Beware the boilerplate – what does your confidentiality clause actually mean?

Logix Aero Ireland v Siam Aero Repair Company [2025] EWHC 1283 (KB) is a judgment on an application for the summary determination of a claim brought by A against their contractual counterparty, B. A and B entered into a letter of intent (LOI) for the sale of aircraft engines. The LOI included a boilerplate confidentiality clause.

What happened next is, regrettably, not unusual. A fraudster came into possession of an email between the parties and thereafter interposed themselves into correspondence without the parties knowing. Both parties proceeded to negotiate and sign a contract, then respectively produce and pay invoices, all the time without realising that they were corresponding with a fraudster and not their counterparty. The fraudster therefore amended payment details etc, absconding with the ‘agreed’ purchase price.

The claim concerned the fallout between the parties. The buyer, who had paid against a fraudulent invoice, sought to claim against the seller. As is not surprising, the Judge held that there was no concluded contract between the parties, who had each signed different versions of the contract as provided by the fraudster.

One point (among others) which is of more interest is what the judge had to say about confidentiality. The buyer claimed that the seller had breached the absolute confidentiality obligation in the LOI by sending various documents to the fraudster – albeit unwittingly. This, it was said, enabled the fraudster to defraud the buyer, which therefore had a claim against the seller for breach of the confidentiality clause. Damages would be calculated by reference to the sum paid to the fraudster.

The Judge considered various arguments by the parties on construction and ultimately concluded that there was sufficient merit on that aspect which would survive a summary judgment application. However, the Judge dismissed the claim on the basis of causation. As pleaded, it was not merely the fault of the seller that enabled the fraud; the fraud was only possible because the buyer had engaged in precisely the same ‘wrongdoing’ – i.e. sending information and documents to the fraudster in (assumed) breach of the confidentiality term.

However, this leaves open the possibility of future claims succeeding if the causation issue can be overcome. In the meantime, consider your boilerplate clauses: do you really want to be subject to an absolute obligation of confidentiality, or would it be better to qualify that obligation by reference to ‘reasonable care’?

Last week, I very much enjoyed discussing this – and various other – aspects of the case with Luke Zadkovich and Calum Cheyne for their podcast, Case By Case. Do subscribe and listen, when it comes out.
Confidential information misuse in emails
Summary
Confidential information misuse in emails happens when sensitive business data is accidentally or intentionally exposed, shared, or processed through insecure email channels, putting privacy, business interests, and even national security at risk. This includes the dangers of sending private details to unauthorized recipients, using personal accounts for official business, and interacting with AI tools without proper safeguards.
- Update agreements: Review and revise your non-disclosure agreements to specifically restrict using AI tools with confidential email content.
- Verify sources: Always double-check the sender’s identity before sharing sensitive information or responding to payment instructions over email.
- Use secure platforms: Make it a policy to handle confidential business communications only through secure, company-approved email accounts and systems.
-
So you thought Signalgate was bad...how about GmailGate? Yup. Members of President Donald Trump’s National Security Council, including White House national security adviser Michael Waltz, have conducted government business over personal Gmail accounts, according to documents reviewed by The Washington Post and interviews with three U.S. officials. The use of Gmail, a far less secure method of communication than the encrypted messaging app Signal, is the latest example of questionable data security practices by top national security officials already under fire for the mistaken inclusion of a journalist in a group chat about high-level planning for military operations in Yemen. A senior Waltz aide used the commercial email service for highly technical conversations with colleagues at other government agencies involving sensitive military positions and powerful weapons systems relating to an ongoing conflict, according to emails reviewed by The Post. While the NSC official used his Gmail account, his interagency colleagues used government-issued accounts, headers from the email correspondence show. Waltz has had less sensitive, but potentially exploitable information sent to his Gmail, such as his schedule and other work documents, said officials, who, like others, spoke on the condition of anonymity to describe what they viewed as problematic handling of information. The officials said Waltz would sometimes copy and paste from his schedule into Signal to coordinate meetings and discussions. The use of personal email, even for unclassified materials, is risky given the premium value foreign intelligence services place on the communications and schedules of senior government officials, such as the national security adviser, experts say. 
NSC spokesman Brian Hughes said he has seen no evidence of Waltz using his personal email as described and said on occasions when “legacy contacts” have emailed him work-related materials, he makes sure to “cc” his government email to ensure compliance with federal records laws that require officials to archive official correspondence. “Waltz didn’t and wouldn’t send classified information on an open account,” said Hughes. When asked about a Waltz staffer discussing sensitive military matters over Gmail, Hughes said NSC staff have guidance about using “only secure platforms for classified information.” https://lnkd.in/gPHz2fnk
-
Today’s AI tip is about updating your NDAs to prevent recipients from using AI to process confidential information. An NDA is a crucial document that helps protect your confidential information.

