Several years ago, a major manufacturer that was spending thousands of dollars per year to securely destroy competitive trade information discovered that many of its local tooling companies and equipment suppliers were putting that same information in the trash. It went on for years by the time the problem came to light. And when it did, it was learned that the manufacturer had nothing in its vendor contracts or purchase orders that addressed information security, access control, or secure destruction.
Too often, vendors are entrusted with highly sensitive competitive information and there is little or no attempt to make sure they are properly protecting it. Unlike personal information where regulations require it to be protected, in a vendor relationship that has the potential to compromise competitive trade information, there is no such requirement. The only one in harms way is the organization itself.
Consider these hypothetical examples:
- ABC Manufacturing has designed a major packaging innovation for one of its products. To implement the innovation, it shares it with the vendor making its boxes. The box company immediately sees that this packaging innovation may be able to attract new customers, some of which compete with ABC.
- ABC Manufacturing uses two national long-haul trucking companies to deliver all its products. Both trucking companies, therefore, have information on amounts of product shipped and to which customers, both of which would be very valuable to ABC’s competitors.
- The cleaning service hired by ABC Manufacturing to tidy up the offices in the evening has access to the cluttered desks, wastebaskets, secure shredding consoles and stored records.
In all three cases, vendors who have nothing to do with data protection represent a potential leak of trade secret information. And, unfortunately, in the vast majority of cases, the contracts, purchase orders or other agreements that govern these relationships have no provisions, expectations, or any mention whatsoever of the vendor’s (and its employee’s) requirements to protect that information.
And it’s not only the competitive information itself that is at risk. Had there been a serious challenge to that manufacturer’s intellectual property rights, this lapse in ensuring such vendors had agreed in writing to protect the information would have undermined its right to claim intellectual property protections. The many precedents for this are based on the principle that a company cannot rely on the court to defend intellectual property if it is not itself protecting it. Stated more succinctly, for the court to recognize it as trade secret information, the owner must show they were securing it accordingly.
What to Do?
Most organizations need to take a new and more serious look at how all vendors are required to protect the information they will inevitably come across in the performance of their services.
Every organization should have some written understanding of the purchase orders, terms and conditions, or contracts it uses with all its vendors, assuring the security of the information to which the service provider and its employees will have access.
Some of the more important stipulations would be a simple recital that the service provider acknowledges its employees may encounter proprietary information and that they are bound by a written employment agreement to keep it confidential. Remember, taking reasonable steps to protect it in all cases is as critical to its security as it is to the ability to protect it in court.
To that end, for vendors who will be exposed to information with a higher sensitivity, such as product development, sales strategies and customer lists, more specifics are required. This would include specifications like criminal background screening of employees, their information management practices, and instructions on access control and secure disposal.
In the end, the goal is to ensure they are taking your organization’s information security as seriously as you do.
Of course, one option is to let Shred Vault help. Not only can we make sure your organization’s information is securely destroyed, but by referring us to all your vendors, you get the benefit of knowing they are too. And, if experience has taught us anything, it’s that they will thank you for doing so.
Contact Shred Vault today to learn how we help improve your vendors’ data security!
© 2023 Shred Vault, LLC – All Rights Reserved