Category Archives: confidentiality

Updating Contract Language for the 21st Century

Holly Towle wrote an excellent article on the boilerplate contract language issues that might now exist in your contract language.  Read the article… consider the issues… review your templates.  Make some changes.  Of course, you can always just call me and I’d be happy to review your contracts for you.  😉

This Week on The Web 2009-10-04

These are the discussions that happened around the web this week – maybe you already read about them, maybe you need to again.  Come join the party on twitter (follow me here and you’ll participate in the conversation live.)

I also realized that many of you might have no idea what you’re seeing below.  Sorry.  These are “tweets”, messages of at most 140 characters sent via Twitter.  Within the Twitterverse, individual users follow others and have followers (think of it like overlapping Venn diagram circles).  To read a tweet, you have to wade through a bit of jargon used to make the most of the 140-character limitation.  “RT”, for example, is shorthand for “Re-tweet” and the @____ is the username of some other individual on Twitter.  Combined, then, “RT @_____” means that someone else wrote a tweet that I found important and now want to forward along to my followers.  The URLs are also shortened by services like bit.ly to make the most of the character limitation.  Lastly, you might see “hash” identifiers “#______”, which are ways to tag tweets of a particular flavor for easy searching later, and “<”, which means that I am commenting on what came before it.

This Week on The Web 2009-09-06

The things that happened around the web this week – maybe you already read about them, maybe you need to again.

This Week on The Web 2009-08-16

The things that happened around the web this week – maybe you already read about them, maybe you need to again:

Confidentiality Exclusions versus Disclosures

When dealing with confidential information, one of the key areas of concern is where information that would otherwise be considered confidential loses its protection.  In most contracts, there are four situations where confidential information ceases to be confidential information and can be released.  Information that:

  • was in the public domain prior to, at the time of, or subsequent to disclosure;
  • was in the lawful possession of recipient prior to disclosure and was not already covered by a confidentiality provision;
  • is subsequently acquired by recipient through lawful means from a third party who is not under an obligation of confidentiality; or,
  • is subsequently developed by recipient without use of or reference to the confidential information.

For these four items, information that was confidential now is not.

There’s a fifth reason which would allow for disclosure, but I argue, shouldn’t change the nature of the information from confidential to non-confidential: disclosure pursuant to court order or legal process.

In this fifth scenario, we’re talking about a situation where a court of competent jurisdiction orders the release of information, usually to the court, as part of a judicial (or extra-judicial, like arbitration) process.  The information is going to be disclosed because of its probative value – the mere fact that it’s confidential doesn’t mean that the court shouldn’t consider it as part of whatever is the subject of the litigation.

But that doesn’t mean that I want that information to change status to non-confidential information.  Rather, what I want is to keep that information confidential even AFTER the judicial review.  This is possible through the use of protective orders and other legal procedures.  But if your contracts say that a judicial process will change the information’s status to non-confidential, a single well-strategized lawsuit can unintentionally release a lot of otherwise-confidential information into the public domain.

The best way to handle this is to make sure that your confidentiality provisions clearly segment release of confidential information pursuant to a court order from the other four reasons by which confidential information becomes non-confidential.  Additionally, include language that requires the disclosing party (the one responding to the court order) to:

  1. Notify the owner of the confidential information that such court order is being pursued/followed/responded to.
  2. Reasonably assist the owner of the confidential information in obtaining any available legal protections.
  3. Only disclose the specific confidential information requested by the court order (not just hand over everything).

Clear to Sell User Data

When Clear announced their intent to terminate operations, the big question was: “What’s going to happen to each user’s private data (things like, um, fingerprints and background checks)?”

Now we know.  They intend to SELL IT!  This is why I harp on making sure that you have the proper provisions in your contract(s) for confidentiality, indemnification, information security and limitation of liability.

To Clear’s credit, they are saying that they’re going to continue to comply with their pre-existing privacy policy – and that the data can only be sold to another TSA-approved traveler program.  But what if that program is run by an organization you wouldn’t want to have your personal details?*

Interestingly enough, however, this violates the terms of that agreement (as it existed when I pulled it from flyclear.com on June 29, 2009) – boldings are mine:

3. ADDITIONAL LIMITATIONS ON APPLICANT AND MEMBER PERSONAL INFORMATION
A. We do not sell or give lists or compilations of the personal information of our members or applicants to any business or non-profit organization. We do not provide member or applicant personal information to any affiliated or non-affiliated organizations for marketing.
B. None of the information that we collect may be used for any purpose outside the operation and maintenance of the Clear Services.
C. We would only disclose personal information about members or applicants if required to do so by law or legal process.

The termination of operation might be considered a “legal process” – but the way the language is written, 3.C. would not be valid as a result of the company’s dissolution.  Thus, they’re limited to 3.A. – which clearly states that they won’t sell the information to “any business.”  I wonder what the chance is now that they’ll only sell it to someone who’s TSA-approved.

