Confidential Information: US

This Confidential Information policy explains how your organization can protect non-public business and third-party information while still respecting employees' protected rights, including the right to discuss wages and working conditions under the National Labor Relations Act (NLRA) and the whistleblower protections strengthened by the Defend Trade Secrets Act of 2016 (DTSA). A well-written confidentiality policy sets clear, practical expectations for handling sensitive information (like intellectual property, finances, customer and vendor data, and product plans), points employees to any separate NDA they signed, and avoids overly broad restrictions that can create legal risk.

The History Behind Confidential Information Policies in the US

Confidential Information policies arose because employers needed a practical way to protect trade secrets and sensitive business data as work became more specialized and information moved faster. Courts had long recognized trade secret claims under state common law, and by the late 1970s and 1980s states began adopting versions of the Uniform Trade Secrets Act to standardize what counted as a trade secret and what counted as misappropriation. That legal backing made confidentiality expectations easier to enforce, especially when employees could walk out the door with customer lists, pricing, product plans, or source code.

Federal law then made theft of trade secrets a federal crime with the Economic Espionage Act of 1996, and the Defend Trade Secrets Act of 2016 created a federal civil cause of action and added a specific notice requirement about immunity for certain whistleblowing disclosures (for example, to a government official or an attorney, under seal). That DTSA notice requirement pushed organizations to tighten up confidentiality language, connect policies to standalone NDAs, and document the steps they take to treat information as confidential.

 

In the 2010s, the rise of security and trust audits (like SOC 2) used in vendor due diligence, especially for SaaS and cloud providers, made confidentiality policies feel less optional. As SOC 2 reports became a common way for service providers to prove their controls to customers and stakeholders, organizations increasingly needed written policies, training, and employee acknowledgements as auditable evidence, including confidentiality commitments that apply to everyone.

 

Labor law also influenced confidentiality policies. The National Labor Relations Act protects employees' rights to discuss wages and working conditions, and the NLRB has repeatedly challenged broad confidentiality rules that employees could reasonably read as gag orders about workplace issues. Employers responded by carving out NLRA-protected activity and whistleblower rights, and by getting more specific about what "confidential" means, so any policy protects real business secrets without turning into a blanket ban on employee conversations.

Which Law is this Confidential Information Policy Meant to Comply With?

If you create and distribute a Confidential Information Policy for your US-based employees, ensure it complies with the National Labor Relations Act (NLRA) and the Defend Trade Secrets Act of 2016 (DTSA).

How to Write a US-Specific Confidential Information Policy

  • Start with the "why": introduce the concept and explain that employees may access sensitive business information and must protect it.
  • State the core rule that employees must keep confidential information private during employment and after employment ends.
  • Define confidential information broadly as non-public information, and give representative examples of the types of information covered.
  • Tell employees to handle work-only information carefully and to treat uncertain information as confidential until clarified.
  • Explain that improper disclosure can lead to workplace discipline and potential legal consequences.
  • Cross-reference any separate confidentiality or non-disclosure agreement as the primary source of detailed obligations.
  • Include a clear carveout that the policy does not limit employees' legal rights, including protected reporting and discussions about wages and working conditions.

When to Include this Policy in Your Employee Handbook

The law does not require you to publish a policy or issue a specific notice. That said, you still have to comply with the requirements that apply to you as an employer.

Even when notice is not required, this is still the kind of policy most employers should put in their handbook or otherwise publish to employees. It answers a question employees will ask, sets expectations, and gives managers a consistent script. If you don't include it, you'll end up explaining it ad hoc, and that's when inconsistency, resentment, and accidental noncompliance show up.

Other Considerations

None.

Exceptions

None.

Model Policy Template for a Confidential Information Policy

Confidential Information

During the course of your employment at {{Organization Name}}, you may have access to confidential information. It is your responsibility to make sure this information remains confidential, even if your employment with us ends.

Generally speaking, use caution when handling information you’re only privy to because you work for us.

Confidential information includes anything that isn’t readily known to the public. This includes things like intellectual property, finances, product information, software and computer programs, databases, marketing strategies, and information related or belonging to our suppliers, customers, or potential customers. If you’re unsure whether something is considered confidential, you should treat it as if it is until you get clarification from your {{manager}}.

In addition to violating our policies and being subject to discipline internally, improperly sharing confidential information can result in civil and/or criminal penalties.

More detailed obligations are covered in the confidentiality or non-disclosure agreement you signed as a condition of employment. This policy does not prevent you from exercising any legal rights under applicable law, including protections for whistleblowing or discussing your wages and working conditions.

Reminder

The information provided here does not, and is not intended to, constitute legal advice. Only your own attorney can determine whether this information, and your interpretation of it, applies to your particular situation. You should contact legal counsel for advice on any specific legal matter.