Template:Nda confidentiality obligation summ
General terms of confidentiality obligations
Having defined what counts as confidential information, the question arises: what can you do with it, and what is not allowed?
In order of stating the bleeding obvious:
Keep the confidential information confidential
Don’t disclose it except to the defined group of people set out in the agreement — and you may be required to ensure that these people only receive the information subject to an equivalent duty of confidentiality:
Inside the organisation: In a large organisation you may be restricted to a small group of people, and they may be behind information barriers (for example, credit, legal or the on-boarding team). There may be specific restrictions on passing the information to trading desks and front office personnel who could use it to profit (this may be illegal: it could be insider trading or market abuse), to rip off a good idea, to end-run around the client and do the same deal with someone else, or nefariously to curry favour with other clients.
Outside the organisation: you may be allowed to share it with professional advisers, regulators and quasi-regulatory authorities (stock exchanges etc.) where required by law (or you reasonably consider it expedient). There may be some tiresome details about only giving what is reasonably necessary, and helping to prevent, challenge or minimise disclosures to regulators. Be aware of the schoolboy error of reclassifying information that must be disclosed to regulators as “no longer confidential”. This is wrong: it is still, in your hands, confidential. Obviously you cannot be blamed for miscreants in the public regulatory system who then misuse it, but you must still keep to your own word.
Only use it to carry out the “purpose” or “project”
This is somewhat hard to enforce — it’s nebulous, right? — and in practice, you’ll never know what goes on behind closed doors, but in the English law-speaking world this is pretty uncontroversial precisely because it isn’t practically actionable. But our North American cousins — and those on the private side of the investment banking wall — can get very worked up over it.
Not make unnecessary copies
Not the sort of thing to argue about, but not necessary either: you can xerox the information a thousand times if that floats your boat, and that won’t cause me any more damage than had you only xeroxed it once — unless you then give it to someone you shouldn’t. It is not the act of copying it that causes the loss, but your subsequent carelessness with the copies. But, still, would you strike that out of a draft? No.
Standard of care
You may see squirrelly types try to impose some “best efforts” conditionality on the receiver’s obligation to keep the confidential information safe. Have no truck with this.
The confidentiality obligation in an NDA is not some sort of “well, Fluffy tries his best” exercise in special pleading: it is a plain, clear and absolute responsibility.
The very point of an NDA is the outright allocation of liability from discloser to receiver: it is to say, “in return for you kindly handing over your commercially sensitive information to me, I agree that if that information is misused, and you suffer loss — however it should come about, and regardless of the ill fate that befalls me — I am liable to you for your suffering.”
At the point of disclosure it is the receiver who controls the information, and therefore has the power to ensure it is safe and sound. If it fails in that covenant, however valiantly it tried not to, the discloser — who at this point has no control over its information, and is at the mercy of the cruel vicissitudes of your fortune as well as its own — still suffers a loss.