top of page
  • Whatsapp
  • LinkedIn
  • Facebook

Why Many NDAs Fail To Actually Protect Businesses In Malaysia

  • Writer: ipgenn
    ipgenn
  • Jun 19
  • 7 min read

A Signed NDA Does Not Automatically Mean You Are Protected


Many business owners take comfort once a Non-Disclosure Agreement (NDA) has been signed.


The assumption is simple. “We have an NDA. Therefore, our confidential information is protected.”


Unfortunately, that assumption is often wrong.


Some of the most valuable assets owned by a business are not its machinery, office, inventory or equipment. They are information, such as customer databases, recipes, technical know-how, software source code and many more.


Yet when disputes arise, many businesses discover that having an NDA is very different from being able to successfully enforce one.


In practice, confidential information is frequently lost through former employees, business partners, software vendors, manufacturers and others.


By the time the business realises what has happened, customers may already have moved, competitors may already have benefited, and the damage may be difficult to reverse.


The uncomfortable reality is this:


An NDA is only one part of a confidentiality protection strategy.


Whether a business succeeds in protecting its confidential information often depends on factors that go far beyond the wording of the NDA itself.


Why many NDAs fail to actually protect businesses in Malaysia

The First Mistake: Treating Everything As Confidential


If everything is labelled confidential, sometimes nothing is.


One of the most common drafting mistakes is defining confidential information too broadly.


Many NDAs contain provisions stating that confidential information means: “All information relating to the business.”


At first glance, this sounds comprehensive.


However, when a dispute reaches court, a business may be required to identify with reasonable precision what information was actually misused.


Was it a customer database, source code, formula or technical drawings?


The more valuable the information, the more clearly it should be identified.


This issue was highlighted in the case Dynacast (Melaka) Sdn Bhd & Ors v Vision Cast Sdn Bhd & Anor [2016] 3 MLJ 417, where the court criticised the claimant’s failure to sufficiently identify the confidential information allegedly misappropriated. The claim ultimately failed because the pleading and evidence did not clearly establish what confidential information had actually been taken or used.


Imagine a software company alleges that a former developer stole confidential information.


If the company merely says: “the employee took our confidential information.”, that may not be enough.


However, if it can identify specifically, like whether it’s source code repositories, architecture documentation or API specifications. The claim may become significantly stronger.


The Second Mistake: Assuming Information Is Not Confidential Simply Because Part of It is Public


Information may still be confidential even if parts of it are publicly available.In the case Shafubahrim Mohd v. Em Exhibitors (M) Sdn Bhd & Anor [2012] 5 CLJ 360 (“PIKOM PC Fair case”), the 2nd defendant was a former employee who had access to PIKOM’s Exhibitors Database while organising the PC FAIR exhibitions. After leaving PIKOM, she set up a competing exhibition business known as PC EXPO. It was found that she used information obtained from PIKOM’s confidential Exhibitors Database, including direct contact details of exhibitors and decision-makers, to contact and recruit exhibitors for the competing PC EXPO event.


The defendants argued that the information was not confidential because it could be obtained from the PIKOM website and show guides. They also claimed that any information used formed part of the 2nd defendant’s personal knowledge and experience gained during employment.


Whereas the plaintiff argued that its Exhibitors Database was confidential information developed over many years. The database contained valuable non-public information, including direct contact persons, email addresses and mobile numbers of exhibitors.


The court eventually found that the Exhibitors Database was confidential information. The database contained specific contact details and “lead” information that were not publicly available and access to it was restricted within PIKOM. So, the court concluded that the defendants had misused the plaintiff’s confidential information and that such information remained proprietary to PIKOM notwithstanding the 2nd defendant’s knowledge of it.


The Third Mistake: Relying On The NDA While Ignoring Operational Security


An NDA cannot compensate for poor internal controls.


Many businesses invest considerable effort in drafting agreements.


Very few invest the same effort in controlling access to confidential information.


Consider the following questions:


  • Can any employee export the customer database?

  • Can staff download source code onto personal devices?

  • Are access logs maintained?

  • Are confidential files segregated?

  • Are passwords shared between departments?


Example


A food manufacturer may have an NDA with its production manager.


However, if recipes are freely circulated through WhatsApp groups and stored on unsecured personal devices, enforcement becomes substantially more difficult.


The problem is not necessarily the NDA.


The problem is the absence of operational protection.


The Fourth Mistake: Forgetting About What Happens After The Relationship Ends


Confidentiality protection should continue beyond termination.


Many NDAs focus heavily on disclosure restrictions during the relationship.


Surprisingly, some pay little attention to what happens afterwards.


Questions that should be addressed include:


  • Must documents be returned?

  • Must electronic copies be deleted?

  • Must cloud backups be removed?

  • Must destruction be certified?


Without clear obligations, confidential information often remains in circulation long after the relationship has ended.


Practical Example


A software vendor may receive access to the Client’s operational workflows, customer records and transaction data.


If the engagement ends, the business should have a clear contractual mechanism requiring return or destruction of information.


Otherwise, future disputes become significantly more complicated.


The Fifth Mistake: Focusing On Damages Instead Of Prevention


For many businesses, stopping the leak is more important than recovering compensation later.


Business owners often assume the purpose of an NDA is to claim damages.


