Customer Misconception #1:
Vendor Qualifications Don’t Matter
When we asked NAID members to vote, the number one customer
misconception they reported was that “vendor qualifications don’t
matter.” This is disturbing, since nothing could be further from the
truth. Making sure the service provider has the right qualifications
is a legal requirement. And, because the customer is held fully
responsible for the actions of its service provider, it matters from a
practical perspective too.
As early as Chapter 1 (pg. 14) of Information Disposition, where the
book discusses data protection regulations, regulatory language is
used to make the point.
Vendor Selection Due Diligence
Data controllers often outsource information management
or processing functions such as records storage, billing,
scanning, and information destruction to service providers.
Regulations universally understand this reality and,
therefore, require data controllers to demonstrate due
diligence in verifying such service providers meet the
appropriate security standards and regulatory compliance.
Per the U.S. Department of Health and Human Services:
The [HIPAA] Privacy Rule requires that a covered
entity obtain satisfactory assurances from its business
associate that the business associate will appropriately
safeguard the protected health information it receives
or creates on behalf of the covered entity (HHS).
In the GLB Safeguards Rule, the instructions are to...
(d) Oversee service providers, by: (1) Taking reasonable
steps to select and retain service providers that are
capable of maintaining appropriate safeguards for
the customer information at issue; and (2) Requiring
your service providers by contract to implement and
maintain such safeguards (Federal Register, 2002).
But singling out one passage does the book, and the truth of the
matter, an injustice. The importance of due diligence in the vendor
selection process runs throughout the book’s 272 pages.
For example, a description of data breach notification a few
paragraphs later includes the passage:
Further emphasizing the importance of appropriate
vendor selection due diligence, regulators have embedded
important practical provisions within the regulations. First,
data controllers are held legally responsible for breaches
resulting from inadequately vetted contractors. For instance,
under data breach notification laws, service providers are
simply required to notify the data controller. It is the data
controller’s responsibility to notify regulators and the
affected clients, as explained by the HHS:
If a breach of unsecured protected health information
occurs at or by a business associate, the business
associate must notify the covered entity following
the discovery of the breach. A business associate
must provide notice to the covered entity without
unreasonable delay and no later than 60 days from
the discovery of the breach. To the extent possible, the
business associate should provide the covered entity
with the identification of each individual affected by
the breach as well as any information required to be
provided by the covered entity in its notification to
Regulatory requirements for covered entities to have service
providers’ contracts in place are also clear evidence that
due diligence in the selection and management of service
providers is an inherent expectation.
Chapter 4 addresses the topic of Risk Management Principles and
focuses on four critical aspects that most dramatically decrease
data controller risk and liability, among them:
• Service Provider Selection
An entire section of the chapter is dedicated to what proper
vendor selection looks like.
Once exposed to the content of Information Disposition, any
customer would have to realize that the qualifications of their
secure data destruction service matter a great deal.
Heck, maybe all they have to do is read this article or the
continued on page 32