The 4 best things you can do to stop NDAs blowing up in your face
Non-Disclosure Agreements (NDAs) seem like a good idea, but if you’re not managing them properly, they can blow up in your face. Signing an NDA and not taking the appropriate subsequent steps in your business can leave you open to legal action from the other party to the agreement. This post is a short guide to the 4 things that any technology business can do easily to make sure that doesn’t happen to them.
NDAs are signed by lots of tech businesses and can be an essential part of protecting their confidential information. They give you some room to have discussions with potential collaboration partners, customers, suppliers or consultants and make sure that those parties don’t disclose or mishandle your confidential information. It sounds great. In fact, it is great! So great that almost every tech business out there has signed NDAs…lots and lots of NDAs.
But there’s a problem lurking on the other side of the agreement that many tech businesses are not prepared for and that can land them in hot water. The NDAs signed don’t only put obligations on your partners, they also put obligations on you. NDAs are often mutual, which means you’re also signing up to take great care with the other party’s confidential information. Are you confident you and your team are doing that? Are you confident there is a system in place to manage the NDAs you’ve signed? If not, when you consider the number of these agreements flying around and that they can be in force for many years, you could find yourself with a problem — one that can blow up in your face.
There are 4 things you can do easily in your own tech business that can significantly mitigate the risk.
- Keep a log of all NDAs signed
- Create a secure space to store the other party’s confidential information
- Review the log regularly and proactively terminate NDAs that are no longer relevant
- Educate your people
Keep an NDA log
It is important to keep a log of all the NDAs your tech business has signed with other parties. The log can be as simple as an Excel spreadsheet and should include basic information such as the name of the other party, the date the NDA was signed, how long the NDA is in force for, the definition of confidential information in the NDA and who is responsible for the agreement within your business. You can add more columns as you get more sophisticated, but taking care of those basics is a very good start.
Knowing what NDAs you have ongoing at any one time is the most important step in managing them and the potential risk they pose. If you don’t keep a log then you will always be at undefined risk.
Create a secure space for the other party’s confidential information
Your business will have signed up to take care of the confidential information of the other party to the NDA. Often, the requirement is for you to treat their confidential information as if it was your own. That means that if your confidential information is kept in a secure place (and it should be!) then the other party’s should too. When potentially confidential information is being emailed between different people in your company and the other party’s company, and samples may change hands etc., this can be challenging.
There is a point to make on education (see below) but you should also create a secure disk space on your IT system where secure documents can be held. Access to this disk space should be limited. For samples, a safe can be used, but a lockable cupboard should suffice.
All electronic confidential information received from the other party should be stored on the secure disk space and deleted from personal computers, and all samples locked away when not in use. This demonstrates that you are taking your obligations very seriously. It also means that, if you are required to destroy all confidential information (this is often required when the NDAs are terminated) then you are in a position to do that without having to trawl through your IT systems and look around the engineering shop floor!
Review the log
Often, NDAs are only required for a short period of time. For example, if the project goes nowhere or is completed in a few months or so. However, the NDAs themselves can remain in force for many years, sometimes as much as 8–10 years!
You should review the NDA log regularly, say every quarter or other period to suit you, in order to check that each NDA is still required. That is, to check that your business is still collaborating with the other party. If not then you should pro-actively terminate the agreement, destroy all the other party’s confidential information and insist that they destroy yours. This closes off many risks and not doing it will leave you open to issues in years to come.
Educate your people
If anyone in your tech business breaches the conditions of an NDA, the chances are that you are on the hook for it, not them. It makes sense to educate your people so they know what the risks are and how to handle confidential information passing over their desk. This makes sense for your own confidential information too, but that’s another blog post.
Tell your people that confidential information needs to be stored in the correct place and not held on their PC or laptop, that samples need to be locked away when not in use, and what the risks are of not doing these things. This can be done in email correspondence, lunchtime sessions and at induction when they join the company. In my experience, the trick here is little and often and if you’d like a sample slide deck then email firstname.lastname@example.org and I’ll send you one.
Also, have a select group of senior people who are authorised to sign NDAs on behalf of the company. Give them higher level training on how to understand the terms of the agreements so they can take necessary action. Also make them responsible for informing their own team members about the NDAs signed and what their responsibilities are.
NDAs are often drafted so broadly that complying with them fully is practically impossible, but taking these simple steps can really help and will give you peace of mind that you’re doing everything you can to manage things appropriately, and that you can prove it should the worst happen.