Who can I share it with? - OneNDA Provision
The “permitted disclosures” provision.
OneNDA commentary
“Legally required”
Some disquiet from institutional legal eagles that “legally required” is a little narrow:
The Receiver may share the Confidential Information if required by law or regulation but must promptly notify the Discloser of the requirement if allowed by law or regulation.
There are many occasions where regulators ask — firmly — but don’t require disclosure of information as such: for example, for a review in the context of a competition review of a proposed merger of exchanges.
If we take it as a given that the regulators are there as a force for good — even if their well-meant interventions don’t always work out that way — there should never be a case where a counterparty has anything material to lose by having its data disclosed, confidentially, to regulators. Besides, even if the disclosure is only “requested” it is the sort of thing we should expect parties in a commercial relationship to be adult about: where the material is genuinely touchy and it can be disclosed, a broker with an interest in protecting its commercial relationship would consult its customer in any case — as indeed the clause goes on to contemplate. As to that:
“Promptly notify”: The JC’s general preference is to tone down the need to notify, or god forbid, seek permission when making a regulatory disclosure (see below for obligatory essay) but there is a balance, and we think OneNDA strikes this balance fairly well. Also, if you notify the disclosure, then the question about whether you were strictly speaking entitled to disclose becomes a bit moot.
Disclosure only “for the purpose”
A doyen of drafting writes:
So you’re allowed to disclose only if you’re somehow able to see into the future and know that the further recipient will only use it for the permitted purpose? That makes no sense.
Now a common conceptual problem with confidentiality arrangements — if not necessarily a practical one — grows out of our fixation with doing things vicariously. Since modern management orthodoxy obliges one to find someone as cheap and stupid as possible to carry out each molecule of a process, it is scarcely thinkable that a receiver will carry out all modes of the purpose by itself.[1] It will share the information with all manner of agents just to accomplish the purpose.
But once your agent has it, it is out of your hands and beyond privity of the contract. All other things being equal the discloser cannot sue your agent for malfeasance; but it can sue you.
To be sure, over time legal eagles have developed various ruses intended to control information in the hand of unbound third parties: covenants on the receiver to impose equivalent confidentiality arrangements on its agents; requirements that the agents are joined to the contract, or otherwise pegged directly with contractual liability to the discloser. Most of these, if they work at all, are more trouble than they are worth; none really respect the contractual chain.
OneNDA solves this conundrum, by making the receiver responsible, personally, for its agents’ malfeasance. If the agent respects the purposes, so good. If it does not, your disclosure is a breach of your contract. In using an agent, the receiver casts its fortune into the lap of the Gods.
It is the receiver’s problem, in other words, to make sure its agents are not clowns.
We are surprised that so magisterial an authority on contract phrasing should struggle with this idea. That is what contracts are for: to allocate the risk of future events, however hard they may be to see at the time of signing. In saying “you may pass the information to your agents, but only for the purpose” OneNDA makes it clear that if your agent uses the information for another purpose, that is on you.
If you don’t like that kind of indeterminacy, then be careful who you choose as agents.
General
Information disclosed to a regulator is still confidential information
Don’t make the schoolboy error of excluding “information required to be disclosed to regulators or government authorities” from the definition of “confidential information”. Now, to be sure, this is a legitimate exception to a fellow’s general covenant not to disclose confidential information to anyone[2] — but it shouldn’t disqualify the information from being “confidential information” altogether. If it did, once you were required to give any information to a regulator, it would suddenly be open season and you could tell everyone about it. Not the intention.
One misconceived argument we have seen for this approach is as follows: “if I give information to a regulator then I cannot control what the regulator does with it. Regulators are all-powerful. They may publish sensitive information in the Luxembourger Wort for all I can do about it. Therefore your information, once I have rightly given it to a regulator, can no longer be treated as confidential.”
Not so fast: If you disclose my information legitimately to a regulator, and the regulator then discloses it to the world (whether or not legitimately) you have complied with the terms of your contract. Unless you have independently covenanted to procure that the regulator keeps it confidential (don’t do that: regulators are all-powerful, and you make yourself a hostage to fortune), you have not breached your NDA, and you cannot therefore be liable for resulting losses. They are regrettable externalities: obstreperous actions of impish third parties. On the other hand, if you disclose my information legitimately to a regulator, and then you separately disclose it to someone else, then you absolutely can and should remain liable for losses. If by disclosure to a regulator the information is deemed "no longer confidential" you would be free to disclose it to someone else without that sanction.
Obligation to notify provider of regulator requests
This is a common and oft accepted provision: where you are obliged to disclose to a regulator, you must first notify the provider of the information, to allow them to make representations, or try to get an injunction, to prevent disclosure. However excitable your counterparty is on this point — and junior lawyers at real money firms can be quite excitable — resist this. It is potty. When you step through it, it is hard to see any real-world cases where your counterparty could or would actually try to stop disclosure to a regulator, and plenty of benign circumstances where disclosure is a matter of course. To wit:
Trade/transaction reporting: Brokers will be obliged to disclose a lot of trade-specific client information to regulators and exchanges every day on account of MiFID/EMIR trade and trade reporting. We are not going to repeatedly tell the client that.
