Confidential Information Definitions in NDAs: Why "Any Information Disclosed" Is Not a Definition and What to Use Instead

Michael M.
Lawyer (content verification)

A client hands you an NDA before a first product demo. You skim it, sign it, and move on — until eighteen months later a former engineer joins a competitor and starts repeating things he heard in that meeting. You go back to enforce the agreement and discover the "Confidential Information" clause says something like "any information disclosed by either party." Your lawyer's first question is not "did he disclose it?" It's "what, exactly, did this contract actually protect?" That one paragraph is often the difference between a six-figure settlement and a dismissed complaint.

This article is about that one paragraph — the definition of "Confidential Information" inside a non-disclosure agreement (NDA) — and why the most common version of it, the one copied from a free NDA template a decade ago, is quietly unenforceable in a growing number of courts.

When "Any Information You Disclose" Backfires

Business owners tend to think broader is safer: if the definition covers "any and all information," nothing can slip through the cracks. Courts read it the opposite way. A definition with no boundaries gives the receiving party no way to know what they can and cannot talk about, and contract law generally refuses to enforce a promise that is too vague to determine what performance actually requires. As several practitioner sources note, a definition like "all information shared between the parties" can be found by a court to be too sweeping to enforce, precisely because it does not tell anyone where the line sits.

The irony is that the businesses most likely to use this kind of catch-all language are small companies that drafted their own NDA from a sample they found online, rather than a document written for their specific relationship. A generic definition feels thorough. In litigation, it reads as lazy.

Why Courts Reject This Kind of Definition

The legal theory is straightforward. A contract clause fails for vagueness if a reasonable person cannot tell what obligation it imposes. Applied to confidentiality clauses, that means courts ask: does this definition give the receiving party fair notice of what they must not disclose? An unbounded definition — "any information concerning the business," with no categories, no exclusions, and no time limit — has been rejected on exactly this ground.

In Lasership, Inc. v. Watson, 79 Va. Cir. 205 (Fairfax Cir. Ct. 2009), a Virginia trial court sustained a demurrer against an employer's breach-of-contract claim because the confidentiality clause prohibited the former employee from disclosing "any information concerning the business of Lasership" to anyone, forever. The court found the clause was not narrowly tailored to protect a legitimate business interest and held it unenforceable as a matter of law.

"[This provision] prohibits [the employee] from telling a neighbor for the rest of her life anything about [the employer], including information that is not proprietary in nature or worthy of confidence. The clause is overly broad and is unenforceable as a matter of law." — Lasership, Inc. v. Watson, 79 Va. Cir. 205, 215–216 (Fairfax Cir. Ct. 2009)

The lesson is not that broad protection is illegal. It's that a definition has to draw a line a court can actually apply — subject matter, some exclusions, and ideally a defined duration — instead of just gesturing at "everything."

The Legal Standard Hiding Behind "Confidential": DTSA and State Trade Secret Law

Most NDAs are written as though "confidential information" is a purely contractual concept, but it sits next to a statutory one: the trade secret. Under the federal Defend Trade Secrets Act (18 U.S.C. § 1836), and under the state versions of the Uniform Trade Secrets Act adopted in nearly every state, information only qualifies for trade secret protection if it derives independent economic value from not being generally known and the owner has taken reasonable measures to keep it secret.

Your NDA is one of those "reasonable measures." Courts evaluating a trade secret claim look at whether the company had signed confidentiality agreements, access controls, and consistent internal practices — not just whether the word "confidential" appeared somewhere in a document. A definition that never distinguishes ordinary business information from trade secrets makes it harder to later argue that the company treated its crown-jewel information with any particular care.

  • Trade secrets: protected by statute regardless of contract wording, but only if secrecy was actively maintained
  • Confidential information (non-trade-secret): protected only through the contract itself, and only to the extent the definition covers it
  • Public or independently known information: protected by neither, and should always be excluded expressly

In practice, courts evaluating whether a company took "reasonable measures" to protect a trade secret look well beyond the four corners of the NDA. They consider access controls (who could actually open the file), technical safeguards (passwords, encryption, permission tiers), and whether the company's own internal habits matched what the contract promised. A beautifully drafted definition paired with a shared drive that every employee could browse freely will not impress a judge. The contract and the company's actual practices need to tell the same story.

Risk scale showing high, medium, and low risk confidentiality definitions

Confidential Information vs. Trade Secret: Not the Same Legal Test

It's tempting to draft one definition and assume it covers both concepts equally. It doesn't. A trade secret has to meet a specific legal test — economic value from secrecy, plus reasonable protective measures — while "confidential information" under a contract is whatever the parties agree it is. That flexibility is useful, but it also means a poorly built definition can leave your actual trade secrets under-protected if the contract language is narrower than what the statute would otherwise cover.

