IT security teams need to know about confidentiality clauses in
contracts.
The law of confidentiality is one of the cornerstones of legal
protection for information, and is a double-edged sword: it can be
used to protect your own information, but it can also be used
against you if your security measures are not all they should
be.
The first thing to note is that your organisation's liability to
others for a disclosure of confidential information may have arisen
in circumstances that you, as guardian of its confidential
information, may not have been aware of. Even in the absence of a
written agreement, there can be an automatic liability to third
parties under the law of confidence.
For information to be classed as confidential, it must have the
"necessary quality of confidence" and be disclosed in circumstances
implying a duty of confidence. The phrase "necessary quality of
confidence" in broad terms means the information is worthy of
protection: it is not trivial or obvious, or already public
knowledge.
There are certain relationships where it is established that a
duty of confidence automatically exists, such as the relationship
between doctor and patient. In other relationships, however, the
matter hinges on whether the discloser had a reasonable
expectation that the information would be kept confidential, and
whether that expectation was reasonably evident to the recipient.
There is no handy checklist for determining whether these factors
exist, and an element of judgement will be involved.
Finally, for information to be deemed to be confidential there
must be some detriment to the party that "owns" it in the event
that the information is disclosed or misused.
The second thing to note is that a duty of confidence can arise
under a contract. Most organisations will have a large number of
agreements with suppliers, customers and other bodies on various
matters. All these agreements are likely to contain confidentiality
clauses. Failure to observe these clauses is a breach of contract,
which is actionable if a loss ensues.
The great advantage of a contractual confidentiality clause is
that it takes the guesswork out of determining what information is
protected. Many confidentiality clauses are so wide that they cover
all information disclosed, whether it is confidential in the common
law sense discussed above, or not. However, where the information
is not confidential in the common law sense, disclosure or misuse
in contravention of the agreement is less likely to lead to a loss
on the part of the "owner" and therefore it is unlikely that an
action for breach of contract could be sustained.
But the rub is that express confidentiality clauses vary in
their terminology. Some of the more complex clauses require the
recipient to keep confidential information separate from other
types of information, and many require an organisation to only
disclose the other party's confidential information to those
employees that need to have access to it. A business that does not
consult its IT team with a view to setting up access protocols to
police these obligations internally is likely to find itself in
breach of them. Another common term in confidentiality clauses is
that the recipient will treat the confidential information with no
less care than it does its own information. Again, if the IT team
is not made aware of this obligation, it is unlikely to be
fulfilled.
What is clear is that the IT team cannot fully protect an
organisation from risk unless it is given greater knowledge of the
wider business being conducted and, in particular, the
confidentiality obligations that are being entered into. Currently,
it is very unlikely that the business teams in an organisation, or
even its legal teams, would think to inform the IT security team of
the obligations they are committing to. This position should change
if maximum legal protection is to be secured, and demonstrates how
IT security teams can and should increase their profile within
their organisations for the good of all.