Q&A #38 – Is a nondisclosure agreement better than a confidentiality policy?
Question: My nonprofit is concerned about keeping our sensitive information confidential, and we’re considering having Board members and staff sign standard nondisclosure agreements. However, we already have a confidentiality policy in our employee handbook and our Board policy manual, and some Board members have argued that a nondisclosure agreement is therefore not necessary. Should we have a nondisclosure agreement, or is our information already protected?
Answer: A nondisclosure agreement (“NDA”) would very likely be more protective than your employee handbook and Board policies, but it is important to consider what the differences are and how they relate to your organization so you can make a more informed decision about whether to use an NDA. Employee handbook and Board policies addressing confidentiality are helpful because they establish the understanding, culture, and expectation that sensitive information must be kept confidential. However, the remedies for a violation of a confidentiality policy are quite limited.
If an employee violates the policy, this could be grounds for discipline or termination. If a Board member violates the policy, the Board member could be voted off the Board and could perhaps be subject to a claim for breach of fiduciary duties (although it is generally difficult to sue a Board member for breach of fiduciary duties). This is about all the relief that is available when you rely on your employee handbook and Board policies, and even this modest relief would probably not apply to the volunteers, independent contractors, and others who may have access to an organization’s confidential information.
An NDA is different because it establishes a contractual remedy. This means that, if necessary, the organization could sue the person for breaching the NDA and obtain injunctive relief (a court order to stop disclosing the information or to take some other action) and/or damages (a court order for payment to compensate the organization for the harm done by the disclosure). It may even be possible to specify in the NDA the amount of the damages that would be payable because of this breach – this is called liquidated damages (note: you must be careful with this because courts will only enforce liquidated damages clauses that are intended to estimate actual damages rather than impose a penalty).
Of course, litigation is expensive and can be very disruptive to your organization and its reputation, and your organization may never want to actually follow through on its right to enforce an NDA in court (assuming that the NDA is enforceable, which is not always the case). Nonetheless, simply establishing that these remedies are available can be a powerful incentive for people to comply with their confidentiality obligations.
There are complications with NDAs that you will need to think through with the help of legal counsel. For Board members, you want to make sure that the NDA is tailored to permit the Board members to disclose appropriate information to third parties in furtherance of their duties on the Board (for example, to consultants, auditors, donors, grantors, etc.). For employees, you should check the applicable state employment law, as an increasing number of states have passed laws that limit the use of NDAs that have the purpose or effect of restricting employees from disclosing the details of sexual harassment or other illegal activity. And in all cases you need to make sure there is adequate “consideration” (i.e. something of value received by both sides) for the NDA.
Planning Tip – An important first step is to identify and list all the different types of information that the organization considers highly sensitive. While it is tempting to use standard, off-the-shelf, all-encompassing NDA language that covers all information that could possibly relate to the organization, this approach risks creating overbroad obligations that are quite burdensome and less likely to be enforceable. If possible, it is generally more fair and more enforceable to limit the scope of an NDA to the specific information that is most sensitive.
Ultimately, the question of whether to use an NDA or rely on your organization’s employee handbook and Board policies will depend on how sensitive your organization’s information is or will be in the future. If disclosure of the information would cause significant harm to the organization or its donors, service recipients, or other stakeholders, then it probably merits having the additional protection of an NDA. And in any case it is worth revisiting your existing policies to determine if they should be revised to better fit your organization’s needs.
If you have a question you would like to submit to SE4N, send it to us using the contact form and we will consider answering it in a future post. Please do not send confidential information.