Background Checks

The Receiving Party warrants that it has conducted background checks on all of its representatives who will have access to the Confidential Information to ensure that such access does not pose a security risk. The Receiving Party shall use reasonable efforts to ensure that only those representatives who need to know the Confidential Information for the Purpose will have access to the Confidential Information.


This clause addresses the issue of security risks stemming from access to confidential information by each party's representatives or employees. It stipulates:

1) The party receiving the confidential information (the Receiving Party) warrants - i.e. formally guarantees - that it has conducted background checks on all its representatives who will get access to the shared confidential details.

2) The aim of these background checks is to make sure that such access does not pose any security risks, e.g. risks of unauthorized disclosure, data breaches, theft of information, etc. Proper vetting helps determine whether representatives can be trusted with confidential data.

3) The Receiving Party must make reasonable efforts to limit access to only those representatives who genuinely need to know the confidential information, and only for the specific purpose permitted under the agreement (the "Purpose"). Access should not extend beyond what is strictly necessary.

4) Taken together, the Receiving Party is obliged to both vet its representatives for risks before granting any access and then restrict access only to those individuals cleared and needing information relevant to the Purpose.

The main objectives of including a clause like this are:

1) Reassuring the party disclosing the confidential information (the Disclosing Party) that appropriate security checks and controls will govern access within the Receiving Party's organization. This aims to mitigate worries about unauthorized use or inadequate protection of sensitive information once shared.

2) Ensuring confidential information is only shared internally on a "need to know" basis for the sole purpose of the agreement. Wider circulation threatens security and may risk information being used for other unknown or unauthorized reasons. Strict access restrictions are required.

3) Encouraging the Receiving Party to properly vet and monitor its representatives. Conducting background checks and limiting access helps prevent information held in trusted hands from ending up in the wrong hands, intentionally or otherwise.

4) Potentially limiting the Disclosing Party's liability for any breaches or threats to shared data stemming from the Receiving Party failing to properly check and control its representatives. The clause signals this responsibility lies with the Receiving Party as recipient of the confidential information.

In summary, the main purpose of a background check clause is risk management - ensuring sensitive confidential information entrusted between parties remains secure by placing obligations on the Receiving Party to thoroughly check and restrict internal access to information based on strict need to know criteria relevant only to the agreement's purpose.

History of the clause (for the geeks)

Early confidentiality agreements typically contained broad obligations not to disclose or improperly use shared confidential information but placed little emphasis on security controls around internal access and distribution of details within each party's organization. While prohibiting outright unauthorized disclosure to third parties or external use was standard, risks of information seeping into the wrong hands internally were less commonly addressed.

As data privacy concerns grew and threats around data theft, hacking and leaks intensified from the late 20th century onwards, this approach seemed increasingly inadequate. Certain infamous security breaches stemmed from lack of vetting and control of systems access, allowing "insiders" to gain and share sensitive data illicitly. It became clear confidentiality required a "need to know" approach restricting even internal access and proactively vetting for risks.

Litigation also began highlighting background check and access limitation provisions as markers of adequate security measures in disputes around unauthorized disclosures by parties' own employees or affiliates. Their presence suggested a higher duty of care had been exercised. Courts viewed unchecked internal access as potentially undermining the duty of confidentiality, especially where recipients of information took a "hands-off" approach to data security and risk management.

In response, restrictions on need to know access and obligations to properly vet those accessing confidential information through background checks emerged as commonplace terms in commercial agreements. Clauses developed requiring recipients of information to: specifically covenant that proper background screening had been completed on all representatives accessing data; ensure only those truly needing access for the purpose were allowed it; and take reasonable measures to maintain limited circulation even internally. These curtailed under-the-radar threats from insiders.

Today, background check and internal control clauses remain ubiquitous in confidentiality agreements, though significant variations exist in scope and in the levels of screening/restriction stipulated, depending on the sensitivity of the information and the industry. Certain standards around checking employees for risks like fraud or theft offences have developed, especially in finance/IT sectors, but vetting also often targets role, data access needs, and confidentiality awareness. Their aim is reassurance through transparency around security measures, but obligations tend to be tailored to relationships and risks.

In summary, inadequate historical focus on managing "insider threats" led to recognition that confidentiality requires strict controls even within recipients' own organizations. Background check and access limitation clauses emerged to evidence security measures, limit undisclosed risks from unvetted or over-privileged representatives, promote "need to know" principles, and potentially mitigate liability for unauthorized disclosures emanating internally. They highlight that confidentiality is an obligation not just between parties but within parties themselves. Their increasing prevalence reflects heightened awareness around data security as a duty of care, especially given modern technical capacities for rapid widespread data circulation and breach.