NDAs: Worth the Effort?
Confidentiality or nondisclosure agreements ("NDAs") are widely used but often poorly reasoned or inadequately implemented. When are they worth the effort? How can they be made more effective in protecting a company's secrets or the secrets of others for which it is responsible?
My seatmate on a recent cross-country flight was an entrepreneur who has established an innovative and successful online financial services business. “I never use NDAs,” he insisted. “Too much trouble, and too hard to enforce, anyway.”
That’s not an uncommon view of confidentiality or nondisclosure agreements (NDAs), at least outside the context of employment and independent contractor agreements, where they are routine and well accepted. It’s easy to understand why an employer would want to ensure that employees are cautioned to keep trade secrets secret, for example. With an employee confidentiality agreement, the employer can more credibly threaten termination and a possible lawsuit that does not have to rely on implied duties under general tort or contract law, or the more remote prospect of criminal sanctions for theft, fraud, or commercial espionage.
But in business or technical discussions with potential investors, customers, suppliers, licensors, franchisees, or joint venture partners, it is often very difficult to determine how much needs to be disclosed and exactly who “owns” which information and ideas. Were the parties just brainstorming? Did they independently develop a similar approach to a problem? Litigation over NDAs can be costly, public, and ultimately unsatisfactory to the party claiming a breach, especially if it is hard to prove the intended scope of the agreement and the actual source of information.
So, when is it worth using NDAs, and how can they be made more effective?
Protecting Secrets
First, it must be emphasized that NDAs properly concern only information that is valuable or protected and that is not already publicly available. Patents are public, so it normally makes no sense to sign an NDA covering the substance of a patent claim (although an NDA could cover implementation issues, for example, or the substance of a planned patent filing or extension).
The information should have commercial value as a party’s trade secrets, either non-obvious technical information (such as the formula for COCA-COLA beverages) or confidential commercial information (such as the party’s business plans, internal organization, and nonpublic operations and financial records).
Alternatively, an NDA may concern information in a party’s possession that, if disclosed to others, could expose the party to criminal or civil liability. This might include potential liability for unauthorized disclosure of protected personal information, privileged communications (such as lawyer-client or doctor-patient communications), national secrets, or the trade secrets of a business partner. Often, information could be classed as the company’s proprietary and confidential data and also protected information of a third party – a customer list including credit card details would be an example. In such cases, there are multiple reasons to take contractual and operational measures to protect the information.
Anglo-American common law traditionally recognized civil liability based on “breach of confidentiality,” “misappropriation,” or “unfair competition” when one party made improper use of another party’s commercial secrets. Many of the underlying principles are now statutory, as is the case with fair trade practices under the US Federal Trade Commission Act and parallel state laws.
More specifically, nearly all US states and the District of Columbia have enacted a model law called the Uniform Trade Secrets Act (UTSA). This restates common law principles of misappropriation of trade secrets and provides an extensive range of potential remedies, partially preempting remedies based on tort law or equitable restitution. These statutory remedies include the following:
· injunctions against misappropriation or disclosure
· injunctions compelling protective actions such as the return or deletion of documents and data
· compensatory damages for injury to the plaintiff
· damages for unjust enrichment by the defendant
· payment of reasonable royalty fees (if compensatory damages cannot be proven)
· exemplary (punitive) damages for “willful and malicious” conduct
· attorney’s fees in cases of willful and malicious misappropriation or bad-faith litigation tactics.
Liability is based on proof that the defendant has “misappropriated” trade secrets by acquiring them through “improper means.” Breach of an NDA is one example of improper means. USTA also recognizes other improper means that do not depend on breaching an NDA, such as theft, bribery, misrepresentation, inducement to breach a confidentiality agreement, and electronic espionage.
In order to protect trade secrets under UTSA or common law, a party must demonstrate that it exercised “reasonable efforts” to maintain secrecy. This typically includes using (and enforcing) NDAs with employees, agents, business partners, and others with access to the information, as well as taking such protective measures as locking up or encrypting sensitive documents, controlling access to computer files, and training employees to protect company secrets.
Thus, the NDA is an important means of preserving trade secrets claims and remedies, as well as reducing liability exposure for disclosing the secrets of third parties such as customers, employees, business partners, or governments.
Making NDAs More Effective
A company with trade secrets or protected information always has to balance the advantages of collaboration (such as efficiencies in outsourcing, shared research and development, new sources of investment, expanded markets, a potential sale of the company or its ideas) against the risks that the collaborating party will carelessly disclose the company’s secrets, misappropriate them, or claim that the company has in fact misappropriated the collaborating party’s ideas.
