A practical guide to software license agreements: confidentiality obligations

Software license agreements often contain provisions that impose restrictions and requirements regarding the use and disclosure of each party’s confidential information. Customers should consider whether the confidentiality obligations are reasonable and practicable for the particular circumstances of the transaction.

Confidentiality Restrictions/Requirements

Confidentiality provisions impose restrictions and requirements on a contracting party (the “Receiving Party”) regarding the use and disclosure of the confidential information of the other party (the “Disclosing Party”). Those obligations can be adjusted to reflect the nature of the Disclosing Party’s confidential information, the manner in which the Receiving Party will access and use the information, and the potential risks to the Disclosing Party if the information is misused. For example:

• confidential information: the information to be treated as confidential might be defined broadly (e.g. all non-public information about the Disclosing Party or its business) or narrowly (e.g. only information that is expressly identified in writing as confidential).
• permitted use: the purpose for which the Receiving Party may use the information can be specific (e.g. as reasonably required to use the licensed software) or general (as reasonably required to perform obligations and exercise rights under the agreement).
• permitted users: there might be restrictions on the individuals that may use the information (e.g. only the Receiving Party’s employees on a need-to-know basis).
• permitteddisclosures:there might be restrictions on the Receiving Party’s ability to disclose the information to other persons (e.g. no disclosure to contractors or service providers) or requirements for mandatory disclosures required by law (e.g. prior notice to the Disclosing Party of the required disclosure).
• protection/standardofcare:the Receiving Party’s obligation to protect the information might be absolute or limited to a specific standard of care (e.g. the same measures the Receiving Party uses to protect its own confidential information, but not less than reasonable care).
• duration: the confidentiality obligations might last for a specified period only (e.g. five years after disclosure of the information) or until each item of information no longer qualifies as confidential.
• exceptions: the confidentiality obligations might not apply to certain kinds of information (e.g. information that is already known to the Receiving Party or is subsequently obtained by the Receiving Party from another source that is not subject to confidentiality obligations).

Return/Destruction Obligation

Confidentiality provisions usually require the Receiving Party to return or permanently delete and destroy all records of the Disclosing Party’s confidential information in the Receiving Party’s possession or control when the Receiving Party no longer has a legitimate need to use or retain the information or when requested to do so by the Disclosing Party. There are often exceptions that permit the Receiving Party to retain records of information for legal compliance purposes.

Enforcement

Liability for breach of confidentiality obligations is often an exception to contractual liability exclusions and limitations, which means that the Receiving Party faces a risk of unlimited liability for all damage and loss suffered by the Disclosing Party as a result of the Receiving Party’s breach of confidentiality obligations. In addition, confidentiality provisions often give the Disclosing Party special enforcement remedies, including a right to inspect and verify the Receiving Party’s compliance with the confidentiality obligations and a right to judicial remedies (e.g. an injunction) to prevent the Receiving Party from breaching the confidentiality obligations.

Administrative Practices

Confidentiality obligations might require the Receiving Party to implement new administrative practices for handling the Disclosing Party’s confidential information. In some circumstances, those practices can be a significant burden and impose unanticipated costs on the Receiving Party.

Recommendations

Confidentiality obligations in a software license agreement should be reasonable and practicable for the intended transaction (including the kinds of sensitive information that will be disclosed and the manner in which the information will be used). A customer should carefully consider the administrative practices that will be required to comply with confidentiality obligations regarding the software vendor’s confidential information.