💬 Frequently Asked Questions

The standard of care defines how carefully you must protect confidential information. It is the yardstick courts use to determine if you breached the NDA.

Common standards (from least to most demanding):

  • Reasonable care: What a reasonable person or business would do under the circumstances
  • Same care as own information: Treat it like you treat your own confidential data
  • Same care, but not less than reasonable: The balanced standard, which protects against parties whose own internal practices are lax
  • Best efforts / highest degree of care: Effectively near-strict liability

Why it matters:

  • Determines what you must actually DO to comply
  • Affects whether you are liable if a breach occurs despite your efforts
  • Sets expectations for security investments
  • Influences litigation outcomes

Reasonable care is context-dependent. It considers what a prudent company of similar size and industry would do to protect similar information.

Factors that influence what is "reasonable":

  • Sensitivity of information: Source code requires more than marketing materials
  • Industry standards: Healthcare data requires HIPAA-level controls
  • Company size: A startup is not expected to have enterprise-level security
  • Known threats: Higher care after experiencing security incidents
  • Cost of protection: Measures should be proportionate to value at risk

Reasonable care typically includes:

  • Limiting access to need-to-know personnel
  • Password protection on files and systems
  • Encryption for sensitive data in transit
  • Employee confidentiality agreements
  • Secure disposal of confidential materials
  • Basic physical security (locked offices, secured laptops)

Practical Benchmark
Ask yourself: "How do we protect OUR most valuable confidential information?" That is generally the standard you should apply to information you receive under an NDA.

Specific security requirements provide clarity but create trade-offs:

Advantages of specific requirements:

  • Clear compliance standards
  • Easier to prove breach if standards are not met
  • Ensures minimum baseline protection
  • Aligns with your own security policies

Disadvantages:

  • Technology changes faster than contracts, so fixed requirements become outdated
  • May not fit receiving party's infrastructure
  • Creates compliance burden that may be resisted
  • Specific standards may limit flexibility in HOW to achieve security

Balanced approach:

  • Require compliance with industry standards (e.g., "SOC 2 Type II" or "ISO 27001")
  • Specify outcomes, not specific technologies
  • Include "or equivalent protection" language
  • Require encryption "using then-current industry standards"

Technology Trap
An NDA requiring "256-bit AES encryption" will still say that in 20 years when better standards exist. Consider: "encryption meeting or exceeding then-current industry standards for data of similar sensitivity."

Almost certainly yes. Most NDAs make you responsible for your employees' actions.

Standard language creates liability when:

  • Employee discloses confidential information without authorization
  • Employee uses information for unauthorized purposes
  • Employee fails to follow required security measures

Your defenses may be limited:

  • "I told them not to" is typically not a defense
  • Terminating the employee does not eliminate your liability
  • Employee's personal liability does not reduce yours

How to protect yourself:

  • Robust employee confidentiality agreements
  • Regular training on confidentiality obligations
  • Technical access controls
  • Clear policies on handling third-party confidential information
  • Exit procedures when employees leave

Common Scenario
A sales employee leaves for a competitor, taking customer lists they received under NDA. You are liable even though the employee violated your policies. This is why exit procedures and technical controls matter.

You can include audit rights, but receiving parties often resist them. Here is how to approach this:

Types of audit provisions:

  • Self-certification: Receiving party certifies compliance annually (least intrusive)
  • Third-party audit: Independent auditor reviews compliance
  • Direct audit: You or your representatives conduct the audit
  • For-cause audit: Only triggered by suspected breach

What receiving parties will resist:

  • Unlimited audit frequency
  • Access to their own confidential systems
  • Bearing the cost of audits
  • Short notice requirements
  • Audits by competitors

Negotiated compromises:

  • Annual audits maximum, with reasonable notice (30 days)
  • Use of mutually agreed third-party auditor
  • Disclosing party pays unless material breach is found
  • Audit scope limited to systems handling your information
  • Auditor bound by confidentiality regarding receiving party's information

