25.8 VITA recommendations for a successful IT contract

25.8.18 IT confidentiality agreements

Parties to IT contracts frequently enter into confidentiality agreements before the contract is signed. Any consultant or supplier who has access to sensitive agency data must agree to treat that data as confidential, whether it is personally identifiable employee or agency data, agency lists, marketing plans, nonpublic financial information or trade secrets. In many cases, an agency may need to disclose some of this information to an IT supplier before the contract is signed. Confidentiality protection requires more than a well-written agreement. When an agency needs to protect certain information, employees need to be educated not to make unnecessary disclosures. Where the confidentiality agreement calls for marking or otherwise identifying information as confidential, employees must be sure to mark it as such; information that is not marked may fall outside the agreement's protection. It is important to keep complete and accurate records of who has access to the information and how it is transmitted and used. Below is a comprehensive contractual definition of "confidential information":

"As used herein, the term "Confidential Information" of agency means all information that supplier may receive from the agency, its employees, agents or representatives, prior to or on or after the date hereof, which is not generally available to the public, including but not limited to agency lists, proposed or planned products or services, marketing plans, financial and accounting records, cost and profit figures, forecasts and projections and credit information."

  • Identifying confidential information: If the agency desires that the confidentiality agreement be more restrictive, it can require that each item that is disclosed be specifically identified as being "confidential" in order to be within the scope of the agreement. Here is one example of such a clause:

    "If the Confidential Information is embodied in tangible material (including without limitation, software, hardware, drawings, graphs, charts, disks, tapes, prototypes and samples), it shall be labeled as "Confidential" or bear a similar legend. If the Confidential Information is disclosed orally or visually, it shall be identified as such at the time of disclosure, and be confirmed in a writing within XX days of such disclosure, referencing the place and date of oral or visual disclosure and the names of the employees of the receiving party to whom such oral or visual disclosure was made, and including therein a brief description of the Confidential Information disclosed." It may make sense for an agency to include as confidential information "all oral and written information that an objective observer would consider confidential taking into account the surrounding circumstances." In other words, did the recipient have reason to believe the information he or she saw (rather than information actively supplied to him or her) might be confidential?
  • Extent of the nondisclosure obligation: The core of any confidentiality agreement is the clause that obligates the receiving party to treat the received information as confidential. This clause can be drafted in any number of ways.

    Here's an example of an expansive confidentiality provision:

    "Except as set forth herein or as otherwise agreed by the parties in writing, each Recipient shall at all times, both during and after the Disclosure Period: (i) not disclose any Confidential Information of the other party or its affiliate to any person other than the Recipient's employees or representatives who need to know such information; (ii) use the same care and discretion to avoid disclosure as the Recipient uses with respect to its own confidential information; (iii) not use any Confidential Information in the Recipient's business, nor develop, market, license or sell any product, process or service based on any Confidential Information; and (iv) not modify, reverse engineer or create derivative works based on any computer code owned by the other party or its affiliate."

    The clause includes both a nondisclosure and a nonuse obligation. It ties the required level of care to the care the recipient uses with respect to its own confidential information, and it restricts the recipient from reverse engineering the disclosing party's software or creating derivative works. A variation might include an absolute obligation not to disclose, rather than an obligation to exercise a defined level of care to avoid disclosure. Depending on the importance of the information being protected, an agency may consider including a detailed security requirements addendum. Another way of limiting the use of the information would be to say that the recipient may "use the information only for the purpose for which it was disclosed, or otherwise solely for the benefit of the Discloser." The clause also restricts the range of parties to whom the recipient may disclose to the recipient's employees or representatives who need to know such information. Some agreements add that any such employees or representatives must be under a similar obligation of confidentiality. At a minimum, the recipient should be obligated to inform such persons of their obligation to retain the information in confidence. Here is sample contract language that will fulfill that purpose: "Each Recipient will ensure that its employees, agents and representatives also comply with the Recipient's obligations of confidentiality and non-use under this Agreement."
  • Exceptions to confidentiality: Certain information is typically exempted from the coverage of a confidentiality agreement. For instance, here is a typical "exception" clause: "The obligations of confidentiality and non-use described above will not apply to information that (i) was already rightfully known to the Recipient on a non-confidential basis before the Effective Date; (ii) was independently developed by the Recipient; or (iii) is publicly available when received, or thereafter becomes publicly available through no fault of the Recipient or its employees, agents or representatives." Other exceptions to confidentiality coverage might include information obtained from a third party without obligation of confidentiality, or information disclosed by the discloser without obligation of confidentiality.