Practically, this means many well-drafted NDAs now split the definition into two tiers: standard confidential information (protected for a fixed term, say three to five years) and trade secrets (protected for as long as the information remains a trade secret under law, which can be indefinite). This isn't just belt-and-suspenders drafting — some courts view an indefinite duration applied to ordinary business information as itself a sign of overbreadth, while accepting the same duration for genuine trade secrets.

Three Ways to Define Confidential Information (and Which One to Pick)

In practice, nearly every enforceable definition falls into one of three structures. Picking the right one for your relationship — a one-off vendor conversation versus an ongoing joint development deal — matters more than which law firm's generator produced the base language.

  • Marking-only: only information physically or verbally marked "Confidential" at the time of disclosure counts
  • Category-based: specific subject-matter categories are listed (financials, source code, customer lists, pricing) regardless of marking
  • Hybrid catch-all: categories plus a "reasonably understood to be confidential" clause covering gaps

None of these three structures is inherently "correct" — a court doesn't strike down a marking-only definition just because a category-based one exists. What matters is whether the structure you chose actually matches how information moves in your relationship. A due diligence process built almost entirely on shared documents in a data room is a reasonable fit for marking-only, since every file passes through a controlled channel anyway. A fast-moving product collaboration where most of the important information gets said out loud in a working session is a poor fit for marking-only, and a much better fit for category-based or hybrid language.

The Marking Trap: When "Stamp It Confidential" Backfires

Marking requirements sound rigorous, and they can be — for parties with the internal discipline to actually apply them. The trap is that most small businesses do not stamp every email, slide deck, or hallway conversation, and a marking-only definition will exclude exactly the information that later gets misused, because nobody remembered to write "Confidential" on it.

If you do use a marking requirement, build in a grace period for oral or visual disclosures so a verbal conversation at a trade show isn't automatically unprotected:

A workable clause reads: "Information disclosed orally or visually shall be considered Confidential Information only if identified as confidential at the time of disclosure and summarized in a writing marked 'Confidential' and delivered to the Receiving Party within ten (10) business days of the oral or visual disclosure." That single sentence closes the most litigated gap in marking-based NDAs: the disclosure everyone agrees was confidential in spirit, but that no one reduced to writing in time.

Category-Based Definitions That Actually Hold Up

For most day-to-day business relationships — a vendor, a contractor, a prospective buyer — a category-based definition is the workable middle ground. It doesn't depend on someone remembering to stamp a document, and it gives a court concrete subject matter to compare against what was actually shared. When you draft an independent contractor agreement that includes confidentiality terms, this is usually the right structure, since contractors routinely receive both written files and verbal instructions.

"'Confidential Information' means non-public information disclosed by the Disclosing Party to the Receiving Party relating to: (a) product designs, source code, and technical specifications; (b) pricing, costs, and financial projections; (c) customer and supplier lists and terms; and (d) business plans and strategies not generally known outside the Disclosing Party's organization."

Notice what this version does that "any information disclosed" does not: it tells a reader, in plain categories, what they signed up to protect. That specificity is exactly what separates an enforceable clause from one a court can strike on a demurrer.

Comparison of marking-only, category-based, and hybrid catch-all confidentiality definitions

The Hybrid Catch-All: Best of Both Worlds

The definition that shows up most often in current, professionally drafted NDAs — and the one favored by attorneys advising technology and services companies — combines named categories with a bounded catch-all for information "reasonably understood" to be confidential given the context of disclosure. It is broader than a pure category list without collapsing into the vague standard that got the Lasership clause thrown out.

Typical hybrid wording looks like this: "Confidential Information includes the categories described above, together with any other non-public information that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure, excluding information described in Section [X] (Exclusions)." This wording is deliberately still a standard structure any transactional lawyer will recognize, but it is not interchangeable boilerplate — the bracketed cross-reference to an exclusions section is what keeps the catch-all from becoming the same problem a marketing agency ran into when a court found its "all information shared between the parties" definition too sweeping to enforce.

Carve-Outs You Cannot Skip

Every one of the three structures above needs the same set of exclusions, or the definition will eventually swallow information that was never really secret in the first place. Skipping these is one of the most common ways otherwise reasonable NDAs get undermined — not struck down entirely, but narrowed by a court exactly when you need it broadest.

  • Information already in the public domain through no fault of the receiving party
  • Information the receiving party already lawfully possessed before disclosure
  • Information independently developed without reference to the disclosed material
  • Information rightfully received from a third party without a duty of confidentiality
  • Information required to be disclosed by law, court order, or regulator, usually with an advance-notice requirement

Leaving out even one of these — particularly the public-domain carve-out — has occurred in NDAs drafted hastily under deal pressure, and it hands the receiving party an easy argument that the whole definition is unreasonable.

