Anyone in business knows that they will only stay there if they properly equate their potential returns with the legal and economic risks they are being asked to assume. Pretty basic, huh?

Not so much today-- even in the seemingly tranquil world of non-disclosure agreements (“NDA’s”). Some of these agreements can cause companies to unwittingly risk their net worth.

Traditionally, companies interested in doing business with someone would enter into an NDA which prevented recipients from sharing the confidential materials supplied by the discloser. Makes perfect sense to prohibit voluntary disclosures. However, in today’s world of hacking into electronic databases, this concept is often the subject of unprecedented discussion, as companies justifiably concern themselves with involuntary disclosures. As we have emphasized, companies possessing personal information pertaining to consumers (as specifically defined in various bodies of authority) have various obligations to safeguard it.

Such obligation applies to arrangements with third party vendors getting access to such material; proper contractual warranties, covenants and remedies are essential in a world where large scale hacks and burgeoning government involvement are the norm. Where things get messy is before doing business. We are seeing more and more NDAs with elaborate provisions of this nature. While these provisions may make sense in definitive agreements where each party has derived a contractual benefit of the bargain, such provisions make much less sense (or none at all) where there is no commitment to do anything more than discuss a proposed transaction with no guarantee of a financial return.

There are several things wrong, from the perspective of both parties, with such approach:

  • It usually complicates the review process of the party receiving the proposed agreement, prompting substantial discussion and delays over what is usually a fairly perfunctory ritual;
  • It may not be pertinent at all; a party should not agree to these types of obligations if it is not receiving any personal information. Not every proposed business relationship involves such materials at the discussion stage or ever! Asking a company to assume legal responsibility for receipt of such material which it is not receiving certainly complicates the process and may even invite disputes if the transferring party encounters its own data breach. Because information you don’t have cannot be breached, you may want to affirmatively prohibit in the NDA the transfer (and receipt) of personal information if it is not needed to evaluate a transaction.
  • At the NDA stage, these weighty obligations may put at risk a business without corresponding potential benefit. By definition, no definitive agreement has been struck, so the recipient’s potential return is uncertain or non-existent. Even where the topic is pertinent, providing uncapped indemnities and commitments to remedial action when there is no commitment to an actual transaction, let alone one of substantial size, is not the way to equate risk and reward. Of course, a different calculus applies where a deal is actually on the table.

What does all of this mean to Mr. or Ms. Businessperson on a day-to-day basis? Whatever your capacity, be reasonable about the risks which you are asking others to assume at early stages of relationships and do appropriate operational due diligence to satisfy yourself that you are dealing with someone who takes seriously their obligations. After proper review of proposed agreements – by us, of course! – make sure that the risk/reward comparison is prominently addressed in your discussions with your proposed counterparty.

Among other things, if you don’t expect to get personal information at the early stage of the transaction (or at all), say so in writing. This way the parties’ expectations are properly aligned and there is a proper ‘trail’ confirming them if new people enter the chain.