Talking Business podcast: a guide to non-disclosure agreements

Zum Mohammed: Sure. So NDAs, which I call them because I did grow up in America, have attracted bad press where they were traditionally used to suppress allegations of misconduct or settlement agreements when employment relationship ends, or I think, famously more when celebrities had affairs with people. But commonly and more legitimately they're now used in commercial transactions to protect sensitive commercial information of a business, and prevent others from exploiting that specific information.

Sophie Brookes: Okay. So tell me a bit more about how they're used in that sale process, then. Maybe we can look at sort of who they protect and what they protect. So let's focus on who they protect first. Can you talk about that?

Zum Mohammed: Sure. So one of the most important parts of the sale process is to due diligence investigation. It's a key part, really, and it's where the buyer has the ability to protect itself against unknown liabilities in a target, and kind of to decide whether they want to go ahead with the deal and on what terms. And that's based on the information that the seller is going to provide. It requires the seller to disclose a significant amount of information about the target's business so that the buyer can review. And I guess the main concern for a seller will be if the transaction doesn't go ahead. Or for example, if it turns out that the buyer was just fishing for information and not serious about the sale, and what happens with the information after they've provided it. So the seller won't want the buyer to use the information for its own commercial gain or to disclose information to others. So traditionally before the seller discloses any of that information, the parties will sign up to an NDA to protect the seller and the target business.

Sophie Brookes: Okay, so that's really helpful. So it's protecting the seller as the disclosure of the information and the target business whose confidential information is going to be disclosed. And so that leads on to, I guess, what the NDA is protecting there.

Zum Mohammed: It's the main thing, is really the confidential information about the target business, things like customers, suppliers, and finances. It can also protect that the parties are in discussions, and most sellers won't want people knowing that they're thinking about a sale, and it can normally have a really disruptive effect on their business and their trading partners, and the existence of the NDA itself, really, to allow people to know, especially in companies that, for example, are listed on the stock exchange.

Sophie Brookes: Yeah. So if people know that a company is subject to an NDA, it's sort of indicative that there's something going on kind of thing, which I guess just can be a little bit unsettling and disruptive to the business.

Zum Mohammed: Yeah, exactly.

Sophie Brookes: So you said there, that it protects the seller. So I guess one question is, well, what if the parties don't sign an NDA? So what happens with the seller then? Is it going to have any protection?

Zum Mohammed: They might have some protection by the law of confidence. A party can't take unfair advantage of information that they've received in confidence, provided that the information has the necessary quality to reach the confidence test. But the case law around this area is complex and quite uncertain. A formal written agreement provides certainty around what's protected, what a buyer can and can't do with the information, so it's clear for all parties.

Sophie Brookes: So it's that classic thing of, of two lawyers telling you to get it in writing basically. Yeah, great. So building on that theme of the protection for the seller then, let's start to kind of dive into the agreement, to the contents of the agreement a bit more. So what are the key points that the seller as the person disclosing the information should be thinking about covering in an NDA?

Zum Mohammed: Right. So some of the things that you really should be thinking about when thinking about an NDA is probably how you're defining the confidential information. You as a seller will want it to cover everything in any form, including oral disclosure, so conversations that you're having with the buyer, provided to the buyer or its advisors, including any information generated by the buyer, which is based on the confidential information that's provided, that the seller provides.

Sophie Brookes: Okay. So yeah, that's that springboard idea, almost, of the buyer being able to generate something that it can then use itself based on the confidential information given by the seller. And the idea there is well, okay, the buyer has developed it itself, but it would have never been able to do that if it hadn't had that information initially provided by the seller. So what about the key obligations that you would see on a buyer in an NDA then? What are the sort of key things that the buyer has to do?

Zum Mohammed: Sure. So you'll want to make clear some of the obligations on the buyer, things like they have to keep the information confidential. They can't disclose. They need to limit their internal disclosures to people that the seller permits. So for example, once you've sent them the information, it's more than likely that they'll want to send the information to their lawyers or their advisors, or even their funders. So you would want to control who the information can be sent to. And then also things like you want to make sure that they're only using the information to assess the target business. You don't want them to use it internally for any competitive advantage. And finally, you'd also want to make sure that they must return the information on request. So if you stop negotiations with them, you'll want to make sure that you can either request the information back or request that they destroy all the information they have.

