I’m currently working on Koncision’s terms of use. One point I’m making is that although the document-assembly engine will be protected by robust security measures, Koncision can’t guarantee absolute confidentiality of the information you provide when you complete a questionnaire. So if confidentiality is essential, you should use codes for party names, product names, or any other sensitive information.
Now that I’m thinking about this subject, I’d be interested to hear when and how you, dear reader, use codes for purposes of contract drafting. To get you in the mood, click here to go to a recent Reuters article on the subject. And of course, Blue Horseshoe loves Anacott Steel.
You’ve touched on one of my pet peeves about using internet-based services in a legal environment, illustrated by the following: The main website says “your data is protected by lasers, dogs, and the most powerful encryption known to man.” That sounds like an express warranty to me. But, then the Terms of Service say “The Service is provided without warranty of any kind, whether express or implied.” How can I use that service and still claim to be taking due care to maintain the confidentiality of my clients’ information?
So, here’s my suggestion: IN YOUR TERMS, say that you’ll take reasonable care to prevent unauthorized disclosure of my information, and list out several security methods that you’ll use to do it. I’m not looking for a promise that your security will never be breached; just a promise that you have security.
Chris: I promise a no-BS set of terms along the lines you suggest. Ken
Ken: I’m looking forward to seeing what you do with your TOS, and I’m glad they’ll be BS-free. I agree with Chris that we should move the ball forward here. Although there are limits to what software and web-based service providers can do as far as providing warranties, indemnities, meaningful service level agreement remedies, and the like, the typical TOS and EULA documents don’t reflect a rational allocation of business and legal risks.
Ken: I’ve only seen code names in M&A and stock offering deals, not in commercial transactions. Assuming my experience is typical, assigning project names–along with designing deal toys–is handled by investment bankers rather than lawyers. Maybe it’s because they tend to be more creative….
I like the idea of encouraging people to use codes for party names and other sensitive information for security purposes. It’s a simple and elegant way to reduce risk.
For purposes of commenting on contract drafting, this is one of the various codenames I’ve used.
Last year NYSBA released an Ethics Opinion on the use of online service providers to store client information: http://www.nysba.org/AM/Template.cfm?Section=Ethics_Opinions&CONTENTID=42697&TEMPLATE=/CM/ContentDisplay.cfm
Among other things, the opinion advises attorneys to make sure that the online service provider has an “enforceable obligation to preserve confidentiality and security.” Ken, its good to see that you’re sensitive to this issue.
Gus: I’m tickled to be addressing liability for disclosure of confidential information in the context of use of a confidentiality agreement document-assembly template that itself addresses such issues.
I expect that in the terms of use I’ll say, in effect, “Here’s are the security measures that have been taken. We won’t be liable if any information you disclose in using the system is misappropriated by a hacker or by one of our representatives acting illicitly.”
Ken
I won’t say that you can’t ignore the issue, but on the other hand if we look at the standards to which things like ethics boards hold electronics services, and compare them to normal course of business in the non-electronic world (what kind of NDA do you have with that bike messenger guy?)(have you ever actually read the terms of service you have with FedEx?), we would find that we’re asking for levels of perfection in one place that we don’t in the others. Maybe it’s time to clean up the whole world’s attitude towards data security — Or, maybe it’s time to realize that ‘reasonable’ is good enough in the rest of the world and that’s good enough here as well (or we’ll never get anything done).
This seems much more of an issue for public companies, where the consequences of deal information escaping are likely to be far greater, with criminal liability potentially involved. This is probably why codes are mainly seen in M&A and stock offerings, rather than general commercial transactions.
I don’t use codenames in my work, though in a recent deal we did use a person’s and a company’s initials in documents (prior to execution copies) to prevent a mislaid document disclosing to a stranger that the person was shortly to leave their current employer. Not quite the same protection, or as fun, but fine for our purposes.