
Defining Confidential Information — What Does an NDA Actually Protect?

A practical guide to defining the scope of confidential information in NDAs, examined from both contractor and client perspectives. Covers the three definition approaches, exclusion clauses, and industry-specific considerations.

Real Disputes Caused by Vague NDA Definitions

Most NDA disputes originate from unclear definitions of what constitutes confidential information. When neither party knows "what counts as secret," contractors can't judge what to protect, and clients can't even assert that a breach occurred.

Freelance engineer A had signed an NDA with client company X stipulating that "all information learned through the engagement" constituted confidential information. Six months later, A accepted a similar system development project from a different client. X asserted that A had utilized confidential information and demanded a work stoppage. A had only used generic design patterns, but because the clause was overbroad, A was forced to incur negotiation costs and psychological burden.

Clients are similarly disadvantaged by definitional ambiguity. Marketing company Y shared a new service concept with a freelance copywriter under an NDA that defined confidential information as "all information disclosed by either party, whether oral or written." When the writer posted on social media about "writing copy for a next-generation service," Y tried to claim damages but found it nearly impossible to prove that the post actually fell within the definition of confidential information. They ultimately had to drop the claim.

What these cases share is that the confidential information definition clause failed to function as a legal protective mechanism. A definition that is too broad unjustly restricts contractors' legitimate work, while one that is too abstract fails to protect the information clients actually need to keep secret.

Defining confidential information in an NDA is the act of making concrete "what we are protecting," and the precision of that definition determines the effectiveness of the entire agreement. The scope of confidential information is a core clause that both parties must engage with seriously before signing.

Three Approaches to Defining Confidential Information

There are three main approaches to defining confidential information, each with distinct characteristics that should be weighed against the nature of the transaction.

1. Enumeration Approach (Specific Listing)

This approach lists specific categories of information to be protected — for example: "customer lists, pricing information, unreleased product specifications, financial data, and system design documents."

The advantage is clarity. Both parties can immediately identify what qualifies as confidential information, making practical judgment straightforward. Information not on the list is generally not subject to confidentiality obligations, clearly protecting the contractor's scope of activity.

The risk is that important information may fall through the gaps. If significant information is disclosed that wasn't anticipated at the time of contracting, it may not be covered. Clients bear the risk of a coarser protective net.

2. General Clause Approach (Comprehensive)

This approach uses language such as "any information related to this agreement that one party discloses to the other and which is identified as confidential at the time of disclosure." Many standard templates use this approach.

The advantage is comprehensive coverage. It addresses new information that arises as the engagement progresses and avoids gaps by category. Clients benefit from broad protection.

However, contractors face difficulty judging "how far does confidential information extend?" Extremely broad definitions like "all information learned through the engagement" risk being partially invalidated by courts and tend to create practical dysfunction.

3. Marking Approach (Designation)

Under this approach, written disclosures are marked "Confidential" or similar, and oral disclosures are confirmed in writing within a specified period (e.g., seven days).

The advantage is a clear boundary for confidential information. Disclosing parties consciously select what they want protected, which keeps management costs reasonable.

The challenge is that protection is lost if marking is forgotten. Oral discussions and informally shared information are easily overlooked, leaving important unmarked information unprotected.

In practice, combinations of these approaches are common. A hybrid form — "information listed in the attached schedule shall be confidential information, and any other information designated as confidential (either by written designation or written confirmation within five business days of disclosure) shall also be included" — often provides the best balance of protective certainty and practical clarity.

Designing Exclusion Clauses: Don't Protect What Can't Be Protected

Exclusion clauses in confidentiality agreements define categories of information that do not give rise to confidentiality obligations, even if they fall within the definition of confidential information. Well-designed exclusions protect contractors' legitimate business activities and allow clients to focus on information that can realistically be protected — a rational outcome for both sides.

The four categories internationally recognized as standard exclusions are:

① Publicly Available Information

Information "already in the public domain at the time of receipt" or "which enters the public domain after receipt through no fault of the recipient" is excluded from confidentiality obligations. Binding parties over information already in public circulation is both impractical and legally difficult to justify.

② Information Already in Recipient's Possession

Information "lawfully possessed by the recipient prior to receipt from the disclosing party" is excluded. Without this exclusion, contractors could be barred from using their own existing knowledge, skills, and technical know-how — an unjust result.

③ Independently Developed Information

Information "independently developed or created by the recipient without reference to the disclosed information" is not subject to confidentiality obligations. This clause prevents a contractor's independent development achievements from being treated as secret simply because they received similar information.