Five key components of an NDA

1. Definition of confidential information: clarifies what’s confidential and what isn’t.
2. Use restrictions: outlines limits on how the recipient can use confidential information.
3. Injunctive relief: specifies legal remedies for breaches of the NDA.
4. Retention of rights: affirms your ownership of the confidential information.
5. Termination: details how and when the NDA ends.

The importance of use restrictions

The focus here is on the “Use restrictions” section of the NDA. This part establishes what the NDA prohibits the recipient from doing with your confidential information. Typically, it restricts the recipient from using the information solely for the intended purpose of the NDA, sharing it only with those necessary to achieve that purpose and keeping it secure.

The AI consideration

However, a common oversight in many NDAs is the absence of specific mention of using AI or generative AI technologies, such as ChatGPT, to process confidential information. Without explicit restrictions on using generative AI, recipients might freely apply these technologies to your confidential information. This is problematic for several reasons. Most notably, trade secret laws in many jurisdictions require businesses to make reasonable efforts to safeguard their secrets. Addressing the use of generative AI technologies is essential to maintain legal protection. Furthermore, many NDAs lack clauses holding recipients accountable for any third-party AI systems that process confidential information.

Recommendation

To maintain the integrity and protection of your trade secrets, I recommend updating your NDAs. Include specific provisions that restrict the use of AI technologies in processing confidential information. This will help ensure that your efforts to protect confidential information align with legal requirements and technological advancements.
-
When you upload your company’s trade secrets to write an email... 😬 AI tools like ChatGPT are amazing for productivity (we all love a quick boost), but there’s a hidden risk many don’t realize: Uploading confidential information could mean exposing data that isn’t fully protected. Here’s how you can stay safe while using AI responsibly: 1. Check the policy – Always read the platform’s terms and privacy details. 2. Avoid sensitive data – Never upload anything personal, proprietary, or classified. 3. Use secure options – Look for enterprise-grade AI tools with better safeguards. 4. Anonymize your data – Strip out identifying details before uploading. How to stop ChatGPT from using your data for training? Go to Settings → Data Controls → Uncheck "Improve the model for everyone." AI should enhance your workflow—not compromise it.
-
I’ve been in this field long enough to see things most people will never believe. But today hit differently. We arrested a Data Protection Officer of a reputable company here in Lagos — for something that’s becoming an ugly trend: leaking sensitive company information to scammers. Though I’m not too surprised by this arrest, I was just surprised that such a highly respected organization could fall victim to such a basic security lapse — one that's now causing them a serious and embarrassing blow.

Let's get this right! These cybercriminals are no longer just using guesswork. I can say this, over and over again. They’re now going as far as working with insiders to access company databases, steal email patterns, and send highly convincing phishing messages to vendors and contractors — defrauding them of millions on a daily basis. And sadly, most companies have no idea it’s happening... until it’s too late.

Here’s what’s going wrong:
- Some internal staff are no longer loyal — they sell data without thinking twice.
- Companies trust too easily without strong internal checks or cyber audits.
- Vendors and contractors fall for fake emails that look “official” because they’re crafted with inside information.

The good news is: THIS MUST STOP. We must protect what we’re building.

🔐 What I recommend:
- Companies must verify the integrity of their own teams, especially those who handle sensitive data.
- Data officers must be held accountable. No one is above scrutiny.
- Contractors should double-check every email — especially payment-related instructions.
- And organizations need independent cybercrime investigators — not just software — to constantly monitor threats.

The truth is this: Cyber fraud isn’t just a digital issue anymore. It’s now personal. It’s inside. And we must act now. Let’s take this seriously — not just for compliance, but for survival. In togetherness, we can flatten the curve of #crime in our society.
#SayNoToCyberFraud #CompanysInsiderThreat #ContractorAndVendorSafetyAlert #MykCrimeControlThreatSupport