Nondisclosure Agreements, or “Confidential Disclosure Agreements” as they are sometimes called (biotech companies seem to prefer the “CDA” designation), are some of the most common types of business contracts. Although they are often signed with only a cursory review, each one should involve as much review and reflection as any other contract.
This is because each NDA could be the basis of a trade secret lawsuit. Trade secrets require “reasonable efforts at secrecy”, and NDAs are a primary method of maintaining that status. Each NDA or CDA has its own language, and I would recommend having an attorney read each one. However, as a way of getting oriented, these are what I perceive as the most common variables:
(1) One-way or mutual? Are both parties disclosing information, or just one? If only one party is disclosing, and it has more bargaining power, then it should ask for a one-way.
(2) Definition of “Confidential Information”. This is perhaps the most important term that defines the scope of what might be disclosed and what should be protected. There are roughly three ways to handle this:
(a) Kitchen Sink: Everything Is Confidential. This is the most frequently used, and takes the form of a lengthy list. I always like to search for the phrase “mask works” when I first open an NDA in Word. Its presence gives a sense of how much thought went into its drafting. “Mask works” are specific designs for manufacturing semiconductors, which essentially don’t make sense outside of that context. If your NDA contains the phrase “mask works”, and you’re not manufacturing semiconductors, it’s pretty clear you have a “kitchen sink” definition on your hands. A kitchen sink definition makes life easier for the discloser(s) because they don’t have to worry about anything slipping through the cracks. It can make life difficult for the recipient, because you cannot control what the other party is disclosing to you in advance. It’s possible they might give you secret information that is similar to something you were going to develop yourself later, but (after receiving their similar confidential project) doing so might be infringing on their trade secrets. If you Google “why I won’t sign your NDA”, there are many blog posts from VCs, programmers, and others about how a fear of constraints on their business causes them to avoid NDAs, except in close relationships. A separate issue is that you may also not know what, of the things the discloser is giving to you, is actually meant to be confidential, a problem that is solved by (b) and (c) below. Frequently parties with less bargaining power that are primarily the receiver of information sign a super-broad NDA. If bargaining power is equal, I think it usually only makes sense in a close collaboration where the nature of all the information cannot be determined in advance.
(b) Only what’s labeled. Another option for defining “Confidential Information” is to limit it only to those things that are labelled in writing as “CONFIDENTIAL”. This limits the possible universe of confidentiality, and puts you on notice about what those things are. It can be more burdensome on the discloser since they have to label stuff or send emails saying “that thing I sent/told you last week is confidential”. This is a good compromise where you can’t know all the information in advance, but you’re not entering into a close collaboration where the labeling gets to be burdensome.
(c) Specifically described secrets. This is the best option. Ideally the parties would sit down, carefully describe the types of information they plan to exchange, and then put in careful wording that describes those types of information. However, this often requires more time and legal fees than most business people are willing to put in. The most frequent usage I see for this is if there is just a one-off thing that is confidential that needs to be disclosed: a process or recipe, some source code files, a molecular structure.
(3) Duration of Exchange Period. This is usually the term of the contract. So the NDA will say that it terminates after one year, or something similar. This is the time period during which new confidential information can be provided by a discloser to a recipient. Usually there is a window of business opportunity that sets a particular exchange period, like the exploration of some type of deal. If the exploratory period goes well, then some other contract will take over that has further provisions for confidentiality. If the exploratory period doesn’t go well, you probably don’t want the other side randomly emailing you additional confidential proposals.
Sometimes the exchange period is just blurred into one time period with the confidentiality obligation, which is described below in point (4). I prefer to separate them if possible, to create a clear end point on the exchange window.
(4) Duration of Confidentiality Obligation. The confidentiality obligation can last for a fixed period of time, or forever. Most information will almost certainly expire in usefulness at some point: financial information goes out of date, software code is superseded by newer technology, et cetera. As the discloser, forever is always going to be the safest option. For the recipient, though, that becomes a perpetual liability of a trade secret lawsuit. You could get sued in 2035 for information that was disclosed to you in 2015. Data gets copied and backed up to various places, laptops stolen, accounts hacked, people say something they shouldn’t have. There is always a background risk for even the most careful data custodian. So knowing that the risk goes away after a few years is nice.
Forever is probably the most frequently-seen duration of confidentiality obligations, since NDAs are most frequently drafted by corporate disclosers, not the recipients. Forever is also necessary to protect trade secrets that have lasting value. Sometimes there is a separate (forever) duration for trade secrets. That’s fine as far as it goes, but there can be a kind of “chilling effect” if there is no clear definition of which part of the “confidential information” is a “trade secret”.
One year would be very short; about three years seems the next-most-common after forever; and five years or longer comes up occasionally, more often in biotechnology and other secrecy-heavy industries, especially where information may not go stale that quickly. If you don’t see a termination provision in your NDA, it probably goes forever.
(5) Governing Law and Venue. The “governing law” is which state’s law pertains to disputes. The venue (or “forum”) is the location where disputes are handled. Dealing with litigation outside your home state can be more inconvenient and expensive, and outside your home country even more so. It may also give the other side a “home court advantage”. If both parties are in the same state, then usually it is a non-issue. If the parties are in different states, those are advantages you want for yourself, if you can get them. So if possible it is best to specify your home state’s law, and courts close to your business.
There are also compromises, if the parties cannot agree on a governing law and venue. Two common ones are deleting venue entirely from the agreement, or drafting a clause where the defendant always gets its jurisdiction. The pros and cons of those are a topic for a future post!