’t know in advance that any particular information will lose its value over time. For all we know, something we tell you might turn out to be the equivalent of the Coca-Cola® formula. So we need for your confidentiality obligations to remain in place unless and until the information in question falls within an exclusion category.
Regulatory disclosures
The receiving party might want the right to disclose the disclosing party’s information in its SEC filings, as long as it first consults with the disclosing party. It might argue for that right as follows: “We’re a publicly-traded company. If things go well with our business relationship, this Agreement might turn out to be a ‘material agreement’ for us. If that were to happen, we might be required by law, or by Nasdaq or NYSE rules, to file information about the Agreement. We might even have to file a copy of the Agreement itself. It wouldn’t do either of us any good for us to be in violation, so this clause protects us both by giving us a reasonable safe-harbor procedure for doing so.”
Subpoenas, etc.
Many confidentiality provisions categorically exclude subpoenaed information from the definition of “protected information.” That’s often ill-advised, because it might well entirely wipe out the confidentiality status of disclosed information, even if the subpoena had provisions to protect confidentiality.
A better approach is simply to require the receiving party to alert the disclosing party to any such event and to provide reasonable cooperation if the disclosing party elects to try to quash the subpoena, etc. (Realistically, that’s usually what the disclosing party would most want in such a situation anyway.) Some clauses of this type specify that the receiving party’s cooperation in the disclosing party’s attempts to seek protection from a subpoena will be at the disclosing party’s expense. That will often be appropriate (and perhaps usually so), but it seems unnecessary to lock the parties into this requirement in advance.
Return-or-destruction requirement — is it worth the trouble?
Some confidentiality provisions state that the receiving party must return or destroy all protected information upon termination of the agreement or at some other specified time. In many situations, however, the receiving party won’t remember to comply with the requirement, and the disclosing party won’t remember to follow up on it.
Heads-up: The receiving party therefore should be cautious about agreeing to a return-or-destroy requirement. Arguably, such a requirement does only two things: (1) it creates a compliance burden for the receiving party — especially if the receiving party’s notes and similar documents must also be returned or destroyed; and (2) it gives the disclosing party ammunition with which to brand the receiving party as unreliable or even a scofflaw: “Ladies and gentlemen of the jury, the receiving party obviously didn’t take its return-or-destroy obligations seriously; we have no reason to think they took their other obligations seriously either.” In many situations, the parties might be just as well served by omitting a return-or-destroy obligation.
Backup media recycling
If the parties are going to agree on a return-or-destroy clause, the receiving party will want to include a carve-out for normal recycling of backup media. Without it, the disclosing party might try to force the receiving party to retrieve, search, and purge its email backup tapes, which likely would be very burdensome (not to mention expensive).
Outside-counsel retention of archival copies
If the receiving party were scrupulous in giving its outside counsel archival copies of all the disclosing party’s protected information it received, the archival copy could prove useful in arguing that it never had access to a particular piece of information. But doing this might not be worthwhile unless protected information were disclosed exclusively in suitably marked writings, or through narrow channels such as an M&A data room. For less-formal disclosures, the fact that particular information wasn’t contained in the outside counsel’s archival copy might not mean much, and so allowing outside counsel to retain archival copies might not provide much benefit.
Residual use rights
A residuals clause, allowing the receiving party’s people to use whatever protected information they happen to remember, might be appropriate in an agreement where the parties have a long relationship with lots of everyday exchanges of confidential information, and it might be difficult for people to keep track of who owned what. Microsoft has been known to insist on a clause similar to this one in its confidentiality provisions — at least in confidentiality provisions where it would not be disclosing its own confidential information. (In October 2006, however, I heard a credible source within Microsoft say publicly that the company had been reconsidering whether it would continue to do this.)
Miscellaneous confidentiality-language notes
Protected information not limited to owned information
Protected information should not be limited to information “owned” by the disclosing party; it should also include information of a third party that the disclosing party makes available to the receiving party.
Subpoenas and exclusions from protected status
Confidential information should not be excluded from protection merely because it comes within the scope of a subpoena or other compulsory legal process — the disclosure might be subject to restriction by virtue of a court order or other governing requirement.
In connection with this Agreement
The receiving party’s confidentiality obligation should be limited to confidential information that is in its possession in connection with the Agreement. There may be situations in which information is disclosed outside the purview of the Agreement (the right hand doesn’t know what the left hand is doing) and in which the disclosed information should not be deemed protected.
HYPOTHETICAL EXAMPLE: Suppose that a different division of the disclosing party furnished information to the receiving party, but no one involved knew of the agreed confidentiality obligations and never contemplated that the information would be treated as confidential. In that situation, the confidentiality obligations of this section would not apply. On the other hand, if the receiving party were simply to steal the disclosing party’s confidential information, without making use of any information access granted by the disclosing party pursuant to the Agreement (for example, by hacking into the disclosing party’s computer network), then the general law would apply just as it would to any other confidential-information “thief.”
In possession
Protected information should include not only information proactively disclosed by the disclosing party, but also information simply made available by the disclosing party, for example, information that the receiving party happens to acquire while working on-site at the disclosing party’s premises or on its computer network. Moreover, protected information should include information disclosed by an intermediary, for example a third party that itself received the information in question from the disclosing party under an obligation of confidence.
Responsible precautions
A drafter might specify that the receiving party will take either “responsible” or “reasonable” precautions to safeguard the disclosing party’s protected information. The former term ought to have a more conservative connotation, the idea being that receiving parties should be fairly conservative in their handling of the disclosing party’s confidential information.
Combinations of unprotectable information items can be protectable
In litigation, the receiving party’s counsel might try to argue to the judge or jury that all the individual “component parts” of the confidential information were well-known or otherwise not confidential, “and so where’s the beef?” An optional clause, stating that even combinations of nonconfidential information can themselves be confidential, can give the disclosing party’s counsel some ammunition with which to counter that kind of argument.
Reporting obligation: Alerting the disclosing party of unauthorized access attempts
The disclosing party naturally wants to know if anyone is trying to make unauthorized use or disclosure of its protected information. (This includes governmental authorities issuing a subpoena or search warrant, or a third party issuing a subpoena.) It’s often not unreasonable for the receiving party to agree to alert the disclosing party of any such incidents that come to its attention. Of course, this may not be possible in some circumstances, for example if the receiving party is prohibited by law from revealing the existence of a government investigation.