It’s a common nightmare.  As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  it’s not only embarrassing – it’s downright dangerous.

This is not just a bad dream – it’s reality for companies possessing third-party data without clarity on what rules and responsibilities apply.

Most companies possess some data that they do not truly and solely own.  Perhaps your company signs a nondisclosure agreement and obtains others’ information while evaluating a business opportunity.  Or maybe your company is a service provider that receives or generates data on behalf of customers or clients.  Your company has possession of the data, but it remains responsible to the third-parties if there’s a problem.

What kinds of problems?  Well, what if the third party’s data is lost, corrupted, misappropriated, hacked, or held for ransom?  What if the cost of maintaining the information, after the work concludes or need passes, becomes onerous?  What if the information becomes relevant in future litigation?  Who is authorized to make decisions about the information when the unexpected happens, and who is responsible for the expenses and exposures?

Information Governance – your organization’s strategic approach to managing information compliance, cost, and risk while maximizing information value – is tailor-made for this commonplace scenario.  Here’s how it works:

  • What third-party information do we have, located where?
  • Who is the third party, and what (if anything) have we already agreed to do regarding permissible use, ownership of derivative information, retention/disposition, privacy, security, and litigation preservation and production?
  • What do we want our rules to be on each of these topics?  The first two (permissible use and ownership of derivative information) are often already addressed contractually, along with archaic, boilerplate treatment of data designated as “confidential information.”  But surprisingly, many agreements are either silent or pay short shrift to retention/disposition, privacy, security, and litigation preservation and production.
  • What do we want our responsibilities to be if problems arise – what notification obligations should we have, how should liabilities be allocated and limited, and what insurance should be in place?
  • Make sure our rules and responsibilities are in our contracts.  Yes, disparities in bargaining power will eat the “perfect world” for breakfast.  But we need to know what we want(ed), and we must keep track of what we got, and didn’t get.  Doing so allows us to follow through and create exceptions as needed to our rules governing information generally, and also prompts us to adjust for the resulting risks and exposures.
  • Apply the resulting rules to how information is actually handled at our company.   We now have clarity on what rules apply to what third-party information.  Ideally, most such rules align with our general policies for retention/disposition, privacy, security, and litigation, but inevitably some exceptions will need to be made.  Don’t let these exceptions languish in some contract file in the Legal Department – these special rules for third-party information must be woven into company information management systems, compliance efforts, and employee awareness.