I’m currently working on Koncision’s first product, a line of confidentiality agreements. I’m being assisted by Koncision’s confidentiality agreement editorial board (go here [link no longer available] for their bios), but I expect to air issues on this blog routinely. And here’s one to get the ball rolling:
If Acme discloses confidential information to Widgetco and subsequently a rogue Widgetco employee discloses some of that information, Acme would likely want a remedy. How should Acme address that concern in its confidentiality agreement with Widgetco?
Here are some alternatives:
- Widgetco shall cause its Representatives not to disclose any Confidential Information other than as permitted in this agreement.
- Widgetco will be responsible for [or liable for ] any disclosure of Confidential Information by its Representatives other than as permitted in this agreement.
- Any disclosure by any of Widgetco’s Representatives other than as permitted in this agreement will be deemed to be disclosure by Widgetco.
- Widgetco shall indemnify Acme against any Losses arising out of any disclosure by any of Widgetco’s Representatives other than as permitted in this agreement.
Option 1 represents the most common approach, but I have a problem with it. Strictly speaking—and when it comes to contract language, that’s the only way to speak—saying X shall cause Y to … works only if Y is an instrumentality of X. For example, if Y is a subsidiary of X.
In the context at issue, Widgetco can’t cause a rogue employee not to disclose confidential information. Widgetco can instruct the employee not to disclose. Heck, Widgetco can even make it a condition to continued employment that the employee enter into a confidentiality agreement obligating the employee not to disclose. But that falls short of actually causing the employee not to disclose.
As for option 2—saying that Widgetco will be responsible for any disclosure—that leaves me wondering what the implications are. Widgetco will be responsible? What exactly does that mean? [Update, Dec. 4: See Mark Anderson’s comment and my reply.]
The same goes for option 3. And it seems to go overboard in establishing a legal fiction where one isn’t required.
That leaves option 4. I think it captures what’s going on. Widgetco can’t control the actions of employees so as to preclude them from disclosing. Instead, Widgetco will compensate Acme for any damages that Acme incurs due to unauthorized disclosure.
I can see some objections. One is that using shall cause is standard in this context. But the popularity of a given appreach has no bearing on its merit.
I have greater sympathy for other possible objections. That the issue of unauthorized disclosure is so fundamental that you don’t want to bury it lower down in the contract, in the indemnification provisions. That businesspeople don’t pay attention to indemnification provisions.
So that’s my initial take on this issue. What do you think?
Ken,
I think your objection to path 1 is based on he fact that you think X would be foolish to make the agreement if it didn’t control Y. But the language still works. I can covenant to cause any 3rd party to do or not do something. I may not be able to make it happen, but if I don’t, I’ve breached my covenant and you are entitled to damages. This seems perfect for the situation where you want Widgetco to be responsible for any disclosure by its representatives whether it can control them or not.
MAW
MAW: I’m leery of imposing on a party an obligation that it won’t be able to perform. For example, I could impose on Acme a duty to cause a government agency to issue a permit. Obviously, Acme wouldn’t be in a position to comply with that obligation; whether the agency issues a permit would be determined by other factors.
Imposing that obligation regardless could conceivably result in a court’s recharacterizing the obligation as something that makes more sense–a condition, perhaps. (Can anyone point me to any such caselaw?) But my broader issue is that by imposing an impossible obligation, you’re essentially engaging in a risk allocation that could be articulated more clearly.
The imposing-the-impossible factor is less evident in the case of option 1, but it’s still there.
Ken
I know we’ve discussed this in other contexts (e.g., the concept of representations made by a seller in a typical M&A contract), but I have to defend MAW’s position here as the correct one. Representations should not always be measured by whether or not they are necessarily possible — Using them instead as a benchmark of when one or the other takes responsibility is a valid tool, even if literal compliance with the statement as written is not possible. Here, it’s simply used to assign the risk of the rogue employee’s actions to one party versus the other, and that seems quite clear cut to me.
I also don’t like another aspect of some of your other examples — At least taken by themselves, the statements beg the question of what obligations are imposed on the Representatives, and through what mechanism those obligations are imparted on the Representatives. Making one of us responsible for harms caused “by its Representatives other than as permitted in this agreement” leaves open what ..the Representatives.. are permitted to do under this agreement (since, as you’ve pointed out, the Representatives themselves are not subject to the agreement).
(Again, that’s why I like Example 1, since by implication it suggests to Acme that it should take all reasonable steps to figure out, on its own, how to control the Representatives and their actions. I think, if Example 2 were the rule, that I might argue in WidgetCo’s place that since nothing in the agreement imposed a duty on the Representatives, that therefore the Representatives were by implication permitted to do anything they wished, and therefore it’s impossible to fault WidgetCo for anything that might happen, at least as a matter of that one sentence.)
