Customer Misconception: Vendor Qualifications Don’t Matter – Selling Information Disposition by the Book (vol. 2)
April 26, 2017
Bob Johnson, NAID CEO
In my last blog, Selling Information Disposition by the Book (vol. 1), the first in this series, I talked a bit about the mechanics of using the new Information Disposition textbook.
If I were to boil that post down to one sentence, it would be: Get the book in front of any customer bidding a shredding job, especially if they are floating a contract or RFP.
The rest of this series is meant to show readers some of the language in the book that is aimed specifically at customer misconceptions – misconceptions that put them at risk and stand in the way of service providers better serving them.
When we asked NAID members to vote, the customer misconception that received the most votes was that “Vendor qualifications don’t matter.” Of course, this is very disturbing, since nothing could be more wrong. In fact, making sure the service provider has the right qualifications is a legal requirement. And, since the customer will be held fully responsible for the actions of their service provider, it is important from a practical perspective too.
As early as Chapter 1 (p. 14) of Information Disposition, where data protection regulations are discussed, the book uses the regulators’ own language to make the point.
Vendor Selection Due Diligence
Data controllers often outsource information management or processing functions such as records storage, billing, scanning, and information destruction to service providers. Regulations universally understand this reality and, therefore, require data controllers to demonstrate due diligence in verifying that such service providers meet the appropriate security standards and regulatory compliance.
Per the U.S. Department of Health and Human Services:
The [HIPAA] Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity (HHS).
In the GLB Safeguards Rule, the instructions are to…
(d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards (Federal Register, 2002).
But singling out one passage does the book, and the truth of the matter, an injustice. The importance of due diligence in the vendor selection process runs throughout the 272 pages.
For example, a description of data breach notification a few paragraphs later includes the passage:
Further emphasizing the importance of appropriate vendor selection due diligence, regulators have embedded important practical provisions within the regulations. First, data controllers are held legally responsible for breaches resulting from inadequately vetted contractors. For instance, under data breach notification laws, service providers are simply required to notify the data controller. It is the data controller’s responsibility to notify regulators and the affected clients, as explained by the HHS:
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
Regulatory requirements for covered entities to have contracts with their service providers in place are also clear evidence that due diligence in the selection and management of service providers is an inherent expectation.
Chapter 4 addresses the topic of Risk Management Principles and focuses on four critical aspects that most dramatically decrease data controller risk and liability:
- Personnel
- Indemnification
- Contracts
- Service Provider Selection
Within that chapter, an entire section is dedicated to what proper vendor selection looks like.
Blogs are not books, and by now readers get the point.
Once exposed to the content of Information Disposition, any customer would be forced to realize that the qualifications of their secure data destruction service are very important.
Heck, maybe all they have to do is read this blog!