• United States



Legal Trend Toward Meaningful Document Destruction Requirements in Vendor Relationships

May 06, 20102 mins
Data and Information Security

A growing trend at both state and federal levels is the enactment of laws and regulations imposing obligations on businesses to ensure sensitive, personally identifiable information is permanently destroyed or irretrievably erased when it is no longer necessary to maintain it, when it resides on media that will be discarded or no longer used, when it resides on equipment that will sent out for maintenance or taken out of service, etc.  In particular, these obligations must be reflected in relevant third party vendor agreements.  That is, if an outsource vendor must transfer personally identifiable information to some form of removable media, the vendor must be contractually bound to scrub that media of the information once it is no longer needed.  It is that type of contractual obligation regarding destruction that is frequently overlooked in vendor engagements.  While businesses are exercising greater care in ensuring confidentiality and security are addressed in their vendor agreements, they either omit destruction obligations entirely or give them only a vague reference.  In light of recent laws and regulations (e.g., in Massachusetts, California, HITECH, FACTA, etc.) and evolving industry best practices, something more is needed.I suggest specific references to applicable statutes or standards for destruction should be included in all relevant agreements.  Language like the following could be used:

On Company’s written request or as soon as Vendor no longer needs to retain Customer Information in order to perform its duties under this Agreement, Vendor will promptly return or irretrievably destroy or erase all originals and copies of Customer Information in compliance with applicable law and best industry practices for the destruction or erasure of this type of information, but in event less than the level of care set forth in ____________________.

The blank, above, can be filled in with any specific, relevant regulatory or industry standard.  A few examples:  (i) the Fair and Accurate Credit Act of 2003 (FACTA) and the related FTC Regulation 16 CFR part 682; (ii) the Health Information Technology for Economic and Clinical Health (HITECH) Act; (iii) NIST Special Publication 800-88, Guidelines for Media Sanitization; or (iv) DoD 5220-22-M Standard.  By ensuring data is properly destroyed or erased, businesses and their vendors can both limit their ongoing risk and ensure regulatory compliance.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author