confidentiality-security-agreement
Drafts enforceable U.S. Employee Confidentiality and Security Agreements protecting proprietary information, trade secrets, and digital assets, with layered confidential-information definitions, security and acceptable-use obligations, incident reporting protocols, termination property-return procedures, and post-employment restrictive covenants. Incorporates state-specific enforceability standards, DTSA whistleblower immunity notice, and NLRA Section 7 savings clauses. Use when onboarding employees, updating confidentiality policies, or drafting NDA-style employment agreements (trigger keywords: confidentiality agreement, employee NDA, security agreement, trade secret, acceptable use, incident reporting, post-employment restrictions).
Best use case
confidentiality-security-agreement is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using confidentiality-security-agreement should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/confidentiality-security-agreement/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How confidentiality-security-agreement Compares
| Feature / Agent | confidentiality-security-agreement | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Employee Confidentiality and Security Agreement

Drafts an execution-ready agreement protecting company proprietary information, trade secrets, and digital assets while establishing employee security obligations and post-employment restrictions.

---

## Checkpoint A: Pre-Draft Intake (Mandatory)

Ask every time unless user says "use defaults." Gather:

1. **Governing jurisdiction** — state law for restrictive covenants, trade secret protections, consideration requirements
2. **Company documents** — existing confidentiality agreements, handbooks, security policies
3. **Employee role** — position, access level, exposure to sensitive systems/data
4. **Industry context** — regulated industries (healthcare, finance, defense) need sector-specific provisions
5. **Existing restrictive covenants** — prior agreements that must be harmonized

**If user doesn't respond**, apply and label defaults: at-will employment state; general staff access level; 3-year non-trade-secret duration; 1-year non-solicitation; governing law per company's home state.

### Intake Table

| Item | Details |
|---|---|
| Company (legal name/entity/state) | |
| Employee (name/title/department) | |
| Governing jurisdiction | |
| Access level (general / elevated / executive) | |
| Regulated industry? (specify) | |
| Existing agreements to harmonize | |
| Post-hire execution? (additional consideration needed) | |

---

## Pre-Drafting Research

| Area | Key Items |
|---|---|
| State enforceability | Restrictive covenant standards, blue-pencil vs. reformation, consideration requirements |
| Trade secret law | UTSA adoption, state statutes, DTSA federal protections |
| Employee mobility | Non-compete bans/restrictions, NLRA § 7 protections, whistleblower statutes |
| Data protection | State privacy acts, HIPAA, GLBA, CMMC (if defense) |
| Recent case law | Reasonableness standards for scope/duration in governing jurisdiction |

---

## Step 1: Draft Confidential Information Provisions

### Definition — Layered Category Approach

| Category | Examples |
|---|---|
| Technical/Proprietary | Trade secrets, source code, algorithms, R&D, manufacturing processes |
| Business Strategy | Business plans, pricing, margins, financial projections, M&A targets |
| Customer/Relationship | Customer lists, supplier networks, contract terms, referral sources |
| Financial/Operational | Financial statements, budgets, compensation structures, performance metrics |
| Intellectual Property | Inventions, patents, copyrights, trademarks, proprietary methodologies |

- Cover all formats: written, oral, electronic, visual
- Include derivative works (analyses, compilations, summaries)
- Protection applies regardless of whether marked "confidential"

### Standard Exceptions

Employee bears burden of proof (clear and convincing evidence):

1. Already public at disclosure (not through employee's breach)
2. Lawfully in employee's possession pre-disclosure (documented)
3. Received from third party without restriction
4. Independently developed without reference to Confidential Information (contemporaneous documentation required)

### Obligations

- Non-disclosure without prior written authorization from authorized officer
- Duration: indefinite for trade secrets; [3–5] years for other Confidential Information
- Use limited to assigned duties within employment scope
- Standard of care: at least reasonable care, no less than employee's own
- Need-to-know restriction; internal sharing only to authorized personnel under equivalent obligations
- Secure storage: encryption (electronic), locked storage (physical), secure disposal
- Immediate incident notification to security officer/legal

### Compelled Disclosure Carve-Out

Immediate notice to legal on receipt of subpoena/court order → cooperate with protective order efforts → disclose only what is legally required.