*Not that the government doesn’t now already have your information as a result of the background check.  I’m just sayin’.

Notes from the “I told you so” file

Well, it didn’t take too long.  C-Net reports today that Google inadvertently shared some Google docs files with folks they weren’t supposed to be shared with.

Lifehacker ponders whether this is a “minor privacy blunder”.

Meanwhile, Google is busy blaming it on the user (italics are mine):  “We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge.”

Yeah, Lifehacker, this isn’t minor.  It never is.  Especially to those individuals who have data that was shared without their knowledge.  Oh, and C-Net, you shouldn’t downplay this either – mentioning that lost laptops are a security risk, too, doesn’t do anything to resolve the issue at hand.

Look folks, any breach of privacy, especially in a SaaS/cloud-computing environment, is a HUGE problem.  Shore up your contracts today, please (confidentiality, IP indemnification, and exclusions for breach of confidentiality in your limitation of liability language).  Need help doing it?  Just give me a shout.

The non’s have it!

Within the span of the last decade or so, I’ve seen a lot of confusion and misunderstanding about a bunch of non’s.  Non-Disclosures, Non-Solicitation, and Non-Compete’s, just to non (sorry) a few.  In this day and age of contracts for everything, people are often asked to sign one of the Non’s as part of a preliminary discussion about a particular topic.  So, let’s take a few moments to discuss each of the Non’s to see what the fuss is all about.

[Side note:  The Non’s discussed below can be considered “individual” contracts.  They can be signed independently of ANY other term or condition (such as a software license or services agreement).  But signing an individual agreement for one of the Non’s does not necessarily mean that you have the contractual terms and coverage for actually closing the full deal.  Make sure that you don’t unwittingly provide work/software/services before a full SLA, SOW or WO is completed in addition to the agreement(s) below!]

Non-Disclosure (aka: Confidentiality Agreement or Confidential Disclosure Agreement)

The most common Non takes aim at the restriction of one’s ability to talk about a particular subject.  Used to protect what at least one side to the conversation thinks is secret, a NDA or CDA is used to reinforce the verbal promise to keep something quiet.  Generally speaking, if they’re not combined with other Non’s, they are 100% legal and enforceable in almost every jurisdiction. [This isn’t legal advice, though, so if you have a specific question about a specific NDA/CDA, find a lawyer in your area and ask them to read it and provide you with solid legal advice.]  The reason behind the general legality is that the conditions of the formation of a contract have been met and there isn’t some sort of reason to not generally enforce the terms.  If I promise to keep something secret and you tell me the secret thing, I should be held to the restriction to not tell someone else.

These documents typically cover the “what if” in the event that I don’t live up to my obligation to keep the secret.  Usually including some form of indemnification (if what I’m being told could affect a third party), the common remedy for breach of a NDA/CDA is the payment of damages required to put the cat back in the bag.  But be careful if there IS indemnification and if you’re going to be provided something REALLY secret (like Protected Health Information (PHI), social security numbers, etc).  Make sure that you understand what you’re getting (and speak up if you don’t want that kind of information) and what the potential ramifications are for disclosure.

Be careful also about NDA’s that have no term limit.  Not only should the window for disclosing the secret have a term, but the length of time for which you must keep the secret should also have a term.  In other words, the NDA might only be valid for 2 years, in which you get a dozen bits of information.  After the 2 years, any new information provided would no longer be covered by the dead NDA.  But the previously-disclosed dozen bits of information have to be kept confidential for a DIFFERENT length of time, usually between 5 and 7 years (because from a business perspective, that’s about how long a real secret is valuable).  The only exception to this would be real Trade Secrets, as they’re defined in your state’s laws, which would be kept confidential so long as they are considered Trade Secrets.

Non-Solicitation (aka Non-Hire)

Sometimes confused with a Non-Hire clause/agreement, the Non-Solicitation is probably the easiest and least disruptive of the Nons.  Solicitation is the act of enticing someone to come work for you.  As a small business owner, you would be concerned about your large clients soliciting your services employees, for example, who were onsite at the client locations and providing excellent service (the large clients sometimes realize that they can get a cheaper service if they hire the workers directly).  So a Non-Solicitation clause in a contract is a promise to not entice the other party’s people away.

This doesn’t mean you won’t hire their people, which is where the confusion of the Non-Hire provision comes in.  There’s a big difference between soliciting and hiring.  Generally speaking, I never promise the more restrictive no-hire, as I simply don’t have that kind of control over my HR folks.  But I can promise that we won’t be talking with onsite service people about how great it is to work here.  However, if the service people think they’d like to work for us, I can’t stop them from applying to generally-posted positions from our website, for example.

Do watch out for an overly-broad damages clause, though.  In the event that you DO solicit, there’s a chance that you’re going to owe the other side a significant amount of money (some clauses like to say that the solicitor will pay the other the cost of the hiree’s first-year salary!).