Ad-hoc general information requests: Outside trade/transaction reporting, when regulators ask for ad hoc information from a broker, it is usually for a wide-ranging data set across whole trading books and sectors, covering multiple clients. It is unrealistic to expect Brokers to monitor which clients within that population have confis, much less a right to be specifically notified beforehand. Nor will they want to go to the trouble of getting all those consents. Why? BECAUSE LIFE IS TOO SHORT.
Ad-hoc client-specific information requests: Where a regulator specifically asks for data on a single client, it is likely the regulator will also have made equivalent disclosure requests to the client at the same time (or copied the client on those requests to the broker) — if the request is benign — and if it has not, the investigation is likely to be one where the regulator would not allow the broker to alert the client anyway, and indeed where such notification could be a criminal offence (market abuse, etc). Even where the notification clause carves out where “notification being illegal” this leaves the empty set of circumstances where the broker would have to give info about a specific client and the client doesn’t, but was entitled to know about it.
Commercial sensitivity: Lastly, the legitimate point of a confi is to respect the client’s legitimate interest in protecting the commercial value of non-public information. It is not to keep silent about behavioural turpitude; indeed a broker’s regulatory obligations may oblige it to report, without invitation, bad acts it observes, whether the client likes it or not and whether there is a confidentiality agreement or not. Generally, client information a broker holds is not legally or professionally privileged. Since, by definition, passing information to a regulator should not[3] prejudice the commercial value of that information, it is hard to see when a client would have a valid reason to seek injunctive relief to prevent disclosure of information to a competent regulator.
And that is borne out by the JC’s tawdry personal experience (anecdotal though it may be, it does span 22 years and three different investment banks): the JC has never ever, ever seen anyone even try to get an injunction to stop disclosure of confidential information to a regulator.
Cut-out-and-keep response
Try sending your counterpart something like this (put “dear —”, and “kind regards” around it, of course):
Disclosure to regulators
There are three main reasons a regulator might require confidential information from us relating to a client:
- Trade/transaction reporting: Brokers will be obliged to disclose a lot of trade-specific client information to regulators and exchanges every day on account of Dodd Frank and other regulatory reporting regimes (for example MiFID/EMIR trade and trade reporting). You should assume we will do that.
- Ad-hoc general information requests: Outside trade/transaction reporting, when regulators ask for ad hoc information from us, it is usually for a wide-ranging data set across whole trading books and sectors, covering multiple clients. Given the benign nature of these requests, it is not practicable to obtain consents or make disclosures to all affected clients beforehand.
- Ad-hoc client-specific information requests: Where a regulator specifically asks for data on a single client, either:
Thus, even where the notification clause carves out where “notification being illegal” this leaves the empty set of circumstances where we would have to give info about a specific client and the client doesn’t, but was entitled to know about it. Lastly, a confidentiality agreement is designed to respect the client’s legitimate interest in protecting the commercial value of non-public information. It is not meant to be a tool to prevent regulatory disclosure. Generally, we will not be in a position to make demands as to how a regulator treats that information when we disclose it. Since passing information to a regulator should not generally prejudice the commercial value of that information, it is hard to see when a client would have a valid reason to seek injunctive relief to prevent disclosure of information to a competent regulator, and our experience is that no client has ever in fact attempted to do so.
Court proceedings
Is it any different for court proceedings? Now, my friends, we are deep in anally retentive territory here.[4] If you should find yourself even broaching the question of what one must do when compelled by sub poena or court-mandated discovery to submit another fellow’s confidential information into the hands of your combatants in connection with an unrelated civil proceeding, then the game is up, this is a ditch you might, if you insist on it, die in, and for the betterment of all you should really just surrender and move on, but for what it is worth, it is arguably different from compulsory disclosure to a regulator:
On one hand:
- A (third party) litigant may be the disclosing party’s competitor, and its intentions may not be as pure as driven snow — a disposition which one can (or has little choice but to) take as read for a regulator;
- The discovery request may thus be an abusive use of a court process to fish out some commercial material. So one should be on one’s guard and ready to defend it, to the advantage of the disclosing party;
On the other hand:
- It is a compulsory legal process and, at the limit, you can’t stop it;
- A civil litigation between you and some other dude, even if it somehow involves the disclosing party’s confidential information, is generally sensitive and may not be the sort of thing you want the disclosing party to know about: there is a “clash of the confidentialities” here;
- As a litigant you will be generally incentivised to resist wider disclosure than is absolutely necessary and so shouldn’t need to have to promise this to the disclosing party. But it is not inconceivable that this confidential agreement is exactly the ammunition you need to shut down the litigation, so your interests may favour disclosure, while the “discloser’s” may not. You don’t want your confidentiality agreement to crimp your ability to show your best you to the court process.
When all is said and done, these are all extraordinarily remote and implausible hypotheticals. They neatly illustrate the fatuity of obsessing over the minutiae of an imponderable future, and it pains me to even talk about them. However, it is in just such a fatuous neck of the woods that the legal eagle likes to build its nest so — unless you want to die in a ditch in that fatuous neck of the woods (some do; there is no accounting for taste) — you might just take a view and nod along.
References
- [1] Indeed, if you take the corporate veil literally, even the directors and officers of a corporation represent an agency problem.
- [2] See also permitted disclosure and permitted disclosees.
- [3] Absent a severe dereliction of the regulator’s duty, and in that case there’s not really much the broker can be expected to do about it, is there?
- [4] This may seem a rather unsavoury metaphor, but it seems apposite.