### Protected Activity Savings Clause (REQUIRED)

- DTSA immunity for disclosures to attorneys/government officials in confidence
- Whistleblower cooperation protections
- NLRA § 7 rights preserved (wages, working conditions)

---

## Step 2: Draft Security Responsibilities

### Password and Access Control

- Personal credentials; never shared
- Minimum: 12+ characters, mixed case/numbers/symbols, unique per system
- No plaintext storage; company-approved password managers only
- MFA required on all available systems
- Lock workstations when unattended; log out of sessions
- Report compromised credentials immediately
- All access terminates upon separation

### Acceptable Use

| Permitted | Prohibited |
|---|---|
| Primary business use of company systems | Unauthorized software/extension installation |
| Limited personal use (non-interfering) | Circumventing security controls or monitoring |
| Professional communications via company tools | Unauthorized devices on company networks |
| | Illegal, explicit, or infringing content |
| | Competitive activities on company systems |
| | Company data on unapproved personal cloud |

- BYOD (if applicable): company MDM required, remote wipe consent, security software mandatory
- Remote access: approved VPN only; adequate privacy at remote locations
- **No expectation of privacy** on company systems — monitoring may occur without notice

### Incident Reporting Protocol

Reportable: data breaches, unauthorized access, malware, phishing, lost/stolen devices, inadvertent disclosure, suspicious behavior, physical security breaches.

1. Report to IT security + direct supervisor within [2–4] hours of discovery
2. Preserve all evidence — no deletion, alteration, or destruction
3. Document: what happened, when discovered, systems/data affected, actions taken
4. Maintain incident confidentiality; share only with authorized personnel
5. Follow incident response team instructions

**Non-retaliation:** Good faith reporting carries no negative consequences, even if incident resulted from employee's error.

---

## Step 3: Draft Termination and Post-Employment Provisions

### Return of Property (immediately upon termination or earlier upon request)

- [ ] All company-issued equipment (laptops, phones, tablets, tokens, keys, cards)
- [ ] All physical documents containing Confidential Information
- [ ] Delete company data from personal devices, cloud accounts, personal email
- [ ] Written certification of compliance (specify devices/systems wiped)
- [ ] Certification required before release of final compensation

Company rights: inspect workspace/devices, remotely wipe MDM-enrolled devices, pursue legal remedies.

### Survival of Obligations

| Obligation | Duration |
|---|---|
| Trade secret confidentiality | Indefinite (while information qualifies) |
| Other Confidential Information | [3–5] years post-termination |
| Employee non-solicitation | [1–2] years (jurisdiction-dependent) |
| Customer non-solicitation | [1–2] years, material-contact customers only |

- Non-solicitation = active solicitation only; does not bar accepting competitor employment or responding to unsolicited inquiries
- Employee must notify prospective employers of continuing obligations
- Employee must notify company of new employment (employer, general responsibilities)
- Cooperation: respond to legal process, assist with litigation/investigations, provide truthful testimony (reasonable compensation for time)

---

## Step 4: Draft Legal Framework

### Acknowledgments (employee confirms)

- Read and understood; opportunity to consult counsel
- Voluntary execution without duress
- Restrictions reasonable in scope, duration, and geography
- Confidential Information is valuable; unauthorized disclosure = irreparable harm
- Adequate consideration received
- For post-hire execution: specify additional consideration (promotion, raise, bonus, or continued employment per jurisdiction) `[VERIFY]`

### Protected Rights Acknowledgment (REQUIRED)

- DTSA immunity per 18 U.S.C. § 1833(b) `[VERIFY]`
- Whistleblower protections: unrestricted government agency reporting
- NLRA § 7: right to discuss wages and working conditions

