A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), proprietary information agreement (PIA) or secrecy agreement (SA), is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. (source Wikipedia).

One comes across confidentiality agreements in one guise or another all the time. Examples would be between you and your doctor, your bank and you, or you and your solicitor. After all, you wouldn’t expect anything less. Non-disclosure agreements also exist for financial settlements for whistle blowers (referred to often as non-compromise agreements) but these are not addressed in this article and we do not cover the misuse of NDAs being used as gagging orders where employees have suffered.

In business, clients request the signing of non-disclosure agreements for tenders and new business projects on a daily basis. Such commercial NDAs are often signed on behalf of organisations by CEO’s, legal departments, commercial managers and senior members of the team with the power to do so. They are often the first step in establishing a commercial relationship. NDAs are often very similar or templated and signed as a matter of course without too much due diligence on behalf of the party agreeing to perform the work or service delivery. Client NDAs are simply treated as a standard part of doing business.

It is therefore timely for us to be reminded that a non disclosure agreement is legally binding and there can be serious repercussions should breaches occur.

If you or a member of your team signed an NDA on behalf of your organisation, how are you managing its effectiveness or your organisation and employees’ adherence to its clauses? Have your team members actually seen the clauses they are being bound by? If not how do they know what they can and cannot divulge to others – if anything? What happens if they do form an internal process perspective?

Let us consider some standard clauses often found in a typical NDA. The provider of the NDA seeking to protect their intellectual capital with offer something akin to:

“Proprietary Information” includes any confidential commercial, financial, technical or operational information, and any intellectual property not publicly known or available, which by its nature is confidential, and information that has been or may be disclosed or otherwise made available in whole or in part to a receiving Party or any Representative in any form or medium.  Such information may include hardware, software, component design, manufacture, inspection, and/or repair and overhaul, business information relating to supplies, pricing, costs, profits, business plans and strategies, customer or vendor lists and legal or financial advice.”

Such NDA statements attempt to be all encompassing for good reason as there are many ways in which sensitive trade assets and IP can be compromised.

“Proprietary Information may only be used by the receiving Party for the Purpose, unless otherwise expressly permitted in writing by the disclosing Party.  The receiving Party will, at its sole cost and expense, ensure that the nondisclosure obligations of this Agreement are known, understood by and complied with by all recipients of the Proprietary Information including its Representatives permitted to receive the Proprietary Information.  The receiving Party will be liable for any and all breach of confidence including any breach by its Representatives.  The receiving Party may only disclose Proprietary Information to such of its employees and Representatives as are directly concerned with the Purpose and whose knowledge of the Proprietary Information is necessary for the Purpose.”

Let’s stress the point once again, how is your organisation actively ensuring that the terms of such a statement are being enforced as “are known, understood by and complied with by all recipients of the Proprietary Information including its Representatives“? Indeed how are your employees being kept up to date with all new NDAs coming into play?

Business is of course highly competitive and there are always those wishing to gain a business advantage. One way they can gain such an advantage this is through the activities of employees and the information they simply ‘give away’. This naturally presents you with a risk.

Social media is fabulous for building a team of organisation brand advocates and apostles who sing the praise of your organisation activities and their involvement. New, keen employees will take to advertising their new positions online in a plethora of social arenas with gusto. Very quickly this finds its way into their social posts as they build a professional ‘brand’ themselves. Indeed social media is the perfect vehicle for people and organisation self-publicity. However – just because employees can post about where and when and what they are involved with, doesn’t always mean they should. What have you offered by way of training and compliance in this so far?

Examples of this issue on Facebook, Instagram or Linked-in may involve reference to visiting clients, work they are performing, projects they are involved in, the use of client logos in their posts and photos or via posts directly related to tasks and work they have recently been engaged in. Alongside this is the increasing prevalence of photos posted by employees that are clearly taken on client premises using mobile phones.

These posts may appear innocent enough (perhaps team photos, group occasions, meetings, whiteboards etc) but what are these photos incidentally revealing by accident (perhaps on a screen or in a background) and causing a potential NDA breach? As a quick test take a look at the work-related posts of connections on your favourite media platforms and see how many potential breaches you can spot. In all likelihood it won’t take you very long to find examples. So who is perfoming the due diligence on this content regarding the NDAs your own organisation has in situ?

