Non-Disclosure Agreements: Just say No!
One of my first "ahas" at Gartner was a statement by one of the senior
analysts: "We don't sign NDAs with vendors. Why would we tie our hands when we have so many
sources of information apart from vendors? And if we do, the NDA is for a maximum of 2-3 days while
an M&A or something else really sensitive needs to be embargoed".
Wow, I remember thinking - it's amazing Gartner gets away with that with
vendors 50X their size. They sure did.
That was in 1995. Today, even firms that are not in the information business like
Gartner have many, many sources of public and conversational information from
peers, partners and vendors. Yet NDAs have exploded in quantity and in
their ridiculous reach: 10-year NDAs in an industry where things change by the
minute; NDAs to establish a process to sign the actual NDA.
And of course, that has spawned bunches of exceptions in the NDAs to reflect
the growing sources of information we have, and to allow us to respond to ever
more aggressive regulatory requirements when regulators demand information without caring
whether it was covered by some NDA.
Given all this NDA and exception proliferation, I can safely say that if the
average company did a trace analysis of all the NDAs it signed in the last 5 years, it would find
the majority of them contradicted by other NDAs signed by the other party. It would also find that
the biggest "leakers" of truly proprietary information tend to be employees - salespeople who take
customer and price lists, engineers who take their intimate product details when they change jobs.
The old adage never held truer - if more than 2 people at your company know about something,
it's out there in some shape or form.
So here's a plea to the industry. Let's not sign or ask for NDAs by rote.
Let's require them only for very narrow time frames and with very tight definitions. Let's come
up with a framework like the intelligence community uses. Certain information
should be "eyes only" for a very small group of folks. Everything else should
be graded in terms of reality - is the information really, really confidential,
not already out there, and not deducible with little effort?
Without that we are deluding ourselves that our information is "protected", and
just adding to legal fees and administrivia.
September 26, 2008 in Industry Commentary | Permalink