28 Jan 2009 in Ethics and Compliance Offices, Information Integrity
This is the first in a series of "Thinking About Risk" posts directed at improving business processes among the growing number of government contractors facing the new federal compliance requirements which include mandatory disclosure regulations.
Non-Disclosure Agreements (NDAs) have become a ubiquitous part of doing business with the government and with other government contractors. Yet the proliferation of NDAs may have actually increased the risk of failure to protect and safeguard truly sensitive information such as trade secrets. While the use of NDAs provides evidence of an intent to comply with non-disclosure requirements, we must ask whether their overuse--often driven by an abundance of caution and the desire to assure the availability of a legal defense should it become necessary-- actually increases risk by undercuttting the true value of such instruments.
Non-Disclosure agreements (NDAs) facilitate the disclosure of sensitive information, such as trade secrets. A trade secret is defined as information that is valuable and tightly controlled. Information disclosed to third parties remains a trade secret if an NDA requires that the recipient not disclose it. Information disclosed without an NDA usually loses its trade secret status. In federal government contracting circles, any conversation beyond pleasantries may require an NDA. While theoretically NDAs have potentially great consequences, their very ubiquity has severely limited their effectiveness in the increasingly blended federal workforce.
Enforcement and Implementation
In the private sector, an NDA permits the discloser to sue the recipient for trade secret misappropriation if the recipient breaches the NDA. Further, because the information remains a trade secret, the discloser can sue third parties who misappropriate the information. Additionally, if the disclosed information is also patentable, an NDA may help defer the deadline to file a patent application. With these benefits deriving from NDA use, it’s easy to understand how NDAs have become standard operating procedure in mixed workforce environments. However, there are many downsides.
Operational Challenges to Managing Information Receipt
Companies need to manage, control and protect information they receive under an NDA. Specifically, employees must segregate controlled data from unrestricted information, know the applicable NDA restrictions, and manage their use and disclosure in accordance with those restrictions.
Realistically, most people can not do this.
Worse, too few small and mid-sized government contractors have any effective information management system. Without a system, the company can easily breach its NDAs and often employees inadvertently do so.
This problem is compounded by NDAs that restrict all shared information, whether exchanged formally or casually, where sensitive or not. These NDAs assume that employees cannot properly identify what information to disclose—thus, better to govern all information disclosures under an NDA than lose possible protections. But if employees can’t properly disclose information, how can they properly manage incoming information?
In the private sector, some companies avoid this problem by using one-way NDAs that protect only information they disclose (not information they receive). However, this is not an option for government contractors in a blended workforce. The risk to government contractors is that while they cannot disclose anything they learn from the government but the employees of other companies may not be bound to protect the proprietary information about other contractors-- often their competitors. While all contractors in a public sector blended workforce invariably expect equal treatment, information access in support of the government makes it impossible to consistently apply and enforce NDAs equitably. (For example, an acquisition or budget support contractor will have access to large volumes of sensitive competitive information but few companies have systems in place to segregate, control and protect such data nonetheless to prevent it from being used to competitive advantage.)
Avoid Disclosing Secrets
Athough it is extremely difficult, absent a whistle-blower, to identify that an information recipient has breached an NDA, in the event that a breach is discovered enforcement is limited to processes of debarment, suspension and litigation, all of which involve messy expensive disputes over what information was disclosed, when, under what terms, and how the recipient used it. For this reason, NDA violations are rarely pursued.
In the private sector companies can minimize their risk by not disclosing sensitive information in the first place. Working in the public sector as a government contractor, however, means nondisclosure is not a realistic option. In the blended workforce, a company must disclose its “crown jewel” information to the government and other contractors. These events should be noteworthy and handled carefully with strict controls and protections. The 'standard operating procedure' NDA is not adequate to protect truly sensitive information and overuse of such instruments may actually weaken protections.
How Much Information Is Really in Need of Protection and Control?
Surprisingly little unclassified information actually needs to be controlled carefully. Consider this acid test: given the expense and difficulty of enforcement, would the government or disclosing company sue to stop someone from using the information to be disclosed? Is it properly classified, proprietary or otherwise protected by law? If the answer is no, then an NDA probably is unnecessary. Usually an organization has a few core really valuable assets that meet that test, but most information disclosed in day-to-day blended workforce environment and related business relationships do not require NDAs.
Anti-Competitive Effects of NDAs
NDAs can handcuff competition. Say two indirect competitors sign an NDA while working for the same government agency. Company A discloses a future business or product plan to Company B under the NDA. Is Company B now foreclosed from pursuing that plan? While exceptions in the NDA may allow Company B to proceed without breaching the NDA, it has significantly more risk even if it proceeds legitimately. If Company B aborts a desired business or product plan due to having signed the NDA, the strategic consequences can be enormous. Thinking about associated risks should be a condition precedent to signing an NDA if NDAs are to retain any utility.
A Waste of Time?
Many people believe NDAs are an essential part of every relationship. But given their strategic and legal consequences, we suggest that signing an NDA should be anything but routine. Historically, some companies—notably Booz Allen Hamilton and IBM—refuse to sign NDAs unless they are required to receive confidential information, and only then for specifically identified information (not everything under the sun). Other companies—notably Intel and Microsoft—include “residuals” clauses that eviscerate NDAs by excluding from the NDA’s restrictions any information their employees remember.
Blended workforce personnel must train employees to identify when truly valuable information must be disclosed, require an NDA only in those cases, and to implement processes to protect and control sensitive information. Targeted information disclosure and NDA practices should speed up transactions by minimizing negotiations, reduce the overhead of managing and tracking NDAs, and reduce reliance on lawsuits to protect valuable government and corporate assets. Corporate counsel and compliance officers should recognize that actually managing the safeguarding and protection of sensitive information is more important than a check box compliance defense argument.
GM
From Andrew Mitton on
It probably sounds naive, but it's just good business to respect each other's confidential and proprietary information. Word gets out if someone breaches this trust. I wonder how much extra an NDA provides to the relationship. In fact it may harm it because it's underlying message is "I don't trust you, so sign this." I know it gives lawyers warm fuzzies.