I recently found myself once more poking around the entrails of confidentiality agreements. The issue related to one of the core obligations, namely the obligation not to disclose confidential information. (The other is the obligation not to use confidential information except as specified.)
The issue is that the obligation not to disclose can be expressed in two ways. One way is, well, by means of an obligation not to disclose. Here’s a random example from EDGAR (emphasis added):
Mr. Hawk agrees that he will not, during his service on the Board, or at any time thereafter, make any disclosure or use of any Confidential Information, except as may be reasonably necessary in performing his duties for the benefit of the Company or as part of a good faith report or related disclosures to any governmental agency or entity regarding potential violations of applicable federal, state or local law or to take other actions protected as whistleblower activity under applicable law.
The other way is by means of an obligation to keep information confidential:
In consideration of the furnishing of Confidential Information by the Discloser, Recipient agrees that it will hold the Confidential Information in strict confidence and will use the Confidential Information only in connection with the negotiation and consummation of the Transaction.
Many confidentiality agreements contain both kinds of obligation.
The problem lies with the second obligation. If I agree to keep information confidential, that could mean that I won’t disclose it, but it could also mean that I’ll protect it against becoming public by some other means, for example by being hacked.
I did a highly unscientific poll on Twitter.
More than half of those participating said they thought this kind of obligation is indeed confusing.
So here’s what I recommend you do: include the obligation not to disclose but omit the obligation to keep information confidential and instead include a standard the recipient must comply with in protecting confidential information:
The Recipient shall take precautions to prevent disclosure or use of Confidential Information other than as authorized in this agreement. Those precautions must be at least as effective as those taken by the Recipient to protect its own Confidential Information or those that would be taken by a reasonable person in the position of the Recipient, whichever are more effective.
That would make it clearer that the concern isn’t the recipient electing to disclose.
Why am I thinking about this? Because I’m retooling some sifters from the time before I became a LegalSifter advisor. As part of that I’ve created a new sifter called, at least for now, Confidential Information: Standard for Protecting. It will look for this sort of provision, flag if it’s present or missing, and offer help text, either LegalSifter’s or yours.
Progress isn’t arrived at through AI smoke-and-mirrors. Instead, it involves specialists (in this case, me) and data scientists doggedly plugging away.