since 2016 (thanks to obama) in the US you cannot enforce civil liability against your staff for divulging *any* secret information (related to foreign/interstate commerce, as it's a federal law) to the police, even if there is no law being broken or underlying criminal activity. police suspicion is sufficient to render your NDA pointless.

it's getting to the point where keeping private information private is harder and harder, and will soon be illegal.