NDAs and Confidentiality Agreements: What They Protect, What They Don't, and When They Expire

Before two companies can evaluate whether to do business together, they need to share information that neither would want a competitor to see. Customer lists, pricing strategies, financial projections, proprietary technology, product roadmaps, and business plans all need to move between the parties during negotiations, due diligence, vendor evaluations, and partnership discussions. A non-disclosure agreement imposes a binding obligation to protect that information and provides enforceable remedies if the obligation is breached.

NDAs are among the most frequently signed contracts in commercial practice, and they're often treated as formalities. That's a mistake. A poorly drafted NDA can fail to protect trade secrets that took years to develop, impose obligations so broad they're unenforceable, or expire before the information loses its competitive value. An NDA should be drafted with the same attention to risk allocation that goes into the substantive agreement it precedes.

Mutual Versus Unilateral

A unilateral NDA protects information flowing in one direction. One party discloses, the other receives and agrees to protect. Unilateral NDAs are appropriate when only one side is sharing sensitive information, such as when a company shares proprietary technology with a prospective vendor for evaluation purposes, or when an employer discloses trade secrets to a new employee.

A mutual (bilateral) NDA protects information flowing in both directions. Each party is both a disclosing party and a receiving party, and each owes confidentiality obligations to the other. Mutual NDAs are standard in M&A discussions, joint venture negotiations, strategic partnership evaluations, and vendor relationships where both sides share proprietary information during the evaluation process.

If both parties will be sharing sensitive information, use a mutual NDA. Using a unilateral NDA when both sides are disclosing leaves the disclosing-only party without protection, even though it's sharing information that may be equally valuable.

Defining Confidential Information

How the NDA defines "confidential information" determines what's protected and what's not. Two drafting approaches are common.

Broad inclusion with specific exclusions defines confidential information as all information disclosed by the disclosing party to the receiving party, in any form (written, oral, visual, electronic), and then carves out specific categories of information that aren't covered. This approach casts a wide net and is easier to administer because the disclosing party doesn't need to label every document as confidential. Many commercial NDAs use this approach.

Narrow enumeration identifies specific categories of information that are confidential (customer lists, pricing data, source code, financial statements) and treats everything outside the list as unprotected. This approach provides certainty about what's covered but risks leaving out categories of information that the disclosing party didn't think to list.

Whichever approach you use, avoid defining confidential information as "all information." Courts have questioned the enforceability of definitions so broad that they encompass publicly available information, common industry knowledge, and facts the receiving party already knew. A definition that protects everything protects nothing if a court finds it unreasonable.

Some NDAs require the disclosing party to mark written materials as "Confidential" and to follow up oral disclosures with a written summary identifying the information as confidential within a specified period (typically 10 to 30 days). Marking requirements add administrative burdens but provide certainty about what's covered. If your NDA includes a marking requirement, follow it. Unmarked information may fall outside the definition.

The Four Standard Exclusions

Every NDA should exclude from the confidentiality obligation information that the receiving party shouldn't be required to protect because it's not proprietary or because the receiving party obtained it without the disclosing party's help.

Information that's publicly available at the time of disclosure, or that becomes publicly available after disclosure through no fault of the receiving party, isn't confidential. If the disclosing party's trade secret is published in an industry journal, the receiving party has no obligation to treat it as secret.

Information the receiving party already possessed before the disclosing party shared it is excluded. If the receiving party had the same customer list before the NDA was signed, the NDA imposes no new obligation to protect something the receiving party already knew.

Information independently developed by the receiving party without reference to or use of the disclosing party's confidential information is excluded. If the receiving party's engineers develop the same technology through their own research, without accessing the disclosing party's materials, the NDA doesn't give the disclosing party rights over the independently developed work.

Information received from a third party who had no confidentiality obligation to the disclosing party is excluded. If a third party lawfully shares the same information with the receiving party, the NDA doesn't retroactively restrict the receiving party's use of it.

These exclusions are standard because they're fair. A receiving party shouldn't be penalized for knowing something it already knew, developing something it would have developed anyway, or receiving something from someone who wasn't bound by the NDA.

Permitted Disclosures

An NDA should permit the receiving party to disclose confidential information to certain people who need access to perform the business purpose that justified the NDA in the first place. Common permitted recipients include the receiving party's employees, officers, and directors who have a need to know, outside advisors (lawyers, accountants, financial advisors) retained in connection with the transaction, and affiliates (subsidiaries, parent companies) involved in the evaluation.

Permitted disclosures should be conditioned on the recipients being bound by confidentiality obligations at least as protective as the NDA. If an employee who receives confidential information under a permitted disclosure isn't bound by any confidentiality obligation, the protection is illusory.

Every NDA should address compelled disclosure. If the receiving party is served with a subpoena, court order, or regulatory demand requiring production of the disclosing party's confidential information, the NDA should permit compliance with the legal requirement while requiring the receiving party to provide prompt notice to the disclosing party (so the disclosing party can seek a protective order) and to disclose only the minimum amount of information required to satisfy the legal obligation.

Term Versus Survival

An NDA has two time dimensions, and they're different.

An NDA's term defines how long the parties can share confidential information under the agreement. Once the term expires, neither party has an obligation to accept new disclosures, and the NDA no longer governs new information. Many commercial NDAs have a term of one to three years, though some are open-ended until terminated by either party on written notice.

Survival defines how long the confidentiality obligation continues after the NDA's term expires. Information shared during the term remains protected for the survival period. A two-year NDA with a five-year survival period means information can be shared during the first two years and must be protected until five years after disclosure (or five years after the NDA terminates, depending on how the survival clause is drafted).

