When it is thought of at all in the context of IP, confidential information is often thought of as things like secret recipes, codes or algorithms – less often as internal business processes, marketing strategies, supplier and customer lists and all that other critical information that a company and its employees acquire over time, through considerable effort and trial and error, that isn’t generally known outside of the company and that gives the company an edge over the competition. This kind of information is often called confidential business information or “CBI”.
Every company, big or small, established or start-up, has CBI. It can be one of the company’s most valuable assets. But if it isn’t identified and adequately protected, its value will depreciate quickly or, worse, it will simply walk out the door.
Identifying and protecting CBI is especially important for entrepreneurs and emerging companies. So often it is the knowledge and ideas that are “under the hood” of these businesses that provide them with their principal advantage. Knowledge and ideas can be difficult and impractical, if not impossible, to protect through patents, copyright or trade marks. Maintaining confidentiality in this kind of information opposite other companies, employees, independent contractors or consultants may be the only way to prevent others from reaping the benefits of the time, hard work and innovation that went into acquiring it.
What is CBI?
Information doesn’t have to be “secret” to be CBI. Very generally, information can be CBI if:
- it isn’t generally known outside of the company;
- time and effort would be needed to find it elsewhere; and
- it has commercial value.
As such, CBI can consist almost entirely of non-confidential elements as long as the whole package, such as a marketing plan, is not generally known and can’t otherwise be found in one place.
One way to identify a company’s CBI is to do an informal audit. Ask what has the company learned through its own trial and error that has helped it improve processes or sales? What are new employees trained in that they wouldn’t learn elsewhere? What would you tell a lawyer or accountant about how the business operates that you wouldn’t want a competitor to know?
Much of this information will not be CBI. It may be easily accessible in the public domain or form part of a skill set that a person is entitled to call their own. But there is no harm in being over-inclusive when it comes to identifying a company’s CBI in order to protect it. All information that meets the above criteria should be identified so that at least it can be treated as confidential whether it is truly confidential or not.
The very nature of CBI makes it hard to protect. It is easily shared, is extremely portable and impossible to take back once it’s out of your control (it can’t be “unlearned” by an unintended recipient). It can also be fun to talk about. Business people, especially entrepreneurs, are always eager to learn what’s “under the hood” of a successful business model, product or service. And unlike patents, copyright and trade marks, there is no specific legislation in Canada for protecting it.
Identifying CBI is the first step in protecting it. The law will only protect a discloser’s rights in confidential information to the extent that a recipient was made aware of its confidentiality. The information must have been identified as confidential before it was disclosed. One way to do this is to have a manual, ideally marked “Confidential”, in which all of a company’s CBI is reduced to writing. A franchisor’s operating manual – containing all of the “how-to” for operating a franchise (e.g. how long to cook the French fries) - is a good example.
For CBI that is made up of mostly non-confidential elements (like a marketing strategy), it is especially important to put it down in writing and mark it “Confidential”. In the event of a legal dispute, a judge will be far more likely to find that information like this is confidential if the owner did something to assemble all of it into one place and to “tie a bow” around it.
Once information has been identified and designated as confidential, all who come into contact with it should be made aware of its confidentiality and become obligated not to disclose it. This includes employees, independent contractors or consultants and other companies you might engage in a commercial relationship or negotiation. The most effective way to communicate confidentiality and impose a non-disclosure obligation is through some form of written agreement. This can be a confidentiality covenant in an employment agreement, a letter to be signed by another party to a negotiation or a formal non-disclosure agreement (NDA).
There are many “pro forma” NDA-type agreements available on the internet. However, to be most effective, an NDA should be tailored to the situation. First, the more specific an NDA is about the information or categories of information that are at issue and how it may and may not be used, the less likely it is to be breached, at least unwittingly. Second, in the event of dispute, a court will be far more likely find that information is confidential if it is specifically identified in a schedule to an NDA or another written agreement.
More important, however, is how CBI is actually managed and disclosed, regardless of what manuals or contracts might say about it. If the President of the company discloses CBI to hundreds of people at a conference, or if it is routinely shared without restrictions, then it is not confidential. To protect CBI and its value, there must be protocols in place. Don’t just ask people to sign NDAs. Tell them what they are signing and show them what procedures are in place to keep CBI confidential. For instance, CBI should only be disclosed internally and to others on a need to know basis.
I’ve represented clients in a number cases involving breach of confidence or misappropriation of trade secrets. In every case, the information at issue was first disclosed in the context of some exciting new project when everyone was getting along perfectly and couldn’t imagine things ever going wrong. So don’t think that identifying and protecting CBI is only important when suspicions are first aroused. By that time, it will probably be too late.
By the way, here's a quick clip of me talking about CBI…