Standard of Care

Each party shall exercise the same degree of care to prevent unauthorized use or disclosure of the Confidential Information as that party normally exercises to protect its own confidential information of a similar nature. No less than reasonable care shall be exercised.
This clause sets out the level of care and precaution that each party must take to prevent unauthorized disclosure or use of confidential information shared under the agreement.

Specifically, it requires each party to exercise at least the same degree of care that it normally takes to protect its own similarly confidential information. In no circumstances, however, may the level of care be less than reasonable.

In short, it stipulates:

1) A comparative standard of care based on how each party safeguards its own equivalent confidential information. If high standards are applied internally, the same must be applied to the other party's information.

2) A minimum threshold of reasonable care. Even if a party's internal standards are lower, reasonable care and diligence are the bare minimum required under this clause.

3) The duty is to prevent both unauthorized use and unauthorized disclosure. Simply avoiding disclosure is not enough if the information is still accessed and used without valid permission.

4) The standard of care applies to the manner in which each party handles and manages the confidential information. Precautionary measures and controls in line with the agreed standard must be adopted.

The main objectives of this type of clause are:

1) Ensuring shared information is properly protected. Stipulating mandated standards of care aims to give reassurance that confidential information will not be mishandled or inadequately secured.

2) Preventing disputes. Specifying what constitutes reasonable care and diligence, by reference to each party's own standards, provides more clarity than a purely abstract standard. This can help avoid arguments over whether proper care was exercised.

3) Risk management. For sensitive commercial information, the level of acceptable risk from unauthorized use or disclosure must be managed. Agreed standards are designed to give confidence that risks will be mitigated by appropriate controls and safeguards.

So in summary, a clause like this aims to provide clear but customizable requirements for protecting confidential information, based on the parties' judgment of risk and internal practices. It seeks to balance flexibility against legally enforceable obligations, with an overarching standard of reasonable care.

History of the clause (for the geeks)

Early confidentiality agreements often did not specify precise standards of care for handling shared confidential information. Vague references to keeping information "confidential" or "secret" provided little guidance on appropriate risk management and security measures.

Parties were largely left to determine for themselves what constituted reasonable protection, if they considered it at all. As commercial transactions and relationships became more sophisticated, this approach became problematic.

By the mid-20th century, courts began scrutinizing the language of confidentiality agreements more closely in disputes over unauthorized disclosures. They sought clear evidence that parties understood their obligations and had agreed to exercise a sufficient degree of care. The obligation to protect confidential information emerged as proportional to the sensitivity of details shared. Agreements providing little or no practical guidance faced greater risk of being found unenforceable for lack of definiteness.

In response, provisions specifying minimum standards of care and diligence became commonplace in confidentiality contracts. They provided reassurance through broadly outlining the types of precautionary steps required, e.g. restricting access, securing storage, training staff. However, set standards also risked being inappropriate if not tailored to the situation. Gradually, more customized provisions emerged referencing the specific nature of shared information and parties’ own internal practices.

Today, standard of care clauses remain almost ubiquitous in commercial confidentiality agreements. They recognize that certain information security standards have become industry norms while also allowing for tailored obligations suited to precise risks and resources. A combination of general precepts around reasonable safeguards, specific practices based on the parties’ own standards, and minimum thresholds of diligence is typical. However, significant variation also still exists as confidentiality protocols are adapted to different data types, sectoral requirements, business models, and client-supplier relationships.

In summary, the historical trend reflects a movement away from reliance on vaguely implied duties of confidentiality toward negotiated standards of care designed to inspire confidence in how shared information will be protected. Case law, industry standards, and commercial expectations have all shaped the development of these types of clauses toward more customized provisions, but a number of overarching principles regarding security, access, and risk management underpin most approaches.

The evolution of standard of care clauses continues in line with advances in areas such as technology, data use, and privacy laws as well as day-to-day information management practices.