If you have been reading my postings for the last several years, you know I am hardly one to be lax when it comes to information security measures, particularly when information will be shared with business partners and vendors. That said, I am finding a common overreaction among businesses to this issue.

Sophisticated businesses have now developed form information security language for inclusion in their business partner and vendor agreements. That language is frequently very extensive, designed to cover the myriad of business and regulatory issues that arise when they entrust their most sensitive information to a third party. The overreaction I am referring to is when a business has reduced the analysis of whether to require all of these extensive provisions to a binary question: Is any sensitive information at risk, regardless of how limited? If the answer is "yes," all security language is required. If the answer is "no," the security language can be foregone.

Let me be more specific. Businesses have developed very thorough contractual language to protect their highly confidential information. The overreaction we are seeing is that those businesses frequently use an all-or-nothing approach to the use of this language. If "any" personal information is at risk, even if it is very basic information involving, say, customer names, the entirety of the extensive information security language is required. There is no scaling of the language depending on the actual risk presented.

I am not saying that customer names aren't deserving of protection; rather, I am merely trying to highlight the problem of the all-or-nothing approach. I suggest that scaling the required protections to reflect the actual risk may be a more appropriate approach: it can avoid costly negotiations over security provisions that provide only incremental or no real additional protection, and it will likely decrease the overall time for negotiations.

One size seldom fits all in real life. My suggestion is that businesses consider a scaled approach to information security, while, of course, still complying with all legal and regulatory requirements for the relevant data. It does not make sense to use the same level of protection for a very minor, even incidental, contact with sensitive information as that required in an engagement where a vendor will be hosting the entirety of a business' customer database and transaction data.