Confidentiality agreement

Revision as of 17:01, 13 May 2019 by Amwelladmin


Also known, to those for whom the glass is half-empty, as a non-disclosure agreement. An agreement whereby you promise not to tell. If Robert Plant were writing one, he would write it like the box on the right.

Anyhoo. Here are the main parts of a normal financial markets confidentiality agreement.[1]

What’s in a confi?

Confis can be “one way”, where one party discloses and the other receives, or “two way”, where both parties disclose sensitive information. A broker’s template will tend to be far more generous when it is receiving only, than when it is giving information up. I know this may come as a shock to some of you.

Length

Firstly, let’s be blunt about this: there is a special place in hell for any advisor who serves up a confidentiality agreement more than 3 pages long. Even three pages is purgatorially tedious. GET TO THE POINT. It’s a goddamn confi, not the sale of your soul. Oh hang on.

Purpose

Why are the parties sharing the information in the first place? Typically, you’ll want to restrict use of the information to matters relevant to the project. This is likely to be defined as the “Purpose” or the “Project”. Expect to see this kind of definition, and this is somewhere you can let your sales guy go wild.

“So, legal eagles, what should I put for the “Purpose”?”
“I dunno, you tell me. What is the purpose?”
“What?”
“...You know, the purpose that you want the confidential information.”
“Ohh, right. [Pause] Well, looking at a sample portfolio to put some pricing together with a view to pitching financial services, I suppose.”
“Okay, so put that.”
“What?”
“Put that.”
“Just, that?”
“Sure.”
“Like, “looking at a sample portfolio to put some pricing together with a view to pitching a PB service, I suppose”?”
“Well, I wouldn’t put “I suppose”. But otherwise, yes.”

Sales will go away happy, and quietly believing he could have been a lawyer. And you know what? He probably could have.

What is in scope?

Parties give each other all kinds of information. Not all of it is sensitive. Seeing as an NDA imposes onerous obligations, you should carefully define the “confidential information” that’s in scope. Consider the following:

Personal information: Personal information about individuals is tricky in this age of big data and fake news. There may be additional provisions concerning storage, processing and rights to access and correct that information. Especially now the EU General Data Protection Regulation (GDPR) is in force. Hoo boy. Data protection is an area of law of which JC has assiduously steered clear over his career and he is not about to change that now.

Client-identifying information: some data is interesting and sensitive only as far as it can be associated with a person or entity. Trading data, for example. That a Vodafone trade was executed at close on the 1st of September at a price of 103 isn’t especially sensitive. It isn’t susceptible to copyright.[2] Not until you link it to the client who executed the order. Then it is sensitive. Market abuse and insider trading lie this way.

Proprietary IP and technology: Trading data tends to be valuable insofar as it relates to a given client. Other types of information (especially intellectual property: patents, copyrights, designs, trade secrets, secret sauce and so on) are valuable irrespective of the identity of the client.

What is out of scope?

Which information that would otherwise be in scope is out of scope? Even within the definition of confidential information, you’ll need to make exceptions for information the receiver already held, or receives or develops independently (and not in breach of a confidentiality undertaking) or with reference to information specifically disclosed

Information disclosed to a regulator is still confidential information

Don’t make the schoolboy error of excluding “information required to be disclosed to regulators or government authorities” from the definition of “confidential information”. Now, to be sure, this is a legitimate exception to a fellow’s general covenant not to disclose confidential information to anyone[3] — but it shouldn’t disqualify the information from being “confidential information” altogether. If it did, once you were required to give any information to a regulator, it would suddenly be open season and you could tell everyone about it. Not the intention.

One misconceived argument we have seen for this approach is as follows: “if I give information to a regulator then I cannot control what the regulator does with it. Regulators are all-powerful. They may publish sensitive information in the Luxembourger Wort for all I can do about it. Therefore your information, once I have rightly given it to a regulator, can no longer be treated as confidential.”

Not so fast: If you disclose my information legitimately to a regulator, and the regulator then discloses it to the world (whether or not legitimately) you have complied with the terms of your contract. Unless you have independently covenanted to procure that the regulator keeps it confidential (don’t do that: regulators are all-powerful, and you make yourself a hostage to fortune), you have not breached your NDA, and you cannot therefore be liable for resulting losses. They are regrettable externalities: obstreperous actions of impish third parties. On the other hand, if you disclose my information legitimately to a regulator, and then you separately disclose it to someone else, then you absolutely can and should remain liable for losses. If by disclosure to a regulator the information is deemed “no longer confidential” you would be free to disclose it to someone else without that sanction.

