Most lawyers feel comfortable and confident in pulling out a well-used precedent when drafting an agreement. Every once is a while, however, circumstances change that render the tried-and-true completely inappropriate.
Almost daily we see confidentiality or non-disclosure agreements (“NDAs”) that impose obligations that are not possible to meet, but which business people, nevertheless, happily agree to, apparently oblivious to the potential consequences. Fortunately, it seems that the party that stands to benefit from those obligations is equally unaware of the fact that the other party will not likely perform its contractual obligations. As a result, the breach generally goes undetected and both sides proceed in blissful ignorance.
NDAs are utilized in a great variety of circumstances, including covering the exchange of information in merger and acquisition transactions, private equity and debt financing due diligence, and joint venture agreements. In almost all cases, confidential information is provided by one party to another on the critical condition that it will be used for certain limited purposes and then either returned or destroyed. The problem in this age of electronic data transfer and storage is that the return or the destruction of the confidential information is not practicable on any sort of commercially reasonable basis and may be, therefore, virtually impossible. Yet senior executives routinely sign documents in which they certify that all confidential information received by them has been either returned or destroyed.
The reason for this discrepancy between theory and reality lies in the fact that information transmitted and stored in electronic form is exceedingly difficult to contain and control. The most obvious example, at least one that will be obvious after some reflection, is that most businesses routinely create backup copies of all data on their servers on a daily or even hourly basis. Data is archived in secure offsite facilities, sometimes in “hotsites” that provide almost immediate access to the data and sometimes in “coldsites” where access requires a disk to be physically installed in a server.
Nevertheless, confidential data that is provided in electronic form is routinely copied and saved outside the immediate control of the recipient and probably without their knowledge. As a practical matter, when parties seek to destroy copies of confidential information, rarely do they consider destroying the copies that are stored in these archived files. Moreover, even if they were to consider doing so, the task would be daunting and unlikely to be successful. A less obvious example occurs when information is stored on hard drives, floppy disks, recordable compact discs or DVDs, flash cards, smart sticks and data management systems. Merely executing a delete function in most major operating systems, such as Windows, only means deleting the file system’s “pointer” to a file’s contents. The underlying data is not actually destroyed; it is merely more difficult to access. The well-meaning executive seeking to comply with an obligation to destroy confidential information will likely believe the obligation has been satisfied once the data is deleted.
The more diligent will go a step further to execute a “wipe” function which actually overwrites the contents on the disk with random or dummy data. However, even that step is not likely to be completely effective in destroying the data. It is important to consider this issue from the perspective of both the recipient of the confidential information and the disclosing party. If the disclosing party truly is concerned to ensure that all confidential information is either returned or destroyed, the NDA should contain terms that very strictly control the media on which the information is copied. Hard copies are relatively easy to track and control but in many cases not a practical solution. Providing a limited number of identifiable DVDs, floppy disks, smart sticks or flash cards might be a better option. Another alternative may be to post data to secured virtual data rooms and to prohibit any copying. Of course, these options will not be effective to prevent cheating if a party is inclined to be dishonest. However, it does at least allow the party who wishes to honour its obligations to do so.
If the recipients of confidential information are bound by an obligation to return or destroy that information, they need to be vigilant in ensuring that electronic copies do not find their way into various desktop hard drives or corporate data management systems where backup copies are likely to be made. Failure to do so could expose them to significant expense if the disclosing party wishes to insist on strict compliance with the letter of the NDA.