Sunday, February 10, 2013

Managing Confidential Information





When you agree to accept another party’s confidential information several things occur. You accept the responsibility to manage the information as required by the discloser. You assume liability in the event the information is wrongfully disclosed. You also potentially subject your company to claims of misappropriation of trade secrets if you were to use that company’s confidential information for your own purposes. The management of the risks associated with the receipt of confidential information are managed in two ways. First in the terms you agree upon in agreeing to accept confidential information. The second is how you internally manage that information.

To manage it contractually:

1. You need a clear definition of what constitutes confidential information. That should be further limited to only information that meets the criteria for trade secret information:
a) The information is not generally known to the relevant portion of the public;
b) It provides an economic benefit to the discloser that is not generally known;
c). The discloser uses reasonable efforts (both internally and externally) to maintain its secrecy.
Confidential information should not include copyrighted or patented information as the discloser is already protected on those. It should never include all correspondence from the discloser.

2. It needs to be marked so there is no question that it is confidential and would be subject to the requirements of the agreement. Suppliers may not like the extra work for them of marking it, but that shouldn't create both increased management costs and increased risks for you that would occur if they don't. If you run into a company that doesn't want to mark information, they will generally want all the information shared to be considered confidential. As a recipient that's not something you would want as is dramatically increases the potential risks to your company.

3. If you are going to allow oral disclosures you need to keep the number of them limited so they will be managed. Your confidentiality agreement (CDA) or non-disclosure agreement (NDA) should require several things for oral disclosures. First, at the time of the oral disclosure the discloser must identify that information as confidential. That way the recipient knows that it is confidential and they will be able to manage it accordingly. Second, the agreement should also require the discloser to immediately send a notice confirming the disclosure and what was disclosed orally. That way it’s not just one person’s word against the other. That way if something was disclosed to an engineer, and the contract manager is the one that manages and documents the receipt of confidential information they will get that notice of the disclosure. The burden of confirming the disclosure should always be on the discloser, it’s their information to be protected.

4. I would limit the confidential information the discloser may provide based upon two criteria. It either must be requested by an authorized party of your company, or it must be provided only in situations where the recipient has the “need to know” the information to perform their obligations under the contract. The simple fact is the more information you receive the greater the potential risk you have for potential misappropriation of trade secret claims. The request by an authorized party is to limit individuals like engineers from asking for information that would increase your liability when they don’t need the information to perform their job. Think of a product as being like a black box that performs certain functionality. Many times an engineer may want to understand what goes on within the black box (which is confidential) when all they need to know is what goes into the black box and what comes out of the black box (which shouldn’t be confidential). The more information you receive the greater the potential risk to your company so managing the inflow of information is very important, especially to help avoid potential trade secret infringement claims.

5. As all confidential information provides the company an economic benefit for only a limited period of time, you need to end your obligation to maintain it as confidential by having a term after which you no longer have the obligation to maintain it as confidential. Most information has no real economic benefit more than 7 years after disclosure and frequently less.

6. If you need the ability to share the information and would get authorization to disclose information to:
(i) your employees and contractors who have a need to know;
(ii) any other party with the Discloser’s prior written consent.
In managing liability if the disclosure will be to a third party, you need that third party to meet the same obligations and indemnify your company against claims from the discloser for that third party’s failure or misuse or you need a separate confidentiality agreement between the discloser and the third party so you aren’t liable for their acts.

7. You need no obligation to maintain the information to expire if certain conditions exist:
(i) You already rightfully have the information without a nondisclosure obligation;
(ii) You develop the same or similar information independent of the Discloser;
(iii) The information publicly available when received, or thereafter becomes publicly available through no fault of the Recipient;
(iv) It is disclosed by the Discloser without meeting the disclosure requirements such as marking.
(v) It is disclosed by Discloser to a third party without a nondisclosure obligation.

8. It should address the potential for disclosures that are required by law. When you are required by law to produce a document you can’t not do that, as you would be violating the law. In these situations the best a discloser can ask for is a prompt notification of any orders to provide the information so they may seek to intervene to stop the requirement of production of the confidential information. Barring that you should be able to disclose the information.

Managing Confidential Information Internally

As receipt of confidential information creates potential significant liability for a company, to manage the risk you need to manage and control the information. Several ways to manage and control the information are:
1. Single point of access for the receipt of information where all information is logged.
2. Limiting access to the information to only authorized individuals that have a need to know.
3. Placing restrictions on copying of information and controls over further duplication of the information or excerpts of the information.
4. Management of the security of the information as required by the contract or as a minimum as required for your confidential information. For example if a specific way of managing the information isn’t specified you would use the same controls as you use to manage your own confidential information.

In managing the information there are two risks you are trying to manage. The first risk is to make sure that there in no breach of your obligation to manage the information as confidential. In most companies the even greater risk is managing against that information being spread throughout your organization where even inadvertent use could be the basis for a claim of misappropriation of the trade secrets included within that confidential information.

In a misappropriation suit you would need to prove that your information was independently developed and the best way to prove that it was independently developed is with strict controls and limited access to the information so only a limited number of employees are exposed to that information. It is also best that individuals that have been exposed to confidential information not be assigned to potentially competing work as they will always have the retained
Knowledge.

I’ve worked on projects where we had a single coordinator for both companies to manage the flow of confidential information and all disclosures and receipts had to flow through those individuals. The coordinator would limit access to only those authorized on a “need to know” basis. Copies were numbered and bound with instructions not to make any copies. Individuals had to sign for each access including what information they accessed.

When the obligation to maintain the confidential information has either expired or been excused we would collect all information and copies. Verify them against our log and records, and then depending upon the requirement of the contract either return or destroy all copies and if required certify the destruction of such materials.

Where managing confidential information is extremely important is when you may have development of products that may compete with the discloser or you do work with suppliers or subcontractors that compete with the discloser. It’s in those instances where you may need to show all the steps that you took to make sure that the information was protected as required and your product or your supplier or subcontractor’s products were independently developed with no involvement from your people that had access to the information and might have it retained in their minds.

The last reason for managing it contractually and internally is unlike other contracts most CDA’s or NDA’s have no limitation on the type of damages that may be claimed. They also don’t have limits on the amount of damages that may be claimed. In some locations, as a further deterrent to breaching the obligation of confidentiality, there may also be penalties that may be claimed. That means in most cases you have unlimited liability and that’s why most companies keep their confidentiality agreements separate from their other agreements in which there may be limits on both remedies and amounts of damages.