Proprietary information

If your definition starts with “information belonging to the discloser” or “proprietary information” then you have excluded most of the data you are seeking to protect. “Belonging to” implies “possession”, implies “property” implies “intellectual property”. Intellectual property subsists in creative works — copyright, patent and trademarks — but not in facts or raw data. To be yours, you have to have created it. Your trading data, your client lists, your employees — this is not information belonging to you. It is information relating to you which (QED) the receiving party wants but does not have, which is why it is worthy of protection by contract even though no intellectual property rights attach to it.

General terms of confidentiality obligations

Having defined what counts as confidential information, the question arises: what can you do with it, and what’s not allowed?

In order of stating the bleeding obvious:

Keep the confidential information confidential

Don’t disclose it except to the defined group of people set out in the agreement — and you may be required to ensure that these people only receive the information subject to an equivalent duty of confidentiality:

Inside the organisation: In a large organisation you may be restricted to a small group of people in the organisation, and they may be behind information barriers (for example, credit, legal or the on-boarding team). There may be specific restrictions on passing the information to trading desks and front office personnel who could profit from it (this may be illegal: it could be insider trading or market abuse), rip a good idea off, end-run around the client to do the same deal with someone else, or nefariously use it to curry favour with other clients.

Outside the organisation: you may be allowed to share it with professional advisers, regulators and quasi-regulatory authorities (stock exchanges etc) where required by law (or you reasonably consider it expedient). There may be some tiresome details about only giving what is reasonably necessary, and helping to prevent, challenge or minimise disclosures to regulators. Be aware of the schoolboy error of reclassifying information that must be disclosed to regulators as “no longer confidential”. This is wrong: It is still, in your hands, confidential. Obviously you cannot be blamed for miscreants in the public regulatory system who then misuse it, but you must still keep to your own word.

Only use it to carry out the “purpose” or “project”

This is somewhat hard to enforce — it’s nebulous, right? — and in practice, you’ll never know what goes on behind closed doors, but in the English law-speaking world this is pretty uncontroversial precisely because it isn’t practically actionable. But our North American cousins — and those on the private side of the investment banking wall — can get very worked up over it.

Not make unnecessary copies

Not the sort of thing to argue about, but not necessary either: you can xerox the information a thousand times if that floats your boat, and that won’t cause me any more damage than had you only xeroxed it once — unless you then give it to someone you shouldn’t. It is not the act of copying it that causes the loss, but your subsequent carelessness with the copies. But, still, would you strike that out of a draft? No.

Obligation to notify provider of regulator requests

This is a common and oft-accepted provision: where you are obliged to disclose to a regulator, you must first notify the provider of the information, to allow them to make representations, or try to get an injunction, to prevent disclosure. However excitable your counterparty is on this point — and junior lawyers at real money firms can be quite excitable — resist this. It is potty. When you step through it, it is hard to see any real-world cases where your counterparty could or would actually try to stop disclosure to a regulator, and plenty of benign circumstances where disclosure is a matter of course. To wit:

Trade/transaction reporting: Brokers will be obliged to disclose a lot of trade-specific client information to regulators and exchanges every day on account of MiFID/EMIR trade and transaction reporting. We are not going to repeatedly tell the client that.

Ad-hoc general information requests: Outside trade/transaction reporting, when regulators ask for ad hoc information from a broker, it is usually for a wide-ranging data set across whole trading books and sectors, covering multiple clients. It is unrealistic to expect brokers to monitor which clients within that population have confis, much less a right to be specifically notified beforehand. Nor will they want to go to the trouble of getting all those consents. Why? BECAUSE LIFE IS TOO SHORT.

Ad-hoc client-specific information requests: Where a regulator specifically asks for data on a single client, it is likely the regulator will also have made equivalent disclosure requests to the client at the same time (or copied the client on those requests to the broker) — if the request is benign — and if it has not, the investigation is likely to be one where the regulator would not allow the broker to alert the client anyway, and indeed where such notification could be a criminal offence (market abuse, etc). Even where the notification clause carves out cases where notification would be illegal, this leaves the empty set of circumstances where the broker would have to give info about a specific client and the client doesn’t already know about it, but was entitled to.

Commercial sensitivity: Lastly, the legitimate point of a confi is to respect the client’s legitimate interest in protecting the commercial value of non-public information. It is not to keep silent about behavioural turpitude; indeed a broker’s regulatory obligations may oblige it to report, without invitation, bad acts it observes, whether the client likes it or not and whether there is a confidentiality agreement or not. Generally, client information a broker holds is not legally or professionally privileged. Since, by definition, passing information to a regulator should not[4] prejudice the commercial value of that information, it is hard to see when a client would have a valid reason to seek injunctive relief to prevent disclosure of information to a competent regulator.

