
7 NDA Mistakes That Leave Your Small Business Exposed (Including the AI Clause You're Missing)

Most small business NDAs are outdated and unenforceable. Here are seven common NDA mistakes — including a critical AI training data gap — and how to fix each one before they cost you.

AC Privilege.ai · Legal Technology · April 2, 2026 · 7 min read

You signed an NDA before sharing your business plan with a potential partner. You felt protected. Six months later, you discover your proprietary pricing model is now part of a competitor's pitch deck — and your NDA can't do a thing about it.

This happens more often than you'd think. NDAs are the most common legal document in business, but they're also the most commonly botched. A bad NDA isn't just useless — it's worse than useless, because it gives you a false sense of security.

Here are seven mistakes we see small business owners make with NDAs, and how to fix each one.

1. Defining "Confidential Information" Too Broadly (Or Too Narrowly)

The most common NDA mistake is getting the scope wrong. If your NDA says confidential information means "anything related to the business," a court may find that definition unreasonably broad and refuse to enforce it. You might as well have signed nothing.

On the flip side, if your definition is too narrow — say, limited to "financial documents" — then your trade secrets, customer lists, product roadmaps, and internal processes are all fair game.

The fix: Be specific about the categories of information you're protecting. List them: customer lists, pricing models, source code, supplier agreements, marketing strategies, product development plans. You don't need to list every document, but you need to define the categories clearly enough that a court can draw a line.

2. No AI Training Data Clause

This is the NDA gap that's costing businesses right now, and almost nobody is talking about it.

Here's the scenario: you share confidential financial projections with a consultant under an NDA. That consultant pastes your data into ChatGPT to "help with analysis." Your proprietary numbers are now part of a training dataset owned by OpenAI. They're gone. Permanently embedded in a model that serves millions of users.

Your traditional NDA probably says something like "Confidential information may not be disclosed to third parties." But is an AI model a third party? Is pasting data into a chatbot a "disclosure"? Courts haven't fully settled these questions yet, and if your NDA doesn't explicitly address AI tools, you're rolling the dice.

After the United States v. Heppner ruling in February 2026, federal courts have made clear that information entered into consumer AI platforms carries no expectation of confidentiality. The Southern District of New York found that sharing information with a consumer AI tool is equivalent to sharing it with any other third party — privilege and confidentiality protections evaporate.

The fix: Add an explicit AI clause to every NDA. At minimum, it should prohibit the receiving party from inputting confidential information into any AI system, machine learning model, or automated processing tool — whether public or private — without prior written consent. Include language covering third-party AI vendors, subprocessors, and any tools that may retain or learn from the data.

This isn't theoretical. Within the next year, AI clauses will be standard in commercial NDAs. If yours doesn't have one yet, you're already behind.

3. The Wrong Entity Signed

In the rush to close a deal, people sign NDAs using trading names, parent company names, or even personal names when they should be signing as the legal entity that actually owns the confidential information.

If "Smith Consulting LLC" owns your trade secrets but "John Smith" signed the NDA, you may not have standing to enforce it. This is especially common with freelancers, sole proprietors operating through LLCs, and small businesses with multiple entities.

The fix: Triple-check the legal entity names on both sides. The signing party should be the entity that owns or controls the confidential information. If multiple entities are involved, each one needs to be named — or use a defined term that encompasses all of them.

4. No Injunction Language

Imagine someone violates your NDA and starts sharing your trade secrets. You need a court to stop them immediately — not six months from now after full litigation. That's what injunctive relief does.

But many template NDAs (especially AI-generated ones) either omit injunction language entirely or include a weak version that doesn't explicitly acknowledge irreparable harm. Without this language, you'll need to prove irreparable harm from scratch in court — a much harder lift.

The fix: Include an explicit provision stating that any breach of the NDA would cause irreparable harm not adequately compensable by monetary damages, and that the disclosing party is entitled to seek injunctive relief without the necessity of proving actual damages or posting a bond. Your attorney can tailor this to your jurisdiction.

5. Missing or Vague Duration Terms

How long does your NDA last? If the answer is "I'm not sure" or "forever," you have a problem.

Courts are skeptical of perpetual NDAs. Some jurisdictions won't enforce them at all. On the other hand, if your NDA expires in one year but your trade secrets have a ten-year commercial life, you've left nine years of exposure on the table.

The fix: Set a reasonable duration that matches the useful life of the confidential information. For most business relationships, two to five years is standard. For trade secrets with long-term value (like proprietary formulas or algorithms), you can tie the duration to how long the information remains a trade secret — but get legal advice on how your jurisdiction handles this.

6. No Obligation to Return or Destroy Information

Your NDA should specify what happens to confidential information when the relationship ends. If it doesn't, the receiving party can sit on your trade secrets indefinitely — stored in email archives, cloud drives, or (increasingly) in AI tools they've used during the engagement.

The fix: Include a return-or-destroy clause that requires the receiving party to either return all confidential information or certify its destruction within a specific timeframe (typically 10–30 days) after the NDA terminates or upon request. In 2026, this clause should also explicitly cover data stored in AI systems, cloud platforms, and third-party tools.

7. Using a Template Without Legal Review

This one ties everything together. The internet is full of free NDA templates. AI tools can generate one in seconds. And for the most basic, lowest-stakes situations, a template might be fine.

But for anything involving real trade secrets, significant business relationships, or substantial financial stakes, an unreviewed template is a liability. Templates don't know your jurisdiction's quirks. They don't know that your state requires specific language to protect trade secrets. They don't include the AI provisions we discussed above. And they definitely don't account for the specific dynamics of your business relationship.

The cost of an attorney reviewing an NDA — or drafting one tailored to your situation — is typically $200 to $800 on a fixed-fee basis. The cost of an unenforceable NDA when you actually need it? Potentially everything.

The fix: Have an attorney review any NDA that protects information worth more than a few thousand dollars. Services like AC Privilege combine AI-powered document analysis with real attorney oversight, giving you speed and thoroughness at a fixed price — with the privilege protection that a template can never provide.

The Bottom Line

An NDA is only as good as its weakest clause. In 2026, the biggest emerging gap is AI — both in how your counterparty might use AI tools to process your confidential data, and in how AI-generated NDAs might leave out critical protections.

Review your existing NDAs. Add AI clauses. Make sure the fundamentals are solid — right parties, specific definitions, injunction language, clear duration, return-or-destroy obligations. And when the stakes are real, invest in legal review.

Your competitors are updating their NDAs for the AI era. Don't be the one still using a 2019 template.


This post is for informational purposes only and does not constitute legal advice.
