• United States



Off-site records storage vendors not making the grade

Apr 12, 20072 mins
Data and Information SecurityIT LeadershipPhysical Security

Most businesses today do a reasonably good job of securing sensitive information on their servers.  Specifically, personally identifiable information of consumers is finally receiving the attention it deserves – at least by most companies.  Businesses are taking their responsibility as stewards of the information entrusted to them more seriously.  Given the foregoing, it is amazing how few companies think about data security when they entrust their records to a third party vendor for off-site, long-term storage.

Those attempting to address this issue will find a sharp disconnect between the approaches off-site storage vendors take in their agreements regarding security and the rest of the world.

That is, some storage vendors seem to have missed the last several years of laws, regulations, and headlines regarding just how important data security really is.  Some of these vendors offer little more protection in their agreements than one would receive at a monthly container rental facility alongside the interstate.  Something needs to be done.

Businesses need to look more closely at their off-site storage vendors, conduct appropriate due diligence, and require specific language in their agreements regarding the vendor’s obligations concerning information security.  To stay competitive, storage vendors are going to have to step-up to the plate on security issues, including being able to furnish their customers with written evidence of their security procedures and the results of recent security audits.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author