Defining Confidential Information
Reading module · approx 14 min
The definition of confidential information is the most consequential clause in any NDA. Everything else — obligations, carve-outs, term, remedies — operates on whatever this definition captures. Draft it wrong and the rest of the agreement is either useless or unenforceable.
There are two foundational approaches to defining confidential information, and most NDAs use a hybrid of both. Understanding the tradeoffs between them is the starting point for drafting any definition.
Approach 1: Broad-scope definition
The broad-scope definition captures all information shared between the parties, regardless of marking or designation, subject to specified carve-outs. A typical formulation:
"Confidential Information means all information disclosed by one party to the other, whether in writing, orally, electronically, or by inspection of tangible objects, including without limitation technical data, trade secrets, know-how, research, product plans, products, services, customers, customer lists, markets, software, developments, inventions, processes, formulas, technology, designs, drawings, engineering, hardware configuration, marketing, finances, and other business information."
The advantages of a broad-scope definition are obvious: nothing is accidentally excluded by a failure to mark or designate. The disadvantages are less obvious but more dangerous. A receiving party subject to a broad-scope definition has no practical way to distinguish what information is and is not covered in a large-volume commercial relationship. Employees of the receiving party — who are the people actually handling the information — cannot be expected to know what falls within the definition without knowing what was shared in every conversation and meeting. This creates compliance problems in practice even where there is no bad faith.
Approach 2: Marking requirement
The marking-requirement definition covers only information that the disclosing party designates as confidential at the time of disclosure: by marking written documents, and, for verbal disclosures, by giving oral notice and confirming in writing within a specified period (typically five to thirty days).
The advantages are precision and practicability: the receiving party always knows what information is covered. The disadvantages are significant: the disclosing party must maintain consistent marking discipline, and there is invariably a lag between the moment information is shared and the moment it is marked. Information that is disclosed in preliminary discussions before the NDA is signed — or before a marking procedure is followed — is frequently not captured.
The hybrid approach
Most well-drafted commercial NDAs use a hybrid. The definition has a broad-scope catch-all for written and electronic information (capturing everything documented), combined with a marking or confirmation requirement for oral and informal disclosures. This preserves breadth for formal information flows while requiring reasonable formality for oral communications.
For M&A due diligence NDAs, the hybrid approach is typically supplemented by a data room framework — all documents placed in the data room are by definition confidential, which removes the marking problem entirely for the document production phase.
The four standard carve-outs
Every well-drafted NDA definition of confidential information excludes four categories of information. These are not negotiating concessions; they are logical necessities. Information in any of these categories cannot meaningfully be protected by contractual obligation.
1. Information in the public domain
Information that is or becomes publicly available through no act or omission of the receiving party is excluded. The qualifying phrase — "through no act or omission of the receiving party" — is critical. If the receiving party leaks the information, it cannot then rely on the public domain carve-out. The carve-out is for information that is independently publicly available.
Note that "public domain" means genuinely accessible to the public, not merely known to a small industry circle. The test used by Indian courts is accessibility: could a person with ordinary diligence have accessed this information from public sources? If yes, it is in the public domain for carve-out purposes.
2. Information already known to the receiving party
Information that the receiving party possessed before disclosure, as demonstrated by contemporaneous records, is excluded. The contemporaneous records requirement matters — a receiving party cannot simply assert pre-existing knowledge. They must be able to point to documents, emails, or other records that pre-date the disclosure.
3. Information independently developed by the receiving party
Information that the receiving party develops independently, without reference to the confidential information, is excluded. This carve-out is difficult to establish in practice. The receiving party must show that their development was genuinely independent — which becomes nearly impossible if the disclosed information and the alleged independent development concern the same subject matter and emerged around the same time.
4. Information received from a third party without restriction
Information that the receiving party receives from a third party who is not under any confidentiality obligation to the disclosing party is excluded. The qualifying phrase matters: if the third party is themselves under an NDA with the disclosing party, information received from them is not covered by this carve-out. Chain-of-title in confidentiality matters.
The residuals clause
The residuals clause is a provision inserted by receiving parties — most aggressively by technology companies and large professional service firms — that excludes from the confidentiality obligation any information retained in the unaided memories of the receiving party's personnel who have been exposed to the confidential information.
A standard residuals clause reads:
"Notwithstanding the foregoing, the receiving party may use Residual Information for any purpose, including use in development, manufacture, promotion, sale, and maintenance of its products and services. 'Residual Information' means information in non-tangible form that may be retained in the unaided memory of persons who have had access to the Confidential Information, including ideas, concepts, know-how, or techniques contained therein."
When to strike the residuals clause. Almost always, if you are the disclosing party. The residuals clause effectively says: whatever your employees remember from exposure to our information, they can use freely in their other work. In the context of a commercial NDA for business discussions, this is usually acceptable because the information shared is unlikely to be memorised in detail. In any of the following situations, you should strike or heavily narrow the residuals clause:
- The disclosed information is technical — source code, algorithms, formulations, engineering specifications. Technical personnel do retain detailed technical information and use it in subsequent work.
- The counterparty is a direct or potential competitor. The residuals clause combined with competitive use is the most dangerous combination.
- The transaction is an M&A deal where the acquirer sends experienced professionals into your data room. Financial and operational professionals routinely retain detailed financial and operational information in memory and use it in subsequent work.
Purpose limitation
Every NDA should contain a purpose clause that defines the transaction or relationship for which information is being shared, and restricts the receiving party's use of confidential information to that purpose. Without a purpose limitation, the non-use obligation is vague: the receiving party is prohibited from disclosing the information, but its use is limited only by reference to a specified purpose, and where no purpose is specified it may use the information for any purpose at all.
The purpose clause connects to the carve-out structure. Information shared for the purpose of evaluating a joint venture is not necessarily shared for the purpose of product development. A receiving party that uses information shared for purpose A to assist with purpose B is in breach, even if purpose B is also legitimate as between the parties. This is particularly important in ongoing commercial relationships where the NDA covers a broad relationship — each use must be traceable to the defined purpose.
The aggregation problem
A sophisticated receiving party can sometimes reconstruct confidential information from non-confidential elements — combining publicly available data about a company's products, customers, and markets in a way that produces something that is genuinely confidential even though no single element was. This is the aggregation problem.
Standard NDA definitions do not address it. The disclosing party shares information X, Y, and Z, none of which is independently confidential. The receiving party combines X, Y, and Z to derive insight W, which is what the disclosing party actually wanted to protect. W was never disclosed and so is not covered by the NDA.
The fix is a compilation clause: the definition of confidential information expressly includes compilations or combinations of information, even if the individual elements are publicly available, where the compilation itself is not publicly available. This is standard in M&A NDAs but rarely appears in commercial NDAs.
Module 3 covers what the receiving party is actually required to do with the information once it is captured by the definition — the core obligations of non-disclosure and non-use, and the permitted disclosure windows.