Sophie Brookes: Great. And is there anything else that the seller should be thinking about or might be concerned about with this concept of basically the buyer coming in and investigating its business, looking through its business?

Zum Mohammed: I think that they'll want to make sure that the information that they're providing is confidential, but also that things like their staff and their customers are protected. One of the things that you will be doing when you're going through a process of due diligence is providing, normally, your customer lists and employee lists. And even if those are done on a little bit of a reductive basis, which might be something that we talk about later, it is information that is going to go to the buyer at one stage or another. So especially if they're a trade competitor, they may have an interest in poaching any key employees or approaching your customers. So for trade competitors in particular, you may want to include some restrictive covenants to prevent them from soliciting any employees or dealing with any customers. These restrictions would normally apply during the negotiations and for a fixed period, sometimes for example, 12 months after negotiations terminate.

Sophie Brookes: Great. Okay. So that's a really useful summary of the sorts of things that the seller as the discloser of information needs to think about in the context of an NDA. So let's flip it around now and think about, well, what about the buyer? So the buyer, remember, is going to be the person receiving the information. So what kind of things do they need to think about when they're perhaps negotiating or looking at an NDA?

Zum Mohammed: I think as a buyer, you should think about things like narrowing the definition of confidential information. So thinking about things like should we exclude the conversations that you're having between the parties, because it's too uncertain whether that information constitutes confidential information? Should you exclude information that's already been disclosed before the agreement? Again, it might be uncertain whether that information was confidential because it wasn't being given to you on a confidential basis. Or things like only include information that's genuinely confidential rather than just everything provided by the seller. So maybe exclude the information that the buyer is already aware of that's in the public domain or that they've legitimately obtained from a third party that wasn't breaching the NDA. They also might want to limit the return of the information. So things like making sure that you're being given reasonable notice when the information is requested to be returned. The buyer or the advisors may need to retain a copy for regulatory reasons, or there shouldn't be a requirement to return or destroy internal information that you've generated, things like spreadsheets that you've generated whilst looking at the financial information of the company.

Also, make sure that you can actually destroy the information, because most buyers will have backup servers, which they can't delete the information from. So by simply not deleting the information on your backup servers, you could technically be in breach of the NDA. Also ensure permitted purpose covers what the buyer needs to do. What if the deal structure changes from a share deal to an asset deal? You might need to vary the NDA so that you're still allowed to have the information, and you're not falling foul of it. And also ensure things like forced disclosures are permitted, so where you're required by law or regulations to make a disclosure, that you're allowed to do that.

Sophie Brookes: That's great, really useful summary of what the buyer as the recipient of the information needs to think about. So we've looked at it from the seller's perspective, we looked at it from the buyer's perspective. How long do NDAs normally last? How long do those confidentiality obligations carry on for?

Zum Mohammed: So the seller will want an unlimited duration obviously, but the buyer will not want the practical burden of kind of policing the obligation forever. I think it really depends on the nature of the information. If you think about financial and trading information, that's probably quite out of date. So maybe three to five years, because the market as a business will move quite quickly. But things like trade secrets, know-how, technical information, patient designs, actual knowledge of how to create things if you're a manufacturing business, that information could last much longer and for even an indefinite period. So I think it depends on the type of information that you're disclosing and looking at it in the round.

Sophie Brookes: Yeah, I think that's a really good point, the point that you make about financial information going out of date. You can imagine a set of internal accounts or projections kind of thing. That is going to go out of date pretty quickly, maybe in a matter of months, certainly probably within a year. But if what the seller is looking to sell is something like Coca-Cola, then the recipe for Coca-Cola say is always going to be confidential and have that element of secrecy around it that needs protecting as a really key thing.

So I guess the next question is, well, okay, we've got our NDA. We've signed that agreement between the seller and the buyer, so the seller feels a little bit more confident about disclosing its information to the buyer. But what happens if the buyer breaches these obligations that it's signed up to? Obviously we hope when entering into an agreement that the parties are going to abide by it, but what if the buyer doesn't and the buyer does end up breaching those obligations?

