Caroline Hayward and Sharon Ng set out some key tips and reminders for inhouse counsel on what to look out for in confidentiality agreements as the recipient of confidential information.
Confidentiality agreements, also known as non-disclosure agreements, are a common tool to protect confidential and sensitive information from getting into the wrong hands or being used in unintended ways. In a commercial setting, they are often seen as just another formality – a box to check off before moving forward with a transaction or project. Many people fall into the trap of signing them quickly, assuming that they are just standard paperwork with little impact.
While it often appears in the form of a short and harmless-looking routine document, the devil is in the detail. Confidentiality agreements have the potential to impose significant obligations which can lead to unintended consequences if not carefully considered.
The next time you are faced with a confidentiality agreement and the question “Can we sign this?”, we invite you to consider the tips and reminders we have set out in this post before saying “Yes!”.
What is confidential information?
One of the first things to check is what constitutes “confidential information”. Typically, this includes anything that the disclosing party considers sensitive or valuable. It is often information which could cause damage to the disclosing party or give their competitors an advantage if leaked (e.g. trade secrets, client lists, business plans, etc).
That said, the definition of confidential information should not be overly broad. It should clearly state what needs to be kept confidential, which can vary depending on the specific transaction, project or purpose that the confidentiality agreement relates to.
Take the time to think about the nature of the information that will be disclosed, and who will be disclosing, receiving and using it.
The definition should also be subject to a few common exclusions:
- Information that is or becomes part of the public domain (except information that is or becomes so in breach of the confidentiality agreement or an obligation of confidence owed by any person to the disclosing party);
- Information that the receiving party can prove was independently developed by it or already known to it at the time of disclosure (unless such knowledge arose from a breach of an obligation of confidence); and
- Information that the receiving party obtains from another person who is lawfully in possession of that information and can disclose it without breaching an obligation of confidence.
By setting clear boundaries on what is considered confidential, you avoid being unnecessarily responsible for information that does not actually need to kept secret.
What are your obligations?
It is crucial to assess whether the obligations in the confidentiality agreement are reasonable and manageable – both legally and operationally. Some of them will depend on your organisation’s own risk appetite, policies and procedures.
Here are a few key things to keep in mind:
- Approved purpose
The agreement should spell out what the “approved purpose” is – in other words, why you are being given access to the confidential information. This sets the boundaries around the permitted use of the information. Make sure it is broad enough to cover everything that you need to do with the information. If the approved purpose is too vague or restrictive, it could interfere with your ability to carry out your work in the underlying transaction or project.
- Permitted disclosure and access
Often there will be provisions limiting disclosure and access to the confidential information. Check that those provisions do not make it too difficult or burdensome for you to involve the right people. Ideally, there should be carve outs that enable you to share the information with those who genuinely have a “need to know” (such as your employees, contractors, agents and professional advisers) and to the extent you are required to do so by law. Additionally, it is a good idea to ensure that you have separate confidentiality and data protection arrangements in place with third party recipients.
- Data protection and privacy
You might be required to take certain steps to protect the confidential information provided to you, such as complying with specific data security requirements (e.g. storing the information within a specific jurisdiction). It is important to ensure that those requirements are realistic and can be feasibly met by your organisation’s existing systems, resources and processes. You want to avoid being stuck with obligations that are too costly or tricky to implement, or those that do not align with good industry practice. Similarly, if the confidential information includes personal information, check that any references to privacy laws are those that actually apply to your organisation and dealings.
- Data breach notification
When it comes to data breach notifications, it is important to keep things realistic and aligned with your organisation’s capabilities. Take into account the time your information security team reasonably needs to assess the situation. Don’t forget to consider any legal obligations that you or the disclosing party (or both) need to comply with, such as notifications and statements relating to “eligible data breaches” under the Privacy Act 1988 (Cth).
- Return or destruction
If you are asked to return or destroy all confidential information upon demand or upon termination of the transaction or project, consider if any retention obligations apply. There might be a need to keep a copy of information to meet regulatory obligations or insurance requirements. It is also common to request an exception for information that is automatically stored in your organisation’s back-up servers, which are not easily accessible.
How long do the confidentiality obligations last for?
As the receiving party, it is important to understand that your confidentiality obligations typically do not have a fixed end date. In most cases, the obligations continue indefinitely or until the information is no longer considered confidential. Setting a specific time limit can be unrealistic because the confidentiality or sensitivity of the information may not diminish over time. Even if you return or destroy the information, your responsibility to protect what you have learned does not just go away.
- That said, there are instances where we encounter confidentiality agreements that have a set expiration date (e.g. 5 years from the execution date). This is usually the case when the confidential information is very specific and both parties agree that it will become public within a certain timeframe.
Damages may not be an adequate remedy
It is very common to see a clause stating that damages may not be an adequate remedy for breach, and that the disclosing party may seek a court order and other appropriate remedies. It might make you pause and wonder if it is stacking the deck in favour of the disclosing party.
Although it may sound mysterious and uninviting, it is actually a reasonable provision. What it simply means is that monetary damages might not fully compensate for the harm caused by a breach of confidentiality, especially if it leads to long-term damage to the disclosing party’s business or loss of competitive advantage. In these situations, the disclosing party may seek other remedies, such as injunctive relief to prevent further misuse of the information.
Governing law
The governing law is essentially the set of legal rules that will apply if a dispute arises. Choosing the right governing law is important as it determines how the confidentiality agreement will be interpreted and enforced.
Ideally, you would go with the jurisdiction where your organisation is based, so you’re dealing with a legal system that you are familiar with. Otherwise, consider a neutral jurisdiction that works well and is convenient for both parties.
Further information
If you need further guidance on confidentiality agreements or data protection, please reach out to your KWM contact or Michael Swinson and the Data Protection & Privacy team.
Check out other insights from the Office of General Counsel team here and subscribe to KWM Pulse using the button below to stay across upcoming articles in areas of interest.