Confidential Information Definitions in NDAs: Why "Any Information Disclosed" Is Not a Definition and What to Use Instead

Michael M.
Lawyer (content verification)

A client hands you a one-page NDA before a vendor call. The confidentiality clause says the receiving party must protect "any information disclosed by either party." You sign it, the deal falls through, and six months later your former counterpart is using your pricing model with a competitor. You go to enforce the agreement, and your lawyer tells you the definition is the problem: it says everything, which in practice means it protects almost nothing a court will recognize.

This is one of the most common drafting failures in small business NDAs, and it is entirely avoidable. Below is what "confidential information" actually needs to say to hold up, how it differs when the agreement is between individuals versus between legal entities, and the specific wording that closes the gaps a generic online generator leaves open.

Why "Any Information Disclosed" Is Not a Definition

A definition tells a reader what is inside a category and what is outside it. "Any information disclosed by either party" does neither. It does not exclude the weather small talk before the meeting, the vendor's own publicly listed prices, or facts the recipient already knew. Courts read confidentiality clauses the way they read any other contract term: for reasonable specificity. When a definition covers literally everything, a judge cannot tell what the parties actually intended to protect, and that vagueness gets read against the party that drafted the clause.

The practical effect is not that the whole NDA becomes worthless — it is that when you need the clause most, in a breach dispute, the other side's first move is to attack the definition itself. If they win that argument, there is nothing left to enforce.

Confidential information vs trade secret comparison

What Courts Actually Require From a Confidentiality Definition

The standard courts apply is reasonable specificity, not perfection. A definition that names categories — customer lists, pricing structures, source code, financial projections — paired with a general catch-all for "information a reasonable person would understand to be confidential given the circumstances of disclosure" tends to survive scrutiny. A definition that is only a catch-all, with no categories at all, tends not to. The goal is a definition specific enough that a judge reading it cold could sort a piece of information into "covered" or "not covered" without guessing.

This same logic shows up outside the NDA context too. In California, courts applying Business and Professions Code Section 16600 have struck down confidentiality language that functions as a disguised non-compete precisely because it defined confidential information so broadly that it covered anything an employee learned on the job — turning a disclosure restriction into a restraint on lawful work.

"Language that labels virtually everything an employee learned, observed, or heard as confidential is a red flag. Courts read those terms as restraining lawful work rather than protecting specific secrets, which invites Section 16600 challenges."

The Legal Difference Between Confidential Information and a Trade Secret

Small business owners often use "confidential information" and "trade secret" interchangeably, but they are not the same thing, and the difference matters for how long protection lasts and what you have to prove. A trade secret is defined by statute, not by your contract. Under the Defend Trade Secrets Act, information qualifies only if the owner has taken reasonable measures to keep it secret and the information derives independent economic value from not being generally known.

Ordinary confidential information — an org chart, an internal budget draft, a vendor's contact list — does not need to meet that bar. It is protected because your contract says so, for as long as the contract says so. That is exactly why the NDA's definition matters so much: for anything that is not a bona fide trade secret, the contract is the only thing standing between your business and a former partner talking freely.

Categories: A Definition Structure That Holds Up

The most durable definitions use a three-part structure: (1) a general statement of purpose, (2) a non-exhaustive list of categories, and (3) a reasonable-person catch-all. Skipping the list and relying only on the catch-all is a common shortcut in templates pulled from a generic online generator, and it is the first thing a defense lawyer will highlight in a dispute.

  • Business and financial data: pricing, margins, budgets, forecasts, and unpublished financial statements
  • Technical data: source code, product designs, formulas, prototypes, and R&D notes
  • Customer and vendor data: client lists, contact details, purchase history, and supplier terms
  • Personnel data: compensation structures, performance reviews, and org charts
  • Strategic materials: business plans, marketing strategy, and unannounced product roadmaps

Sample Definition Clause You Can Adapt

Below is a working definition built around that structure. Treat it as a starting draft, not a copy-paste standard — you should still tailor the enumerated categories to what your business actually shares.

"Confidential Information" means any non-public information disclosed by either party (the "Disclosing Party") to the other (the "Receiving Party"), whether in written, oral, electronic, or other form, that is designated as confidential at the time of disclosure or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, without limitation: (i) business and financial information, including pricing, margins, and forecasts; (ii) technical information, including source code, designs, and processes; (iii) customer, vendor, and personnel information; and (iv) business plans, strategies, and product roadmaps not yet publicly announced.

Notice what this sample does that "any information disclosed" does not: it lists categories, it sets a reasonable-person standard for anything not on the list, and it ties confidentiality to the circumstances of disclosure rather than to the recipient's guesswork.

