It’s important to retrieve non-public personal information (NPPI) after a contract has terminated. A great deal of attention goes to the issues and concerns raised when onboarding a new vendor, with emphasis on the security of a customer’s non-public and personal information.
How this data is handled and stored while the vendor relationship is active is often a key standard by which vendors are evaluated. However, remember that unless additional precautions are taken, the data could still be accessed by unauthorized users after contract termination.
Verify What Happens to Your Data
If you’re terminating a vendor relationship, you should consider the amount and type of data that the vendor holds on their servers. Since you can’t see the data yourself, ask these 3 questions:
- Where is it stored?
- Is it segregated from their other clients’ data?
- Do additional vendors (third or fourth parties) have access to it?
Consider this. Your organization’s data still resides on the vendor’s systems; the vendor may employ someone who has access to that confidential data, or may grant access to another vendor. Can anyone really know whether your data is being accessed, used or resold after termination?
Create a Plan to Receive Your Data
Follow these 4 steps to get your data back:
- Request digital shred: As you near the termination date of the contract with the vendor, a formal request should be submitted to the vendor asking them to digitally shred your data. An attestation should accompany this stating that the vendor can no longer access the data upon the successful completion of the shred service.
- Request for print shred: If the vendor stores NPPI in paper form in addition to the electronic form, then all paper should either be shredded or sent directly to you.
- Ensure everything is accounted for: Even after data is returned, you need to track where it is kept. The returned physical files, backup data tapes and the monthly data sent to vendors for quality control audits should all be accounted for. Performing a monthly or quarterly audit of the data you have shared is crucial to knowing where copies of NPPI are currently stored.
- Verify with a certificate: If your vendor has confirmed that your data is destroyed, request a certificate that confirms the destruction. The certificate verifies the status of the data and provides an additional level of assurance for your vendor oversight responsibilities. Proof is important!
Misplaced Data Affects Regulatory, Reputation and Financial Risk
There have been several reported instances of vendors improperly disposing of documents containing a customer’s confidential information, making it easy for someone to locate and steal that information.
In this scenario, the regulatory and reputational risk for both the organization and the third-party vendor is very serious, as it can lead to a significant physical data security breach.
Hopefully You Get Your Data Back
Regardless of the size of the vendor, always take the appropriate actions to trust but verify your vendor relationships. Initial due diligence is important, but a termination and exit strategy also needs to be thought through up front and included in the contract.
Never just assume the vendor will handle the data as you expect. Always verify that each vendor commits in the contract to destroying and returning all data in a satisfactory and compliant manner.
Are you prepared to handle it if your vendor suffers a data breach? Check out this infographic to help.