It's all about the “secret sauce.” Doing business with other companies is a common course of action, but in any deal, a company wants to make sure it protects its most valuable information. Simple? Sure, but the execution of a nondisclosure agreement (NDA), data protection agreement (DPA), or other security or privacy agreements can be much tougher.

The “Negotiating Privacy and Security in Transactions: NDAs, DPAs, and Privacy & Security Addendums” panel at the 2019 Association of Corporate Counsel (ACC) Xchange conference broke this execution down into 10 steps that are crucial to protecting company information. The panel featured Kerry Childe, an attorney most recently with Best Buy, and Sarah Sederstrom, vice president of legal with Wunderman, with Helena Ledic, associate general counsel at CSC, acting as moderator.

1. Know your deal: It may seem simple, but the first thing Sederstrom asks young attorneys when they come to her with a problem is, “What's the deal?” She explained that this may be the most important consideration for keeping data secure: “Knowing what the particular deal is, as well as what your company typically does in this area, is important.”

Childe added, “You cannot negotiate these in a vacuum. You have to know if you are the one person who knows … what it is the deal is trying to do before you can negotiate the right provision.” If not, she explained, attorneys are going to be negotiating the wrong things up front.

2. Understand the scope of document: What transactions is an NDA or DPA intended to cover? Is it for all exchanges, or just one? Is the scope of the agreement mutual, or just one-way depending on who's giving up information? It's important to know exactly what an NDA or DPA is looking to do before it can properly proceed.

Sederstrom added that it can be important for legal ops professionals as well to be “asking these questions in the scope of document, not in the particular deal, but if you can create efficiencies in your particular department.” Based on properly scoping documents, she said, legal departments can more effectively use the data found within agreements to create different templates and decision trees and properly categorize documents.

3. Consider the invasiveness of the document: This is scope creep, and it can be suspicious when additional details like overbroad IP ownership, non-competes, and security addendums are included, Sederstrom said. She explained, “A lot of times you can't take it at face value. Particularly when I have engineers working with me, is there something else in that document?”

Even if a legal department would like to have a lower standard for a deal, the realities of the situation sometimes make that prohibitive, Childe added. If they leave out a certain detail, the worry is that a supplier can come back and say, 'We agreed to that.' As a result, the default is to throw kitchen sink at a document as a defensive measure.

4. Define confidential information and types of data categories: To be sure, it's important to delineate what information is actually being contained in a document. “Is it just going to be proprietary trade secret information? Is it going to be personal data?” Childe asked. She added, “Know and understand what kinds of data will be part of this deal, because each one of those things may carry separate regulatory requirements, and may carry with it separate contractual requirements.”

Sederstrom noted that sometimes confidential information definitions can be very broad and followed by a clause that says all confidential information should be secured. This can cause a legal department difficulties. “Most of the time, confidential information isn't encrypted from end to end. … So it's something to consider for ease of negotiation, try and tailor it a little bit.”

5. Work with your business, security and procurement teams: Working with others can take a number of different forms, from coordination to instituting playbooks to understanding the trigger issues of some team members such as audit rights, patching or time taken on a problem.

Sederstrom, for example, noted that she always gets her chief privacy officer involved with DPAs because of the time they take, often a year or more. Childe's chief privacy officer, meanwhile, did not let the legal department negotiate out the ability to conduct an on-site audit, instead looking to make that determination herself.

“The piece that is most important from the legal perspective … is making sure your business unit understands what you're trying to accomplish so they don't blow it up for you,” Childe explained.

6. Consider data scope and location: Beyond knowing the deal and the scope of the agreement itself, counsel should also take a close look at the scope of the data involved and where that data is being held. Are there fields of data being changed? Where is that data from? And if there is a data transfer, does it require model standard contracts, or is there another mechanism in place?

This gets tricky because of international agreements such as the General Data Protection Regulation (GDPR). Childe noted that when she was at Best Buy, the company had no stores or customers outside the U.S., and thus a lot of the standard GDPR issues did not apply to them. “Best Buy regularly gets documents that require us to agree to DPAs, GDPR, standard terms and conditions. And I push back on every one of those. … Does the EU standard need to apply worldwide? Our argument is no.”

But, Sederstrom added, “That gets tricky though. What if the deal changes?” The legal department, in that case, needs to make sure it is thoroughly tracking any changes that take place.

7. Watch for DPAs, NDAs or PSAs with Kitchen Sink Provisions: Some agreements will throw in a number of privacy and security clauses at the end with overly broad provisions. Sederstrom said they give her pause: “Is it really nondisclosure, or do you want me to not sell to your competitors?”

If getting others to review an agreement, she noted, “The best thing you can use is your own template and then compare, until they learn what's standard in something.”

Childe also added that attorneys should not put additional provisions only at the end. “You need to have that full scope, and if you've gotten it only from the end, it feels like a gotcha from either end.”

8. Be aware of certifications and pass-throughs for the cloud: Cloud providers are now easier to work with than in the past, the panel agreed, but attorneys still need to be aware. Childe noted that, for example, Amazon has SOC 2 and other controls, but it's incumbent on counsel to understand what those are when working with someone else. Data storage and processing different things as well, and can be delineated in agreements.

In her company, CSC's Ledic noted that a person in her IT department wants to make all attorneys go through a cloud security audit to better understand what it takes. “If attorneys actually had to sit there rather than just the security people, [requested security audits] would be cut down by 75 percent,” she explained.

9. Keep aware of changing privacy policies: In Childe's words, compliance with the current California Consumer Privacy Act (CCPA) is “a little like trying to change tires while you're rolling down a highway.” Since it's constantly in flux, counsel “have to keep in mind what your privacy policy says.”

For certain, companies need to find a way to comply with domestic laws while still holding to international standards. As Childe notes, “it's not clear whether the FTC will enforce foreign jurisdiction privacy statements as actionable.” A dedicated privacy person can help attorneys walk through this process, but “some data sets are so complex that there's no way to know.”

10. Don't just sign:  Sederstrom provided a final warning: If the other side says, “It's just an NDA, just sign it,” it's an indication that you should do the exact opposite. “When they say that, I pretty much know I need to take a look at it,” she explained.

Childe, meanwhile, told attendees to be open to a deal with special provisions, even if it might ultimately mean more work. For some deals, she said, “you're just going to have to understand why that deal is unique and work with it.”