### Enforcement Provisions

- Governing law: [state], no conflicts-of-law principles
- Exclusive venue: state and federal courts in [county/state]
- Equitable relief available without bond or proof of actual damages
- Prevailing party: reasonable attorneys' fees, costs, expert fees
- Severability with reformation to minimum enforceable scope
- Integration clause; supersedes prior understandings on subject matter
- Amendment: written, signed by both parties; no oral modifications
- Assignment: company may assign (merger/acquisition/sale); employee may not
- Supplements (does not replace) other confidentiality/IP agreements — most protective provision controls

### Signature Block

Employee signature, printed name, date; authorized company representative signature, title, date. Separate acknowledgment page optional.

---

## Step 5: Assemble Agreement in Section Order

1. Parties, Recitals, and Effective Date
2. **Confidential Information** — definitions, categories, exceptions, obligations, compelled disclosure carve-out, protected activity savings clause
3. **Security Responsibilities** — access control, acceptable use, incident reporting, non-retaliation
4. **Termination and Post-Employment** — property return, survival of obligations, non-solicitation, cooperation
5. **Legal Framework** — acknowledgments, protected rights, enforcement, severability, integration
6. Signatures

---

## Checkpoint B: Post-Draft Alignment (Mandatory)

After delivering the initial draft, ask:

1. Are the confidential information categories appropriate for this employee's role and access level?
2. Are the non-solicitation durations acceptable given the governing jurisdiction?
3. Is additional consideration needed for post-hire execution?
4. Should BYOD or remote-work provisions be included or expanded?

If user doesn't answer, recommend confirming non-solicitation scope and post-hire consideration (highest-risk decisions) and proceed if authorized.

---

## Quality Audit

Before finalizing, verify:

- [ ] DTSA whistleblower immunity notice included per 18 U.S.C. § 1833(b) `[VERIFY]`
- [ ] NLRA § 7 savings clause present — no overbroad restrictions on wage/conditions discussions
- [ ] Protected activity carve-out covers government reporting and attorney disclosures
- [ ] Trade secret duration = indefinite; other confidential info = [3–5] years
- [ ] Non-solicitation scope reasonable for governing jurisdiction `[VERIFY]`
- [ ] Post-hire consideration specified if agreement executed after onboarding
- [ ] Blue-pencil/reformation doctrine matches governing state `[VERIFY]`
- [ ] Return-of-property checklist complete with certification requirement
- [ ] Incident reporting timeline and protocol specified
- [ ] No non-compete provisions unless specifically requested and confirmed enforceable `[VERIFY]`
- [ ] All bracketed business terms filled or flagged
- [ ] Compelled disclosure carve-out with notice + protective order cooperation