Non-Compete

The most stringent of the Non’s (and the most controversial), is the Non-Compete.  A non-compete agreement or clause in a broader agreement usually says that the employee agrees not to work in the particular field of employment, or in a particular geographic region, for a specific period of time, in the event that they leave the employ of the current employer.  In other words, it’s a promise to not work against the current employer if the employee thinks the grass might be greener somewhere else.

The problem with non-compete’s is pretty obvious.  You’re agreeing, to get a job with a new employer, to not go work somewhere else if you leave this new employer.  You’re really at your most vulnerable (in terms of negotiation positioning) because you want the new job, and, above all, you’re giving up your ability to work in your chosen field if the new job just doesn’t work out.  Wow.

For this reason and others, courts are starting to take a REALLY hard look at non-competes.  In the last decade, non-competes went from very loose to very restrictive.  In those states that allow them, they have to be extremely limited in scope (what you do and where you do it) as well as duration (how long you can’t compete).  In California (as of the moment of this article), they’ve been all but rejected as against public policy and are now unenforceable, even if signed.

My general rule of thumb is to NEVER sign a non-compete unless you’re SIGNIFICANTLY financially compensated up front (ie: they give you a starting bonus about the size of the salary required to cover you for the time you can’t work).


Stop the Insanity!

Anyone out there remember Susan Powter?  She was a blond, cropped hair diet guru from the 90s.  Her catchphrase was “Stop the Insanity!” and it was all about controlling your own behavior.

One of the most common contracts people end up tossing over the fence to the other party is a non-disclosure agreement (NDA).  Also known in some circles as a confidentiality agreement, the basic purpose of the document is to promise that whatever one side shows, the other will keep secret.  There are two basic forms of this document, the one-way NDA and the mutual NDA.

We negotiate these agreements because a business owner feels that there may be secret information shared between the parties.  OK.  It’s possible.  But not likely.

Yet we keep going through the motions.

We need to stop the insanity, too.  But we won’t (remember, in most cases, we’re advisors, not decision makers).  So, here’s my two-part advice for making the NDA a painless formality that will require virtually NO time that could be spent on better things:

1.  Draft/configure a Mutual NDA.  And I mean 100% mutual.  Each party promises to keep the other party’s stuff secret for a fixed period of time (about 5-7 years) after the deal is done or the contract is terminated.  If you have to include something special in the language because of your regulated industry (insurance, utilities, banking, government), do so only to the extent necessary and state in each required section the cause of the language.

For example:  “Section 9: In compliance with _____ Act, and as applicable, the parties agree to…” making the obligations mutual again.  Remember, however, that although you might be bound to follow one of these regulations, the other side might not, which is the reason for the “as applicable”.  Check with your counsel on the specific language you will need to add.

2.  When needed, send it to the other side and tell them that you’ve drafted it with 100% mutuality in mind and the goal of not having to discuss it at all (this is the kind way of saying that it’s non-negotiable).  If they fight you on the regulation-required language, point out the “as applicable” clause.  Total non-starter.

Ta-da!  🙂


Confidentiality Disclosure Exception Issue

So I’m talking with a potential vendor who has asked for the ability to disclose confidential information for a reason I’ve never heard of before (at least not quite in this manner): they want either party to have the ability to disclose the other party’s confidential information if such party reasonably believes that the other has violated any criminal law.

Well, at least it was mutual.

But it’s a request I simply can’t agree to because it’s an exception that I think you can drive a truck through. More specifically, there are two key phrases in this exception: “reasonably believe” and “violated any criminal law.”

Reasonable belief
My first question is one of practicality. Who is the person who gets to “reasonably believe” that the behavior of the other is violating any laws? Bill down in sales? Carol in legal? And upon what grounds does this belief have to be based? Reasonableness is a test that judges and legislators like to use – but I’m simply not convinced that a reasonableness standard is appropriate here.

Violated any criminal law
This question is bigger for me and, for whatever reason, I have a more visceral reaction to this. I guess I just have some level of faith in our criminal justice system and in criminal procedure laws. It offends me that these laws would somehow not apply to this type of situation – that the other party simply wants to be able to hand over our confidential information without limitation and without the protections afforded under our criminal procedure processes.

Related to this is the fact that I already give a standard exception for “disclosure pursuant to legal process” which allows for disclosures (with notice and with help in the obtaining of a protective order) if so required by a court of competent jurisdiction (ie: through a subpoena appropriately requested by a prosecutor and authorized by a judge). Apparently, however, this isn’t good enough and the vendor states that there are laws (which they haven’t provided citations for) that would require them to disclose confidential information immediately and without limitation. Heck, even the Patriot Act is bound by some modicum of criminal procedure.

But I’m willing to be wrong. So, thoughts from the rest of the world on this? Would you allow your opponents to have this exception? How would you modify it?