Confidentiality for business information is rarely implied at law, so if a business is going to share sensitive information with someone, it needs to protect that by a non-disclosure agreement (NDA). NDAs (also called confidentiality agreements) can be either standalone or part of a larger agreement.
NDAs are routine and are often considered standard agreements – but here are 8 things to think about.
- Should it be mutual to protect both parties’ information, or does it need to only protect one party?
- Does it need to protect just the discloser’s information, or is third party information involved?
- Does the confidential information include personal information as defined under privacy laws? If so, it may need some additional or different wording to comply with privacy obligations.
- NDAs have 2 basic elements – what the recipient can do with the information, and who the recipient can share the information with both inside and outside of the organization.
- Should the definition of confidential information describe what is confidential, or is it only confidential if it is marked confidential? Requiring marking makes it clear for the recipient, but the owner has to remember to do that, and it can be a nuisance to deal with oral or unwritten material.
- Does the information cease to be confidential after a fixed number of years, or does it last until the information gets in the public domain?
- If it is a standalone NDA that is a precursor to a substantive agreement, it needs to be addressed again in the substantive agreement – either by replacing it with new NDA language, or by explicitly confirming that the original NDA continues.
- Be on the lookout for other things buried within an NDA. They usually stick to NDA concepts, but occasionally contain unexpected provisions.
Businesses often use agreements that others have created for things like software licensing, web terms and conditions, customer agreements, privacy policies and HR policies.
That can be dangerous. Just because an agreement works for Microsoft or Google doesn’t mean it fits your situation. Using these as a guide or rough draft can’t hurt – but using them without a critical review of whether they work for your situation is fraught with risk.
Here are 7 reasons someone else’s document won’t work for you.
- US based limitation of liability clauses usually miss a key Canadian concept that can limit their effectiveness.
- Limitations of liability may not be effective in different jurisdictions. In the UK, for example, limitations of liability are in practice unenforceable.
- For things like privacy policies, being compliant with privacy laws involves far more than just sticking up a policy. And there are often significant differences in the laws behind them.
- That DMCA copyright notice in US based web terms is meaningless in Canadian law.
- Different business models and facts can require very different terms. For example, are the services aimed at children? Is the product software, or is it an online service?
- Large corporations tend to use longer, more complex, wordier agreements than are really necessary. People accept those from large corporations because it seems to go with the territory, but is that what you want to put in front of your customers?
- There is a risk that the document won’t address an issue that is unique to your business or jurisdiction.
Privacy laws apply to every business that knows any information about individuals.
Here are 11 things you should know about privacy.
- There are many privacy statutes that may apply depending on the nature of the information, the nature of your business, and what province your customers are in. Health information, for example, is usually subject to different statutes than other personal information.
- In general, if you want to use someone’s personal information for something they would not think is necessary to provide your services, you need their permission.
- Mandatory breach notification is becoming more common. Some provincial statutes require it, and PIPEDA now includes breach notification provisions that are coming into effect soon. The notice requirements include some rather subjective tests, and must be reviewed carefully if you have a privacy breach.
- The definition of personal information is fairly broad. It includes things like an IP address, and depending on the jurisdiction, may include car license plates.
- You must have a privacy officer who is accountable and available to your customers.
- A privacy audit may be in order. Make sure you understand what information you actually do collect, use and disclose. A disconnect between reality and what your policy says is a recipe for disaster.
- Privacy, anti-spam legislation (CASL), and Do Not Call legislation complement each other, work together, and shouldn’t be viewed in isolation.
- Some privacy laws (in particular some provincial laws dealing with public sector or health information) say that data can’t reside outside of Canada.
- Having processes and protections in place to keep personal information out of the wrong hands is crucial. It is equally crucial to deal with a privacy breach appropriately to reduce legal, customer, and headline risk.
The cloud is a fluffy concept, and takes many different forms, but basically means any computer services that are provided on systems that you access over the internet. Examples include things like Gmail, Dropbox, and Google Docs. It can include sophisticated applications for accounting, document management, and other business processes. Other forms include just the physical infrastructure that you install and manage your own software on. The cloud can offer many advantages when used properly, but also carries risks that need to be managed.
Here are 8 things to consider when using the cloud.
- Consider how mission critical the cloud service is to your business. Far more diligence and care is required for a service that is crucial to the operation of your business.