For trade secrets, the survival period should be indefinite. Trade secrets retain their value only as long as they remain secret, and a fixed survival period that expires while the information is still commercially valuable leaves the disclosing party unprotected during the period when protection is most needed. Many commercial NDAs use a dual survival approach, with a fixed period (two to five years) for general confidential information and an indefinite period for trade secrets.

Remedies for Breach

Money damages alone are often inadequate for breach of an NDA, because once confidential information is disclosed, it can't be un-disclosed. A competitor who obtains a trade secret through an NDA breach can use it indefinitely, and no amount of money fully compensates for the loss of a competitive advantage that depended on secrecy.

Injunctive relief (a court order prohibiting further disclosure or use of the information) is the most important remedy in an NDA because it stops the harm rather than just compensating for it. Most NDAs include a provision stating that breach would cause irreparable harm for which monetary damages would be inadequate, and that the disclosing party is entitled to seek injunctive relief without posting a bond. This language doesn't guarantee a court will grant an injunction, but it establishes the parties' agreement that injunctive relief is appropriate.

Monetary damages compensate the disclosing party for financial losses caused by the breach, including lost profits, lost business opportunities, and the cost of mitigating the breach. Proving the amount of damages for a confidentiality breach can be difficult, which is why some NDAs include liquidated damages (a pre-determined amount payable upon breach) as an alternative.

Attorney's fee provisions require the breaching party to pay the non-breaching party's legal costs. Without a fee-shifting provision, each party bears its own legal costs regardless of who wins, which can make enforcement economically impractical for smaller breaches.

Relationship to Trade Secret Law

An NDA is a contractual obligation. Trade secret law provides an additional, independent layer of protection that doesn't depend on the existence of an NDA.

Under the Texas Uniform Trade Secrets Act (Texas Civil Practice and Remedies Code Chapter 134A, adopted in 2013), a trade secret owner can bring a civil action for misappropriation (acquisition, disclosure, or use of a trade secret through improper means) regardless of whether an NDA exists. TUTSA provides injunctive relief, damages (including unjust enrichment), exemplary damages up to twice the amount awarded for willful and malicious misappropriation, and attorney's fees in certain circumstances.

Under the federal Defend Trade Secrets Act (18 U.S.C. § 1836, enacted in 2016), a trade secret owner can bring a civil action in federal court for misappropriation of a trade secret related to a product or service used in interstate or foreign commerce. DTSA provides similar remedies to TUTSA, including injunctive relief, damages, exemplary damages up to twice the award, and attorney's fees.

DTSA imposes one specific drafting requirement for NDAs in the employment context. Under 18 U.S.C. § 1833(b)(3), an employer can recover exemplary damages and attorney's fees against a current or former employee who misappropriates trade secrets only if the employer's NDA includes a notice of immunity for whistleblower disclosures made in confidence to a government official or attorney for the purpose of reporting a suspected violation of law. NDAs that don't include this notice cap the employer's recoverable remedies. Every NDA with an employee, contractor, or consultant should include the DTSA immunity notice.

Common Mistakes

Defining confidential information so broadly that the definition is unenforceable. "All information of any kind" invites a court to find the definition unreasonable. Use a broad definition with specific exclusions, and make sure the exclusions are standard.

Using a unilateral NDA when both parties are sharing information. If the relationship involves two-way disclosure, both parties need protection.

Setting a survival period that expires before the information loses its competitive value. A two-year survival period for a trade secret that will remain commercially valuable for 20 years leaves 18 years of exposure.

Omitting the compelled-disclosure provision. Without it, a receiving party served with a subpoena has no contractual guidance on how to handle the disclosure, and the disclosing party may not learn about the subpoena until after the information has been produced.

Failing to include the DTSA whistleblower immunity notice in employee NDAs. Without it, the employer can't recover exemplary damages or attorney's fees under the federal Defend Trade Secrets Act against that employee, even if the misappropriation was willful and malicious, though TUTSA's exemplary damages and fees remain available. The rule reaches agreements entered into or updated after May 11, 2016.

Treating the NDA as a formality rather than a negotiated agreement. If the information you're sharing is valuable enough to require an NDA, the NDA is valuable enough to draft correctly.

Practical Recommendations

Match the NDA type to the relationship. Use unilateral for one-way disclosures (employee onboarding, vendor evaluations where only you're sharing). Use mutual for two-way disclosures (M&A, partnerships, joint ventures).

Define confidential information with a broad-inclusion approach and include all four standard exclusions. This provides the disclosing party broad protection while ensuring the receiving party isn't bound to protect information it has a legitimate right to use.

Set the survival period based on the nature of the information. Two to five years for general business information. Indefinite for trade secrets. State both durations in the NDA rather than applying a single period to all categories.

Include remedies that match the harm. Injunctive relief for stopping ongoing disclosure. Monetary damages for compensating losses. Attorney's fees for making enforcement economically viable. Liquidated damages if proving actual losses would be difficult.

Include the DTSA immunity notice in every NDA with an employee, contractor, or consultant. It's a single paragraph, and omitting it forfeits exemplary damages and attorney's fees in any federal DTSA claim against that employee.

Keep the NDA's scope focused on protecting information, not restricting competition. An NDA that functions as a disguised non-compete (prohibiting the receiving party from working in a particular industry or soliciting customers, rather than simply protecting confidential information) may be challenged as an unreasonable restraint of trade. NDAs protect information. Non-competes restrict competition. Keep them separate, and enforce each on its own terms.

Need advice tied to your business issue?

Share the issue. Get direct attorney review. Receive a concrete recommendation.

Submit an Inquiry