Marking Requirements vs. "Reasonable Person" Standard

Some NDAs require that confidential information be marked "Confidential" at the time of disclosure, usually to make disputes easier to prove later. That approach is clean for paper documents but breaks down fast for verbal disclosures on a call or in a walkthrough of a facility. If your NDA relies solely on marking, unmarked information may not be protected at all, no matter how obviously sensitive it was. This is exactly the kind of gap that shows up in a bare independent contractor agreement when the confidentiality section is copied in without adjusting for how the contractor actually receives project information.

The better draft combines both: require marking where practical, but add that orally or visually disclosed information is still covered if the disclosing party identifies it as confidential at the time, or if the recipient should reasonably have understood it was confidential given the context. This hybrid approach is now standard practice in agreements drafted by counsel rather than assembled from a bare-bones template.

Checklist for enforceable NDA confidentiality definition

The Five Exclusions Every Definition Needs

A definition that never excludes anything is functionally overbroad, even with a good category list. Every enforceable definition needs standard carve-outs for information that should never have been restricted in the first place.

  • Information already in the public domain through no fault of the receiving party
  • Information the receiving party already lawfully possessed before disclosure
  • Information independently developed without reference to the disclosed material
  • Information rightfully received from a third party without a confidentiality duty
  • Information the disclosing party agrees in writing is no longer confidential

Leaving these out does not make the definition stronger — it makes it look like an overreach, which is exactly the argument a receiving party's lawyer will make when a dispute reaches court.

Handling Information Disclosed Before the NDA Was Signed

A mistake that occurs often enough to be worth flagging separately: parties frequently exchange information in early conversations, then sign an NDA weeks later assuming it protects everything already shared. It does not, unless the agreement specifically says so. If you had a preliminary call before signing, add a sentence bringing prior disclosures within the definition's scope, dated back to first contact. Otherwise, that earlier information sits in a gap the agreement never reaches.

Mutual NDAs: Why One Definition Must Work Both Directions

When both sides are sharing sensitive information — a joint venture, an acquisition discussion, a co-development deal — you need a mutual NDA, and the single definition of "Confidential Information" has to function symmetrically for both the disclosing and receiving roles, since each party occupies both roles at different points. A one-sided definition drafted with only one party's disclosures in mind creates a lopsided agreement that a sophisticated counterparty will flag in redlines, and that a court may read narrowly against the drafter if a dispute arises later. The same symmetry problem shows up when confidentiality language is buried inside a service agreement written from only the vendor's point of view — the client's disclosures often end up with weaker protection almost by accident.

This is also where the "between individuals" versus "between legal entities" distinction actually shows up in drafting, not just in party names. An NDA between individuals — say, two co-founders working out an early partnership before forming an LLC — should define confidential information to include personal financial contributions and equity discussions, not just corporate categories. An NDA between legal entities more often needs categories tied to systems, IP, and customer data at a company level. The underlying legal standard for enforceability does not change based on whether the parties are people or companies, but the categories you list absolutely should.

Spectrum from vague to well-drafted confidentiality definition

The DTSA Whistleblower Notice Requirement

Since 2016, the Defend Trade Secrets Act has required a specific notice in any agreement governing trade secrets or other confidential information signed by an employee, contractor, or consultant. Skipping it does not void the NDA, but it costs you access to enhanced remedies. The notice belongs in the standalone NDA and, just as importantly, in the confidentiality section of the underlying employment contract itself, since both documents typically govern the same relationship.

Under the statute, an individual cannot be held civilly or criminally liable for disclosing a trade secret in confidence to a government official or attorney for the purpose of reporting a suspected violation of law, or in a court filing made under seal. If your NDA or employment agreement does not include this notice, you lose eligibility for exemplary damages and attorney's fees in a DTSA misappropriation claim, even if you otherwise win the case.

Immunity Notice: Employee is notified that, under the Defend Trade Secrets Act, an individual may not be held criminally or civilly liable under any federal or state trade secret law for the disclosure of a trade secret made in confidence to a government official or to an attorney, solely for the purpose of reporting or investigating a suspected violation of law, or in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal.

A well-worded definition is necessary but not sufficient. Courts evaluating whether information genuinely qualifies for protection look at how the business actually treated it, not just what the contract says. In one federal case, a semiconductor company requiring a business partner to obtain signed confidentiality agreements from every individual employee who would access its technical data, and to expressly mark protected documents, was cited as the kind of practical, layered protection that supports a later misappropriation claim. A definition sitting in an NDA that nobody follows in practice is much weaker in litigation than the same definition backed by consistent access controls and internal marking habits.

The takeaway for a small business is not that you need enterprise-grade security software. It is that your actual practices — who gets access, whether documents get labeled, whether departing employees or contractors sign an acknowledgment — should roughly match what your NDA definition promises. A gap between the two is exactly what a defense lawyer will highlight first.