- Make sure you have a backup or mirror of the data in case something goes wrong.
- If the application is mission critical, make sure you have a continuity plan in place to keep operational if the cloud service is temporarily out of service or permanently gone.
- Privacy, security and encryption are essential to consider. Look at what information is stored and manipulated, who has access to it and how they access it, and what the consequences would be if that information were compromised. Encryption is a complex subject and requires the right questions to be asked. Is it only when at rest? Is it during transit? Who has the encryption key? While it is not always practical, a zero knowledge approach where the vendor can’t access the data is ideal.
- If you use platform or infrastructure as a service where you are in control of certain aspects of it, make sure you get expert technical advice to set it up to make sure it is done right.
- Pay close attention to the provider’s service agreement. For basic, commodity services, the agreements will be non-negotiable and will include limited or zero liability if something goes wrong. As the cloud service becomes more sophisticated, personalized, and costly, those agreements tend to become more negotiable. The terms of the service agreement can be a risk assessment factor.
- In some circumstances privacy laws can dictate where data is stored or manipulated, or what you have to tell customers. Or your customers may perceive an advantage for the data to be housed in Canada, even though from a practical basis the risks may not vary much amongst first world countries. If any of these apply to you, make sure the location is where you need it to be.
- All the promises a vendor makes about data location, service levels, and data security have no teeth unless they are referred to in the service agreement, and are meaningless if not backed up by some consequence.
Most businesses have a web site – or at least should have one. Many customers get frustrated or don’t take a business seriously if it doesn’t have a web presence with at least some basic information. The web site might be a basic brochure site that tells about your location and hours and what you sell, or it could be a sophisticated e-commerce site or social media platform.
Web terms will get more complex and become more important as the web site becomes interactive, sells things, invites comments or third party posts, or deals with user generated content.
Browse wrap terms – where they appear only at a link at the bottom of the page – may not be enough. Where practical it is safer to bind the user to web terms in a click-wrap agreement.
Protecting your brand with a registered trademark can reduce the chances that someone else will try to compete using a confusingly similar brand, and make it easier to stop them if they do.
Here are 10 things you may not know about trademarks.
- Trademarks can’t be clearly descriptive of your goods or services. “Cold Ice Cream”, for example, can’t be registered as a trademark for an ice cream store.
- The best marks are unique and memorable, not descriptive. The goal of a trademark isn’t to tell your customer what your goods or services are, it is to make them recognize and want your products.
- The infringement test for trademarks is one of confusion and includes appearance and sound. For example, if two marks are spelled differently but sound alike, they are still confusing. If a typical consumer sees an ad for breakfast cereal, and later in the store buys a different cereal thinking it was the one they saw in the ad, then it is confusingly similar.
- Trademarks can be registered for a brand name, a slogan, a logo, a sound, a shape, or a colour.
- In some circumstances, an unregistered (in legal terms a “common law”) trademark can trump a confusing registered mark. Searching for unregistered marks before registration is a good idea.
- Trademark registrations are done on a country by country basis (except for the European Union, where one registration covers all the EU countries). So one needs to look at where their goods and services are sold and in what volumes to determine where the trademark should be registered.
- Trademarks are registered based on their use description, and the drafting of that use description is crucial to ensure proper protection. For example, identical trademarks for a software application and for car parts are not considered confusing.
- Trademark registrations last for 15 years (being reduced to 10 years when pending changes to the Trademarks Act are in force), but can be renewed.
- If your trademark registration is ever attacked, or you want to enforce it against someone else, it can be crucial to have kept samples of how it has been used over time.
- If you don’t “use” your trademark, you can lose your registration and the ability to enforce it. “Use” for trademarks is narrower than you might think. It does not include, for example, a sign on a building or on your letterhead. Even on packaging or in text describing or advertising your products, it may not be considered use if the trademark doesn’t look different than the text around it.
It’s common for lawyers to have to sort out situations after the fact. This could be to document ownership of something, deal with differing thoughts on what a deal was, deal with a situation where someone has changed their mind, or enforce rights against someone who has done something improper.
While not every problem can be avoided, it is better for a business if their lawyer creates a fence at the top of a cliff rather than acts like an ambulance at the bottom.
Here are 5 examples why getting legal advice up front is best.
