A growing trend at both state and federal levels is the enactment of laws and regulations imposing obligations on businesses to ensure sensitive, personally identifiable information is permanently destroyed or irretrievably erased when it is no longer necessary to maintain it, when it resides on media that will be discarded or no longer used, when it resides on equipment that will be sent out for maintenance or taken out of service, etc. In particular, these obligations must be reflected in relevant third party vendor agreements. That is, if an outsource vendor must transfer personally identifiable information to some form of removable media, the vendor must be contractually bound to scrub that media of the information once it is no longer needed. It is that type of contractual obligation regarding destruction that is frequently overlooked in vendor engagements. While businesses are exercising greater care in ensuring confidentiality and security are addressed in their vendor agreements, they either omit destruction obligations entirely or give them only a vague reference. In light of recent laws and regulations (e.g., in Massachusetts, California, HITECH, FACTA, etc.) and evolving industry best practices, something more is needed.

I suggest specific references to applicable statutes or standards for destruction should be included in all relevant agreements. Language like the following could be used:

On Company's written request or as soon as Vendor no longer needs to retain Customer Information in order to perform its duties under this Agreement, Vendor will promptly return or irretrievably destroy or erase all originals and copies of Customer Information in compliance with applicable law and best industry practices for the destruction or erasure of this type of information, but in no event with less than the level of care set forth in ____________________.

The blank, above, can be filled in with any specific, relevant regulatory or industry standard.
A few examples: (i) the Fair and Accurate Credit Act of 2003 (FACTA) and the related FTC Regulation 16 CFR part 682; (ii) the Health Information Technology for Economic and Clinical Health (HITECH) Act; (iii) NIST Special Publication 800-88, Guidelines for Media Sanitization; or (iv) DoD 5220-22-M Standard. By ensuring data is properly destroyed or erased, businesses and their vendors can both limit their ongoing risk and ensure regulatory compliance.