Whack-A-Mole. Cockroaches. Electronic confidential information. What’s the common thread? They’re all difficult to destroy. The moles of the carnival game relentlessly pop up in new places. Cockroaches could survive a nuclear attack. And it would be difficult — potentially impossible — to completely destroy electronic confidential information as is required under many confidentiality agreements.
The Typical Return or Destroy Requirement
Confidentiality agreements often require the party that has an obligation to protect the confidential information (the receiving party) to either return or destroy the information at the end of the agreement. Here’s a typical provision, which I borrowed from the Iowa State University Extension website:
Upon termination of the discussions between the Parties or upon the Disclosing Party’s request, all records, any compositions, articles, documents and other items which contain, disclose and/or embody any Confidential Information (including, without limitation, all copies, reproductions, summaries and notes of the contents thereof), regardless of the person causing the same to be in such form, shall be returned to the Disclosing Party or destroyed by the Receiving Party, and the Receiving Party will certify that the provisions of this paragraph have been complied with.
Exceptions for Backup Data
Some confidentiality agreements include exceptions to the obligation to return or destroy the information. For example, the agreement might allow the receiving party’s counsel to retain an archival copy in case a dispute ever arises. Some well-thought-out confidentiality agreements also take into account the realities of our electronic world where data is automatically copied for backup purposes. These confidentiality agreements might have an exception for backup copies that no one except IT folks have access to.
Data is routinely backed up without our being aware of it. Sure, some IT person somewhere in every company probably knows what sort of data is stored on the company’s servers. But the people who negotiate, sign, and perform confidentiality agreements (and are responsible for returning or destroying confidential information) probably have little more than a rudimentary understanding of how data is transmitted, stored, and backed up. And they probably don’t know who has access to it.
Can All Copies of Electronic Confidential Information Be Destroyed?
Letting a receiving party off the hook from the duty to go through all the backup tapes and eradicate confidential information makes sense. But I’m not sure the typical carve-out is broad enough to cover all the copies of the information that actually exist. In fact, I’m not sure it’s feasible to take into account all those copies.
Take a common scenario involving the disclosure of a single document to a single person. The party that owns the information attaches a document to an email and sends the email to an officer of the receiving party who is authorized access under the confidentiality agreement. The transmission email makes it clear that the document is confidential and that it’s protected under the confidentiality agreement. The officer saves the document to the receiving party’s computer network (taking care to restrict access to persons who are authorized access to the document) and emails the document to other employees of the receiving party having a “need to know,” as well as the company’s lawyer and accountant, each of whom is also permitted access to the document under the confidentiality agreement. This type of sharing is probably exactly what the parties contemplated when they negotiated the confidentiality agreement.
So one document has been emailed two times and the emails were directed only to people who are authorized to receive the confidential information and care has been taken to restrict access to the copies that are known to exist.
Consider these questions: (1) How many copies of the document are now in existence? (2) Where are the copies of the document located? (3) Can all the copies be rounded up and destroyed if required under a confidentiality agreement? The answer to (3) is probably “no,” and I think (1) and (2) are as easy to answer as “How many angels can dance on the head of a pin?”
Copies of data are created automatically in the ordinary course of electronic communication and data storage without the awareness of the people using the data. When you send an email, for example, a copy is saved to your “sent” folder. When you delete the email from your “sent” folder, it remains in your computer’s “trash can.” When you empty the trash can, it might — or might not — then actually be deleted from your computer. Plus, when you send your email, it probably bounces around innumerable computers all over the world before ending up in the recipient’s email inbox. Backups of data are routinely saved to enterprise servers. Data might also be backed up automatically to a cloud-based system. And I haven’t even mentioned what happens when people access data via their smartphones and tablets.
Does It Matter?
Confidentiality agreements often require the receiving party to return or destroy confidential information at the end of the agreement, but can you ever hope to round up all the copies of electronic confidential information and destroy them? Maybe it’s possible, but I doubt it. Does this mean that most confidentiality agreements are breached, at least technically?
What do you think? And does it even matter, or are we talking about dancing angels and pins?