The simplest answer to this question is that it depends. Granted, that is not really an answer, but it really does depend on the strength of the NDA, as well as whether the party signing it correctly understands its requirements. Here are the reasons that NDAs often fail to fulfill their very purpose:
An NDA is only as strong as the clauses that it contains. Vague statements that the party must keep all information a secret forever simply won't suffice. Although excessive detail is not necessary, language that specifically explains what information has to be protected and the consequences for failing to comply must be included. Together, the clauses of the NDA must adequately describe the who, what, when, and how of the arrangement.
Obviously, the who pertains to the parties bound by the agreement, and the what is the information that is to remain confidential. The when, or the timeframe, should be an agreed-upon period of time during which the NDA will be in effect. As for the how, this is usually addressed in a catch-all explanation that the party must act responsibly and take reasonable measures to prevent disclosing the confidential information, both intentionally and inadvertently. In general, a specific agreement with unambiguous clauses is preferable to a broader one, as the latter will be subject to interpretation and thus more likely to create problems.
Specific Events not Explained
Another aspect to consider including in the NDA to strengthen its ability to protect confidential data relates to how information will be treated under certain circumstances. For example, in the event that an employee leaves the company while the NDA is still in effect, the NDA should explain the expectations on how returning and relinquishing access to information must occur. If the NDA does not address this, information saved on a device may be taken and access to professional accounts may not be terminated.
In these situations, even if the person does not commit direct acts that are contrary to the NDA, items may nonetheless become misappropriated due to this oversight. To avoid this, it is important to identify events that may occur in the future and explain how the company would like to handle those situations.
Lack of Additional Security
It really isn't the NDA that fails to protect information so much as it is human error. After all, an NDA serves to deter people but it primarily provides a company with recourse after information has been inappropriately disseminated. As a result, the strongest, most specific NDA in the world is basically irrelevant if other security measures are not implemented to further safeguard data. At a minimum, information should be stored in an electronic database that has multi-factor access procedures and encryption for data at rest and in transit.
Of course, other methods can be utilized as well, such as limiting access and distribution, filing for the appropriate legal protection (via a trademark or patent, for example), and vigilantly tracking all sensitive data. If there are multiple security efforts in place, then in the event that one falters, the others will hopefully prevent or mitigate any additional consequences.
Document retention, management, and sharing play a key role in keeping private information safe. At far too many companies, employees send and receive emails with documents attached and proceed to save those documents to their hard drive without thinking. Granted, many of them may not realize that this puts data in jeopardy. But the reason they do not realize this is probably a reflection of the company failing to create and institute a coherent document strategy. If your company goes to the trouble of requiring employees to sign an NDA, then it should also ensure that there is a data security plan implemented.
Despite the potential limitations of NDAs, they are important agreements that must be utilized in conjunction with other robust security methods to ensure that data is protected on several fronts.