Managing Confidential Information Disclosures

August 1, 2008

A question came up recently on an ACC (Association of Corporate Counsel) listserv about best practices in managing information received under a confidentiality obligation.

“We are trying to develop a ‘best practices’ process for NDAs i.e., how to keep track of info that is received and to who it is disclosed; how to preserve it/destroy it when the nda ends etc. Anything you have prepared in this regard would be appreciated. Thanks”

Several people on the listserv responded that they’d be interested in this information, but no one responded that they had developed such a process, so I thought people might benefit from this. Here’s my response, supplemented with additional information about the solution provided by my company, Pontus Global, Inc., that I didn’t feel I should provide on the listserv:

It’s interesting that no one responded to your posting with a solution, but that several people were interested in the information. In my experience this is something that few companies do well, and that many companies feel uneasy about. The responses seem to support my observations. Also, here’s what Eric Goldman had to say about it:

“Companies need to manage information they receive under an NDA. Specifically, employees must segregate restricted information from that which is unrestricted. Also, they need to know the applicable NDA restrictions, and manage their use and disclosure of information in accordance with those restrictions. Realistically, most people can’t do this.

Worse, few Internet companies have any information intake or management systems. Without such systems, it is very easy for a company to inadvertently breach its NDAs.”

Here are some thoughts on how companies should be doing it. (I need to disclose that the company I recently joined as GC provides platforms that helps companies manage these kinds of processes, so I’m trying to keep this information as generic as possible.)

1. The idea of establishing a “best practice” process is good, but it needs to be more than just a document, because policy documents tend to be ignored or forgotten. Rather, the process should be supported by systems that guide people through the process and help them to comply.

2. As soon as you allow employees to exchange confidential information by email you’ve lost control of the information (whether it’s information you disclose or information you receive). Unless all parties involved have and are diligent about using a very good document or content management system it’s too easy for emails to be misplaced or forwarded to the wrong people. As a result, you can never be sure that your company actually complied with a return or destroy requirement.

3. Instead, you should establish a secure central repository for information exchange where all employees involved in a project can upload information and make it available to the other party, and where the other side can upload information and your employees with a need for the information can access it. Access to the information should be controlled and auditable. The system would also inform all involved of their obligations with respect to the information, provide access to relevant sections of the NDA, and require people to agree to comply before they can access the information.

4. Once a project or relationship ends, the system should allow for the destruction or retention (with very limited access) of the information stored in the system. It should also make it easy to inform those who have downloaded information that they are required to return destroy it and require them to certify that they have done so.

5. Because everyone seems to like to use email so much, whatever alternative you provide (mandate) must be extremely easy to use. In fact, it should provide benefits that email can’t provide in order to make sure people actually use it and don’t revert to their old habit of using email.

I don’t know if there are other companies that provide something similar, but my company does provide a system to deal with this kind of information disclosure. We believe a system like this allows companies to easily adopt “best practices” for dealing with receipt of confidential information and is a huge leap beyond exchanging information through email, with all the associated risks and tracking problems that entails.

There are certainly other options. For example, your IT people could probably create this kind of a system using something like SharePoint. However, many companies that try to do this internally find it difficult to design and maintain the system, assuming you can even get your IT department to help. Also, it’s often easier to convince another party to use a system provided by a third party.

I didn’t think it would be appropriate to post specific information about my company’s solution on the listerv, but Pontus does provide a hosted contracts system that can manage not only contracts and contracts processes (including NDAs), but also the associated information disclosed under the NDA.

We provide a place where both companies (or more if more than two companies are involved) can upload the information they intend to disclose and limit access to selected users. We can control whether people can download the information or just view it. The system tracks who accesses the information and who downloaded information. Users can also easily link to the actual NDA to determine what their obligations are under the NDA. If information needs to be archived or destroyed we can remove it from the system or make it inaccessible, and we can provide a log of who has downloaded information so it can be tracked down and destroyed.

If anyone would like additional information or would be interested in seeing a demo of the Pontus system, please contact me or