NDAs and Confidentiality Agreements
An NDA (non-disclosure agreement, also called a confidentiality agreement or CDA) is a contract restricting disclosure of confidential information. It's also the most over-requested document in commercial practice: asked for when it doesn't help, drafted as a template when the deal needs custom terms, and treated as a guarantee against disclosure when it's really just a basis for damages after disclosure happens.
What an NDA actually does
An NDA does three things: defines what information is confidential, restricts the recipient from disclosing or using it beyond the agreed purpose, and provides a basis for damages and injunctive relief if the recipient breaches. It does not prevent disclosure. It changes the legal consequences of disclosure.
An NDA also serves a quieter function: it creates a written record that the discloser shared specific information in confidence. This matters for trade-secret protection under the Defend Trade Secrets Act (DTSA) and state Uniform Trade Secrets Act (UTSA) equivalents, where "reasonable steps to maintain secrecy" is a required element — NDAs are usually the most-cited reasonable step.
One-way vs mutual vs multi-party
One-way (unilateral) NDAs bind only one party. Used when only one side will be disclosing — for example, when a company shares confidential information with a potential investor who isn't sharing anything back.
Mutual (bilateral) NDAs bind both parties. Default for most business discussions where both sides will share something. Mutual NDAs tend to negotiate faster because each party is both discloser and recipient, so neither side has an incentive to push for one-sided terms.
Multi-party NDAs cover three or more parties — used in joint ventures, M&A transactions with multiple bidders' advisors, or syndicated deals. These need clearer rules about disclosure among the named parties versus to outsiders.
When NDAs are useful
- Genuine confidential information being shared. Customer lists, source code, financial projections, unannounced products, M&A targets, technical specifications, pricing not publicly available.
- Required for trade secret protection. To enforce a trade secret claim, the holder must show reasonable steps to maintain secrecy. NDAs with employees, contractors, and vendors form a key piece of that evidence.
- Negotiating with potential acquirers or investors. Standard precondition to detailed diligence.
- Engaging advisors with access to sensitive data. Lawyers and accountants have ethical confidentiality obligations independent of NDAs; consultants and other advisors don't, so the NDA fills the gap.
- Employee and contractor agreements. Confidentiality is a standard provision in employment and contractor agreements; a separate NDA may be appropriate for project-specific access.
When NDAs don't help
- Pitching ideas to potential customers or partners. Most established companies will refuse to sign an NDA before hearing a pitch — they don't know yet whether your "confidential" idea is something they're already working on. Insisting on an NDA at the pitch stage often kills the meeting.
- Sharing already-public information. Marking a public document "confidential" doesn't make it confidential; the exceptions clause excludes information that's already public.
- Protecting ideas vs implementations. An NDA can protect specific information, not the abstract idea after the recipient has heard it. If your moat is the idea itself rather than execution, an NDA won't save you.
- Replacing IP protection. NDAs are not a substitute for trademarks, patents, or copyright registration. They restrict disclosure; they don't create exclusive rights.
- After disclosure. Signing an NDA after sharing the information doesn't retroactively make the prior disclosure confidential. Sign first; share second.
Standard NDA structure
- Recitals. Names of parties, effective date, purpose of disclosure ("evaluating a potential business relationship").
- Definition of Confidential Information. What's covered (technical, financial, customer, employee information, marked or labeled, or disclosed orally and confirmed in writing within X days).
- Exceptions. What's not covered (already known, independently developed, received from a third party without restriction, required to be disclosed by law).
- Obligations. Restrictions on use (only for the defined purpose), restrictions on disclosure (only to recipients with need-to-know who are bound by similar confidentiality), standard of care (typically "the same care as recipient's own confidential information of similar importance, but no less than reasonable care").
- Term. How long the agreement lasts and how long the confidentiality obligation survives.
- Return or destruction. What happens to confidential information on request or termination.
- Remedies. Acknowledgment that damages are inadequate and equitable relief (injunction) is available; sometimes liquidated damages.
- Boilerplate. Governing law, no license, no obligation to do business, no warranty, severability, entire agreement, assignment.
Defining confidential information
Two approaches.
Broad scope: "All information disclosed by the disclosing party, in any form, related to its business, products, finances, customers, or operations". Favored by the discloser because it covers everything.
