What is reasonable in a tech industry nondisclosure?

Tech firms often ask employees and business partners to sign nondisclosure agreements—even when doing so is overkill. Learn what to look for in NDAs to ensure they work for everybody.

The deal is all but done: The project is defined, financial terms are set, and the people who’ll be doing the actual work seem to get along reasonably well. Then, the lawyers show up and someone produces a nondisclosure agreement (NDA).

"No big deal," the lawyers say. "We just need this NDA to make sure our secrets stay secret. This protects both sides, after all. Strictly routine. Sign it, and let’s get to work."

Not so fast. This isn’t an iTunes terms and conditions screen. This is serious legal stuff you need to pay attention to.

“NDAs are very effective legal tools,” says Fred Wilf, a managing partner of Philadelphia-area law firm Wilftek LLC who has been practicing technology law for three decades. “Courts take them seriously. People sometimes say, ‘The courts never enforce these, do they?’ The answer is, ‘Well, yeah, they do.’”

The NDA basics, Wilf says, are pretty straightforward. NDAs are one of the easier forms for someone to learn about and to use, manipulate, and modify for their purposes. “It makes sense for a tech person to spend the time to learn this stuff, because it affects them, whether they're trying to protect their own confidential information or whether it's presented to them because somebody wants to protect whatever confidential information they have.”

Here are some things you need to think about and check for before you sign or click "Agree."

Agree on what the secrets are

“You start with the definition of confidential information,” says Richard Santalesa, a Connecticut lawyer practicing as SmartEdge Law Group. “You make sure that [the agreement] encompasses what you intend or what you think may peripherally be exchanged.”

“It sounds obvious, but everyone needs to agree what secrets you’re keeping confidential,” Santalesa says.

And that raises the key question: How do you know what you need to keep close to the vest? Is it documents? Which documents? Conversations in meetings? Travel calendars?

As with many legal agreements, the answer is: It depends.

“It could be any information, including business information and technology information such as know-how, source code, suppliers, business partners, and relationships they have,” Wilf says. “It could be very, very expansive, or you can narrow it to much more specific information.”

“A lot of agreements will say that something’s only protected if you mark it 'confidential' or 'proprietary,' which means you have to assume that anything that's not marked is not protected,” Wilf continues. “Or you can flip that and say nothing needs to be marked and that you’re going to assume that everything shared is confidential until proven otherwise.”

But, because this is the law, not everyone agrees that confidential information can or even should be labeled. “Since most tech NDAs involve more online information than documents, confidential information should not be limited to documents or info where the words 'confidential' and 'proprietary' are included,” says Steven H. Shapiro, a former tech company general counsel and now a technology contract lawyer at Chicago-area law firm Culhane Meadows.

Agree on what you can disclose and to whom, and why

Great, you all agree on what constitutes a “secret.” But a secret to whom? Companies don’t work in a vacuum.

Can you disclose the secret to a contractor? How about someone in another corporate division? Can you even store the secret on a computer? What if that computer is connected to a network or a cloud? The NDA has to define the answers to such issues.

“The first question's going to be, ‘Who are the parties?’” Wilf says. “If it's a small company/big company issue, you're binding a bunch of people.” If you’re a small company, he posits, “are you bound to the big company and all of its affiliates or just a piece of that company? It's like knowing who you're getting into bed with. Who do you have all these obligations to, is what it comes down to.”

According to the attorneys, the laws surrounding NDAs are closely tied to trade secret law, which Wilf describes as “fragmented” among federal, state, and common law. But generally, Wilf says, the standard is that the holder of confidential information will take “no less than reasonable steps to keep it a secret.” “That might mean you keep a hard copy in a locked drawer. You keep online information behind a wall of some sort or behind a password of some sort. You don't just publish it. You don't just leave a hard copy out on a desk. Those are probably reasonable steps.”

Another wrinkle is that the secrets may not actually be all that secret. “There should be standard exclusions” to NDAs, says Shapiro. “In general, there are three: information that is already in public domain, information that the recipient already has or independently developed, and information that is disclosed during the terms of the NDA” but not by any action or inaction on the part of the recipient.

Agree on how long the secrets need to be kept

The length of an NDA is a matter for negotiation. “I don't like perpetual obligations because there's really no way to enforce those going 10, 20 years down the road,” says Santalesa. “I like NDAs to include a specific time frame where they end post-disclosure. I think that works better for both parties because the valuable information degrades over time. There's a half-life to what something is worth, and that should be reflected in the agreement.”

Shapiro suggests that a two-year term is fairly common, but he sees ranges between six months and five years.

Trade secrets, though, are forever—or as long as the disclosing party says.

“Trade secret law says it stays confidential only as long as you keep it confidential,” Wilf says. “How useful is that if we're talking about source code five years later? The answer might be that it’s still a trade secret. Heaven help us, but after all, we still see COBOL that's probably still running out there on some insurance company computers.” It may be an overreach for a company’s lawyers to want to protect a haunted mainframe, he says, but they have a right to do that.

Other red flags

Many NDA items apply to all sorts of businesses. However, one tech-specific thing to watch for is the matter of reverse engineering.

Trade secret law, Wilf says, sees reverse engineering as a perfectly legitimate way to learn a trade secret. But NDAs frequently prohibit the practice. “Even though that normally would be legal and perfectly fine, it's now by contract something that you can't do,” Wilf says. “It's a breach of contract if you [engage in reverse engineering], and the other party can sue you. The court's likely to enforce that, and there have been cases on that.”

Another red flag waves when someone under nondisclosure leaves the company. That can become complicated, because the employee may also be covered by a non-compete clause (which is a different matter, beyond the scope of this article). “The employee, of course, can't wipe their brain; that doesn't work,” Wilf says. Instead, he says, “they have to understand that anything they wrote for the former employer doesn't belong to them, which is not intuitive. They have to remember not to use techniques they developed specifically for that former employer. Of course, they can still use techniques that are documented. How many different ways can you do a Monte Carlo sort?”

Can NDAs be negotiated?

“Most attorneys who work on NDAs have done hundreds of them as a matter of course,” says Santalesa. “We all have a sense of what needs to be in there, what can I give up, what will I definitely strike out, and what do I need to talk to the business folks about. Everything is negotiable.”

“Sometimes you just have to give in,” says Shapiro. “A small company seeks a meeting or project with a big company; that’s the way of the world. Sometimes you get handed their form and it’s take it or leave it. I try to go the practical route as a first step and follow quickly with a ‘C’mon, no one asks for that.’”

There also may be abstruse boilerplate language that needs to be present for compliance or regulatory reasons, Santalesa says. “But for NDAs, it's really a kabuki dance at a certain point. Ultimately, they get done. I've never seen a deal fail because of an NDA form.”

Nondisclosure agreements: Lessons for leaders