And that is borne out by the JC’s tawdry personal experience (anecdotal though it may be, it does span 22 years and three different investment banks): the JC has never ever, ever seen anyone even try to get an injunction to stop disclosure of confidential information to a regulator.

Cut-out-and-keep response

Try sending your counterpart something like this (put “dear —”, and “kind regards” around it, of course):


Disclosure to regulators

There are three main reasons a regulator might require confidential information from us relating to a client:

Trade/transaction reporting: Brokers will be obliged to disclose a lot of trade-specific client information to regulators and exchanges every day on account of Dodd Frank and other regulatory reporting regimes (for example MiFID/EMIR trade and transaction reporting). You should assume we will do that.

Ad-hoc general information requests: Outside trade/transaction reporting, when regulators ask for ad hoc information from us, it is usually for a wide-ranging data set across whole trading books and sectors, covering multiple clients. Given the benign nature of these requests, it is not practicable to obtain consents or make disclosures to all affected clients beforehand.

Ad-hoc client-specific information requests: Where a regulator specifically asks for data on a single client, either:

  • if the request is benign, the regulator is likely to have made equivalent disclosure requests to the client at the same time (or copied the client on those requests to the broker), or
  • if the request is not benign — that is, the investigation is one where the regulator would not allow us to alert the client anyway — we would not be able to notify the client, and doing so could be a criminal offence.

Thus, even where the notification clause carves out cases where notification would be illegal, this leaves the empty set of circumstances where we would have to give info about a specific client and the client doesn’t already know about it, but was entitled to.

Lastly, a confidentiality agreement is designed to respect the client’s legitimate interest in protecting the commercial value of non-public information. It is not meant to be a tool to prevent regulatory disclosure. Generally, we will not be in a position to make demands as to how a regulator treats that information when we disclose it. Since passing information to a regulator should not generally prejudice the commercial value of that information, it is hard to see when a client would have a valid reason to seek injunctive relief to prevent disclosure of information to a competent regulator, and our experience is that no client has ever in fact attempted to do so.


The disclosing party will, of course, want to be able to conclusively get the confidential information back out of your sticky mitts at the end of the project. Hence the Return of information provision.

Return, or put beyond practical use?

In this modern era of distributed network computing, the usual entreaties to “return all copies of information” are faintly absurd: as if they’ve been kept in a manila folder in a filing cabinet somewhere, only inspected by chaperoned employees wearing white cotton gloves. Of course, everything will have been transmitted electronically, will exist in clouds, on blockchains and on servers all around the world, and the very action of attempting to “return” it will oblige it to be copied onto other servers etc. etc. Some of these copies will be stored for years under legally mandated document retention policies, but other entities will just be anal — or useless — about hoarding information.

So the real ask ought to be “to put beyond practical use” and have an exception for regulatory retention, and the practical realities of how information technology works: every internal email creates copies on all kinds of different servers and so on; non-magnetic erasures can in theory be undone. Theoretical eradication of a file is impossible; what matters is the practical removal of the information from persons in whose grubby fingers the poor discloser’s (cough) legitimate business interests can suffer.

Derived information

There’s also a conceptual issue with information the receiving party has derived from the confidential information.

Derived information, the fecund fruits of the receiver’s own creative juice and analytical energy, worked upon information given to the receiver by the discloser, is in no sense “proprietary” to the disclosing party,[5] and may indeed be as commercially sensitive[6] to the receiving party as the material the disclosing party gave, and on which it was based, in the first place: think of Paul’s middle eight about having a shave and catching the bus in A Day in the Life. We are in danger of getting into the jurisprudential wisdom of treating intellectual endeavour as if it were tangible property — but let’s not go there just now.[7]

Actually, no: let’s do go there. If the information in question is not, in the first place, mine — that is to say, it isn’t intellectual property in the first place — then the question arises why I should be able to stop you deriving your own intellectual property out of it. This boils down to whether it was just secret data, without any proprietary qualities, or whether it can be somehow regarded as proprietary, owned information — the articulation of which required some kind of creative impulse.

If it is only data, it does not have the quality of intellectual property at all, so the receiving party’s act in deriving some new type of creative work out of it is a novel thing, owes nothing to the discloser’s disclosure as such, builds upon no intellectual property of the discloser, and should not, therefore, be restricted at all. What loss could there be? The data still cannot be disclosed to anyone in a way that would betray the discloser’s confidence, but the derivation may well obliterate any confidentiality in the original document: say you give me a thousand characters of data (i.e. not intellectual property as such), on condition that I keep it confidential. And let’s say I rearrange the thousand characters into, for argument’s sake, a sonnet (which is prima facie susceptible of copyright protection — by me). Are there economic or legal justifications for obliging me to destroy that sonnet, or return it to you, under a confidentiality covenant? Humble report, sir, the answer is “no”.