Marked or designated scope: "Only information labeled 'Confidential' at time of disclosure, or oral information identified as confidential at the time and confirmed in writing within 10 days". Favored by the recipient because it's manageable.
Most negotiated NDAs land closer to the broad scope but with exceptions that make the recipient's position workable. The marking requirement protects the recipient against later disputes about what was actually shared but creates administrative burden — in practice, parties often don't mark every document they share, then dispute later whether marking was required.
Term length
Two clocks: the term of the agreement (how long new disclosures are covered) and the survival period for confidentiality (how long obligations last on information already disclosed).
Standard ranges:
- 2–3 years for general business NDAs, M&A discussions, and routine vendor confidentiality.
- 5 years for more sensitive information (financial details, customer lists, product roadmaps).
- Perpetual for trade secrets, source code, or information that retains value indefinitely. Many recipients resist perpetual obligations and counter with a long fixed term (10 years) or perpetual only for explicitly designated trade secrets. The discloser should weigh the fixed-term option carefully: once the confidentiality obligation on a trade secret expires, the recipient can argue the discloser stopped taking reasonable measures to keep it secret, which undermines trade-secret status. The usual compromise is a fixed term for ordinary confidential information and an obligation that survives for as long as the information remains a trade secret.
Long confidentiality terms create administrative burden: the recipient must track confidential information for the full term, segregate it, restrict access, and handle it on return/destruction. Five years of obligation on every diligence document the recipient ever received is operationally heavy.
Standard exceptions
Five exceptions appear in essentially every NDA:
- Already known. Information the recipient already possessed before disclosure, demonstrable from written records.
- Publicly available. Information that's in the public domain at the time of disclosure or that becomes public through no breach by the recipient.
- Independently developed. Information the recipient develops independently without reference to the disclosed information.
- Received from a third party. Information received from a third party that wasn't itself subject to a confidentiality obligation.
- Required by law. Disclosure required by court order or regulatory authority — usually with a notice-to-the-discloser requirement so the discloser can seek a protective order.
The "required by law" exception interacts with subpoenas, SEC reporting, FOIA requests if a government agency is the recipient, and discovery in litigation. The standard formulation is that the recipient must give the discloser prompt notice and cooperate with reasonable efforts to seek confidential treatment.
The residuals clause
A residuals clause permits the recipient's employees to use general knowledge, skills, and experience retained in unaided memory after exposure to confidential information — even if that knowledge came from the disclosure. The clause exists because employees can't unlearn what they've seen, and a strict reading of "no use" would prevent the recipient's employees from ever working on similar projects.
Recipients want residuals clauses. Disclosers (especially with highly technical information) resist them because they can swallow the confidentiality obligation. Compromise positions: residuals limited to memory of individuals not deliberately attempting to recall; residuals not applied to source code, technical specifications, or trade secrets; residuals available only after employment by the recipient has ended; residuals subject to non-use for a specified period.
Remedies and enforcement
NDAs typically provide three remedies: monetary damages, injunctive relief, and (in some forms) liquidated damages.
Monetary damages require the discloser to prove the disclosure caused identifiable financial harm — often difficult. Lost customers, lost contracts, or competitive disadvantage can be hard to quantify and even harder to attribute to a specific disclosure.
Injunctive relief is often the meaningful remedy. The NDA typically includes a stipulation that breach causes "irreparable harm" and that equitable relief is appropriate, which helps the discloser obtain a temporary restraining order or preliminary injunction quickly. Courts vary in how much weight they give the contractual stipulation.
Liquidated damages — a stipulated dollar amount per breach — are sometimes included for NDAs covering particularly sensitive information. Liquidated damages must be a reasonable estimate of difficult-to-calculate actual harm; amounts treated as penalties are unenforceable. Liquidated damages are uncommon in routine NDAs.
Attorneys' fees provisions (loser pays) are sometimes included. Without one, each side bears its own legal costs even in clear-breach cases.
DTSA and trade secret protection
The federal Defend Trade Secrets Act of 2016 (DTSA) created a federal cause of action for trade secret misappropriation, complementing existing state UTSA claims. To qualify as a trade secret, the information must be valuable because not generally known and the holder must take reasonable measures to maintain secrecy. NDAs are usually presented as a primary "reasonable measure" in trade secret litigation.
