Virtually every business will possess information that is both of high value to them and commercially sensitive. The protection of that information depends on it being kept secret from the world at large. However, there will be times when a business needs to disclose that information to another party. Where disclosure is necessary, it will be protected only if it is disclosed under circumstances importing an obligation of confidence.
English law protects such information in certain circumstances, even in the absence of any contractual confidentiality provisions. However, the scope of what is protected and how far protection applies is not always clear, which makes it difficult to enforce when disputes arise. Best practice is to put a non-disclosure agreement (NDA) in place before any commercial or technical know-how is disclosed.
This is particularly important if the information may comprise one or more patentable inventions, since one of the criteria for patentability is that the invention is novel, in that it has not been made available to the public before an application is filed. Technology-based businesses need to be alert to this issue and ensure they agree appropriate NDAs each time any disclosure is going to be made; whether to a potential investor, research partner, customer or other third party.
So what should businesses be considering when disclosing information under an NDA?
Tip one: Forever and ever?
One of the most important terms to get right is the duration of the NDA. Is the secret to be kept for the duration of a particular project, say 2-5 years, or indefinitely?
If a fixed duration is agreed, plan carefully to ensure that the NDA does not expire when the project is still on-going – do you need a provision allowing for renewal?
There is no legal limit as to how long an NDA can last, but in reality most companies will be very reluctant to agree perpetual secrecy, since it becomes harder and harder as time goes along to keep track of information flows, with employees changing roles, departing or joining. However, where the information is in a tangible form, such as source code, there may be no reason for most employees to ever access or disclose it to third parties. If so, perpetual secrecy may be appropriate.
Where the information is business-critical, such as the famously secret recipe for Coca-Cola, then it is worth putting in place stringent arrangements to ensure that it remains secret indefinitely. This is something which should be thought through and agreed at the outset, since it only takes one slip for a secret to be disclosed, and its value potentially lost forever.
Tip two: Secrecy, and what else?
Since NDAs are common, there are many standard forms in use and a company will often be asked to sign up to another party’s standard terms. Although the principles of an NDA are unlikely to be contentious, it is nevertheless important to review these standard terms carefully since they may contain onerous or inappropriate clauses. For example, provisions granting the disclosing party ownership of any intellectual property rights arising from the use of the disclosed information, or disclaimers as to the accuracy of the information being disclosed.
Tip three: Secret, except when it isn’t
All NDAs should include a clause excluding certain information from the requirement of absolute secrecy. This will include any information which the recipient is able to demonstrate was already in the public domain, or in its possession, before receiving the disclosure. Another standard exclusion is for any disclosure required by law, for instance in legal proceedings or a regulatory investigation.
However, the disclosing party may still want provision in the NDA to enable them to manage the process of such a disclosure and mitigate its impact. For instance, by being given notice in advance of the compulsory disclosure taking place in order to seek a confidentiality order from the court or obtain a legal opinion as to what information is absolutely subject to the compulsion and minimise the disclosure of anything else.
Tip four: When something goes wrong
Before entering into an NDA, consider what form of remedy will be required if the NDA is breached. The most common remedy for breach of contract is financial compensation, but in the case of confidential know-how this may not be the key. An injunction, preventing further disclosure or use, may be far more important.
Indeed, it may be helpful to include an express statement in an NDA that damages will not be an adequate remedy for a breach of confidentiality, as this will be one of the key questions that an English court would look at when considering an application for injunctive relief.
However, the question of jurisdiction will need careful consideration. A clause giving exclusive jurisdiction to the English courts may actually be a hindrance if the information is being evaluated, and so most likely to leak, in another jurisdiction. Having to get an English court order and then ask the foreign court to enforce it will inevitably slow up the process by weeks, if not months.
Similarly, while arbitration clauses are increasingly common in intellectual property agreements, arbitration is unlikely to be the best solution if an urgent injunction is required, since even convening a panel of arbitrators can take some time. If an arbitration clause is appropriate, it may be prudent to include a carve-out for urgent injunctive relief. The right solution will depend on the particular circumstances in each case.
Tip five: Which clause counts?
In many cases, the NDA is a preliminary step towards a potential larger project, and if this goes ahead, a further agreement or suite of agreements may be signed. If so, it is important to address the question of which confidentiality terms take precedence. If there are even slightly different provisions in effect, then ambiguity and possible disagreement about the scope of the confidentiality obligation can arise.
Tip six: Track and trace
Once the NDA is in place, there is a danger that it can be forgotten about. But if the information really is valuable and worth protecting, then the NDA should be only the beginning.
It is no use passing the receiving party a bundle of information – in written, electronic or oral form – and assuming that it will all be kept strictly separate from their own information and traceable if at the end of negotiations it is necessary to get it all back. A company disclosing information should keep as detailed records as possible of what has been disclosed subject to the NDA, and require the recipient to record what copies have been made and where disseminated. With this information, “putting the cat back into the bag” at the end of the project is more likely to be achievable. Without it, it may be next to impossible, despite the best intentions of both sides.
A related point is to consider where in a group of companies the information might go once disclosed, to make sure that the right corporate entities are party to the NDA and that it can be enforced against them.
Tip seven: Does it really matter?
Finally, and critically from the point of view of enforcing the NDA, it is essential to think in advance as to what information really is to be kept confidential.
The tighter the description of information which really is both secret and valuable compared to the totality of information which is going to flow between two parties in the heat of discussions, the more favourably the court will look upon an application for an injunction.
It can be tempting to describe confidential information broadly with terminology such as “all information relating to the business” because it is easy and gives the impression of providing the widest protection. However, this impression can be misleading. Courts are well aware that companies are teeming with information which may not be known to the outside world, but which is not really either core to the business or of any substantial value. The courts will be unwilling to impose the draconian remedy of an injunction to protect such information and may in those circumstances conclude that the NDA has no real effect at all.
Better to put in more time and effort up-front to understand what really needs to be protected, and get that defined, than risk having the whole effort held to be ineffectual.