Where possible, it is best to share secrets only with parties that have sufficient motivation and capability to protect your secrets. Give them reasons to believe that they will share in the success if the ideas or data are protected and ultimately commercialized, perhaps in the form of a royalty-free or discounted license, an exclusive sublicense in a particular sector or geography, a lucrative supply contract, a joint venture, or an equity stake. An expressly nonbinding letter of intent may be enough to help them visualize the “carrot” of potential profits. If a company hires a technical consultancy as an independent contractor, the contractor is getting paid and should be subject to a “work for hire clause” as well as NDA provisions. If the company wants to collaborate with an academic, it can raise the idea of a possible consulting contract if the idea appears to merit more development and offer to collaborate in preparing an article for publication in a scholarly journal when some of the concepts can be made public. The point is, there are very often ways to align the interests of the parties in maintaining confidentiality for mutual gain and joint risk management.
As for the “stick” of potential liability for breach of the NDA, consider above all the description of the confidential material to be covered. You don’t want to leave loopholes, but a vague or broadly drafted NDA is less likely to be enforced by a court. It may even be challenged as an attempted restraint of competition, rather than a focused effort to protect trade secrets.
Some NDAs between potential business partners or research collaborators are written to cover only documents or data expressly marked as “Confidential,” while others concern both oral and written information about a defined subject matter. In the former case, it is important to maintain the discipline of marking documents, emails, meeting minutes, and memoranda of lab visits, field tests, or other instances of information exchange as “Confidential, subject to NDA dated ____.” A lapse may be viewed as a waiver. It is also useful to place a copyright notice on documents furnished in the course of the collaboration, to help establish authorship and make additional remedies available under copyright law. Or consider using a wiki or FTP site, similarly marked, to keep documents and messages subject to the NDA in one place. All of these techniques serve to remind the parties of what they are doing under the NDA and aid in establishing proof if there is a dispute.
Where there is concern about maintaining the confidentiality of discussions as well as documents, it may be convenient to describe the subject matter as nonpublic information exchanged relating to a pending patent application or provisional patent application. Otherwise, where the description cannot be effected in a sentence or two, consider attaching a schedule to the NDA describing the subject matter in more detail. The schedule can be updated by mutual consent, without having to redraft the entire NDA.
If the company has a trade name or brand name in mind, add a clause to the NDA in which other parties agree not to use that name for a trademark or domain name without the company’s consent.
Meanwhile, the company should assiduously maintain an inventor's log if it contemplates an eventual patent application. If it comes to litigation over misappropriation of trade secrets, it can be very powerful to document and compare the sequence of invention with the sequence of disclosures.
A useful clause to include in the NDA is one requiring prompt notice if at any time a party intends to rely on the NDA clause excluding coverage for information or ideas related to the subject matter but developed independently or obtained from another source. This gives the company some advance notice of potential problems and makes it harder for the other party to assert plausibly that it already had the information or idea at a much earlier date.
It may also make sense to insist on a non-circumvent clause if the party will be introducing companies or individuals to each other or to potential suppliers, licensees, or consultants. This makes it harder for them to bypass the introducing party in future dealings with those companies or individuals.
And in some cases it makes sense to pursue R&D collaboratively in the context of a government program or an industry standards body, developing standards to which others contribute and which others will use. These projects typically involve their own NDAs and agreements concerning intellectual property ownership and licensing. That approach may ultimately give your company a larger market for goods and services that it can sell based on a standard – USB and Bluetooth are recent examples. Collaboration then takes the form of a contract with a government agency or national laboratory, or chartering a work group or technical committee within an existing standards body, or possibly establishing a new nonprofit industry association to develop specifications. As other companies become invested in the standard, they may also be willing to share the legal costs of protecting it against infringers or infringement claims.
Finally, a company sharing secrets should look to technical as well as legal protections. Establish that the counterparty is security conscious, and insist that it classify and safeguard your secrets as it does its own. It may also be appropriate to use electronic date and time stamps, tag lines, embedded code, digital certificates, watermarks, or metadata to mark material as “Confidential” and also help prove the source and timing of documents exchanged in a collaboration. Using secure email channels, secure FTP and wiki sites, and document encryption are other means of protecting sensitive data – and also proving later, if need be, that the company did indeed exercise reasonable efforts to maintain confidentiality.
* * *
So, in answer to my airline seatmate: Some NDAs are pointless because there are not well-defined secrets to protect, or the parties have not done their homework concerning their mutual interests, or they are not sufficiently disciplined to implement the NDA effectively. But foregoing the NDA may mean foregoing legal remedies as well as an opportunity to educate the parties on what should be protected, and how.
UPDATE: Since first posting this blog entry, I have been referred to an insightful article by Professor Eric Goldman discussing the challenges of managing information under an NDA, at