Why Your NDAs Probably Aren't Protecting You | Plus Legal Insights

Why your NDAs probably aren't protecting you.

Most NDAs are signed without being read. The ones that are read are often poorly drafted. Here are the clauses that actually matter — and the gaps that leave businesses exposed.

By Peter Lumley-Savile · 5 min read · Contracts

The non-disclosure agreement is the most commonly signed commercial document in business. It is also, frequently, the most carelessly prepared.

Pulled from a template, emailed across as an afterthought, signed in seconds — the NDA has become a ritual rather than a safeguard.

The problem is not that businesses fail to use NDAs. It is that they trust them too much. A signed NDA creates a feeling of protection, which is not the same thing as protection. And when confidentiality is genuinely breached — when a former employee joins a competitor armed with client lists, or a potential acquirer absorbs proprietary information and then walks away — the legal reality often falls short of the expectation.

Here is what good NDAs actually contain, and where the bad ones fail.

The first problem

Defining "confidential information" too broadly — or too narrowly.

Many NDAs define confidential information as "all information disclosed by one party to the other." This sounds comprehensive. It is almost useless. Courts require that confidential information be identified with reasonable precision. If you cannot point to what was protected, you cannot enforce the obligation.

The opposite error is equally common: listing specific categories so narrowly that material falling outside them is left unprotected. A clause covering "financial projections and customer data" may not extend to product roadmaps or supplier terms, even if those were plainly sensitive.

What to look for

A well-drafted definition specifies the broad categories of information covered, carves out what is genuinely in the public domain, and includes a catch-all for information that is marked as confidential or that the recipient ought reasonably to understand is confidential by its nature. The carve-outs matter as much as the inclusions.

The second problem

No meaningful term — or a term that has already expired.

Confidentiality obligations without a fixed term are common in consumer and employment contexts, but in commercial NDAs the parties usually set a duration. Two or three years is typical. The issue arises when that term is not calibrated to the information being protected.

A two-year obligation may be perfectly adequate for information about a specific project. It is inadequate for genuinely proprietary technology, long-term business strategy, or trade secrets that retain their value long after the agreement expires. Meanwhile, many businesses continue to rely on NDAs that have quietly lapsed.

What to look for

The term should match the competitive lifespan of the information. Trade secrets are better protected by a perpetual obligation (or by a separate trade secrets clause under the Trade Secrets (Enforcement, etc.) Regulations 2018) than by a fixed-term NDA. Note the start date: obligations run from execution, not from when the information was disclosed.

The third problem

Permitted purposes that are far too wide.

Every NDA restricts use of confidential information to a stated purpose — for example, "evaluating a potential acquisition" or "the performance of the services." The scope of that permitted purpose determines how much freedom the receiving party actually has.

A purpose defined as "assessing business opportunities between the parties" is, on its face, wide enough to permit almost any internal use. The recipient's lawyers, strategy team and board could all review the information lawfully, with little constraint on what they then do with those insights.

What to look for

The permitted purpose should be specific and narrow. Limit disclosure within the receiving party's organisation to individuals who genuinely need access, and require those individuals to be bound by equivalent obligations — whether by contract or, where they are employees, by a written acknowledgment. "Need to know" should be defined, not merely invoked.

The fourth problem

Residuals clauses — the loophole most people have never heard of.

Technology companies in particular have long included what are called residuals clauses in their NDAs. A residuals clause provides that the receiving party is not restricted from using information retained in the unaided memories of its personnel — even if that information was disclosed in confidence.

The practical effect is stark. An engineer who works through your source code, a consultant who reviews your operational model, a potential investor who analyses your proprietary data — all of them may legitimately retain and apply what they have mentally absorbed, provided they are not referring back to any documents.

What to look for

If your counterparty has inserted a residuals clause, understand what you are signing. In many commercial contexts the clause is fair — preventing a party from being hamstrung by information it cannot practically segregate from general expertise. In others, particularly where genuinely proprietary methodology is being disclosed, it is a significant risk. It can be negotiated out, or carved back to exclude specific categories of information.

The fifth problem

No return or destruction obligation.

Most NDAs address what the recipient may do with confidential information. Far fewer address what happens to it afterwards. If the transaction does not proceed, if the relationship ends, or if the receiving party's personnel change — what happens to the documents, the data, the analysis?

Without a return or destruction obligation, the answer is: nothing. The information sits in inboxes, on shared drives, in backup systems — technically subject to the NDA, practically beyond anyone's control.

What to look for

Require prompt return or certified destruction of confidential information on termination of the agreement or at the disclosing party's request. Allow the recipient to retain copies only to the extent required by law or regulatory obligation, and require that any retained copies remain subject to the confidentiality obligations. A certificate of destruction, while not infallible, creates an audit trail.

The sixth problem

Remedies that are impossible to enforce.

When confidentiality is breached, the disclosing party's primary remedy is an injunction — a court order preventing further misuse of the information. Damages are often inadequate, because the harm from disclosure is usually irreversible and difficult to quantify.

But injunctions are not automatic. They require speed, evidence and the ability to demonstrate to a court that the information was clearly confidential, that the obligation was clear, and that damages would not be a sufficient remedy. Poorly defined NDAs make all three harder.

Liquidated damages clauses — pre-agreed sums payable on breach — can provide certainty, but they are rarely included in standard NDAs and will be unenforceable if they amount to a penalty rather than a genuine pre-estimate of loss.

What to look for

Include an express acknowledgment that breach would cause irreparable harm, and that the disclosing party is entitled to seek equitable relief without the need to post a bond. This is standard in US contracts and increasingly common in English law NDAs. It does not guarantee an injunction, but it removes one layer of procedural friction at a moment when speed is everything.

The hidden gaps.

What NDAs cannot protect.

Even a well-drafted NDA has structural limits that no amount of careful drafting can cure.

Employees

An NDA with a corporate counterparty does not bind that counterparty's employees in their personal capacity. If a key individual leaves and takes what they know, your remedy is against the company — which may be judgment-proof or simply not worth suing.

Proof

You must be able to show what was disclosed, when and in what form. Without contemporaneous records — data room logs, email trails, watermarked documents — confidentiality claims become expensive credibility contests.

Public domain

Once information is genuinely in the public domain, the NDA is spent. A breach that puts information into the public domain cannot be undone by a court order. The only real protection at that point is damages, which are hard to quantify.

Jurisdiction

An English law NDA with a foreign counterparty may be unenforceable in that counterparty's home jurisdiction, or enforceable only through prohibitively expensive foreign proceedings. Governing law and jurisdiction clauses are not formalities.

None of this means NDAs are worthless. They establish a legal framework, create an evidential baseline, and — perhaps most practically — signal to the receiving party that you take confidentiality seriously and will act if it is breached. The deterrent value alone justifies their use.

But they are a beginning, not an ending. The businesses that are best protected are those that treat NDAs as one layer of a broader approach: careful about what they disclose, to whom and in what form; deliberate about data room access and document controls; and realistic about what a court can and cannot do after the fact.

The NDA you signed last week is probably fine. The question is whether you have read it carefully enough to know what it does not cover.
