Article by Daniel Garrie
Confidentiality/Non-disclosure agreements (“NDAs”) discuss how and when non-public information can be shared between parties and how and when such information may be disclosed to third parties, if at all.
Appropriately drafted NDAs focus on information that is valuable or protected and that is not already publicly available.
The information should have commercial value (such as non-obvious technical information, confidential commercial information, or information that would be considered a trade secret); alternatively, an NDA may concern information in a party’s possession that if disclosed to others could expose the party to criminal or civil liability.
The information protected by the NDA could be considered the company’s own confidential data as well as third parties’ confidential data. Examples of such information might include non-public customer information, such as credit card or bank account information, the disclosure of which could subject an organization to financial loss and legal penalties (See 16 CFR § 313.3(o)(2)).
This might include potential liability for unauthorized disclosure of protected personal information, privileged communications (such as lawyer-client or doctor-patient communications), national secrets, or the trade secrets of the company or business partner. Several industries are subject to specific statutory definitions of confidential or nonpublic data, especially the health care and financial services industries.
HIPAA utilizes the concept of Protected Health Information (“PHI”), which is health information collected from an individual, created or received by a health care provider, and (in simplified terms) the information either identifies the individual or creates a reasonable basis to believe the information can be used to identify the individual (See 15 CFR § 160.103).
Financial firms are aware that the term “nonpublic personal information” means personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution (See 15 U.S.C. § 6809(4)).
In addition to the definitions discussed above, other federal laws and regulations contain confidentiality and nondisclosure rules addressing different contexts. The federal government typically refers to NIST guidelines in government contracting. The Freedom of Information Act lists certain information not subject to disclosure, such as trade secrets and privileged or confidential commercial information (See 5 U.S.C. § 552(b)(4)).
The Federal Acquisition Regulations contain rules that bestow confidential treatment on certain contractor or other offeror information (See, e.g., 48 CFR § 9903.202-4: “If the offeror or contractor notifies the contracting officer that the Disclosure Statement contains trade secrets and commercial or financial information, which is privileged and confidential, the Disclosure Statement shall be protected and shall not be released outside the Government”).
This is the second part in a three-part series which comprises an abridged version of the article “Thoughts on Contracts and Information Security,” written by Daniel Garrie and published in the Los Angeles Daily Journal Law & Forensics.
Cross-posted from CIO Zone