This week’s unsolicited advice on tech contracts …
IT contracts often include data in the definition of “Confidential Information.” In other words, they use the confidentiality clause to protect “Customer Data” – or whatever else they’re calling the data at issue. That’s not … the worst idea I’ve ever heard. But it leads to some questions.
A. Does including data in Confidential Information help?
No, not if the contract has a good data section or attachment – e.g., a data processing addendum (DPA). The DPA just about always says the vendor – or whoever’s on the receiving end – shall not disclose or share the data. It almost always says the vendor shall protect the data and shall only use it to support the customer. (In fact, the typical DPA has far more extensive security requirements than the typical confidentiality clause.) So treating data as Confidential Information adds nothing.
Actually, there is one thing. Liability for breach of confidentiality is usually unlimited, unlike DPA liability. That’s good for the controller, usually the customer. As for processors/vendors, see below.
Of course, in the absence of a DPA, or a good one, protecting Customer Data with confidentiality terms makes some sense. But why don’t you have a DPA?
B. If the customer does include data, should it add additional terms?
Yes. Confidential Information definitions usually have exceptions. Information isn’t confidential if it’s independently developed, in the public domain, exposed without the recipient’s fault, etc. Calling data Confidential Information could be interpreted to mean the data loses all protection in those cases – and it certainly should not.
One way or another, clarify that data is always protected.
C. Should the vendor add additional terms?
Yes. As I said, the limit of liability (LoL) usually doesn’t apply to confidentiality. If you’re the vendor, you really don’t want unlimited liability for data.
So add terms saying the LoL always applies to data incidents.
NDA/confidentiality terms were created to protect business plans, secret sauce recipes, source code, and business docs, particularly trade secrets. Data/DPA terms were created for data, including private information. You’ll probably end up with a clearer, simpler contract if you keep them separate.
© 2024 by Tech Contracts Academy, LLC. All rights reserved.