The DTSA Whistleblower Notice Almost Everyone Forgets

Since 2016, the Defend Trade Secrets Act has required a specific notice in any contract governing the use of trade secrets or confidential information, if the company wants access to the DTSA's enhanced remedies — double damages and attorney's fees for willful misappropriation. Leaving this notice out doesn't void the NDA, but it can cost you those enhanced remedies exactly when you'd want them most.

"Notice of Immunity: An individual shall not be held criminally or civilly liable under any federal or state trade secret law for the disclosure of a trade secret that is made in confidence to a federal, state, or local government official, or to an attorney, solely for the purpose of reporting or investigating a suspected violation of law, or that is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal."

Add this near the confidentiality obligations, not buried in a miscellaneous section — reviewers (and courts) look for it in context.

Checklist of what to include and what to avoid in a confidential information definition

What Lasership v. Watson Teaches About Overreach

It's worth returning to the Virginia case because the fact pattern is so ordinary. The employer wasn't trying to do anything unusual — it wanted to stop a dispatcher who had access to competitive strategy sessions from talking to a direct competitor. The problem was entirely in the drafting: the clause covered "any information concerning the business," with no categories, no time limit, and no distinction between trade secrets and the fact that the office opens at 8 a.m.

The practical takeaway for a small business is not "don't protect broad categories of information." It's "don't let the definition be broader than what you can plausibly argue deserves protection." A definition that would, taken literally, stop an employee from mentioning where the company's office is located invites exactly the argument that sank the Lasership clause.

Drafting for a Mutual NDA Between Two Companies

Definitions get more complicated once both sides are disclosing information — a joint venture, an M&A due diligence process, or a co-development deal. In an NDA between legal entities, each company usually wants its own information protected as broadly as possible while limiting its own obligations toward the other side's disclosures. The fix is symmetry: define "Disclosing Party" and "Receiving Party" as interchangeable roles, so the same definition and the same exclusions apply no matter which company shared what.

This differs from an NDA between individuals, such as two founders discussing a potential partnership before either has formed a company. There, the categories tend to be simpler — a business idea, a customer introduction, a pitch deck — and a shorter, plain-language category list usually works better than importing full corporate-style defined terms. If you're formalizing that relationship further, a standard employment contract with its own confidentiality section may end up doing more work than a standalone NDA once one founder actually joins the other's payroll.

For an ongoing relationship where a company brings in outside consultants under a consulting agreement, the mutual structure matters even more, since consultants often bring their own proprietary methods into the room and don't want those methods swept into the client's definition of confidential information by accident.

Four steps to draft a confidentiality definition for a mutual NDA between two companies

Common Mistakes That Gut an Otherwise Good Definition

Even businesses that know better make a small number of recurring errors. Most of them are fixable in one draft pass, which makes them all the more frustrating to find in litigation.

  • Using "and/or similar information" as a catch-all — courts treat this as no more specific than "any information"
  • Forgetting to mirror obligations in a supposedly mutual NDA, so only one side's disclosures are actually protected
  • Applying one duration to both trade secrets and ordinary confidential information, instead of splitting the two
  • Pulling boilerplate from an online generator without adjusting the categories to the actual deal
  • Failing to require the receiving party to protect information with the same standard of care it uses for its own confidential data

None of these mistakes is particularly exotic, which is part of the problem — they're common precisely because most people treat the definition section as a formality to get through before the "real" terms like payment and termination. If your confidentiality obligations live inside a broader service agreement rather than a standalone NDA, the same drafting rules apply — a vague definition buried in Section 14 is just as unenforceable as one in a dedicated confidentiality document. The full template catalog has both formats if you need to start from a cleaner base than whatever is sitting in your shared drive.

Final Checklist Before You Send Your Next NDA

Before you send an NDA — whether you wrote it yourself, adapted a sample, pulled a draft from an online contract generator, or asked a lawyer to create one from scratch — run the definition section through this list:

  • Does it name specific categories of information rather than relying on "any information"?
  • Does it address oral and visual disclosures, not just written documents?
  • Does it include the standard carve-outs: public domain, prior knowledge, independent development, third-party disclosure, legal compulsion?
  • Does it separate trade secret duration from ordinary confidential information duration?
  • Does it include the DTSA whistleblower notice?

If you can answer yes to all five, your definition is doing its job. If you can't, you don't have a confidentiality agreement — you have a document that feels like one until the day you actually need it to work in court.

Article reviewed by: Michael M. (Attorney)