This is where the standard of care becomes critical. If you met the required standard, you may have a defense:

Under "reasonable care" or "same care as own":

  • You are not an insurer of the information
  • If you took appropriate measures and were still breached, you may not be liable
  • Sophisticated attacks against reasonable defenses may not constitute breach

Under "highest degree of care" or "best efforts":

  • Near-strict liability applies
  • Any breach, regardless of fault, may create liability
  • Very difficult to defend against claims

Critical actions after a breach:

  1. Notify the disclosing party immediately (per NDA requirements)
  2. Document your pre-breach security measures
  3. Preserve evidence of how the breach occurred
  4. Engage incident response and forensics experts
  5. Cooperate with the disclosing party's investigation
  6. Mitigate further damage

Documentation Is Key
If you are ever sued, you will need to prove what security measures you had in place. Maintain records of security policies, training, access controls, and security assessments.

"Need to know" limits information access to people who genuinely require it to fulfill the NDA's purpose.

How to determine "need to know":

  • Is this person actively working on the project that requires the information?
  • Can they perform their role without this specific information?
  • Is access necessary, or merely convenient or interesting?

Who typically has need to know:

  • Project team members directly working with the information
  • Their immediate managers for oversight
  • Legal counsel advising on the matter
  • Technical specialists required for evaluation

Who typically does NOT have need to know:

  • General management not involved in the project
  • Other project teams working on unrelated matters
  • Marketing or PR (unless specifically relevant)
  • Curious colleagues who are "just interested"

Common Mistake
Sharing confidential information in company-wide meetings or internal newsletters because it is "exciting news" often violates need-to-know requirements. Keep distribution narrow.

Named personnel lists provide control but create administrative burden. Consider whether the trade-off makes sense:

Advantages of named lists:

  • You know exactly who has access
  • Can screen for conflicts (competitors' former employees)
  • Creates clear accountability
  • Useful for particularly sensitive information

Disadvantages:

  • Administrative burden to maintain and update
  • Delays when new team members need access
  • May not reflect actual access patterns
  • Often ignored in practice, undermining the NDA

When to require named lists:

  • Source code or core technology disclosures
  • M&A due diligence (data room access lists)
  • Competitive situations with conflict risk
  • Regulatory requirements (defense/government contracts)

Alternative approaches:

  • Require the receiving party to maintain access logs, with a right for you to request them
  • Require notice if access expands beyond initial team
  • Limit by role/department rather than named individuals

Most NDAs require prompt notification of breaches or suspected breaches. Key considerations:

What typically triggers notification:

  • Confirmed unauthorized disclosure
  • Suspected or potential breach (even if unconfirmed)
  • Loss of devices containing confidential information
  • Cybersecurity incidents affecting relevant systems
  • Discovery that someone without "need to know" accessed information

Timing requirements:

  • "Immediately": Within hours of discovery
  • "Promptly": As soon as reasonably practicable, typically 24-72 hours
  • Specific timeframe (e.g., 24 hours): Clock starts when you become aware

What to include in notice:

  • Nature of the breach or suspected breach
  • Information potentially affected
  • Steps taken to contain the situation
  • Planned remediation measures
  • Contact person for follow-up

Over-Notify Rather Than Under-Notify
If you are unsure whether something constitutes a breach, err on the side of notifying. Failure to notify can be treated as a separate breach even if the underlying incident turns out to be minor.

