Thursday, August 18, 2011

Personal Data Protection and Liability

A relatively recent issue for procurement is the protection of personal data. Many countries and states rushed to enact laws placing responsibilities on companies whose holdings of personal data are breached. It is estimated that the cost per breached record is in excess of $200, and the cost of a single breach can run into the millions of dollars.

In these electronic times the question is which procurement contracts need to address data protection. The most obvious case is when you are buying a service or have an outsourcing contract under which the supplier will be receiving, collecting, or holding individuals' personal data.
The issue of personal data goes well beyond that. I remember reading about a police department that had scrapped or traded in a number of copy machines they used, where significant personal data and information about ongoing investigations was stored in the copiers' memory. Those copiers were about to be resold in third-world markets. In fact, any device that stores data could potentially be storing personal data.

As the issue is fairly new, one of the most traditional ways of protecting against financial risk, insurance, has only recently started to offer coverage for it. The issue for insurers is how to understand and quantify the risk and its potential cost impact. There are also a huge number of companies that sell software to try to protect data against intrusion or copying. The real question is how you protect against it.

The first time I ran into the issue was when I was negotiating a disk drive agreement. The law department generated new language to be included in agreements to transfer liability to the supplier. The supplier was adamant about not accepting liability, so I found myself in the middle, which seems to be a place where I frequently found myself. I have a practical side and decided to look into what we had been doing in the past to manage it.

What I found was that in our sales terms with our customers we disclaimed any liability for data and instructed them to wipe disks before returning any to us. We would then wipe the disk clean before sending it to the supplier. The supplier, because they could not manage return of the disk to the original customer and wanted to use repaired drives for warranty replacement, had as the first step in their process the requirement to also wipe the disk clean. The problem is that with disks or other forms of memory you can never totally eliminate the information stored; all you can do is try to make it unreadable by writing over it many times.
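As an added illustration, not part of the original post or of either company's actual process, the following Python models the wipe step described above and adds the check a receiving party would want: overwrite a "returned drive" (here, an ordinary file standing in for the device) several times, then read it back and scan for the kind of record that was on it. The sample records and the pattern they are matched against are constructed for the example. One caveat for real media: an overwrite only reaches the sectors the drive still presents, so remapped sectors and an SSD's spare area are not touched; the drive's own secure-erase command or physical destruction is the safer route there.

```python
"""Overwrite-and-verify for a returned drive, modelled as a file.

Added example, not the blog's own procedure. It illustrates the two steps the
post describes (the vendor wipes, the supplier wipes again) plus a read-back
check. The "personal data" below is a constructed sample.
"""
import mmap
import os
import re
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write/read granularity

# Constructed sample of the kind of records a returned disk might still hold.
SAMPLE_RECORDS = (
    b"name=Jane Doe;ssn=123-45-6789;dob=1970-01-01\n"
    b"name=John Roe;ssn=987-65-4321;dob=1965-07-04\n"
)
# US-style social security number; the check a receiving party might run.
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def make_drive_image(path, size, records=SAMPLE_RECORDS):
    """Create a file standing in for a returned drive, with records scattered in it."""
    with open(path, "wb") as f:
        f.truncate(size)  # sparse zeros, as an unused region of a disk would read
        # Place the records at a few offsets, as leftover files would be.
        for offset in (0, size // 3, size - len(records) - 512):
            f.seek(offset)
            f.write(records)


def overwrite(path, passes=3):
    """Overwrite the whole image `passes` times: random data, then zeros on the last pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(bytes(n) if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure each pass reaches the medium


def residual_hits(path, patterns=(SSN_PATTERN,)):
    """Read the image back and count pattern matches still present."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return sum(len(pat.findall(m)) for pat in patterns)


def is_all_zero(path):
    """True if every byte of the image is zero, i.e. the final zero pass covered it."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def demo(size=1 << 20):
    """Build a sample image, wipe it, and report before/after residual matches."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "returned_drive.img")
        make_drive_image(path, size)
        before = residual_hits(path)
        overwrite(path)
        return {
            "hits_before": before,
            "hits_after": residual_hits(path),
            "all_zero": is_all_zero(path),
        }


if __name__ == "__main__":
    print(demo())
```

The read-back scan is the part the post's process lacked: neither party looked at the disk, so neither could say whether anything remained. Running a pattern scan before and after the overwrite gives a record, per drive, that the data known to be of concern is no longer readable through the device's normal interface.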

Another part of the supplier's concern was simple. The customer never told us when they returned the disk that it had personal data on it or that they hadn't erased the data. We never looked at what was on the disk either. We just did additional erasing of the disk. So there was no way to advise them that there was in fact personal data still remaining on the disk that required protection. They also didn't look at what was on the disk, so they didn't know what it contained and couldn't manage it differently from their normal process.

Then I thought about how you could provide 100% assurance that it wouldn't be disclosed. The only way to completely protect it would have been to totally destroy the disk. That would drive up the cost of warranty and the cost of the product. So that wasn't practical.

Everyone needs to reach their own conclusion, but in my opinion, for products that can store personal data, the prime responsibility for managing against disclosure has to rest with the owner of that product. Only they know what's on it. It's their data, and they should have the primary responsibility to protect it. The best a company can do is to have processes in place to provide some level of protection against those individuals who don't meet those responsibilities. Both we and the supplier were doing that.

I also came to the conclusion that where data protection requirements, and the resulting liability for failing to meet those requirements, best fit is when what you are buying is a service or outsourced activity that involves the collection, use or storage of personal data, or when you need to share personal data with a supplier for the performance of their duties. Make sure they are aware that it is personal data and as such requires a much higher standard of care. Treat it just as companies treat the confidential information they share, because that's what it is: the confidential information of the individual. Then expect them to be liable just as they would be if confidential information you provided them wasn't managed properly. Companies that agree to receive confidential information sign up to that liability every day. Liability for an individual's personal data should be no different.