Liability for Disclosures of Permitted Disclosures

Contract Type:

The Receiving Party shall procure that any Permitted Disclosee to whom it discloses the Confidential Information pursuant to Clause [X] complies with the obligations of confidentiality set out in this Agreement as if it were the Receiving Party. The Receiving Party shall be liable for any failure by any Permitted Disclosee to comply with such obligations.


This clause deals with liability for confidential information shared with permitted third parties. In short, it means:

1) If the receiving party discloses confidential information to any authorized third parties (as allowed under Clause [X] of the agreement), it must ensure those third parties abide by the same confidentiality obligations as the receiving party.

2) The receiving party will be legally responsible for any failure by those third parties to properly keep the information confidential and comply with the terms of the agreement.

In other words, this clause:

A) Requires the receiving party to bind any authorized third parties to confidentiality before sharing the information with them. They must oblige those parties to uphold the same confidentiality duties as the receiving party, as stated in the agreement.

B) Holds the receiving party liable for breaches of confidentiality by any third parties they share the information with under the terms of the agreement. The receiving party remains responsible for damages or losses in the event those third parties improperly disclose the confidential information.

C) Aims to ensure sensitive information is handled carefully by any authorized parties receiving it under the agreement, by making the primary receiving party - who controls any onward sharing - accountable for any failure to do so. All disclosure and confidentiality obligations ultimately remain with the receiving party.

Overall, this clause intends to extend the responsibility for information security beyond direct parties to the agreement, to any delegates they share the information with as permitted under its terms. Confidentiality requirements pass down the chain of sharing, as does liability for their breach.

Accountability is not fragmented but channeled back to the receiving party as the primary trader and owner of obligations in the agreement.

History of the clause (for the geeks)

Confidentiality agreements initially focused on the direct parties to the contract, imposing obligations on the receiving party and recourse for the disclosing party in the event of breach. However, as business practices grew more complex, confidential information was commonly shared with third parties authorized under the agreement - such as employees, advisors, service providers or funders.

This introduced new risks around onward sharing and wider exposure of sensitive data.

Clauses emerged to extend confidentiality duties to authorized third parties and hold receiving parties liable for their breaches, closing potential loopholes in protection. Receiving parties controlled the flow of information beyond themselves, so accountability for its security passed downstream with the data. Failure to bind delegates to the same obligations and safeguard information all the way along the sharing chain could undermine the purpose of agreements.

Early third party clauses were often quite broadly framed, imposing a general duty of obligation and responsibility over authorized disclosures without much specificity. As information grew increasingly sensitive and valuable, more prescriptive terms specifying exact duties, permitted purposes and uses developed. Precise delegation and liability clauses aimed to maintain a clear and consistent trail of accountability for confidential data as it was shared under authorization with multiple external parties.

Modern agreements now typically contain detailed terms around need, relationship and contracts that must be in place before any third party receives or uses the information. The disclosing party will usually require security standards to match their own obligations, and the ability to revoke third party permissions if needed to contain risk. Receiving parties in turn seek to limit liability where security lapses were reasonably unforeseeable or outside their control - but remain broadly accountable for authorized disclosures.

Sophisticated liability for permitted disclosure clauses balance enabling practical information sharing with rigorously protecting confidential data in an interconnected digital world where multiple parties may handle it. Agreements aim to impose obligations where recipients have influence and control, with recourse channeled to where the underlying duties to share data securely ultimately lie.

Provisions recognize commercial realities but help define a standard of care and responsibility to maintain information security in complex data trails.