Non-disclosure agreements (NDAs) are some of the most “plain vanilla” technology agreements around. They are usually short, and don’t vary dramatically in content from one set of boilerplate to another. Technology companies sign NDAs all the time with little or no negotiation.
In fact, despite their brevity and simplicity, NDAs are significant obligations that recipients of information should avoid. But they are also a fact of life. Think of them as a chronic disease you can’t get rid of, but have to manage.
The name of an NDA can be misleading. NDAs usually contain both non-disclosure and non-use provisions. It may be workable to avoid disclosing documents given to you, but it is harder to avoid disclosure of information given to you, whether the information was communicated in documents or oral discussions. And it is a tricky task not to use information given to you. You can’t “unlearn” information. So while the agreement is called a non-disclosure agreement, complying with the non-use requirements is the harder task. This problem is sometimes referred to as taint — being exposed to information you can’t forget but you can’t use, even if you might have come up with it independently.
To make it worse, NDAs are intrinsically expensive contracts to breach. Whereas most commercial agreements contain limitations on liability, the point of an NDA is to put the recipient on the hook for legal liability. So, violating an NDA can expose you to high damages.
Most NDAs specify a limited purpose for use of information. Most often, that purpose is to negotiate a more detailed agreement. But sometimes, the purpose is to evaluate technical or business information for a more specific purpose. Receiving technical information under NDA is more risky than receiving general business information. So while you may sign NDAs routinely to negotiate commercial deals, think carefully about your risks under NDA if you intend to evaluate a product, particularly if you will be exposed to software source code or detailed technical specifications that you may plan to independently develop. That can place you in the difficult position of “proving a negative” — that you did not use the information in breach of the NDA.
To be safe, you should talk to a lawyer before signing an NDA — but that’s easy for a lawyer to say. In the real world, legal review costs money and time. If you are presented with an NDA to sign, particularly if you are a startup, you may not have the resources to have a lawyer review the agreement. Even if you could engage a lawyer, you might not have any bargaining power to negotiate the NDA terms. That’s particularly true when you are using the NDA to negotiate your first big customer deal.
Here are some tips for managing the chronic disease that is NDAs.
- Ask for a 2-way NDA. Some companies have 1-way and 2-way forms, and as you might imagine, the 1-way forms are more aggressive in favor of the company presenting the NDA to you. Reciprocal terms are not always fairer, of course. In any NDA, one party will act more in the role of discloser and one will be more in the role of recipient, so equal terms won’t have an equal effect. Even most 2-way NDAs are written somewhat in favor of the discloser or recipient, and clever companies will have two different 2-way forms to present to you, depending on which side they expect to be on. But 2-way obligations tend to “keep people honest” and avoid some of the most draconian terms that appear in 1-way forms.
- Segregate the information. When you receive information that will be subject to the NDA, store it in a special-purpose location (password protected) that is only accessible to those who need to see it. Do not make copies. This can be more challenging than it sounds — remember that email cc’s and routine backups can result in lots of copies. If you make paper copies, shred them after use. Or, refuse to accept electronic copies. If you do get electronic copies, avoid forwarding them to personal email accounts where they might persist. Delete them once you no longer need them (including from desktop trash cans and email deleted-items folders). Give similar treatment to the notes you take transcribing orally disclosed information. When you delete the copies, keep a record that you did so, such as a note to file or a note to the other side saying you have done so.
- Limit what you receive. Avoid receiving information that might overlap with your product roadmap. If you unexpectedly get information that you are concerned will “taint” you, return or destroy it and tell the other side in writing that you have done so. Or best, ask first what information the other side plans to send, and if you think it will taint you too much, decline to receive it.
- Implement a Document Retention Policy. Keeping all documents forever is not a good idea, and a systematic plan to routinely delete unused documents is an important shield against trade secret claims. But deleting documents when you know a legal claim is looming is usually unlawful, so you should have a policy for deletion of documents that is content-neutral. That way, confidential information of others will be less likely to persist for too long, even if you fail to delete it when the NDA requires you to.
- Use special-purpose consultants for risky reviews. If you have to review high-risk information, instead of receiving it under NDA, you might agree with the discloser to engage a third party consultant to do the review. There, the consultant, and not you, would be subject to the most significant obligations of the NDA, and would only communicate to you the results of the review.
You, Too, Can Learn to be a Lawyer
If you want to learn more about how to review and negotiate NDAs, you can learn to do it the same way lawyers learn. Any smart and diligent person can learn to review NDAs, and in fact, reviewing NDAs is a common task for junior lawyers as they cut their teeth on technology transactions practice. Below is a quick summary of the most common issues in NDAs. If you have the opportunity to negotiate some of these points, give it a try. But you may want to tread lightly: a fierce negotiation over an NDA can sour follow-on negotiations. Your potential business partner may — rightly or wrongly — consider them “standard” agreements to which no one should object. (If you want to see an example of a standardized NDA, take a look at the Waypoint NDA.)
