Contracts and Information Security Part 2: NDAs

Wednesday, June 13, 2012

Bill Gerneglia

Article by Daniel Garrie

(part one here)

Confidentiality or non-disclosure agreements (“NDAs”) govern how and when non-public information may be shared between the parties, and how and when, if at all, that information may be disclosed to third parties.

An appropriately drafted NDA focuses on information that is valuable or legally protected and that is not already publicly available.

Typically the information has commercial value (non-obvious technical information, confidential commercial information, or information that would qualify as a trade secret). Alternatively, an NDA may cover information in a party’s possession whose disclosure could expose that party to criminal or civil liability.

The information protected by an NDA may be the company’s own confidential data or confidential data belonging to third parties. Examples include non-public customer information such as credit card or bank account details, the disclosure of which could expose an organization to financial loss and legal penalties (see 16 CFR § 313.3(o)(2)).

Liability can also arise from unauthorized disclosure of protected personal information, privileged communications (such as lawyer-client or doctor-patient communications), national secrets, or the trade secrets of the company or of a business partner. Several industries, notably health care and financial services, are subject to specific statutory definitions of confidential or nonpublic data.

HIPAA uses the concept of Protected Health Information (“PHI”): health information about an individual that is created or received by a health care provider and that (in simplified terms) either identifies the individual or creates a reasonable basis to believe it can be used to identify the individual (see 45 CFR § 160.103).

Financial firms will recognize the term “nonpublic personal information,” which means personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution (see 15 U.S.C. § 6809(4)).

Beyond the definitions discussed above, other federal laws and regulations contain confidentiality and nondisclosure rules for different contexts. Federal contracts typically reference NIST guidance for information security requirements. The Freedom of Information Act exempts certain information from disclosure, including trade secrets and privileged or confidential commercial or financial information (see 5 U.S.C. § 552(b)(4)).

The Federal Acquisition Regulations also contain rules that give confidential treatment to certain contractor or offeror information. For example, 48 CFR § 9903.202-4 provides that if the offeror or contractor notifies the contracting officer that a Cost Accounting Standards Disclosure Statement contains trade secrets and commercial or financial information that is privileged and confidential, the Disclosure Statement shall be protected and shall not be released outside the Government.

This is the second part of a three-part series comprising an abridged version of the article "Thoughts on Contracts and Information Security," written by Daniel Garrie (Law & Forensics) and published in the Los Angeles Daily Journal.

Cross-posted from CIO Zone
