Follow ACC Docket Online:  

Ask Aliya: Working with Companies That Refuse to Erase Data

“Ask Aliya” is a column for lawyers who are the first legal hire at their company and need advice from an in-house lawyer who has been there before. Aliya Ramji was the director of legal and business strategy for Figure 1 Inc., a network used by more than one million healthcare professionals to share cases and collaborate. She is now a partner at McCarthy Tétrault, where she offers guidance on in-house law and startup businesses. To have your legal questions for startups answered, email [email protected] with "Ask Aliya" in the subject line.

Dear Aliya,

I work for a small technology company with several patents and trade secrets. I find it difficult to negotiate destruction clauses in NDAs and confidential information clauses in contracts because larger companies don't want to take on the obligation to delete electronic records. Having our confidential information in backup files or cached records makes us extremely uneasy. How do we go about working with other companies when they refuse to completely delete files?

Need to keep a secret

Dear Need to keep a secret,

I understand your struggle and find myself in your shoes often. Clients, vendors, and strategic partners want to find a way to limit their obligations to delete electronic records. I also understand their predicament because when a commercial relationship ends, it is very difficult to delete electronic records completely. They might be able to delete the information that is readily accessible but backup versions exist somewhere. It would be tedious to outline a formal destruction process and the likelihood of compliance is slim. Complete destruction of electronic records might actually entail physically destroying all the hardware on which the information is saved. This is an unrealistic expectation; companies cannot be required to destroy all of their hardware for each party with which they have contractual obligations.

This puts companies like yours in a difficult situation. How can you balance the company’s requirement to ensure confidentiality, even after a business relationship has ended, with the other party’s obligation to destroy the confidential information in a practical and realistic manner?

Having been on both sides of the equation, I believe that the solution has to be one of compromise. Short of physically destroying hardware, it’s very difficult to destroy all electronic records. Does that mean that a company with trade secrets cannot share information? If that were the case, some companies would never do business. Therefore, a company with trade secrets should take all reasonable precautions when negotiating confidential information clauses.

A newer method that a company can use to ensure all of its information is electronically destroyed is crypto-shredding. Some companies encrypt their data so that it is only accessible to others once the company provides a decryption key. Crypto-shredding is the practice of deleting data by deleting or overwriting the encryption keys. It is important to note that crypto-shredding generally only erases the primary source of the data and doesn’t necessarily account for secondary and tertiary backups. This method will also only work correctly for backups if you have strong key management processes.

As you know, this is not an easy concept to grapple with. Each company will come to contract negotiations with its own degree of risk tolerance. Your organization will have to determine its own unique risk tolerance and negotiate contracts based on this.

Go get ‘em.


About the Author

Aliya RamjiAliya Ramji was previously the director of legal and business strategy for Figure 1 Inc. Presently, she is a partner at McCarthy Tétrault, where she offers guidance on in-house law and startup businesses. She also was a 2016 recipient of ACC’s Top 10 30-Somethings.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.