Yogi Berra will be missed, but his wisdom will endure. Who else could have observed “No one goes there nowadays. It’s too crowded”? The information governance equivalent is “No one has information anymore. There’s too much of it.” In the last decade we have watched computing power become a utility. Data used to be housed predominantly within a company’s own systems, but now, through remote storage, SaaS, PaaS, and other cloud solutions, more and more information is hosted by third-party providers. Also, as marketplace forces compel organizations to outsource functions that used to reside internally, operational service providers increasingly create, receive, maintain, and process information on the organization’s behalf.
It follows that information governance (the organization’s approach to satisfying information compliance and controlling information risk while maximizing information value) can no longer simply be an internally focused exercise. IG “has come to a fork in the road, and must take it.” Service provider selection, contracting, and oversight are now primary vehicles of information governance, because when it comes to governing your organization’s information, “the future ain’t what it used to be.”
Broadly speaking, the custodial location of data does not determine the organization’s data compliance requirements and risks. A company’s data security obligations do not evaporate when the company houses protected data with a service provider; its records retention and destruction rules do not disappear if the company’s data is hosted remotely; and its litigation preservation duties do not vanish for information in its control, regardless of third-party possession or custody. Given this reality, organizations must find effective strategies to address data security, retention/destruction, and litigation preservation for their information in the custody of service providers.
A key benefit of the IG perspective is that it enables organizations to borrow useful strategies from one established discipline and apply them broadly. The importance of service provider controls is well-established in the data security discipline. For example:
- HIPAA covered entities and business associates must address data security in their business associate agreements;
- The various iterations of functional regulations under Gramm-Leach-Bliley require financial institutions to oversee service provider security;
- The Disposal Rule under FACTA requires safeguards for consumer information, including effective selection, contracting, and oversight for disposal providers; and
- Several states’ protected personal information regulations require effective security safeguards in service provider relationships.
Not surprisingly, most organizations have embedded data security considerations into their processes for service provider selection, contracting, and oversight (if you haven’t yet done so, add that to the “To Do” list).
But why not leverage these existing processes beyond data security, applying controls to all information compliance and risk involving your service providers? The processes are already in place; the organization simply broadens their scope. Thus, in selection due diligence, don’t simply inquire about data security. Also dig into the provider’s capabilities to follow your retention rules and to apply legal holds. In your service provider contracts, don’t merely address data security obligations. Add provisions governing information retention/destruction and defining the service provider’s responsibilities for preservation and collection under legal holds. And in service provider oversight, don’t focus solely on data safeguards. Be vigilant about the provider’s actual compliance with your organization’s retention/destruction rules and legal holds.
“You’ve got to be very careful if you don’t know where you are going, because you might not get there.” Your organization’s information is increasingly going elsewhere, into the custody of your service providers. The focus of information governance efforts must go there too. So, be “amphibious,” hitting from both sides of the plate: stay the course in establishing internal controls for information security, retention/destruction, and preservation, but also devote serious attention to information governance in your service provider relationships. And when the going gets tough, remember: “It ain’t the heat, it’s the humility.”