Your M&A NDA guide: Non-disclosure challenges and best practices

A breach of confidentiality during mergers and acquisitions (M&A) can potentially have severe consequences — 70% of companies that experience a data breach report significant business disruption. One way to protect confidentiality is to sign a well-drafted non-disclosure agreement (NDA) early in the M&A timeline.

An NDA regulates how sensitive information is maintained during the translation. This article explores the main considerations around managing NDAs in mergers and acquisitions and outlines:

• What’s typically covered under an M&A NDA.
• Obligations of NDA parties.
• Tips for negotiating NDAs.
• Best practices for drafting NDAs.
• Solutions to common NDA challenges.

Why is an NDA important for mergers and acquisitions?

A non-disclosure agreement is a legally binding contract between two or more parties that outlines how they share confidential information. The main purpose of a non-disclosure agreement between a prospective buyer and seller in an M&A transaction is to:

• Protect confidential information
  An NDA outlines the obligations of deal parties to keep confidential information secure. This helps parties prevent misunderstandings while handling sensitive data.
• Regulate how information flows
  Outlines the scope of confidential treatment, confidentiality periods, disclosure exceptions, return and destruction procedures, and other terms.
• Build trust
  Outlines confidentiality violation and unauthorized disclosure remedies. This establishes the foundation for accountability, risk mitigation, and overall confidence in the confidentiality of the M&A process.

It’s crucial to execute an NDA early in the transaction process so both parties are legally bound to protect confidential information from the start.

What is covered under an M&A NDA?

A non-disclosure agreement in a business acquisition, merger, or joint venture typically covers the following topics:

• Definition of confidential information
  This specifies what qualifies as confidential information. This is usually proprietary information, including financial information, employee data, marketing and customer data, trade secrets, and derivative information. Derivative information includes analyses, studies, compilations, and forecasts prepared by a potential buyer or its representatives based on sellers’ confidential information.
• Restriction on the use of confidential information
  This limits the use of confidential information, typically to analyze the potential transaction  — conduct due diligence, valuation modeling, and integration planning.
• Obligations of deal parties
  This outlines the obligations of the receiving party (the party that receives confidential information).
• Reasonable efforts to protect confidential information disclosed
  This defines appropriate measures to protect sensitive information. The responsibility for the data breach usually lies with the receiving party.
• NDA terms
  This specifies the period during which the obligations under the NDA agreement remain in effect. 
• Remedies
  This specifies legal protections for the disclosing party, including the amount the receiving party must compensate for actual damages. 
• Permissible disclosures
  This specifies circumstances, such as legal investigations, under which the receiving party is allowed to disclose confidential information.
• Return of confidential information
  This governs how copies of confidential and derivative information are handled. It usually ensures that, upon request, the receiving party returns copies of confidential information to the disclosing party and destroys derivative information.
• Confidentiality period
  This governs the period during which confidential information must be kept private.
• No obligation to proceed
  This clarifies that deal parties are free to decide whether to move forward and are allowed to walk away if necessary.
• No granting of intellectual property rights
  This ensures that the disclosing party retains ownership of intellectual property disclosed to the receiving party, including patents, trade secrets, or trademarks.
• Enforcement mechanisms
  This details how the NDA is enforced, including the action taken if the terms of the agreement are breached.
• Governing law and jurisdiction
  This specifies a legal framework of the agreement.
• Dispute resolution
  This specifies the methods and procedures for resolving disputes regarding the breach of obligations and the terms of the agreement.

Obligations under an NDA

NDA obligations generally relate to the receiving party and focus on protecting the disclosing party’s business interests and ensuring the confidentiality of information shared during the deal. The receiving party may be obliged to:

• Maintain confidentiality of shared information.
• Use confidential information exclusively for purposes outlined in the agreement.
• Use reasonable protection measures to keep confidential information secure.
• Not share confidential information with receiving party’s representatives without prior written consent from the disclosing party.
• Ensure the receiving party’s representatives who use confidential information are informed about its confidential status and apply reasonable protection measures.
• Not share confidential information with third parties for the minimum period outlined in the agreement, unless specifically compelled to disclose such information in court proceedings.
• Destroy confidential information upon request or after the confidentiality period ends.
• Notify the disclosing party about data breaches and cover data breach damages.

Common NDA mistakes

Here are common mistakes to avoid when crafting and signing NDAs:

Not carefully defining confidential information

A vague definition of confidential information may create misunderstandings about which information is confidential. This may result in one party inadvertently disclosing critical information that was thought to be non-confidential.

The solution is to clarify which information is confidential, for example, financial records, trade secrets, employee data, and customer data. If deal parties anticipate sharing extensive financial data, a dedicated financial NDA may be necessary. Independently-developed business information (without the use of disclosing party’s information) is typically excluded from the NDA.

Not correcting typos or other errors

Even a small typo, like forgetting to include ‘Inc.’ after the legal name of the NDA party may result in an unenforceable agreement. Using legal and trade names consistently throughout the agreement helps to avoid misunderstandings and enforceability issues.

Being signed by the wrong person

NDA agreements must be signed by chief executive officers (CEOs), board chairs, and other authorized representatives. When signed by the wrong person, for example, a CEO’s secretary, the agreement may have enforceability issues.

Confidentiality agreement vs NDA: What’s the difference?

Confidentiality and business NDA agreements (business acquisition and business sale NDAs) share  similar roles in protecting sensitive information shared between two or more parties. However, they are typically used in different contexts:

1. A confidentiality agreement is typically used in employee relations. For example, a company may enter into a confidentiality agreement with an individual contractor to protect sensitive information shared during collaboration.
2. A business sale non-disclosure agreement (typically similar to a business acquisition NDA) protects confidential information shared between business entities in corporate transactions. For example, an M&A seller may enter into an NDA with an M&A buyer to protect critical corporate information.

How to negotiate an NDA?

A ‘standard’ NDA may overlook unique details of the particular transaction, such as pending patent applications or time-sensitive product announcements. Therefore, it’s crucial to tailor NDA provisions to your circumstances which often requires negotiations with the other party. Here are the key considerations when negotiating NDAs for mergers and acquisitions:

Unilateral NDA vs mutual NDA: Which one should you choose?

Deciding between unilateral and mutual NDA is usually the first step in negotiating information exchange in mergers and acquisitions. Here are the key differences:

• Unilateral NDA
  This is suitable when critical information flows in one direction — typically from the disclosing party (target company) to the receiving party (acquiring company).
• Mutual NDA
  More suitable when information flows in both directions. Both parties have obligations to each other.

The unilateral NDA for a sale of the business may be more suitable when sellers look to divest assets or exit without ongoing involvement. Mutual NDAs, on the other hand, may suit transactions where sellers anticipate ongoing involvement and conduct due diligence on buyers:

• Joint ventures
  The collaborative nature of joint ventures typically requires both parties to share critical information for successful outcomes.
• Transactions involving seller’s interest
  These occur when sellers or their shareholders retain a vested interest in the sold business, such as in stock-for-stock mergers where the acquiring company compensates the target’s shareholders with its own shares.

Which NDA clauses are typically negotiated?

Confidentiality period duration, the scope of confidential information, obligations, dispute resolution, and other important provisions are usually subject to negotiation.

A receiving party may seek to limit obligations, while a disclosing party may insist on longer confidentiality periods and stricter obligations. The buyer’s perspective is usually to limit liability for its representatives.

The seller’s perspective is usually to push for standstill provisions that prevent the buyer from making unsolicited offers to other interested parties or using tactics to disrupt the possible transaction. Balancing the expectations of the parties involved in the transaction can help in achieving mutually acceptable terms.

Should parties negotiate NDAs directly?

It’s generally advisable to execute M&A NDAs through M&A advisors, investment bankers, legal advisors, and other intermediaries. Using an M&A intermediary can help deal parties establish professional communications and facilitate an unbiased approach to NDA negotiations.