On the other hand, if the information you have given me is copyrighted then the agreement you need is a licence, not an NDA. And, there, you can control, within limits, by the law of copyright, the licensee’s ability to derive new material from it.

In any case, you should not have to offer up derived information to the discloser. Query whether it should even have to be destroyed or put beyond practical use. I mean, can you imagine a world without a McCartney middle eight, just because Lennon had the hump?

Fussy elaborations

If your game is to engage in a protracted round of pointless horse-trading, you could try imposing some arbitrary formalities upon compliance with this clause: a 14 day period within which to comply, for example; an obligation for a director or officer of the recipient to certify that the clause has been complied with.

No representations or warranties

Another one for the “I never said it was” file: a clear disclaimer that when giving you this information, I never said it was accurate or good for anything, so you can’t sue me if you rely on it and lose money.

Term

So must your NDA have a term? Some insist on a hard stop, say two years, after which confidential information ceases to be confidential. This seems to us to be artificial. Others may mediate this by “execution of final transaction documents”.

It is not clear why going live on a transaction should suddenly set the negotiating parties free to spill private beans about each other that they learned in its formation. The theory is possibly that the final deal docs will themselves contain confi provisions which will be more sophisticated and can govern — but at least in the derivatives world, typically they don’t. Go figure.

Why have a term at all?

Good question.

Many negotiators declare themselves immutably bound to a term, usually by internal policy. They would sooner be broken upon a wheel than let this one go. This policy, they will intuit, dates from the days of the First Men, possibly was the result of a misunderstanding, but in any case has subsequently hardened, encrusted, calcified, petrified, and finally fossilised itself into a layer so deep in the firm’s organisational substrate that there is no known means of questioning it. The very act of questioning it invites some kind of opprobrium. If anyone ever did really understand what the issue was, they have long since moved on, or been moved on, and no-one remains who can recall, much less articulate, the original reason for this policy, or why it is still needed now.

Furthermore, in the ensuing thirty odd years, generations of employees have left that firm (some voluntarily, many not), taking this deep personal conviction with them, and have circulated the market, wherever they go inculcating a strong sense that some ineffable calamity would befall them, their firm, the market or, indeed, the entire industry should this sacred covenant ever be breached.

Thus the “mandatory confidentiality term” has now become part of the folklore of the financial services markets. You have to have a term, and it can’t be longer than two years at the most.

Now perhaps the JC is that long-prophesied seal of the forthcoming apocalypse (actually that might explain a few things, come to think of it) but, personally, he has never been able to understand what this “term” covenant could possibly achieve. Why, after a couple of years, should I suddenly be entitled to blare all your darkest secrets out from the minarets around town, without so much as a by-your-leave?

While the commercial value of much information does go stale over time (blueprints for a BetaMax, anyone?), this isn’t universally true — a client list is valuable however long you hold it — and the usual justification for the hard stop (“we just don’t have the systems to indefinitely hold information subject to confidence and don’t want indeterminate liability for breach”) is a canard — a palpably false one at that, for a regulated financial institution. Whatever information security systems you do have don’t suddenly stop working after three years. And as for indeterminate liability — well, no harm no foul: if the information really is stale then no loss follows from a breach, right? No loss, no damages.

In any case, it seems to the JC that a term creates more questions than it answers. When does it run from? The date of the NDA itself, or the date of disclosure of the information in question? If the former, and the point is to exclude stale information, why is the NDA date a relevant point? If the latter, who is monitoring what is disclosed when? What is meant to happen when the term expires? Why are we even having this conversation?

What a confi shouldn't have

The following often make their way into a confi agreement, though none really have any business being there.

References

  1. If you are a Harvey Weinstein type who expects, turpitudinously, to hush up people you have triggered, I’m afraid you have come to the wrong place. This is about the good kind of NDA.
  2. There’s no copyright in a price, you see.
  3. See also permitted disclosure and permitted disclosees.
  4. Absent a severe dereliction of the regulator’s duty, and in that case there’s not really much the broker can be expected to do about it, is there?
  5. If the disclosed information ever was proprietary in the first place, that is — if it doesn’t qualify as intellectual property it isn’t, of course.
  6. And more deserving of intellectual property protection: applying some analytics to raw trading data may convert it from un-ownable data to creatively juicy intellectual property, of course.
  7. Those who can’t resist the siren call, start with Lawrence Lessig’s fabulous Code: Version 2.0.