Your Secrets Are Safe with Me: Protecting Third Party Confidential Information
Protecting confidential information can be paramount to the success of an organization; and knowing this, most businesses and institutions will devote valuable time and resources for developing and implementing strict policies and procedures designed to help manage the flow of their proprietary information. Unfortunately, these efforts frequently fail to address an equally important, yet separate, category of sensitive information – that is, any third party confidential information which may have been entrusted to the organization pursuant to a confidential disclosure agreement (CDA).
Many business relationships begin as a matter of course with the signing of a CDA in order to allow for the sharing of proprietary information while evaluating a potential future relationship. CDAs have become so commonplace that it is not unusual for a company or institution to have literally thousands of them. As the receiver of third party confidential information, a duty of care is owed to the disclosing party (as is spelled out in the CDA) which, if breached, can result in potential litigation. Despite this risk, a fair number of organizations do not cover the proper handling of third party confidential information in their policies, employee confidentiality agreements and employee education programs, leaving them exposed to possible claims of breach.
The responsibility of preserving the confidentiality of third party information can challenge even the most well-intended employees and organizations. With this in mind, here are a few best practices intended to help organizations comply with the terms of a CDA:
- Appoint a CDA Manager
Designate one employee who is responsible on a macro level for managing your organization’s CDAs .
- Designate a ‘Guardian at the Gate’ for each CDA
The CDA manager should then entrust the lead employee working under a given CDA with the responsibility for complying with that particular agreement. This person must be someone who understands all of the terms in the CDA and who is capable of communicating the rights and obligations of the CDA to every employee with access to the covered confidential information. Additionally, this gatekeeper should regularly monitor all CDAs for which he or she is responsible to ensure that the purpose, scope and other essential terms are still accurate. In some cases, a CDA may need to be amended. Finally, in the event of a breach, the CDA lead should be responsible for immediately initiating the policy-driven steps for handling a breach.
- Implement Workable Policies
CDA compliance policies should be “right-sized” to suit the unique needs of an organization. That said, all policies should include certain core details, such as the specific steps required for proper handling of confidential information (ie., how to segregate and store confidential information physically or virtually; how such information should be labeled, etc.), as well as the protocol for addressing potential breach.
In the case of paper files, for instance, consider requiring storage in a fireproof cabinet, which must be locked at all times. When virtual databases are maintained, consider mandating two-factor authentication or other password protection, including the ability to track who has accessed the database, the date of access and whether or not anyone has downloaded the information. It’s much too easy in today’s digital environment for a well-intended employee to download information to a thumb drive or flash drive for a conference, meeting, or worse, to review on a personal computer. Failure to adopt workable CDA policies like these may result in third party confidential information being co-mingled with your organization’s own confidential information, making it virtually impossible to comply with requests to return or destroy a third party’s information and to certify having done so (a common right given to the disclosing party under a CDA).
- Avoid Known CDA Pitfalls
First and foremost, a CDA should always be in place before holding any meetings or engaging in conversation that will likely include the disclosure of third party confidential information. It only takes a few minutes to discuss this step with the other party; otherwise, inadvertent pre-CDA disclosure may result in costly and other negative consequences. Likewise, when signing a CDA, be sure the agreement specifically identifies the information to be kept confidential. CDAs which use broad descriptions such as “any and all information shared between the parties” can make compliance considerably harder for the receiving party. Finally, a CDA should include a specific length of time for the confidentiality obligation, along with specific instructions on what should happen to the information once the CDA expires, including whether or not archival copies are permitted.
- Adopt Specific Protocols for Remote Workers
The business world has changed a great deal over the past year and a half. With more employees working from home, and the possibility that this will become the “new normal,” it is imperative that remote employees are given specific guidelines on how to manage confidential information. For example, an employee’s home router should be protected with a personal password. In some cases, it may make sense for employees to have two routers at home – one for work, one for personal use. The same holds true for work computers—access to work computers should be limited to employees only; sharing with members of the family or anyone else should be prohibited. Similarly, any information downloaded on a thumb drive should never be uploaded to a personal computer.
- Address Third Party Information in Employee Confidentiality Agreements
An organization’s standard employee confidentiality agreement should include an obligation to keep secret all third party confidential information to which he or she has access. This obligation should continue beyond the term of their employment to prevent disclosure after they leave your organization.
- Include CDA Best Practices in Employee Orientation and Education
A proactive approach is always better than a reactive one. Arm employees with practical advice on how to avoid the accidental disclosure of CDA-protected information. For instance, remind them to be mindful in public spaces; discussing third party confidential information while on planes, trains, elevators or even in an airport lounge can have disastrous results, possibly leading to litigation and intangible costs such as damage to the organization’s industry reputation. Likewise, encourage employees who travel frequently to make security a top priority. A protective screen which blurs a laptop display from peripheral viewing is a simple yet effective way to avoid competitors from ‘looking over your employee’s shoulder.’
In light of the demands and frenetic pace of today’s business, it is easy for organizations to overlook the issues surrounding third party confidential information, leaving them vulnerable to the potential breach of a CDA. With the stakes high, it is critical that organizations take seriously their obligations arising under a CDA, starting with a coordinated approach to oversight and compliance as a component of their overall risk management efforts. If you would like to learn more about best practices for implementing policies and best practices for handling third party confidential information, or if you have questions about commercial transactions in general, please contact Michèle Linde at email@example.com or 302-256-4724.
Michèle Linde is a Member of our Mid-Atlantic team with more than 30 years of in-house and private legal practice experience in the life sciences industry, including work with branded and generic pharmaceuticals, medical devices, academia, cosmetics and the champagne industry. Prior to joining Outside GC, Michèle served as EVP, Global Corporate Governance, Chief Legal Officer & Corporate Secretary at Virpax Pharmaceuticals. She can be reached at firstname.lastname@example.org or 302-256-4724.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.