Customer Misconception: No Need for a Contract – Selling Information Disposition by the Book (vol. 3)
May 1, 2017
Bob Johnson, NAID CEO
This is the third installment in my blog series on using the Information Disposition textbook to overcome the most costly customer misconceptions. It makes perfect sense that customers who do not see the critical importance of vendor qualifications would also minimize the value of having a contract with those vendors.
Information Disposition equips service providers to counter the customer philosophy that there is no need for a contract with a destruction vendor, by pointing directly to regulatory compliance and best practices. The subject of contracts surfaces in most detail in Chapter 4: Risk Management; in fact, it is considered one of the top four elements of any information disposition risk management strategy. As readers will see, there is more than enough even in the introductory paragraphs to convince a customer that a contract is prudent. One excerpt in particular may be all that is necessary for the client to understand its importance:
“…there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, but not having a contractual agreement with a downstream data-related service provider would likely be deemed unreasonable and negligent.” (pg. 85)
Still, it is worth reading the introduction in its entirety.
Obtaining appropriate legal counsel is a prerogative of any party entering a contractual relationship. The forthcoming information is not to be construed as legal advice but rather an attempt to articulate relevant issues.
From an internal perspective, employee acknowledgements and agreements mentioned previously are a form of contract.
From an external perspective, there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, but not having a contractual agreement with any downstream data-related service provider would likely be deemed unreasonable and negligent.
Contracts codify agreements and, in doing so, protect all parties to them. Contracts between a data controller and a service provider would typically do all of the following:
- Contain or reference exhibits containing the promised/expected security measures and processes
- Include pricing and payment terms
- Provide regulatory linkage, for example, to breach notification requirements, the HIPAA Privacy and Security Rules, the GLBA Safeguards Rule, etc.
- Include the term (period) of the contract, renewal and early termination provisions
- Delineate how and where disputes would be resolved
It is expected that each party to the contract is responsible for protecting its own interests. As a result, the party producing the agreement is primarily focused on protecting its interests, potentially at the expense of the other. It is assumed that both parties will consider how the agreement affects them and be aware of the other party’s responsibility to protect itself.
The chapter goes on to list more than a dozen contractual clauses that are either required by law or required as a best practice to protect the client (and in most cases the service provider as well).
No client could read this section of Chapter 4 and still believe that the obligation to have a contract with a data destruction service provider should be ignored.