Duration: How Long Should the Definition's Protection Last

Ordinary business information does not need forever-confidentiality, and asking for it invites a court to find the term unreasonable. A term of two to five years is standard and defensible for routine business data. Trade secrets are different: because their value depends entirely on continued secrecy, protection for a genuine trade secret can and should extend for as long as the information remains secret and the owner maintains reasonable protective measures — potentially indefinitely.

Courts have not been entirely consistent on what happens when a flat expiration date is applied to trade secret material without an exception. In one case, a federal court in California declined to grant a preliminary injunction in part because a confidentiality agreement that expired after ten years did not reflect reasonable steps to protect trade secret information on an ongoing basis. The practical lesson: if your NDA's definition includes genuine trade secrets, draft a separate, longer — or open-ended — duration for that category rather than applying one expiration date to everything.

Common Mistakes That Gut the Definition

Most enforcement failures trace back to the same handful of drafting shortcuts, often introduced when a business copies a definition from an old template without adjusting it for the current deal.

  • Using only a catch-all phrase like "all information" with no enumerated categories at all
  • Forgetting the five standard exclusions, making the clause look punitive rather than protective
  • Applying one flat duration to both routine data and genuine trade secrets
  • Failing to address information exchanged before the NDA was signed
  • Leaving out the DTSA whistleblower notice, which quietly caps available remedies

Four-step process for drafting a confidentiality definition

Between Individuals vs. Between Legal Entities: Does the Definition Change

Yes, in substance if not in legal standard. A generator that produces the exact same boilerplate for a two-founder handshake deal and a corporate joint venture is producing a document that fits neither well. For individuals, add categories covering personal contributions, informal equity splits, and any personal financial information exchanged. For entities, add categories for systems access, aggregated customer data, and any information subject to separate regulatory confidentiality duties, such as health or financial data governed by other statutes. In both cases the core legal test — reasonable specificity, reasonable duration, legitimate business purpose — stays exactly the same; only the category list under it should look different. If confidentiality is one piece of a larger engagement, the same category-first approach belongs in a consulting agreement just as much as in a standalone NDA.

Drafting Around Severability

Even a well-built definition benefits from a backstop. Include a severability clause stating that if a court finds any part of the confidentiality definition or scope unenforceable, the rest of the agreement remains in force and the court may narrow the offending language rather than void the whole document. Without this clause, some courts will strike the entire agreement over a single overbroad phrase rather than blue-pencil the problem out. It is a short paragraph that costs you nothing to include and can save the rest of a carefully drafted NDA if one clause gets challenged.

Putting It Into a Full Template

Once the definition is solid, it needs to sit inside an NDA that also handles marking (if used), exclusions, duration, remedies, and the whistleblower notice as separate, clearly labeled sections — not folded into one dense paragraph. Rather than starting over from scratch each time, keep a working draft with the definition already structured this way, then adjust the category list per deal. A full catalog of adaptable formats, including the agreement types referenced throughout this article, is available in the document template library.

Whichever base document you start from, resist the urge to treat the definition as a settled, one-size-fits-all paragraph you never revisit. A definition that made sense for a software licensing discussion is not automatically right for a manufacturing supply relationship or a two-person consulting arrangement. Reread the category list every time you reuse the agreement, and update it to match what is actually being shared in that specific deal — a five-minute edit that meaningfully changes how the clause holds up later.

This matters particularly for founders and early-stage teams who often sign an NDA before anything is formalized — before an LLC exists, before roles are assigned, sometimes before there is even a business plan beyond a conversation. In that setting, a definition built for a full corporate transaction is the wrong tool. Define confidential information around the actual subject matter being discussed: a specific idea, a prototype, a customer introduction, or the financial terms of a potential partnership. Avoid vague references to "the business" when no business yet exists on paper, since a court will struggle to identify what the parties actually meant to protect at that early stage.

Final Checklist Before You Sign

Before you send or sign an NDA, run the definition through this final check. It takes ten minutes and it is separate from — and more important than — reviewing the rest of the boilerplate.

  • Does the definition list actual categories, not just a single sweeping phrase?
  • Is there a reasonable-person catch-all for information you did not anticipate?
  • Are the five standard exclusions present and complete?
  • Does duration distinguish ordinary information from genuine trade secrets?
  • Is the DTSA whistleblower notice included, and does the agreement address pre-signing disclosures and severability?

A confidentiality definition is not boilerplate you can safely leave on autopilot. It is the single clause that determines whether the rest of the agreement means anything when it is actually tested. Draft it with the same care you would give the payment terms, because in a dispute, it will get exactly that level of scrutiny.

Article reviewed by: Michael M. (Attorney)