Best practices for drafting an NDA

Here are the best practices for drafting professional non-disclosure agreements for mergers and acquisitions:

Outlining confidentiality measures

It’s advisable to outline the specific security measures the disclosing party wants the receiving party to use for information protection. This will help align expectations on confidentiality obligations and reduce the risks of data breaches. The following data security measures can be used:

• Access permissions.
• Strong password policies.
• Two-factor authentication.
• Information rights management (IRM) security.

Clarifying third-party access

It might be useful to add clauses that govern how third parties, such as contractors, legal advisors, or investment banks, should use confidential information. This helps avoid misunderstandings at later M&A stages. Such provisions are also highly relevant for security purposes because approximately 29% of data breaches occur due to third parties falling victim to cyberattacks.

Addressing potential conflicts

It might be useful to include additional provisions that address other areas of potential conflict:

• Handling of inadvertent disclosures.
• Relationship with whistleblowing.
• NDA termination conditions, including completion of the NDA purpose, end of the confidentiality period, or a written notice to the other party.
• Exemption from liability in extreme circumstances, including war, natural disasters, or terrorist attacks.

Overcoming common NDA challenges

Challenges may arise when there’s a disagreement over certain terms of the agreement:

Confidentiality terms

One of the key challenges in NDA agreements is balancing the duration of confidentiality obligations. Overlong or even ‘indefinite’ periods can be burdensome and practically impossible to stick to, particularly for acquirers engaging in frequent M&A. Sellers, however, have concerns about their trade secrets being exploited after the confidentiality period ends and so are compelled to ask for the longest practical duration.

The solution may be to split confidentiality periods for ‘regular’ information and trade secrets. Two or five years of confidentiality restrictions are usually sufficient for information that is not a trade secret. For trade secrets, longer confidentiality periods may apply.

Employee non-solicitation

Employee non-solicitation clauses, which prohibit one party from recruiting employees of another party, may be problematic if they imply excessive restrictions on either party’s hiring practices.

The solution may be to define a reasonable non-solicitation time frame (one or two years) and ensure that non-solicitation terms align with labor laws of the applicable jurisdiction.

Representatives’ access to critical information

The receiving party’s obligations to keep sensitive information confidential typically involve ensuring that its representatives also employ effective security measures. However, controlling how they do this can be problematic, particularly when deal teams use regular file-sharing tools not designed for heightened security.

Team members may also inadvertently expose critical information. For instance, 68% of data breaches involve non-malicious human elements, like making errors or falling victim to social engineering attacks.

To have better control of how representatives access critical information, dealmakers can use secure virtual data rooms (VDRs). Ideals VDR applies the following measures for effective management of confidential information:

• Role-based access permissions
  This applies eight levels of access permissions to ensure maximum control of representatives’ access to deal information.
• NDA verification
  This requires users to accept NDA terms upon login, ensuring they acknowledge confidentiality obligations before accessing confidential information.
• Two-factor authentication
  Requires a one-time verification code by SMS or authenticator app.
• IRM security
  Manages access to document actions such as viewing, downloading, and editing. IRM security allows you to maintain access permissions on downloaded files and revoke access at any time.
• Dynamic watermarking
  Applies user-dependent watermarks to files viewed and downloaded.
• Comprehensive audit trail
  Tracks all user activities in the data room and provides real-time visibility into how confidential information is accessed, when, and by whom.

The bottom line

• In mergers and acquisitions, NDAs protect sensitive information shared between parties. NDAs can be unilateral (where only one party discloses sensitive information) and mutual (when both parties exchange confidential information).
• Key NDA challenges include balancing confidentiality terms, addressing non-solicitation matters, and managing representatives’ access to confidential information.
• The best NDA practices involve using M&A intermediaries, articulating confidentiality measures, and addressing potential conflict areas, including inadvertent disclosures, whistleblowing, agreement termination, and liability limitations.

FAQ