Your NDA can specify post-breach obligations, though some are implied even without explicit language:

Common remediation requirements:

  • Cooperation: Assist in investigating the breach
  • Containment: Take steps to prevent further disclosure
  • Recovery: Attempt to retrieve disclosed information
  • Documentation: Provide written report of what happened
  • Cost-bearing: Pay for breach response costs

Enhanced remediation (requires explicit language):

  • Third-party forensic investigation at receiving party's expense
  • Credit monitoring for affected individuals (if personal data)
  • Notification to affected third parties
  • Specific technical remediation measures
  • Security improvements to prevent recurrence

Practical limits:

  • Cannot require impossible tasks (e.g., fully retrieving information once it has been disclosed)
  • Disproportionate costs may be challenged
  • Cannot require receiving party to admit liability

This depends on your NDA's purpose limitation and use restrictions. Generally:

Typically NOT permitted:

  • Training materials that reproduce confidential information
  • Case studies using specific confidential details
  • Benchmarking against confidential competitive data
  • Research using the other party's proprietary methods

Gray areas:

  • General skills and knowledge retained by employees
  • High-level concepts without specific details
  • Industry practices observed (not specific implementations)

The Residuals Clause issue:

Some NDAs include a "residuals clause" that permits use of information retained in unaided memory. If your NDA has this, general knowledge applications may be permitted. If it does not, be very careful about any use beyond the stated purpose.

These are two separate obligations that often appear together:

Confidentiality (Non-Disclosure):

  • Promise NOT to reveal information to unauthorized parties
  • Focuses on keeping information secret
  • Violated by sharing, publishing, or disclosing

Non-Use:

  • Promise NOT to use information except for the permitted purpose
  • Focuses on how you employ the information
  • Violated by using information for competitive advantage, product development, etc.

Why both matter:

You could violate non-use without violating confidentiality. For example, you keep a competitor's trade secret completely secret but use it to improve your own product. You never disclosed it, but you used it improperly.

The Distinction in Practice
A company receives a competitor's customer list under NDA for a potential acquisition. They never share the list externally (no confidentiality breach), but they use it to target those customers (non-use breach). Both obligations were in play; only one was violated.

Electronic security should be addressed both in NDA drafting and practical implementation:

NDA provisions to consider:

  • Encryption requirements for data at rest and in transit
  • Secure transmission methods (no unencrypted email)
  • Access control and authentication requirements
  • Logging and monitoring obligations
  • Secure deletion requirements

Practical measures for sharing:

  • Virtual data rooms: For large document sets, especially in M&A
  • Encrypted file sharing: Services with access controls and audit logs
  • Password-protected files: Share the password through a separate channel from the file itself
  • Watermarking: Track document sources if leaked
  • View-only access: Prevent downloading where possible

What to avoid:

  • Unencrypted email attachments
  • Consumer-grade file sharing (personal Dropbox, Google Drive)
  • USB drives that can be lost
  • Printing without tracking

This is a negotiation issue that should be addressed before signing:

Common conflicts:

  • NDA requires encryption you do not support
  • Audit requirements conflict with your policies
  • Specific retention periods differ from your standards
  • Required certifications you do not have

How to address:

  1. Identify conflicts early: Review NDA against your actual capabilities
  2. Negotiate modifications: Propose equivalent alternatives
  3. Document exceptions: If disclosing party agrees to lesser measures, get it in writing
  4. Implement required changes: If you commit to specific measures, actually implement them

What NOT to do:

  • Sign with requirements you cannot meet
  • Assume flexibility that is not in the agreement
  • Rely on "they'll never check"

Real Consequence
If you sign an NDA requiring SOC 2 certification and you do not have it, you are in breach from day one. If information is later compromised, your misrepresentation strengthens the other party's claims.

Employee departures are high-risk moments for confidentiality breaches. Both parties should be prepared:

Receiving party obligations:

  • Remind departing employee of ongoing confidentiality obligations
  • Revoke access to systems containing confidential information
  • Retrieve company devices and materials
  • Conduct exit interview addressing confidential information
  • Consider enhanced monitoring of systems during transition

What to document:

  • Employee's acknowledgment of continuing obligations
  • Return of all materials
  • Deletion of confidential information from personal devices
  • List of confidential projects/information the employee accessed

Disclosing party protections:

  • Right to notification when key personnel with access leave
  • Requirement for exit certifications
  • Right to remind departing employee of obligations directly

Special concern: If the employee is going to a competitor, take extra precautions and document thoroughly.