Zum Mohammed: So the standard remedy for breach of contract is damages. And the seller will need to show that they suffered a loss and they're under a duty to mitigate that loss, to make sure that it's not increased. The seller will also have to prove that the information was disclosed by a breach of the buyer, which can oftentimes be really difficult. And the seller may prefer things like an injunction, which are the more high profile remedies, which you'll hear about in the news. But that's really just to stop the buyer disclosing. And you can only get an injunction if the buyer is about to breach, rather than once they already have breached. Once the information is already disclosed, the injunction is worthless.

Sophie Brookes: Yeah, okay. So I guess thinking about it again from the seller's point of view, because it's the seller who's bearing the risk and is exposed here, so is the NDA, is that a good protection? Is that a complete protection for the seller or is there something else that the seller should be thinking about?

Zum Mohammed: It's a good protection, but it's not the be-all and end-all protection. It can't guarantee information is protected, especially if you are engaging with a buyer that has no intention of complying with the NDA. And once the information is out into the ether, into the public domain, you can't almost put it back and make it confidential again. So the seller's only remedy will really be damages. And that may not be adequate enough, especially if, for example, the information has future rather than current value. Limitations and inadequate remedies might mean that the seller thinks the NDA is part of an entire package to protect information.

And also things like making sure that you're aware of GDPR. So one of the things that we've seen an increase of is GDPR, that's General Data Protection, breaches in the news. And sellers should be mindful that where the information is going. So if the information is being sent to a country that doesn't have similar data protection laws in place, they may want to make sure that they're putting extra protections in place so that they don't fall foul with GDPR laws here, and also making sure that they take extra precautions such as redacting information.

Sophie Brookes: Yeah. I mean, that's a really good point, isn't it? The redacting the information, because as you say, once you've handed that information over, if the buyer for whatever reason breaches the obligations, then as you say, you can't put the information back in the box. If it gets out into the public domain, then that's it. Coming back to my Coca-Cola analogy, if the buyer discloses the recipe for Coca-Cola, well, that's out, and everybody knows it and you can't make it secret. And it loses a lot of the value to you, and you're just left with a damages claim, which as you say, might not be enough. You mentioned, redacting information there is something that you can do. So that's kind of blanking out the key sensitive or personal information in there. Is there anything else that the seller can do? Thinking of these, as you say, an NDA should form part part of a package of measures to protect the seller's information, what else could they be thinking about?

Zum Mohammed: Yeah, so I think it's about thinking about your process as a whole, so maybe withholding highly sensitive information until later in the sale process or even waiting until after completion. I know more recently we've had, in bigger entities, where they've redacted employee information and only provided unredacted employee lists actually on the date of completion or after completion. And that's just to protect the information of their employees. Things like disclosing via electronic data rooms, so they can control and monitor and access. There is an increasing amount of AI being used in sale processes. And there are really great data rooms that can actually encrypt the information that's being provided so it can't be downloaded and printed very easily. Specifying a single point of contact who can control and monitor the information flows, so maybe your corporate finance advisor or your financial director, keeping adequate records of what has been disclosed so it's easy to track where the information is going, to who and to when and whether information was disclosed orally.

Also one really great thing is marking all information as confidential. And just going back to the data room, use of the data room. That data room's technology is really great that a lot of the times you can actually make sure that each piece of information that is being downloaded has encryption on it and has watermarks on it that says confidential and the name of the person who's downloading it. And also finally, probably seed some traceable information within the confidential information to help kind of evidence a future breach. So almost planting something in the confidential information, which you know if was leaked would be easily identified as something that you actually put into the information.

Sophie Brookes: I love that. Yeah. I had a client who a long time ago put their granny's details in their customer list so that when they were disclosing information, if then subsequently one of their granny's started receiving mail shots or information or being pestered by people to whom the information had been disclosed, then they knew that it was because the information was being misused, because they're granny hadn't signed up to receive it. So obviously, it's a really sneaky, but very clever idea, actually. That's really great, Zum. Thanks ever so much for that. A really useful summary of the practicalities and pitfalls of NDAs. Why lawyers are always saying yes, you should have one, but why also they aren't necessarily the be all and end all. And as you say, we need to think about them as part of a package of wider measures.

Thank you for listening to Talking Business. To find out more about the series, please visit gateleyplc.com/podcast/talkingbusiness. From there, you can subscribe for all updates, meet our speakers, and get more information on all of the topics being discussed.