NDAs have very specific value when two companies wish to discuss a potential collaboration that involves trade secrets, IP or other matters they wish to discuss, but only under protection.
It's less obvious what value they have when used by companies to get their employees or staff to sign them.
A common argument that has been produced in favour of having NDAs is that they are best practice - but, even if NDAs are best practice (and I'm not sure they are - I'd want to see the evidence for this), best practice is that best practice is adapted to circumstance and adopted for good reasons, not imposed, against sound objections, just because it has the label 'best practice'.
Since then, I've been thinking about, and discussing, NDAs, so I thought it useful to add this discussion to this group:
When somebody is concerned enough to impose NDAs on everybody, my thought is "Honi soit qui mal y pense", and then the following questions come to mind:
- What are they trying to hide? Is there some secret formula (like the fabled Coca-Cola one) that they're worried about getting out - or do they want to hide incompetence, political manoeuvres (which, like orchestral ones, prefer the dark), or corruption?
- Do NDAs work? Would some evil traitor who infiltrated Coca-Cola and decided to sell their formula to Pepsi really think 'Oh, no, I can't do that, I've signed an NDA!', and Coca-Cola would thus be protected?
- Do NDAs work? How many people have been prosecuted successfully for breaking one? When such prosecutions were successful, how good were they for the company's reputation?
- Are NDAs magical thinking? The idea that a form of words, written by a lawyer, when signed, forms a magical protective charm?
- Is it simply paranoia? If somebody has had an unfortunate life, surrounded by secret policemen and psychopaths, then you could understand their paranoia. Somebody with mild schizophrenia might have irrational paranoia (eating lots of oily fish can help).
- Or are the people who are insistent on NDAs dishonest themselves (hence 'Honi soit qui mal y pense') and think that, if it was them, they'd behave badly if they weren't stopped by an NDA?
- Or is it simply insecurity? The thought that, if you don't micromanage all the news you'll find yourself exposed to the world in a compromising situation.
- NDAs claim, in their text, to be contracts that protect the interests of both parties. However, this is surely humbug: how many individuals feel that their interests have been served by signing an NDA with a company?
- NDAs are claimed as protection. However, if somebody did something damaging to an organisation by revealing something secret that was serious enough to go to law about, wouldn't existing laws, such as those on theft, libel or malicious damage, do the trick? Do NDAs add anything even legally useful?
I suspect that it's usually some mixture of the above. Few of these are concerned with the good of the organisation.
However, from the point of view of governance, it is reasonable to have said to people that you don't want your dirty linen washed in public, so please could they agree not to pass on everything to possibly malevolent outsiders.
It's also reasonable that, if you have colleagues who are paranoid or insecure, or have some magical thinking (and none of these are disqualifications for most jobs or from being a generally good egg), then it's a kindness to make a concession to their feelings.
Are NDAs actually 'Best Practice'? The ITIL guidance is:
From ITIL 'Service Operation':
Screening and vetting
All service operation staff should be screened and vetted to a security level appropriate to the organization in question.
Suppliers and third-party contractors should also be screened and vetted – both the organizations and the specific personnel involved. Many organizations have started using police or government agency background checks, especially where contractors will be working with classified systems. Where necessary, appropriate non-disclosure and confidentiality agreements must be put in place.
In Service Design, it talks about the Security Management System (ISMS), and says:
The objective of the implementation element of the ISMS is to ensure that appropriate procedures, tools and controls are in place to underpin the information security policy. Measures include:
■ Accountability for assets – service asset and configuration management and the CMS are invaluable here.
■ Information classification – information and repositories should be classified according to the sensitivity and the impact of disclosure.
The successful implementation of the security controls and measures is dependent on a number of factors:
■ The determination of a clear and agreed policy, integrated with the needs of the business
■ Security procedures that are justified, appropriate and supported by senior management
■ Effective marketing and education in security requirements
■ A mechanism for improvement
As is so often the case, what is important is a balanced approach, with the value of an exercise considered in the light of the value and cost to all parties.