- Definition of Confidential Information. The broader the definition of Confidential Information, the more favorable the NDA is to the discloser. Most NDAs define Confidential Information with a long laundry list of items that is meant to be broad. But a few NDAs are limited to cover specific types of information for the particular deal, for example, source code, product designs, or customer lists.
- Writing requirements. One of the biggest variations in NDAs is called a writing requirement. Writing requirements are very favorable to recipients. They mean that the NDA does not cover any information that is disclosed orally, such as at meetings, unless it is embodied in a document or summarized in writing promptly after the meeting. Disclosers will be concerned that failing to write down all confidential information is a “foot foul” that will cause valuable information to escape coverage. Examples of clauses implementing a writing requirement are:
  - Confidential Information must be communicated in writing.
  - Oral disclosures must be reduced to writing within 30 days after disclosure.
- Exceptions. All NDAs make exceptions to confidentiality. These are sometimes styled as exceptions to the definition of Confidential Information, and sometimes as exceptions to the confidentiality obligation. These exceptions roughly track the limits of misappropriation in trade secret law. They exclude from coverage information that:
  - was publicly known to the recipient prior to disclosure
  - became publicly known after disclosure other than due to the fault of the recipient
  - was already in the possession of recipient at the time of disclosure
  - was disclosed to the recipient by a third party without a duty of confidentiality
  - is independently developed by the recipient — note here that deleting the information in a timely way will help you prove that you have engaged in independent development
- Screened Disclosure. As noted in the “chronic care” points above, some NDAs specifically say that any disclosure can only take place after a written request describing the information, and the written consent of Recipient.
- Exceptions to Disclosure. NDAs often expressly allow certain kinds of disclosure:
  - Upon court order or subpoena, but recipient must cooperate to give the discloser an opportunity to challenge the order or seek confidential treatment
  - As required by law (such as SEC filings), but recipient must cooperate to seek confidential treatment or redaction of the information in public filings
  - To accountants or attorneys operating under their own NDA or an equivalent duty of confidentiality, in connection with due diligence or audits (note that accountants and financial auditors often have a higher duty under law than would be imposed by an NDA)
  - To affiliates, but may require recipient to have the authority to bind them to the NDA terms
  - To potential acquirors and investors, under their own NDA
- Degree of Care to Keep Confidential. These terms usually track the requirements for treatment of information to qualify for protection under trade secret law.
  - No less than reasonable measures to protect against disclosure
  - At least those measures that the recipient takes to protect its own similar information
  - Prompt notice of any unauthorized use or disclosure and assistance in stopping it
- Residuals. This is the single most significant variation in NDAs (short of omitting the non-use provision entirely, which is rare, but always worth checking). A residuals clause is extremely favorable to the recipient. It says that the recipient may use ideas, information and understandings retained in the memory of the recipient’s personnel. It is usually an exception to the non-use requirement, but not the non-disclosure requirement. Residuals clauses are written in many different ways and need to be reviewed on a case-by-case basis.
- Parties. Pay attention to how the parties to the contract are defined. If the parties include affiliates or other parties, the sphere of disclosure might be broader. (For example, “Recipient means Company XZY and all its affiliates.”) If you are disclosing, consider limiting disclosure to a single recipient entity. Also, NDAs normally do not allow disclosure except to certain categories of persons:
  - Those with a need to know for the defined purpose
  - Employees who are bound to confidentiality agreements or equivalent obligations
  - Contractors who sign confidentiality agreements (often subject to approval of the agreement by discloser)
- Duration. In a sense, all NDAs have two durations. One is the period during which information will be exchanged. This is sometimes called a capture period and is often the same as the term of the agreement. Although some NDAs continue indefinitely, many are limited to a capture period of one year. The other duration is the period during which information, once disclosed, must be kept confidential. These range from indefinite to short, typically 2-5 years. Keep in mind that, as a discloser, you may not be able to protect your information from use by other parties once it is free for unrestricted use by any one party. 2-5 year limits work for information that has no value after that time; business plans and customer information may be stale after that time. However, technical information can often have value for a much longer period.
- Warranty Disclaimer. Disclosure of information is usually made as-is, with no warranties as to quality or accuracy.
- Return of Materials. NDAs usually require return or destruction of the information upon termination of the disclosure period, or earlier upon discloser’s request. Disclosure of information under NDAs is usually voluntary, which means that a sudden termination of the disclosure period is usually not considered an issue.