    A supplier might also want a confidentiality exception for "residual information." The supplier's programmers will inevitably learn skills through the work they perform for the agency, and it would be impossible to prevent them from using these skills. The supplier will not want to be liable for breach of contract as a result of the supplier's use of such residual information. Here is some suggested contract language to address this situation: "The Recipient may disclose, publish, disseminate, and use the ideas, concepts, know-how and techniques, related to the Recipient's business activities, which are contained in the Discloser's information and retained in the memories of Recipient's employees who have had access to the information pursuant to this Agreement ("Residual Information"). Nothing contained in this Section gives Recipient the right to disclose, publish or disseminate, except as set forth elsewhere in this Agreement:

    1) the source of Residual Information;
    2) any financial, statistical or personnel data of the Discloser; or 
    3) the business plans of Discloser."

    Such a clause allows the employees of the supplier to work with other agencies. It is also not a bad idea as a general rule from the agency's point of view, because the agency potentially receives the benefit of residual information that the supplier received from other agencies.
  • Disclosures required by law: A party that is bound by a confidentiality agreement may find itself subject to a court order or a subpoena to disclose information that such party is contractually obligated not to disclose. Many confidentiality agreements specifically deal with this situation by requiring notice to the discloser and an opportunity to object or seek a protective order. Here is a sample clause to address this issue: "In the event that Recipient becomes legally compelled to disclose any Confidential Information, Recipient shall: (i) promptly notify the Discloser that such information is required to be disclosed, (ii) use Recipient's best efforts to obtain legally binding assurance that all those who receive disclosure of such information are bound by an obligation of confidentiality, and (iii) disclose only that portion of the Confidential Information that Recipient's legal counsel advises is legally required to be disclosed."

    Agency procurements are subject to the Virginia Freedom of Information Act, with exceptions set out in the Virginia Public Procurement Act (VPPA). A supplier's confidential information may therefore be subject to public disclosure unless it qualifies for one of those exceptions. The requirements of the Virginia Freedom of Information Act are more fully discussed in Chapter 10 of this manual.
  • Duration of confidentiality obligation: Many recipients of confidential information from suppliers seek to limit the length of their obligation not to disclose such information. One way to do this is to limit the term of the confidentiality obligation. Some agreements, for example, require the recipient of confidential information to regard the information as confidential for a period of one, two or three years. On the other hand, it may be very important to the discloser to preserve the confidentiality of the disclosed information indefinitely. This is an issue that the parties should decide based on their specific facts and needs. VITA normally includes confidentiality obligations in its Survival provision, so that they continue after the agreement expires or is terminated.
  • Return of confidential materials: The discloser of confidential information will want to include a clause requiring the recipient to return the confidential information to the discloser upon request. Here is an example of such a provision: "Upon the request of Discloser, Recipient will promptly return to Discloser all Confidential Information and all copies thereof in Recipient's possession or under Recipient's control, and Recipient will destroy all copies thereof on Recipient's computers, disks and other digital storage devices."

    When the confidentiality clause is part of a larger agreement, the agreement should provide that the confidential information will be returned to the discloser upon the expiration or termination of the agreement. The agreement should always provide that it will be governed by the laws of the Commonwealth of Virginia. In addition to the clauses described above, a confidentiality agreement might contain provisions to the effect that:
    • the discloser may obtain both injunctive relief and monetary damages in the event that the recipient fails to comply, and that the recipient will pay for the discloser's attorneys' fees;
    • a recipient in breach must indemnify if a third party sues the discloser due to the breach;
    • monetary liability for breach is limited to a specified dollar amount;
    • the disclosed information remains the property of the disclosing party;
    • the recipient shall immediately notify the discloser upon discovering any loss or unauthorized disclosure by any of the recipient's personnel of any confidential information;
    • each party shall comply with all applicable laws, rules and regulations, including those relating to technology export or transfer;
    • the discloser is disclosing the information "as is," without express or implied warranties (or, if the parties so agree, with specified express or implied warranties);
    • the discloser is granting no license;
    • the recipient is not restricted from providing competitive products or services to others;
    • the recipient may not reverse engineer, decompile or disassemble any disclosed software;
    • the recipient will not export any disclosed software in violation of any export laws;
    • the parties will mediate and then arbitrate any dispute (with a carve-out for injunctions).