- Putting agreements in writing up front forces the parties to come to grips with different viewpoints, and addresses early any “that’s not what I thought the deal was” misunderstandings. (Fun fact – the law describes this as the parties not being “ad idem” – one of the few Latin legal terms that remain.) Far better to sort these issues out at the start rather than let them fester later.
- It’s frustrating for both a trademark lawyer and their client when the lawyer has to advise that the brand name the client had their heart set on and perhaps has created material around or talked about publicly, is simply not available. Far better to do trademark searches early, whether or not the mark will be registered.
- Promising people that they will be shareholders in a company is hard to later retract if it turns out that having them as shareholders is not prudent from a legal or tax perspective.
- Documenting ownership of intellectual property when it is created can be much easier from a practical, bargaining power, and cost perspective than trying to do it later.
- We don’t know what we don’t know. The more a lawyer (and accountant) know about your business and your plans, the better the advice we can give, especially when it suggests a different path.
When a company is owned by more than 1 person, it’s a good idea to have a shareholder agreement. This becomes more important as the number of shareholders increases. The content and complexity of a shareholder agreement varies greatly depending on the business and the nature of its shareholders.
Here are 8 things a shareholder agreement can accomplish.
- Ensure that shareholders can’t sell their shares to just anyone they please, and that any new shareholder is bound by the shareholder agreement.
- Ensure that minority shareholders are just along for the ride, and not getting in the way of the control of the majority owners.
- Alternatively, it can give minority shareholders rights they may not otherwise have.
- Provide a way for shareholders to sell their shares in a manner that is fair to all shareholders, and gives the existing shareholders a first ability to buy them.
- Provide a method to value the shares for transactions between shareholders.
- Set out responsibilities, roles, and expectations of the shareholders in the business.
- Limit the corporation’s ability to do certain things (such as major expenditures or new product lines) without the agreement of the majority of the shareholders.
- Restrict the ability of shareholders to take what they know about the business and start their own competing business.
Keeping corporate records and contracts in one place – and keeping a tickler system that reminds you of important dates and actions needed – makes it easier to find documents and reduces the risk that something gets missed. This simple task can save a lot of time, money and embarrassment.
Here are 5 examples of things that bad record keeping can mess up.
- Domain names need to be renewed annually. If a renewal gets missed and you lose your domain name, or your website or email systems go down because you forget, it can be devastating.
- If you can readily put your hands on supplier and customer contracts, it can help resolve potential problems quickly.
- Mundane agreements for things like water coolers, copiers, and postage meters often have terms that automatically renew. You can easily get stuck with these for far longer than you wanted, or at prices far higher than needed if you don’t terminate them at the right time.
- Other agreements, like office leases, require a positive step to renew them by a certain time. Failure to do that can result in a less favourable renewal deal, or perhaps even result in the end of the lease.
- Being late for or missing payments that are not triggered by an invoice can cause problems. Income tax and other source deductions and HST payments are prime examples that can even result in personal liability for directors. Being chronically late for recurring payments such as equipment leases or internet access can put those arrangements in jeopardy and affect your credit rating.
Promotional contests that give away prizes can be valuable advertising tools when used properly. But they are fraught with legal risk and must be constructed very carefully. They also must include well drafted, legally compliant rules.
Here are 7 things that can get you into trouble.
- The Canadian Criminal Code contains rather bizarrely worded, hard to interpret sections making games of chance illegal. Subtle changes in the details of a contest can have major ramifications to what is needed to comply. This is why we so often see things like “no purchase entry” and “skill testing questions”.
- The Canadian Competition Act contains disclosure rules for contests around things such as the number of prizes and odds of winning. Unlike the Criminal Code provisions, these are easy to deal with – but they must be addressed.
- The “residents of Quebec not eligible” declaration we often see results from lottery legislation in Quebec. This legislation is such a nuisance to comply with that many just declare that their contests are not offered in Quebec.
- Privacy and anti-spam rules affect what you can do with entrant information and what you can send them by email. It is crucial to get these details right.
- If the contest is run using a social media platform, they often have their own rules that must be followed.
- If the contest includes the submission of something that the entrant creates – such as a photo, video, or essay – the rules must be clear about what you will do with it and contain appropriate permissions and representations.
- Contests run online are available to the entire world. Contest laws vary dramatically in different jurisdictions, so you need to limit geographic eligibility. And do you really want to have to ship your prize to Outer Slobovia?