Customer Misconception #2: No Need for a Contract
It makes perfect sense that customers who do not see the critical importance of vendor qualifications would also minimize the value of having a contract with those vendors.
Information Disposition will equip service providers who encounter the customer philosophy that there is no need to have a contract with a destruction vendor on the job, by pointing directly to regulatory compliance and best practices. The subject of contracts surfaces in greatest detail in Chapter 4: Risk Management; in fact, it is considered one of the top four elements of any information disposition risk management strategy. As readers will see, there is more than enough even in the introductory paragraphs to convince a customer that a contract is prudent. One excerpt in particular may be all that is necessary for the client to understand its
“…there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, but not having a contractual agreement with a downstream data-related service provider would likely be deemed unreasonable and negligent.” (pg. 85)
Still, it is worth reading the introduction in its entirety.
Obtaining appropriate legal counsel is a prerogative of any party entering a contractual relationship. The forthcoming information is not to be construed as legal advice but rather an attempt to articulate relevant issues.
From an internal perspective, employee acknowledgements and agreements mentioned previously are a form of
From an external perspective, there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, not having a contractual agreement with any downstream data-related service provider would likely be deemed unreasonable and negligent.
Contracts codify agreements and, in doing so, protect all parties to them. Contracts between a data controller and service provider would typically include all of the following:
• Contain or reference exhibits containing the promised/expected security measures and
• Include pricing and payment terms
• Provide regulatory linkage, for example, to breach notification requirements, the HIPAA Privacy and Security rules, GLBA Safeguards Rule, etc.
• Include the term (period) of the contract, renewal and early termination provisions
• Delineate how and where disputes would be
It is expected that each party in the contract is responsible for protecting their interests. As a result, the party producing the agreement is primarily focused on protecting its interests, potentially at the expense of the other. It is assumed that both parties will consider how the agreements affect them and be aware of the other party’s responsibility to protect themselves.
The chapter goes on to list more than a dozen contractual clauses that are either required by law or required as a best practice to protect the client (and in most cases the service provider as well). No client could read this section of Chapter 4 and still believe that the obligation to have a contract with a data destruction service provider should be ignored.
Customer Misconception #3: Only Large Records Purges Need Destruction (Not Daily Paper)
The third most costly misconception is when customers do not give appropriate attention to destroying the media that they discard on a daily basis in the normal course of business (usually waste paper). In fairness, most of the data destruction industry growth in the U.S. market over the past 15 years is due to the fact that more and more organizations do destroy incidental media. In that regard, things are better. However, there is still a lot of room for improvement. Not only do too many organizations still neglect to protect the media they discard daily; even those that do provide a way to collect it often fail to make sure it all gets into the security container.
This usually boils down to one common denominator: The client doesn’t really think of the discarded daily media as an official