In reality, by the time damages are assessed, customers may already be lost or trade secrets may already be disclosed.


Sometimes the most valuable remedy is not compensation. It is speed.


This is why confidentiality agreements should be drafted with enforcement in mind.


Particularly where disclosure could cause irreparable harm.


What Does An Effective Confidentiality Protection Strategy Look Like?


Many businesses assume that a signed NDA is enough to protect their confidential information. In practice, the strongest protection usually comes from a combination of legal safeguards, operational controls, employee management and proper record keeping.


Confidentiality is rarely protected by a single document. It is protected by a system.


Legal Layer: Establish Clear Rights and Obligations


The legal layer forms the foundation of any confidentiality strategy. This is where NDAs, employment agreements, consultant agreements and contractor agreements play an important role.


The objective is not merely to state that information is confidential. The agreements should clearly define what information is protected, who owns it, how it may be used, and what happens when the relationship ends. Intellectual property ownership provisions are equally important, particularly for software developers, product designers, researchers and businesses involved in innovation.


Without a proper legal framework, disputes often arise over whether the information was confidential in the first place, who owns it, or whether the recipient was entitled to use it.


Operational Layer: Limit Access to What Matters


Even the best drafted NDA may be of limited value if confidential information is freely accessible throughout the organisation.


Businesses should consider whether employees genuinely need access to certain information. Customer databases, pricing structures, recipes, source code, technical drawings and strategic plans should generally be accessible only to those whose roles require it.


Practical measures such as password protection, access restrictions, document classification systems and approval workflows help demonstrate that the business genuinely treats the information as confidential. They also reduce the risk of accidental leaks and unauthorised use.


In many cases, how a business handles information internally can be just as important as what its contracts say.


Human Resource Layer: Manage People, Not Just Documents


Many confidentiality disputes do not arise because of sophisticated cyberattacks. They arise because employees leave.


For that reason, confidentiality protection should begin on the first day of employment, not on the last day.


Employees should understand what information is confidential and why it matters to the business. This can be reinforced through onboarding procedures, confidentiality training and regular reminders. When an employee resigns, a proper exit process can help ensure that company property, documents and data are returned before departure.


A well-managed workforce is often one of the most effective forms of confidentiality protection.


Evidence Layer: Be Prepared If Enforcement Becomes Necessary


Many businesses only realise the importance of evidence after a dispute has already started.


If confidential information is misused, the business may need to show who had access to the information, when it was accessed, what obligations were agreed to, and what steps were taken to protect it.


Access records, acknowledgement forms, confidentiality notices and data retention policies can all become valuable evidence. These records may help establish that the information was confidential and that the recipient was aware of their obligations.


The objective is not merely to prevent misuse. It is to place the business in the strongest possible position if enforcement ever becomes necessary.


A Confidentiality Strategy Is A System, Not A Document


Businesses that successfully protect confidential information rarely rely on a single NDA. Instead, they combine legal protection, operational controls, employee management and evidence preservation into a coherent framework.


The question is not whether your business has an NDA.


The better question is whether your overall confidentiality framework would stand up to scrutiny if your most valuable information was misused tomorrow.


Frequently Asked Questions


Is an NDA legally enforceable in Malaysia?


Yes. NDAs are generally enforceable under Malaysian law, provided the obligations are properly drafted and the confidential information is capable of protection.


Does confidential information need to be marked “Confidential”?


Not necessarily. However, clearly identifying confidential information often strengthens the business’s position.


Can software source code be protected through an NDA?


Yes. Source code is often one of the most valuable forms of confidential information held by software businesses.


Is a customer database confidential information?


Potentially yes. Malaysian courts have recognised that proprietary databases developed through substantial effort may be capable of protection.


Can I use a free NDA template downloaded from the internet?


You can. However, many templates fail to address industry-specific risks, ownership issues, enforcement mechanisms and practical commercial realities.


Not sure whether your customer database, source code, recipe, business process or other confidential information is adequately protected?


At LAWENCO, we regularly advise businesses on confidentiality protection strategies, NDAs, employee confidentiality obligations, intellectual property ownership and enforcement options. If your business relies on valuable know-how or confidential information, a proper legal and operational framework can make a significant difference when a dispute arises.


Contact us if you would like to review your existing confidentiality arrangements or discuss how best to protect your business information.




Written by,

Registered Trademark, Patent and Design Agent

LL.B (HONS), CLP

Advocate & Solicitor




Disclaimer


The information contained in this article is intended as a general guide only and should not be regarded as legal advice. While every effort has been made to ensure the accuracy of the information at the time of publication, the law may change and its application will depend on the specific facts of each situation.


If you are facing a confidentiality dispute, considering the use of an NDA, or wish to protect your business’s confidential information, intellectual property or trade secrets, we recommend obtaining legal advice tailored to your particular circumstances.

 
 
 

Comments


LAWENCO | Advocates & Solicitors

 

T:       +6017-5581621

E:       hello@lawenco.com

A:       Messrs Lawrence Tan & Co. (000020008942)​

Advocates & Solicitors
A1-02-12, Arcoris Mont Kiara

Jalan Kiara, Mont Kiara

50480 WP Kuala Lumpur, Malaysia

​​​

  • Whatsapp
  • Linkedin
  • Facebook

 

© 2026 by LAWENCO 

Question? Contact Us

bottom of page