Another area where NDA breaches can unwittingly occur is with the increasing number of employees entering the speaker circuit for trade shows. These shows are ubiquitous in many sectors and involve a request for industry speakers followed by employees volunteering and putting together presentations that represent their own knowledge and as a bi-product their organisation. As it is down to an individual speaker to generate their content often without any organisational vetting, it is sometimes the case that the speaker draws upon illustrative examples of clients and their projects. It may even include client logos and images but one must ask the question -has anyone checked whether they breach an existing NDA?

Business is of course highly competitive in most sectors and organisations try very hard to protect their brand, their image, their IP and their assets. Engaging a 3rd party means they have to protect these assets from misuse or divulgence by the 3rd party. That is part of the purpose of an NDA. Breaches may have explicit consequences.

Take a look at the following non-disclosure clause:

“The receiving Party acknowledges and agrees that damages alone may not be an adequate remedy for any breach of the provisions of this Agreement by the receiving Party or its Representatives and accordingly, the receiving Party agrees that the disclosing Party may be entitled, without proof of special damage, to the remedies of injunction, specific performance and other equitable relief.”

And what about after client work has completed? The NDA will have set time limits agreed to that extend beyond the work itself however for many organisations, as soon as work has been completed it may become instant reference material or case study content without checking against the terms of the in situ NDA. How are employees being reminded that the NDA remains in place and continues to apply?

“This Agreement will expire automatically three years from the date of this Agreement. Notwithstanding the expiry of this Agreement, the nondisclosure obligations of the Receiving Party with respect to Proprietary Information shall survive into perpetuity or until the Proprietary Information falls into the public domain through no fault of the Receiving Party.”

Just because an employee leaves your organisation does not mean they are then exempt from revealing all about both your organisation and your clients to their next employer or to the world at large. They too may well still fall under the terms of a legacy NDA. In which case how are they being reminded of their non-disclosure obligations at the point of employment termination? The chances are that they are not. This creates a risk.

What about the potential repercussions of a breach of a non-disclosure agreement for you, your organisation and your employees? First, you may lose existing, hard won client business; then you may lose other potential business from this or other clients. This could damage to your industry reputation and affect your trading position in a competitive marketplace.

Breaching any NDA, depending on the conditions set forth, can lead to a monetary penalty, a lawsuit or even the termination of employment. Whichever way one looks at it consequences of violating an NDA can be severe. At the very least, lawsuits are extremely costly and time consuming and you or your organisation may face criminal penalties, depending on the information revealed. For example if the information revealed is sensitive, leading-edge and proprietary, once disclosed it cannot be un-disclosed. The damage is done and the damage is permanent. It could close down an organisation even if the disclosure appears relatively innocent (e.g. a diagram, a screenshot, a process). One should therefore expect repercussions on the party that breached to be serious.

Sadly, all too often employers do little about misappropriation and take few measures against wayward employees due to the impact of time and cost. This is what we would describe as flying by the seat of ones pants – it is certainly a high risk strategy in the current litigious economy. Is it worth the risk and what can be done as a remedy to protect yourself, your employees and your organisation?

First it is necessary to use a people compliance solution to communicate and distribute the key NDA policy and standards information regarding your clients and the NDAs that exist as well as the importance of NDAs in your organisation. It would be wise to summarise and train your teams in the key clauses of a typical NDA, what they mean and what the repercusisons are of a breach to them and to the team, particularly with regards to client information.

Your organisation should also communicate a clear policy on what is and what is not acceptable to post in social media regarding organisation activities and those involving your clients and their marques. Training should be proactive in this matter and your employees should be asked to sign to say they comply to rules regarding non-disclosure (as that give may you some legal standing should a breach occur). As with all key policies, training should be refreshed at regular intervals and the terms of non-standards NDAs communicated well and iteratively. This will actively reduce your organisation’s exposure to risk.

Your organisation should also include the importance of client NDAs and protecting client IP as part of both your on-boarding and off-boarding processes. Signarus offers Orchestra Read and Comply™ and Orchestra On-Boarding for these purposes.

The bottom line is, a lot of effort goes in to winning business and signing agreements. Ensuring those agreements are exposed to as little risk as possible so that commercial relationships grow is absolutely essential and the success of both your own organisation as well as that of your clients may well be in your hands.

For more information on Signarus compliance solutions for Office 365 and Azure contact us on (UK) 020 7 788 9445.

document compliance solutions