There is a trend for people to demand the signing of confidentiality or non-disclosure agreements (NDAs). An NDA is useful:

  • when someone needs access to an organisation’s confidential information or trade secrets, for example for the purpose of preliminary discussions and evaluations;
  • where a purchase of a company is contemplated;
  • where a joint venture is planned, or where an evaluation of a computer system by a prospective purchaser is being undertaken;
  • for the development of new products; or
  • where technical information about engineering and manufacturing processes is being imparted.

A purchaser may wish to impose non-disclosure terms on suppliers to cover its own proprietary information where prospective suppliers are investigating existing processes and procedures to determine how their products and services will meet the purchaser’s requirements. When companies are acquired and sold, the examination and valuation of intellectual property assets has become a key task in the “due diligence” exercise, a careful enquiry by the company’s purchaser, designed to identify, test and quantify this part of the purchase in relation to the price.

In all these circumstances, the use of NDAs is to try and provide some protection and to show that no general disclosure is intended. There are two issues I want to address in this article:

  1. Whether NDAs are worth the paper they are written on.
  2. If they are, how does one manage the risks of unauthorised disclosure from a practical perspective.

Whilst you might feel you are caught between ‘a rock and a hard place’, it is best to have an NDA in place, provided you have given careful thought as to how you want to protect your confidential information in practice.

Is an NDA worth the paper it is written on?

In South Africa, there is currently no general law of privacy and therefore information disclosed in confidence will not necessarily be protected by law. The Protection of Personal Information Bill (POPI) that is currently being drafted by the South African Law Commission is such a general law, but it is not yet in force. See our post “Privacy: Will the wait soon be over?”. There are, however, some statutes (for example the National Credit Act) that protect “confidential information”. For the rest, confidentiality clauses in non-disclosure agreements are the only way of protecting commercially confidential information. Once POPI becomes law, confidential information will form a part of the definition of “personal information” that will be protected by the law.

NDAs are often not worth the paper they are written on for three reasons:

  1. It is very difficult to identify the subject matter of the NDA: invariably the parties are seeking to protect confidential information and trade secrets. These are particularly slippery areas of IP (see our post “What makes up ‘IP’?”), which the parties often fail to identify and label (mark) as “confidential”. Confidential information is generally information that is only known to a certain number of people or the information “must be something which is not public property and public knowledge”. This is an objective question of fact. Trade secrets are confidential or secret and must have value in commerce. To be of value in commerce, the information must be capable of providing its owner with an advantage over its current or potential competitors (this is also referred to as the “springboard” requirement – “spring boarding” entails not starting at the beginning in developing a technique, process or product, but using, as the starting point, someone else’s technique, process or product).
  2. The only way to enforce the NDA is to go to court and get an interdict, which is not only a very expensive exercise nowadays, but the damages you might suffer are likely to be very difficult to prove in practice.
  3. An interdict by the courts to prevent further disclosure will often be too late as the harm will already have been caused. In the United Kingdom, confidential information has been described as “an ice cube … give it to a party who undertakes to keep it in the refrigerator and you still have an ice cube… give it to a party who has no refrigerator or who will not agree to keep it in one and by the time of the trial you just have a pool of water that neither party wants. It is the inherently perishable nature of confidential information that gives rise to unique problems” (see Burnet at page 9).

For me, the main criteria in determining whether or not an NDA should be entered into in the first place are:

  1. the level of trust that you have with the other party; and
  2. your business objectives behind getting the particular deal done (which depend on the circumstances and include factors such as the value of the deal, the importance of doing some work for a client strategically, given who they are, and which of the parties holds the “power” in the relationship).

A good example of the power (imbalance) is venture capitalists (VCs), who are notorious (in the United States at least) for not being prepared to sign an NDA. The reason? At any given moment, they are looking at three or four similar deals and are not prepared to create legal issues because they sign an NDA and then find another, similar company – thereby making the paranoid entrepreneur believe the venture capitalist stole his idea (see Guy Kawasaki’s post “The Venture Capitalist Wishlist” where he also points out that “if you even asked them to sign one, you might as well tattoo “I’m clueless” on your forehead!”). Many businessmen I know are simply not prepared to go through the process of reading through the NDA and deciding if it has any problems, dealing with their lawyer to change it and then getting you to deal with your lawyer to accept or reject his requests.

Managing the Risks of Unauthorised Disclosure

If one does decide to go the route of an NDA, I invariably find that the level of diligence that companies adopt in putting an NDA in place before entering into discussions with a prospective business partner is inversely proportional to the amount of thought and effort that goes into working out what needs to be put into the NDA to actually protect confidential information and minimise the risk of unauthorised disclosure – which is what the whole exercise is about in the first place (the essential purpose of an NDA is to ensure that confidential information remains confidential and is not broadcast to competitors, disseminated to the general public, or exploited in competition with the owner).

In my experience companies simply haul out that standard template and go through the motions of filling it in without giving any careful thought to the practical implications of the NDA: how to protect the confidential information that is about to be disclosed. Businessmen need to pay proper attention to monitoring the use of confidential information and its safe custody. This principle applies not only to paper-based documents but also to material provided electronically, on screen, via e-mail or by means of a memory stick, CD or DVD. The somewhat cavalier approach to the monitoring and enforcement of obligations must come to an end!

So how does one manage the risks of unauthorised disclosure?

If one does decide to go the route of an NDA, then probably the most important issue for me is how one goes about it practically. It has everything to do with how it’s done and not what is done. By this I mean paying particular attention to:

  1. precisely what you disclose,
  2. how you disclose it (e.g. orally or in writing), and
  3. to whom you disclose it in the organisation.

As part of this process, it is very important to properly identify the information that needs to be protected and plan disclosure. At a high level, you have to decide whether you want to:

  1. label all confidential information as “confidential”, or
  2. adopt a default position whereby any information disclosed is to be treated as confidential information.

The problem with the latter approach is that the NDA could be rendered meaningless and difficult to enforce (let alone prove damages) as a lot of the information disclosed might not be confidential information. You could find yourself wasting time and money on lawyers’ fees, only to find out that your case is paper thin: very little confidential information was in fact disclosed.

Regarding the identification of the information that needs to be protected, consider the following:

  • Grade the relevant information in terms of its ‘sensitivity’ and isolate confidential information or trade secrets;
  • Label the information “confidential” (which will at least give you as owner certain limited rights in attempting to protect the information in law should you not sign an NDA);
  • Consider further security precautions for confidential information and trade secrets (e.g. only disclose it orally to certain people in a room who have no laptops or pen and paper on which to record the information being imparted to them – with 16GB memory sticks available, the sum total of someone’s entire library of customer lists can now walk right out the door without anyone knowing, let alone laptops with CD and DVD writers and 500GB hard drives);
  • Limit access to a large database of information (many companies employ large databases as a storeroom for their most valuable information) by developing multiple levels of access rights to the confidential information;
  • Label or mark confidential information as “confidential” as appropriate.

Regarding planning disclosure, consider the following:

  • Establish controls to restrict disclosure of confidential information internally and ensure that the recipient’s own employees are subject to appropriate confidentiality obligations;
  • Appoint one person to manage disclosure within your company;
  • Ensure that you enter into the NDA BEFORE (and not after) any confidential information is disclosed (attempts to apply it to previously received information will normally be ineffective in law and, in any event, it will be difficult to identify such information accurately);
  • Devise a contingency plan to deal with leaks.