Obligation Clause

Standard of Care

Defines the level of protection and security measures required when handling confidential information.

Medium Risk

📚 Plain English Explanation

A standard of care clause specifies how carefully the receiving party must protect confidential information. It establishes a benchmark against which the receiver's actions will be judged if a breach occurs.

The most common standards are:

  • Same care as own confidential information: You must protect their secrets as well as you protect your own, but no less than "reasonable care."
  • Reasonable care: What a prudent business would do under similar circumstances - a flexible, fact-dependent standard.
  • Highest degree of care: The most stringent standard, typically reserved for highly sensitive information like trade secrets or national security matters.
  • Specific security measures: Some agreements require particular protections like encryption, access controls, or security certifications.

This clause is critical for determining liability. If a breach occurs, the question becomes: did the receiving party meet the required standard? Higher standards make liability easier to establish; lower standards give receivers more protection.

Why This Clause Matters

  • Liability Threshold: The standard directly affects when the receiving party is liable for a breach. Higher standards mean greater risk of being found in breach.
  • Practical Security: Specific requirements (encryption, training, access logs) can significantly increase operational costs and complexity.
  • Audit Rights: Some clauses include rights to verify compliance, which can be intrusive and disruptive.
  • Insurance Implications: Your cyber liability or professional liability insurance may have specific requirements that need to align with your NDA obligations.
  • Downstream Obligations: If you share with subcontractors or employees, you need to ensure they also meet the required standard.

🎯 Risk Factors

  • Absolute vs. Relative Standards: "Highest degree of care" is nearly absolute and very risky. "Same as own information" ties the standard to your actual practices.
  • Minimum Floor: Even "same as own" usually has a floor of "reasonable care" - you can't argue that you don't protect any information well.
  • Specific Technical Requirements: Requirements for specific encryption levels, certifications (SOC 2, ISO 27001), or technologies may be expensive to meet.
  • Personnel Training: Requirements to train all employees who access information add administrative burden.
  • Incident Response: Some standards require specific breach notification procedures and timelines that may conflict with counsel's advice during an actual breach.

📄 Clause Versions

Standard of Care (balanced version)

The Receiving Party shall protect Confidential Information using the same degree of care it uses to protect its own confidential information of similar nature and importance, but in no event less than reasonable care. Without limiting the generality of the foregoing, the Receiving Party shall:
  (a) Limit access to Confidential Information to those employees, contractors, and agents who have a legitimate need to know for the Purpose and who are bound by confidentiality obligations no less protective than those contained herein;
  (b) Implement and maintain reasonable administrative, technical, and physical safeguards to protect against unauthorized access, use, or disclosure of Confidential Information;
  (c) Promptly notify the Disclosing Party upon discovery of any unauthorized access to or disclosure of Confidential Information; and
  (d) Cooperate with the Disclosing Party in investigating and mitigating any such unauthorized access or disclosure.
Each party acknowledges that different types of Confidential Information may warrant different levels of protection based on the sensitivity and value of such information, and the Receiving Party shall apply appropriate safeguards accordingly.

Note: This balanced version uses the common "same care" standard with a reasonable care floor, requires practical safeguards without over-specifying technology, and includes breach notification without overly burdensome requirements.

Standard of Care (receiving-party-favorable version)

The Receiving Party shall use reasonable care to protect Confidential Information from unauthorized disclosure, consistent with the Receiving Party's standard information security practices. The Receiving Party represents that it maintains reasonable security measures appropriate for a company of its size and industry, and agrees to apply such measures to the protection of Confidential Information received hereunder. The Receiving Party shall limit access to Confidential Information to personnel who have a need to know such information for the Purpose. The Receiving Party shall not be required to:
  (a) Implement security measures beyond those it uses for its own confidential information;
  (b) Conduct background checks or security clearances for personnel;
  (c) Maintain specific certifications, audits, or compliance frameworks;
  (d) Provide access logs, security audit results, or similar documentation; or
  (e) Segregate Confidential Information from its other business information.
In the event of any security incident that the Receiving Party reasonably believes has resulted in unauthorized access to Confidential Information, the Receiving Party shall notify the Disclosing Party within a commercially reasonable time. The Receiving Party shall not be liable for any disclosure that results from causes beyond its reasonable control, including cyber attacks, despite the implementation of reasonable security measures.

Why this favors you: Simple "reasonable care" standard, extensive carve-outs for specific requirements, no audit or verification rights, flexible breach notification timing, and a force majeure-style exclusion for sophisticated attacks.

Stringent Protection Requirements

The Receiving Party shall protect Confidential Information with the highest degree of care and shall implement the following mandatory security measures:

Technical Requirements:
  (a) Encrypt all Confidential Information at rest using AES-256 or equivalent encryption;
  (b) Encrypt all transmissions of Confidential Information using TLS 1.3 or higher;
  (c) Store Confidential Information only on systems protected by multi-factor authentication;
  (d) Maintain comprehensive access logs for all systems containing Confidential Information;
  (e) Implement intrusion detection and prevention systems;
  (f) Conduct annual penetration testing by qualified third parties.

Administrative Requirements:
  (g) Maintain SOC 2 Type II or ISO 27001 certification;
  (h) Conduct background checks on all personnel with access to Confidential Information;
  (i) Provide annual security awareness training to all such personnel;
  (j) Designate a security officer responsible for protecting Confidential Information;
  (k) Maintain a written information security policy and incident response plan.

Audit and Verification: The Receiving Party shall, upon reasonable notice, permit the Disclosing Party or its designated auditor to inspect and audit the Receiving Party's security measures and compliance with this clause. Such audits may occur annually and upon any suspected breach.

Breach Notification: The Receiving Party shall notify the Disclosing Party within twenty-four (24) hours of discovering any actual or suspected security incident involving Confidential Information, and shall provide daily updates until the incident is resolved.

Warning - Highly burdensome: "Highest degree of care" standard, specific technical requirements that may require significant investment, mandatory certifications, extensive audit rights, 24-hour breach notification, and daily updates during incidents. May be impractical and expensive to implement.