④ Information Legitimately Obtained from Third Parties

Information "received from a third party with legitimate authority and without confidentiality obligations" is also excluded. It would be excessive to bind a recipient over information obtained through a non-confidential third-party channel.

A further practically important consideration is disclosure required by law, regulatory authority, or court order. When disclosure is legally mandated, the confidentiality obligation should be explicitly waived, with a provision requiring prior notice to the disclosing party where possible.

The recipient (contractor) generally bears the burden of proving that an exclusion applies. Claiming "this information was publicly known" or "we developed this independently" requires documentary evidence. Contractors should habitually maintain records of their technical knowledge at contract inception, documentation of independent development, and sources of public information as a form of self-protection.

Definition Practices by Transaction Type

The appropriate design of confidential information definitions varies by the content and business type of the transaction. Using generic templates across different contexts tends to create mismatched protection.

Web Production and Graphic Design

In this business type, the core confidential information is typically the client's brand strategy, unreleased campaign materials, and internally used design systems. General design knowledge — color choices, font selection, basic layout patterns — is universal professional knowledge and should not be restricted as confidential.

An effective approach is to center the definition on "materials and data provided by the client and information directly derived from them," with an explicit exclusion for "general design techniques, tool usage methods, and industry practices."

System Development and Programming

In system development, the core confidential information is business workflows, data structures, API specifications, and security design. Generic architecture patterns, framework usage, and universal algorithms are part of the contractor's professional knowledge, and the contractor's freedom to use them must be protected.

A common dispute arises when a contractor, having learned a client's workflow, applies that experience with a similar client in another industry, and the original client asserts "use of confidential information." A definition that clearly distinguishes "information and know-how specific to a particular client's business" from "general industry knowledge and technical knowledge" is essential.

Consulting and Research

In consulting, the core confidential information is the client's management challenges, financial position, and unreleased business plans. Because this business type involves heavy oral information sharing, the marking approach alone is difficult to implement. A practical approach combines a substantive comprehensive definition — "all information shared for the purpose of the consulting engagement shall be deemed confidential information" — with detailed exclusion clauses.

Engagements Involving Recruitment or HR Information

Business types handling personal information, such as recruitment consulting or training design, require attention to overlap with the Act on the Protection of Personal Information. Because confidentiality obligations and personal information handling obligations have distinct legal bases, the NDA should explicitly state that "personal information shall be handled separately pursuant to the Act on the Protection of Personal Information and related regulations" to avoid conflation.

What Contractors and Clients Should Each Verify

What Contractors (Freelancers and Contracting Companies) Should Check

First, verify that "the definition of confidential information does not place undue restrictions on your existing skills, knowledge, or experience from other engagements." If the definition uses language like "all information learned through the engagement," negotiate to explicitly add exclusions for "skills, knowledge, and experience held prior to receipt" and "general technical knowledge and industry practices."

Second, check the duration of the confidentiality obligation. Five-year, ten-year, or indefinite confidentiality obligations can significantly constrain a freelancer's business continuity. Seek differentiated terms by information type (e.g., personal information for five years, other technical information for two years) and push for reasonable durations.

Third, verify whether any liquidated damages clause includes a cap. A clause requiring "full actual damages" for a confidentiality breach can be disproportionate to the scale of the engagement fee. Consider requesting an amendment to cap liability at an appropriate ceiling.

What Clients (Companies and Commissioning Parties) Should Check

First, verify that "the information you actually want to protect is covered by the definition." If using an enumeration approach, list all categories of information you may disclose during the engagement before the project begins, and confirm the definition is comprehensive.

Second, scrutinize the definition from the perspective of "only protect what can realistically be protected." Overly broad definitions make it harder to prove violations in disputes, increase contractor frustration, and ultimately damage the relationship. Narrowing down to information where there is a rational necessity for protection actually increases effectiveness.

Third, confirm that internal management practices are consistent with the definition. Defining "all system design documents as confidential information" while failing to manage those documents adequately internally means there is no actual protection in practice. Simultaneously audit whether the defined information is subject to appropriate access controls, storage protocols, and disposal procedures.

Common Checkpoints for Both Parties

Before signing, read the confidential information definition clause aloud and ask yourself: "Does this make sense when applied to the information I will actually be disclosing or receiving?" For small businesses without legal departments, having a qualified attorney review just the definition clause is a highly cost-effective investment.

The confidential information definition is the foundational clause upon which the entire NDA's effectiveness rests. Rather than "just sign it," the process of both parties confirming "what we are protecting, why, and how" before contracting also contributes to building long-term trust. An NDA signed with a vague definition carries the inherent risk of being used not to protect, but to dispute.