The DTSA includes a whistleblower immunity provision (18 U.S.C. §1833(b)): individuals cannot be held liable under federal or state trade secret law for confidential disclosures to government officials or attorneys for the purpose of reporting or investigating a suspected legal violation, or for disclosures made under seal in a lawsuit. Employers must include notice of this immunity (or a cross-reference to a policy document that contains it) in any contract or agreement with an employee that governs use of trade secret or other confidential information — or lose the ability to recover exemplary damages and attorneys' fees in any subsequent DTSA action against that employee. The statute's definition of "employee" includes contractors and consultants, and the notice requirement applies to agreements entered into or updated after the DTSA's enactment in May 2016. Standard practice is to include the DTSA notice in employment and contractor agreements that contain confidentiality provisions.
Common redlines
If you're the recipient (or your customer is asking you to sign their NDA), these are typical redline targets:
- Narrow the definition of confidential information. Require marking, or limit to specific categories.
- Cap the term. 3 years is reasonable for most B2B NDAs; perpetual is overreach absent specific trade secrets.
- Mutual obligations. Convert one-way to mutual.
- Add residuals clause. Particularly important if the recipient does similar work for others.
- Carve out independent development. Required to allow ordinary parallel work.
- Limit return/destruction obligation. Allow recipient to retain copies required by law, backup tapes, or board materials, subject to continuing confidentiality.
- Narrow the purpose. "For the purpose of evaluating X" rather than "for any business purpose".
- Reject specific liquidated damages. Push back on fixed-dollar liquidated damages unless the discloser has a defensible basis.
- Governing law and venue. Your home jurisdiction, or neutral.
Common mistakes
- Signing an NDA without reading it. NDAs are often presented as routine but include non-compete-like restrictions, broad assignment language, or unfavorable jurisdiction clauses.
- Asking for an NDA at the wrong time. At a pitch meeting, asking for an NDA often signals overconfidence and ends the conversation.
- Sharing before signing. Information shared before the NDA is executed isn't protected by it.
- Treating an NDA as a non-compete. NDAs restrict disclosure of specific information; non-competes restrict competing activity. They're different documents with different enforceability.
- Failing to mark documents as confidential. When marking is required by the NDA but inconsistently done, recipients dispute coverage later.
- Forgetting return/destruction obligations. Both ways: discloser doesn't request return on schedule, recipient doesn't comply when requested.
- Missing the DTSA whistleblower notice. Employers lose the ability to recover exemplary damages and attorneys' fees in trade secret cases against employees and contractors because the required notice wasn't in the agreement.
FAQ
How much does an NDA cost? Free with a template; $200–$1,000 for an attorney-drafted custom NDA. Most companies have a standard form they reuse.
Can I enforce an NDA against someone I didn't sign one with? Generally no. NDA obligations bind only the parties. If a third party receives the information from the recipient and discloses it, the discloser's contract claim is against the recipient (for breach, including breach of the clause requiring the recipient to bind its own people); against the third party it may have a tort or statutory claim instead (tortious interference, trade secret misappropriation under DTSA/UTSA).
Is an NDA enforceable against a former employee? Yes, if the agreement was valid and the disclosed information meets the contractual definition. Practical enforcement is hardest when the former employee joins a competitor; the disclosure often happens informally and is hard to prove. Trade secret claims under DTSA/UTSA are often the better avenue.
Can an NDA prohibit reporting illegal conduct? No. The DTSA whistleblower immunity protects disclosures to government officials and attorneys investigating legal violations, and SEC Rule 21F-17 prohibits using a confidentiality agreement to impede anyone from communicating with the SEC about a possible securities law violation. Several states have enacted laws restricting NDAs in harassment and discrimination settlement agreements, and the federal Speak Out Act (2022) makes pre-dispute nondisclosure and nondisparagement clauses unenforceable with respect to sexual assault and sexual harassment disputes.
What's the difference between NDA, CDA, and confidentiality agreement? Nothing substantive. The three terms are used interchangeably.
Should every employee sign an NDA? Confidentiality obligations should be in every employment agreement or offer letter. A standalone NDA may be appropriate for employees with access to particularly sensitive information.