“The single biggest problem in communication is the illusion that it has taken place.”
— George Bernard Shaw
The conversation begins,
“Can you keep a secret?”
“Yes, of course,” they say.
What happens next? Naturally, you tell them what it is that you are going to trust them with.
That’s the way it happens in personal relationships. In business, it’s usually more complicated. And it depends a lot on who you’re talking to.
Let’s first consider the employee confidentiality agreement. In some smaller businesses, especially in the “low tech” economy, employee non-disclosure agreements (NDAs) may not be necessary, because workers neither create nor are they exposed to company secrets. But if you’re making things from a private recipe, or if employees learn sensitive information about customers, it’s a good idea to have these contracts. And if you’re in a knowledge-based industry, they’re more or less essential.
With the NDA (and related agreements like invention assignments) in place, the employer feels comfortable sharing all the information that the employee needs to know to do their job. But what do these agreements actually say about what the confidential information is? In other words, what do they tell the employee about what it is that they’re supposed to be protecting?
The answer usually is “not much”. Crafted by lawyers or copied from a form, employee NDAs can be hilariously broad, citing categories of data that have no relationship to what the person is actually doing. It’s common to see a definition of “confidential information” that “includes but is not limited to” 30 or more topics ranging from “ideas” to “techniques” to “samples” to “know-how” to “sketches” to “formats” to “business models” to “documentation” to “research”. Got it? I didn’t think so.
Despite the ubiquity of employee NDAs, and their usefulness – in the abstract – as a reminder that the relationship is confidential, some courts have started reading them closely and finding some that sweep too broadly to be enforceable. After all, unless restrained by a noncompete agreement, an individual should be free to take another job and use their accumulated general knowledge and skill. And yet, it’s not possible as a practical matter to customize the NDA for each of hundreds or thousands of employees whose job responsibilities are likely to change over time.
So, what’s an employer to do? The answer lies not so much in the contract – although there’s probably room to increase clarity of expression. Instead, the most appropriate way to communicate to employees about what they are expected to protect is through training. This instruction can take many forms, including published rules, online tutorials and in-person lectures and role playing. The goal is to imbed understanding of what kinds of information provide the company with its competitive advantage, the security risks that the business confronts, and what employees can do to reduce those risks.
Ideally, training extends beyond early orientation and continues, in varied contexts, throughout the period of employment. Well informed about what the company believes to be its most important data assets and how they may be threatened, the employee will be far more likely to proactively protect those assets. And they will be less likely to confuse the employer’s secrets with the personal skill they are entitled to take to the next job.
But it’s not just the workforce that needs clear communication about secrets. In the modern economy businesses have to entrust sensitive information to vendors, for example, to enable design and manufacture. And customers may be given early access to unreleased products. In these relationships, we find some of the same communication problems as can occur with employees. But instead of the definition of what’s confidential, the issue is more often about what they’re supposed to do with the information.
One of the more common provisions of a commercial NDA requires the party that receives the secret simply to protect its confidentiality in the same way that it protects its own. That sounds good, but way too often the disclosing company has no idea what the recipient’s information protection program is, or how well it is executed. So rather than just accept the “boilerplate” language and assume that everyone treats their secrets as you do, it may be more prudent to state specifically what controls you expect them to use, and what mechanism (such as an audit) you can invoke to ensure compliance.
And then there is the collaboration partnership or joint venture, where two organizations have swooned over their compatibility and the synergies that promise a successful outcome to the project. The mutual infatuation can lead to dangerous assumptions about division of responsibility and particularly about ownership and control of innovations, or at least credit for them. Remember that these relationships are designed to be temporary, and the inevitable divorce has to be negotiated at the same time as the impending marriage. It helps to be clear-eyed about these things and to discuss them in advance.
But by far the most common sources of misunderstanding are potential acquisitions and license transactions. Here, the parties have a legitimate need to share information in confidence, but an equally legitimate basis to fear that it will lead to trouble. For the acquisition target or potential licensor, there is the risk that the suitor will take a close look at the technology and then walk away in favor of another target or an internal project. And on the other side there is always concern that looking too closely at these external opportunities will contaminate your best engineers or scientists with unwanted information, making it difficult for them to prove that what they develop later was done independently.
The level of risk, on both sides, varies with the intensity of the due diligence that is required to inform the transaction. And this is where robust communication comes in. It’s to the advantage of both participants to discuss risk openly, and to explore ways in which they may be able to reduce it, for example by exposure to the secrets in small steps. If a no-go decision can be made based on access to a smaller dataset, then the two sides can more easily part ways without the threat of litigation.
\The common theme in all these situations is the need to work towards a clear and common understanding. Even in a close, trusting personal relationship we know it’s a mistake to assume that our partner knows what we’re thinking. In business, if you’re going to allow someone access to important information, it is usually a good idea to help them understand what it is that you consider to be sensitive.