Michael: I’m not convinced. By your logic, instead of stating that an insurance company will pay benefits if your home burns down, it would be appropriate for an insurance policy to contain the following: “InsuranceCo shall prevent the Insured’s home from being damaged by fire.” If you want to allocate risk, it’s clearer to do so directly, rather than by making an obligation something that’s out of the control of the party in question. Ken
Ken
Another common formulation is: “Widgetco shall procure that its Representatives do not disclose any Confidential Information other than as permitted in this agreement”. This formulation is similar to “shall cause” but imports less of an instrumentality implication. In an Australian context, it would be common to object to the inclusion of any indemnification language in an NDA on the basis that the common law adequately governs the applicable damages principles. I would prefer the first option, either in its “shall cause” or “shall procure” forms.
AAG: I’d be delighted to have you (or anyone else) supply me with an analysis of “shall procure.” To my ear, the distinction between “shall procure” and “shall cause” is far from obvious. Although this is the first time I’ve encountered it, I’m inclined not to touch it with a ten-foot pole! But I’ll keep an open mind.
I agree that there’s no need for indemnification if an action for breach of contract would be available. But the indemnification language in option 4 would be appropriate because there’s no Widgetco breach on which you could base a claim for damages.
Ken
@MAW – True, but if I’m representing Acme I’d rather have the broader relief provided by an indemnity, as opposed to the more limited damages available under a breach of contract claim. (However, since I generally represent Widgetco, no way am I agreeing to that degree of exposure!)
OTC: I don’t see that a breach-of-contract claim necessarily limits the damages. What the damages are is a function of the circumstances, whether you’re dealing with a contract claim or a claim for indemnification. They’re two routes to the same end. But I’m no litigator, so I invite you all to show me that I’m wrong. Ken
Rarely, if ever do I see a “compensation” clause in an NDA other than to state “a violation may cause irreparable injury”, and allow “legal remedies” (boy that’s specific) and injunctive relief. So if “indemnify” indicates compensation therefore should there not be a $ amount, and/or a cap? Generally, I see a more generic “each party agrees to take reasonable measures–to protect …as they would their own most confidential”…Then, of course you have the issue of what is “reasonable” and how do you really enforce it all anyway – IMHO NDAs are only a finger in the levee – sooner or later it will leak.
CS: Indemnification just says that there’s a monetary remedy–it doesn’t say the amount, although you can elect to build in limits. Note that if you impose on the recipient an obligation to use reasonable efforts to keep information confidential and it complies with that obligation, without more the disclosing party doesn’t have a remedy for disclosure by a recipient representative. Ken
I have had disputes with opposing counsel on requesting an indemnification provision for unauthorized release of confidential information and have had to rely on the law in order to deal with it. Under local law (Israeli) an employer would be responsible for the behaviour of his employee anyway under most situations, and would be responsible to take “reasonable steps” to protect confidential information or be deemed negligent. The recent wikileaks fiasco appears to be a gargantuan case of negligence.
Ideally of course I would prefer option, but in the real world if I manage to get option 1 I consider it satisfactory, as it means knowingly taking on the responsibility and taking reasonable steps to ensure.
Of course, if I was signing… I would argue to delete in its entirety…using the rationale that it is taken care of by law or alternatively, would undertake only to get my employees to sign NDA’s similar to this.
Beverly: As I noted in a reply to an earlier comment, obligating the disclosing party to use reasonable efforts to protect information provides less protection than does indemnification for all unauthorized disclosure. But I agree that whether you can get indemnification depends on your negotiations. Ken
my routinely approach is to have option 1 (i.e., stating the obligation of the recipient) and 4 (stating the consequence of the breach). Do I miss something?
R: They cover the same territory. Ken
I agree with your dislike of “shall cause” (and similarly “procure…”, or “ensure…”). It does get you there (as per MAW’s comment) and I wouldn’t object heavily if presented with it by another party, but (i) it’s roundabout and therefore more likely to cause arguments and (ii) as Robertor982 notes, it does not specify what the remedy would be (damages? injunction?).
The indemnity version would potentially affect the available remedy (by having damages assessed on an indemnity basis). This does not make it wrong, but is this how disclosures by Widgetco itself are treated? If not, why should they be different? Is an indemnity actually the remedy to focus on, rather than an injunction? (Though admittedly I don’t recall ever seeing a version that enabled the disclosing party to have an injunction served on a third party disclosee – is it realistic to require Widgetco to do this at Acme’s option?)