---

## Guidelines

- **Jurisdiction calibration is critical** — non-compete/non-solicitation enforceability varies by state; CA, CO, MN, OK, ND broadly restrict or ban non-competes `[VERIFY current status]`
- **Consideration requirement** — many jurisdictions require independent consideration beyond continued employment for post-hire agreements `[VERIFY]`
- **Blue-pencil vs. reformation** — know whether the jurisdiction modifies overbroad restrictions or voids them entirely
- **DTSA notice** — employers must provide DTSA whistleblower immunity notice in any trade secret agreement (18 U.S.C. § 1833(b)) `[VERIFY]`
- **NLRA compliance** — confidentiality provisions must not chill Section 7 rights
- **Role-based customization** — adjust categories, security requirements, and restriction durations to employee access level and seniority
- Do NOT include non-compete provisions unless specifically requested and confirmed enforceable
- Do not fabricate statutory citations, case law, or enforceability standards
- **All outputs require attorney review** in the governing jurisdiction
Related Skills
managing-substance-abuse-confidentiality
Applies 42 CFR Part 2 substance abuse confidentiality requirements with consent and disclosure protocols. Use when managing SUD records, applying Part 2 requirements, or handling substance abuse confidentiality.
managing-cybersecurity-healthcare
Structures healthcare cybersecurity programs with PHI protection, incident response, and risk assessment. Use when managing healthcare cybersecurity, protecting health data, or conducting security risk assessments.
work-for-hire-agreement
Drafts a U.S. Work for Hire Agreement under 17 U.S.C. §§ 101 and 201(b) with fallback IP assignment, creator warranties, and indemnification. Trigger when commissioning software, designs, content, or other creative work requiring clear IP ownership, or when drafting WFH clauses for consulting and service agreements.
voting-agreement
Drafts enforceable shareholder Voting Agreements coordinating director elections, fundamental transactions, charter amendments, and other corporate matters for closely-held companies and venture financings. Covers DGCL §218 compliance, irrevocable proxy mechanics, transfer-binding provisions, and integration with related governance documents. Trigger keywords: "voting agreement", "shareholder voting", "director election commitment", "irrevocable proxy", "board composition agreement", "DGCL 218".
vendor-security-assessment
Drafts a Vendor Security Assessment Questionnaire evaluating third-party cybersecurity posture, data handling, and regulatory compliance. Vendor responses become binding contractual representations with executive certification. Use during vendor due diligence, third-party risk management, procurement security review, or subprocessor evaluation.
underwriting-agreement
Drafts a firm-commitment underwriting agreement for SEC-registered U.S. public offerings, covering purchase terms, greenshoe, reps and warranties, covenants, closing conditions, indemnification, and market-out rights. Use when drafting or reviewing underwriting agreements, firm commitment deals, over-allotment options, or listing approvals; trigger on "underwriting agreement", "firm commitment", "public offering", "greenshoe", "over-allotment", "registration statement", "prospectus".
triple-net-lease-agreement
Drafts U.S. commercial triple-net (NNN) lease agreements from deal materials. Triggers on term sheets, LOIs, or due-diligence packets where rent, taxes, insurance, and maintenance allocate to the tenant. Produces an execution-ready lease covering expense pass-throughs, use controls, default/remedy architecture, transfer gates, indemnity/insurance, SNDA, and exhibits.
transitional-services-agreement
Drafts a Transitional Services Agreement (TSA) for post-closing seller-to-buyer service delivery in U.S. M&A transactions. Use when a corporate acquisition requires temporary operational support or seller-provided service continuity after closing.
transfer-agent-agreement
Drafts U.S. transfer agent agreements between issuers and SEC-registered transfer agents covering appointment, stock ledger, transfer processing, Rule 17Ad compliance, fees, termination, and transition. Trigger on: transfer agent agreement, stock ledger, shareholder registry, TA-1, TA-2, 17Ad, appointing or renewing a transfer agent.
trademark-license-agreement
Drafts a U.S. Trademark License Agreement governing a licensor's grant of rights to a licensee for authorized use of registered or common law marks. Covers exclusivity, field of use, territory, quality control, royalties, audit rights, and termination. Use when drafting IP licensing deals, brand licensing arrangements, co-branding agreements, or any transaction requiring controlled trademark use by a third party.
tila-consumer-loan-agreement
Drafts U.S. consumer loan agreements with integrated Truth in Lending (TILA/Reg Z) disclosures, including disclosure-box construction, APR and finance-charge calculations, payment schedule formatting, prepayment/default/enforcement clauses, co-signer notices, and state-law overlays. Produces an execution-ready contract and disclosure package. Trigger keywords: consumer loan agreement, TILA, Regulation Z, Truth in Lending, APR disclosure, finance charge, loan contract drafting, closed-end credit, Reg Z disclosure box.
term-loan-agreement
Drafts U.S. corporate finance term loan agreements covering economic terms, covenants, collateral, events of default, and enforcement mechanics. Trigger when the user requests a term loan agreement, commercial loan, senior secured facility, SOFR-based loan, amortization schedule, covenant package, or bilateral loan documentation.