Chapter 6: Confidentiality and Security


Two of the most frequently neglected areas in license negotiations are confidentiality and security. While almost every vendor agreement includes a basic confidentiality clause, such clauses are usually one-sided, protecting only the vendor's information. Virtually no vendor license agreements address the specific security measures the vendor must implement to protect the licensee's data and other proprietary information while in the vendor's possession. In this chapter we discuss the protections licensees should require in their vendor agreements to ensure the licensee's sensitive data and information are held in confidence and adequately protected from unauthorized access.

The following sections of the form license agreement are discussed in this Chapter: 6 (Confidentiality).

1. Confidentiality Provisions

Section 6 of the vendor form agreement illustrates most of the problems found in form vendor agreements. The provision only protects the vendor's information, provides no clear definition of what comprises the "confidential information," and provides none of the standard exceptions to the confidentiality requirements (e.g., information that is in the public domain, information that is independently developed by the licensee, etc.). Also note that Section 6 prevents anyone other than the licensee's own employees from accessing and using the software. If the licensee, for example, permits a contract worker to use the software, it would be in breach of this provision. This type of one-sided confidentiality provision should be rejected. The licensee should insist on a confidentiality provision that satisfies the following requirements:

  • The confidentiality obligation should apply to protect the confidential information of both parties;

  • A clear, broad definition of "confidential information" should be included. The definition should be carefully reviewed to ensure it includes every type of information the licensee intends to be maintained as confidential;

  • The provision should require the receiving party to only disclose the information to employees, contractors, and agents who have a need to know and to institute appropriate protections to ensure those individuals understand their obligation to maintain the confidentiality of the information;

  • The provision should include standard exceptions (e.g., information that is in the public domain, information that is independently developed by the licensee, etc.) to the confidentiality requirement; and

  • The confidentiality obligations should specifically survive expiration or termination of the agreement.

In addition to negotiating the language of the confidentiality provision itself, the licensee must ensure breach of the provision is carved out of the limitation of liability. [1] If breach of confidentiality is subject to the limitation of liability, the protections afforded in the confidentiality provision will be rendered largely useless. If the vendor faces little liability if it breaches its confidentiality obligations, the vendor will have little motivation to take those obligations seriously. Unless it is certain the vendor will have no access to licensee confidential information, the exclusion from the limitation of liability should be aggressively negotiated.

In certain regulated industries (e.g., healthcare and financial services), the licensee may be under a legal obligation to include additional protections in the confidentiality provision relating to the non-public personally identifiable financial or healthcare information of its customers. In some cases, a separate agreement relating solely to the protection of personally identifiable information may be required (e.g., a Business Associate Agreement in the healthcare industry). These provisions require the input of legal counsel experienced in these areas.

Example Revision:

start example
  1. [Alternate No. 1] Confidentiality. [2] In the performance of this Agreement, each party may have access to confidential, proprietary or trade secret information owned or provided by the other party relating to software computer programs, object code, source code, marketing plans, business plans, customers, financial information, specifications, business processes, flow charts and other data ("Confidential Information"). All Confidential Information supplied by one party to another pursuant to this Agreement shall remain the exclusive property of the disclosing party. The receiving party shall use such Confidential Information only for the purposes of this Agreement and shall not copy, disclose, convey or transfer any of the Confidential Information or any part thereof to any third party, excluding the party's authorized employees and agents. Each party will implement adequate procedures with its employees or other persons permitted or who have access to the Confidential Information to satisfy their obligations under this Agreement. Neither party shall have any obligation with respect to Confidential Information which: (i) is or becomes generally known to the public by any means other than a breach of the obligations of a receiving party; (ii) was previously known to a receiving party or rightly received by a receiving party from a third party; or (iii) is independently developed by the receiving party.

  1. [Alternate No. 2] Confidentiality.

    • 6.1 Confidential Information Defined. "Confidential Information" shall mean, with respect to a party hereto, all information or material which (i) gives that party some competitive business advantage or the opportunity of obtaining such advantage or the disclosure of which could be detrimental to the interests of that party; or (ii) which is either (A) marked "Confidential," "Restricted," or "Proprietary Information" or other similar marking or (B) known by the parties to be considered confidential and proprietary. Neither party shall have any obligation with respect to confidential information which: (i) is known or used by the receiving party prior to disclosure by the disclosing party; (ii) either before or after the date of the disclosure by the disclosing party is disclosed to the receiving party by a third party under no obligation of confidentiality to the disclosing party; (iii) either before or after the date of the disclosure to the receiving party becomes published or generally known to the public through no fault of the receiving party; (iv) is independently developed by the receiving party; (v) is required to be disclosed by a final order of a court of competent jurisdiction; or (vi) is otherwise required to be disclosed by applicable law following reasonable notice to the disclosing party.

    • 6.2 Obligations. The parties agree to hold each other's Confidential Information in strict confidence. The parties agree not to make each other's Confidential Information available in any form to any third party or to use each other's Confidential Information for any purpose other than as specified in this Agreement. Each party agrees to take all reasonable steps to ensure that Confidential Information of either party is not disclosed or distributed by its employees, agents or consultants in violation of the provisions of this Agreement. Each party's Confidential Information shall remain the sole and exclusive property of that party. Each party acknowledges that any use or disclosure of the other party's Confidential Information other than as specifically provided for in this Agreement may result in irreparable injury and damage to the non-using or non-disclosing party. Accordingly, each party hereby agrees that, in the event of use or disclosure by the other party other than as specifically provided for in this Agreement, the non-using or non-disclosing party may be entitled to equitable relief as granted by any appropriate judicial body.

end example

[1] See Chapter 5 for a discussion of limitation of liability provisions.

[2] Suggested replacement language for the existing Section 6 of the vendor form agreement. Alternate No. 1 is an example of a short-form confidentiality provision. Alternate No. 2 presents a more fully fleshed out confidentiality clause.




Software Agreements Line by Line. How to Understand & Change Software Licenses & Contracts to Fit Your Needs
ISBN: 1587623692
EAN: N/A
Year: 2004
Pages: 56
