NDAs are most commonly entered into at the beginning of a transaction, when the parties to a proposed project wish to provide information to the other side or receive information from them. The information may be commercially sensitive, but it will enable the parties to determine whether or not to proceed with the project.
The commercially sensitive or confidential information could be in relation to a range of different issues, for example:
- A proposed new business venture involving both parties (such as the establishment of a joint venture or the purchase of one company by the other);
- The entry into a new market by one or both parties; or
- The technology and the related intellectual property underpinning a proposed transaction that is owned by one party but needs to be examined by the other.
Asking individuals, such as investors, to sign NDAs shouldn't put them off dealing with a business. If confidential information is being exchanged, NDAs are often used. If a business is hoping to attract investors, it can assume that the potential investors will want to examine the affairs of the company in detail, which will require the disclosure of sensitive and confidential information.
Most investors are sophisticated individuals who understand the purpose of NDAs and, in any event, NDAs tend to be relatively short documents, which can be executed quickly without delaying any proposed transaction.
In the light of the almost daily reports of cyber-attacks and cyber breaches, not to mention laws such as the Data Protection Act (which impose security obligations on organisations that process personal data), every enterprise should be taking simple but practical steps to establish and maintain the confidentiality of both its own confidential information and that which it is holding on behalf of any third party. In this regard, companies should:
- Restrict internal access to confidential information by implementing account management processes, including restricting physical access to certain areas and restricting online access to specific data and/or systems;
- Clearly mark all relevant documents as confidential and implement processes for how confidential documentation should be handled;
- Devise and implement appropriate internal training courses and policies to ensure their own staff comply with strict levels of confidentiality (including in relation to bring your own device (BYOD), passwords, etc.);
- Ensure that their own security policies (both in relation to physical and electronic security) are both proportionate and effective;
- Maintain appropriate records to identify the information accessible (and perhaps even accessed) by each employee or consultant; and
- In the specific context of NDAs, consider whether a staggered disclosure of information is viable, so the most sensitive information would be exchanged later in the process.
English law does not prescribe a uniformly consistent approach to NDAs. As a result, the parties to an NDA can (with limited exceptions in relation to certain pieces of legislation, such as the Data Protection Act) agree between themselves which parts of the information to be exchanged will be confidential, and which will not.
To avoid ambiguity or uncertainty, the parties should try to be as specific as possible in the NDA terms they agree. In particular, they should:
- Identify the confidential information that is to be protected under the NDA. Ideally, this should be as specific as possible, although parties often choose to draft the definition of Confidential Information more broadly in order to cover the disclosure of any information to the receiving party;
- State that the receiving party must keep the disclosed information secret and use it only for a specified purpose (e.g. evaluating whether or not to go ahead with the project);
- Clarify when the information may be disclosed to third parties (e.g. if required to do so by law or regulation, or if the information is no longer confidential); and
- Provide for the return or destruction of the confidential information if the project or transaction does not proceed.
If the NDA is governed by English law and the English courts have exclusive jurisdiction over disputes arising under the NDA, a party that believes the other party has breached the terms of an NDA may issue proceedings. The real issue, however, is usually one of timing: once confidential information has started to leak into the public domain, the most important thing is to plug the leak as quickly as possible. As noted below, although damages may be available following the breach of an NDA, English courts have a well-established process for enforcing interim injunctions, which will be the primary objective for most companies.
An NDA is a contract. Under English law, the default remedy for a breach of contract is to award damages to put the injured party in the financial position it would have been in if the contract had been properly performed (i.e. if no breach had occurred). However, damages may be an inadequate remedy in some situations, for example when the other side is leaking confidential information and the innocent party is more concerned about preventing any further leaks than about claiming damages for leaks that have already occurred. Practically speaking, it can also be difficult to prove that leaked information originated from one specific source.
In such an event, the innocent party may wish to seek an injunction preventing the other side from disclosing any further information, or an order for specific performance against the other side, requiring it to take certain positive steps to prevent the disclosure of confidential information.
The usual process would be to seek an interim injunction initially, something that can be obtained very quickly. Breach of an injunction can amount to a contempt of court, which is punishable by a fine or imprisonment.
Will this provide adequate redress to the innocent party? The answer will vary from situation to situation.
NDAs are not a panacea. However, as with Churchill's observation about democracy being a very flawed system but all the others being so much worse, NDAs serve an essential purpose whilst not providing companies with absolute protection. If businesses are to discuss in detail the possibility of working together, they must accept that at some point they are going to have to share sensitive information with each other. An NDA provides a level of comfort that most companies find acceptable.
NDAs are short, simple contracts that require little or no negotiation, enabling parties to move forwards in discussing potential commercial opportunities without being side-tracked by having to negotiate a full-form, long-term contract that may never be needed. NDAs provide parties with some legal remedies and also serve a purpose in relation to the business men and women who execute them, who become aware of the sensitivity of the information that may be disclosed to them.
Rhys Williams is a partner in the Commercial Technology team at leading international law firm Taylor Vinters.