As early as Chapter 1 (pg. 14) in Information Disposition, where
data protection regulations are discussed in the book, regulatory
language is used to make the point.
Vendor Selection Due Diligence
Data controllers often outsource information management
or processing functions such as records storage, billing,
scanning, and information destruction to service providers.
Regulations universally understand this reality and,
therefore, require data controllers to demonstrate due
diligence in verifying such service providers meet the
appropriate security standards and regulatory compliance.
Per the U.S. Department of Health and Human Services:
The [HIPAA] Privacy Rule requires that a covered
entity obtain satisfactory assurances from its
business associate that the business associate
will appropriately safeguard the protected health
information it receives or creates on behalf of the
covered entity (HHS).
In the GLB Safeguards Rule, the instructions are to...
(d) Oversee service providers, by: (1) Taking
reasonable steps to select and retain service
providers that are capable of maintaining appropriate
safeguards for the customer information at issue;
and (2) Requiring your service providers by contract
to implement and maintain such safeguards (Federal
But singling out one passage does the book, and the truth of the
matter, an injustice. The importance of due diligence in the vendor
selection process runs throughout the 272 pages.
For example, a description of data breach notification a few
paragraphs later includes the passage:
Further emphasizing the importance of appropriate
vendor selection due diligence, regulators have embedded
important practical provisions within the regulations.
First, data controllers are held legally responsible for
breaches resulting from inadequately vetted contractors.
For instance, under data breach notification laws, service
providers are simply required to notify the data controller.
It is the data controller’s responsibility to notify regulators
and the affected clients, as explained by the HHS:
If a breach of unsecured protected health
information occurs at or by a business associate,
the business associate must notify the covered
entity following the discovery of the breach. A
business associate must provide notice to the
covered entity without unreasonable delay and
no later than 60 days from the discovery of
the breach. To the extent possible, the business
associate should provide the covered entity with
the identification of each individual affected by the
breach as well as any information required to be
provided by the covered entity in its notification to
Regulatory requirements for covered entities to
have service providers’ contracts in place are also
clear evidence that due diligence in the selection
and management of service providers is an inherent
Chapter 4 addresses the topic of Risk Management Principles and
focuses on four critical aspects that most dramatically decrease
data controller risk and liability:
• Service Provider Selection
• Herein, an entire section of the chapter is
dedicated to what proper vendor selection looks
Once exposed to the content of Information Disposition, any
customer would be forced to realize that the qualifications of
their secure data destruction service are very important.
Heck, maybe all they have to do is read this article or the
Customer Misconception #2:
No Need for a Contract
It makes perfect sense that customers who do not see the
critical importance of vendor qualifications would also
minimize the value of having a contract with those vendors.
Information Disposition will equip service providers who
encounter the customer philosophy that there is no need to
have a contract with a destruction vendor on the job, by pointing
directly to regulatory compliance and best practices. The
subject of contracts surfaces in greatest detail in Chapter 4: Risk
Management; in fact, it is considered one of the top four elements
of any information disposition risk management strategy.
As readers will see, there is more than enough even in the
introductory paragraphs to convince a customer that a contract is
prudent. One excerpt in particular may be all that is necessary for
the client to understand its importance: