If you have been reading my postings for the last several years, you know I am hardly one to be lax when it comes to information security measures – particularly when information will be shared with business partners and vendors. That said, I am finding a common overreaction among businesses to this issue.
Sophisticated businesses have now developed form information security language for inclusion in their business partner and vendor agreements. That language is frequently very extensive, designed to cover the myriad of business and regulatory issues that arise when they entrust their most sensitive information to a third party. The overreaction I am referring to is when a business has reduced the analysis of whether to require all of these extensive provisions to a binary question: Is any sensitive information at risk, regardless of how limited? If the answer is “yes,” all security language is required. If the answer is “no,” the security language can be forgone.
Let me be more specific. Businesses have developed very thorough contractual language to protect their highly confidential information. The overreaction we are seeing is that those businesses frequently use an all-or-nothing approach to the use of this language. If “any” personal information is at risk, even if it is very basic information involving, say, customer names, the entirety of the extensive information security language is required. There is no scaling of the language depending on the actual risk presented.
I am not saying that customer names aren’t deserving of protection; rather, I am merely trying to highlight the problem of the all-or-nothing approach. I suggest that scaling the required protections to reflect the actual risk may be a more appropriate approach: it avoids costly negotiations over security provisions that provide only incremental or no real additional protection, and it likely decreases the overall time needed for negotiations.
One-size seldom fits all in real life. My suggestion is that businesses consider a scaled approach to information security, while, of course, still complying with all legal and regulatory requirements for the relevant data. It does not make sense to use the same level of protection for a very minor, even incidental, contact with sensitive information as that required in an engagement where a vendor will be hosting the entirety of a business’ customer database and transaction data.