If you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes). How quaint. We no longer keep most of our information – providers do that for us. We store our data in the cloud, through cloud providers. We outsource business applications to SaaS providers, and even entire systems as PaaS. And we increasingly use service providers to handle key aspects of our business that we used to operate internally, resulting in a robust flow of data out of our businesses to such providers, and also in the providers generating, receiving, and retaining huge data troves on our behalf.
But we’re still accountable for our information in others’ hands:
- Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.
- Data security – we’re generally responsible for data breaches suffered by our service providers. Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators. Regardless, in the wake of a service provider data breach, we’re in the hot seat.
- Business Continuity – if we need to promptly restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
- Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies. At worst? See Litigation, Data Security, and Business Continuity above.
Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our data in others’ custody.
And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example:
- HIPAA covered entities and business associates must address data security in their business associate agreements;
- The various iterations of functional regulations under the Gramm-Leach-Bliley Act require financial institutions to address service provider security when selecting, contracting with, and overseeing service providers;
- The Disposal Rule under FACTA requires safeguards for consumer information, including effective selection, contracting, and oversight for disposal providers; and
- Several states’ Protected Information regulations require effective security safeguards in service provider relationships.
Many organizations have already hard-wired data security considerations into their service provider selection, contracting, and oversight. Why not leverage these existing processes beyond data security, applying controls to all of your information compliance and risks involving third-party custodians of your information? If your processes are already in place for data security, then simply broaden their scope.
So, in selection due diligence, don’t simply inquire about data security – also dig into the provider’s capabilities to follow your retention rules, timely restore data, and apply legal holds. In your service provider contracts, don’t merely address data security obligations – add provisions governing information retention/destruction; information integrity, accessibility, and disaster restoration; and service provider’s responsibilities for preservation and collection under legal holds. And in overseeing your existing service providers, don’t solely focus on data safeguards – be vigilant about the provider’s actual compliance with your organization’s retention/destruction rules, data management standards, and legal holds.