🎯 Negotiation Overview

Receiving party obligations are among the most negotiated provisions in any NDA. The disclosing party wants maximum protection; the receiving party wants achievable obligations that don't create undue liability. Your negotiation strategy should depend on which side of the table you're on.

Key Principle

The best obligations are specific enough to be meaningful but flexible enough to be achievable. Vague standards create disputes; impossible standards create liability traps.

Standard of Care Comparison

The "standard of care" defines how carefully you must protect confidential information. This is often the most important provision to negotiate.

Standard of care / What it means / Risk level for the receiving party

  • Highest degree of care: Utmost care, beyond what a prudent business would do. Not strict liability in name, but close to it in practice, because after any incident it is hard to show that nothing more could have been done. Risk level: Extreme.
  • Same care as own information: Must protect the information as well as you protect your own similar information; ties the standard to your actual practices, which you can document. Risk level: Moderate.
  • Reasonable care: What a prudent business would do in the circumstances; flexible, fact-dependent standard. Risk level: Lower.
  • Commercially reasonable efforts: What is customary in the industry; acknowledges practical limitations and cost. Risk level: Lower.

Watch Out For

"Same care as own information" clauses often include a floor: "but in no event less than reasonable care." This prevents you from arguing that you don't protect any information well. Always check for this language.

🛠 Negotiation Strategies

Strategy 1: Tie Obligations to Existing Practices

Instead of agreeing to implement new security measures, negotiate for language that ties your obligations to your existing security practices.

"The Receiving Party shall protect Confidential Information consistent with the Receiving Party's standard information security policies and practices, which the Receiving Party represents are commercially reasonable for organizations of similar size and industry."

Strategy 2: Add Materiality Thresholds

Without materiality language, even minor technical violations could constitute breach. Add language that limits liability to material breaches.

"A breach of this section shall be deemed material only if it results in actual unauthorized disclosure of Confidential Information to a third party not otherwise entitled to receive such information."

Strategy 3: Limit Responsibility for Third Parties

Carve out responsibility for sophisticated attacks, rogue employees who violate policy, and other circumstances beyond your control. Expect the disclosing party to argue after an incident that the attack was not sophisticated or that your measures were not reasonable, so the carve-out is only worth something if you can document the controls, training, and oversight you actually had in place at the time.

"The Receiving Party shall not be liable for unauthorized disclosures resulting from: (a) sophisticated cyber attacks that overcome reasonable security measures; (b) actions of employees or contractors who violate the Receiving Party's policies despite reasonable training and oversight; or (c) causes beyond the Receiving Party's reasonable control."

Strategy 4: Resist Specific Technical Requirements

Requirements for specific encryption algorithms, certifications, or technologies lock you into particular solutions that may not fit your infrastructure and may be superseded during the life of the agreement. The objection is to pinning a particular algorithm and key length into a contract, not to encryption itself.

Instead of: "Receiving Party shall encrypt all Confidential Information using AES-256 encryption." Negotiate for: "Receiving Party shall use industry-standard encryption appropriate for the sensitivity of the information."

The flexible wording cuts both ways: if a dispute arises, you will need to show what "industry-standard" meant at your organization, so keep a written encryption standard (approved algorithms, key lengths, where encryption is applied) that you can point to.

Strategy 5: Extend Notification Timelines

24-hour breach notification requirements are often impractical. You need time to investigate, assess scope, and consult counsel before notifying. Note what starts the clock: a clause that runs from "confirming" an unauthorized disclosure gives you room to investigate, whereas one that runs from "becoming aware" or "suspecting" does not. Also check that the contractual timeline is consistent with any regulatory notification duties you have (for example, the 72-hour deadline to the supervisory authority under GDPR Article 33 runs from awareness of a personal-data breach, regardless of what the NDA says).

"The Receiving Party shall notify the Disclosing Party promptly, and in no event later than seventy-two (72) hours, after confirming that an unauthorized disclosure of Confidential Information has occurred."

🚩 Red Flags to Reject

  • "Absolute" or "strict" liability language: Any language suggesting liability regardless of fault should be rejected or heavily negotiated.
  • Unlimited audit rights: Rights for the disclosing party to audit "at any time" or "without notice" are disruptive and may expose your own confidential practices.
  • Guaranteed security: Language that "guarantees" or "warrants" that no breach will occur creates impossible obligations.
  • Responsibility for all downstream recipients: Being responsible for breaches by every person who might access the information, including through no fault of yours, is unreasonable.
  • Specific certifications required: Requirements for ISO 27001 certification, a SOC 2 report (an auditor's attestation rather than a certification, but with the same recurring audit burden), or similar can cost hundreds of thousands of dollars to obtain and maintain. If you already hold one, offering to provide the current report on request is a cheap concession; committing to maintain it for the life of the agreement is not.
  • No exceptions for legal requirements: You may have legal obligations to retain or disclose information that conflict with NDA obligations.

Walk Away Point

If the other party insists on "highest degree of care" combined with strict liability, unlimited audit rights, and specific certification requirements, consider whether the business relationship is worth the legal exposure. These terms are appropriate only for the most sensitive information (classified government data, critical trade secrets) and should come with appropriate compensation.

💰 Limiting Liability

Even with well-negotiated obligations, breaches can happen. Your second line of defense is limiting the consequences of any breach.

  • Liability caps: Negotiate a cap on total liability for breach of confidentiality obligations, often tied to fees paid or a specific dollar amount.
  • Exclusion of consequential damages: Push to exclude indirect, consequential, and punitive damages, limiting recovery to direct damages only.
  • Mutual obligations: In a mutual NDA, ensure that both parties have the same obligations and limitations - what applies to you should apply to them.
  • Insurance requirements: If required to maintain cyber liability insurance, negotiate for reasonable coverage limits that align with your existing policies.
  • Indemnification limits: If there's an indemnification clause, ensure it's subject to the same liability caps and damage exclusions.

Pro Tip

Connect receiving party obligations to the limitation of liability clause. Language like "Except for breaches of confidentiality obligations" in a limitation of liability clause can negate your caps entirely. Make sure confidentiality breaches are subject to your negotiated limits.

📝 What's Reasonable by Industry

Different industries have different norms for confidentiality obligations. Understanding these norms helps you identify unreasonable demands.

Industry / Typical standard / Common requirements

  • Technology/SaaS: Reasonable care; same as own information. Standard encryption, access controls; SOC 2 sometimes requested for enterprise deals.
  • Financial Services: Higher standards common; often regulatory-driven. Specific compliance requirements (GLBA, SOX); audit rights more common.
  • Healthcare: HIPAA-level protections for PHI. BAA requirements, specific security safeguards, breach notification timelines.
  • Government/Defense: Highest standards; often regulatory requirements. Security clearances, specific storage requirements, NIST frameworks.
  • General Commercial: Reasonable care is standard. Basic access controls, confidentiality agreements with employees.

Checklist for Receiving Party

  • Standard of care is "reasonable care" or "same as own information" (not "highest degree")
  • Security measures tied to existing practices, not specific technologies
  • No mandatory certification requirements (SOC 2, ISO 27001)
  • Breach notification timeline is 72 hours or "prompt" (not 24 hours)
  • Responsibility limited to authorized Representatives, not all downstream recipients
  • Carve-outs for sophisticated attacks and causes beyond reasonable control
  • Audit rights limited or eliminated (if required: reasonable notice, annual frequency)
  • Liability cap applies to confidentiality breaches
  • Consequential damages excluded
  • Obligations are mutual (if mutual NDA)