I agree that option 2 is too vague.
I actually like option 3 the best because it does answer the question of what the consequence of a disclosure by a Widgetco Representative would be – the same as one by Widgetco. This is especially true if the consequences of a disclosure by Widgetco are set out in the agreement. I have no problem with establishing legal fictions in this way – it seems clearer than repeating the provisions applicable to disclosures by Widgetco itself, or having different remedies applicable. However, option 3 does not get Acme any further in terms of an injunction.
One related point – I think an elephant trap in these clauses is simply asking for Widgetco to ensure that each Widgetco Representative has entered into an equivalent confi with Widgetco. Either Widgetco needs to promise to enforce that agreement, or the confi should be with Acme (which would also fix the injunction issue).
W: I agree that the notion of the disclosing party getting an injunction against a recipient representative is problematic. (Although I’ll have to research this.) A more likely alternative would be requiring the recipient to get an injunction, based on breach of the recipient’s confidentiality agreement with the representative, assuming there is such an agreement. So the lack in options 2, 3, and 4 of any reference to injunctive relief shouldn’t be considered a shortcoming.
One shortcoming to option 3 is that it doesn’t make it clear that the only remedy against the receipient is necessarily damages.
Regarding having each recipient representative enter into a confidentiality agreement with the disclosing party, I’ll be providing that as an option in Koncision’s confidentiality-agreement templates, but my inquiries suggest that it’s rare that anyone agrees to such an arrangement.
Ken
I agree with your dislike of “shall cause” (and similarly “procure…”, or “ensure…”). It does get you there (as per MAW’s comment) and I wouldn’t object heavily if presented with it by another party, but (i) it’s roundabout and therefore more likely to cause arguments and (ii) as Robertor982 notes, it does not specify what the remedy would be (damages? injunction?).
The indemnity version would potentially affect the available remedy (by having damages assessed on an indemnity basis). This does not make it wrong, but is this how disclosures by Widgetco itself are treated? If not, why should they be different? Is an indemnity actually the remedy to focus on, rather than an injunction? (Though admittedly I don’t recall ever seeing a version that enabled the disclosing party to have an injunction served on a third party disclosee – is it realistic to require Widgetco to do this at Acme’s option?)
I agree that option 2 is too vague.
I actually like option 3 the best because it does answer the question of what the consequence of a disclosure by a Widgetco Representative would be – the same as one by Widgetco. This is especially true if the consequences of a disclosure by Widgetco are set out in the agreement. I have no problem with establishing legal fictions in this way – it seems clearer than repeating the provisions applicable to disclosures by Widgetco itself, or having different remedies applicable. However, option 3 does not get Acme any further in terms of an injunction.
One related point – I think an elephant trap in these clauses is simply asking for Widgetco to ensure that each Widgetco Representative has entered into an equivalent confi with Widgetco. Either Widgetco needs to promise to enforce that agreement, or the confi should be with Acme (which would also fix the injunction issue).
I am not sure that “shall cause” is standard.
A possible approach is “The Receiving Party shall [be responsible for taking reasonable action to] ensure that its directors, employees, and professional advisers comply with the provisions of this Agreement [and shall be liable to the Disclosing Party for any breach of this Agreement by its directors, employees, and professional advisers].”
Be responsible for is not the same as be liable for. The former could mean that the Receiving Party rather than the Disclosing Party is the only one entitled to bring proceedings against, for example an employee of the Receiving Party. In some ways, this helps to ensures that the employee is not exposed to direct action by the Disclosing Party.
If I have to choose one of your 4 alternatives, I would go for alternative 4. But I would prefer to avoid language of indemnification, as I think it adds a layer of complexity – I would just say liable for.
Mark: Regarding your suggested language, the representatives aren’t party to the contract so I don’t think they can be said to have breached it.
I agree that “liable for” is clearer than “responsible for,” for I’ve added it to option 2. But I might be inclined to say “liable to Acme for.”
But when you come down to it, the difference between those two alternatives is pretty negligible. I think that indemnification is the narrower, and more apt, concept than liability, which applies in all sorts of contexts. How does indemnification add complexity?
Ken
What happened to vicarious liability vis a vis employee actions? The only way a recipient corporation can disclose confidential data is through an employee? I do know that in mainland China to have a successful claim under the CA / NDA, one must have a CA with each and every employee. Is that where this is headed? Stan
Stan: Relying on vicarious liability may be too narrow, in that it requires a tortious act by the employee. I can imagine a circumstance in which an employee discloses confidential information without being aware that it’s covered by a confidentiality agreement. Ken