When is the last time you read – or even thought about – the third-party service provider agreement you signed? The typical terms include an important non-disclosure section where the provider agrees to safeguard your confidential information.
Among other things, they usually agree not to disclose your valuable trade secrets or compromise your company’s competitiveness. When your relationship ends for whatever reason, your provider agrees to return the confidential information you shared with them. Obviously, the terms are more complex than this so I’ll leave that to the attorneys to dissect.
But you see where we’re going. This is where things get messy.
Sharing Information is Easy. Getting It Back Isn't.
There was a time not so long ago when the information hand-off followed a simple straight path. Documents were physical paper carefully passed person-to-person. Then paper thankfully became digital versions that were efficiently emailed.
At the same time, internal company networks became more robust, providing easier access to information anytime, anyplace. Software-as-a-service offerings like Dropbox, OneDrive, and Google Drive created convenient information storage and sharing. Document management on both sides became less structured, secure, and consistent.
What About Third-Party Providers' Backups?
Every reputable third-party provider understands how valuable your information is, and their practices should reflect that. Reliable data backups ensure that your information is stored securely and recoverable if needed.
That also means that your proprietary secrets will remain with the provider after your relationship has ended. Removing your specific company’s information from all backup copies is difficult, time-consuming, and costly for your provider. It's unlikely that this is something they do.
Internal company server backups provide responsible oversight and access to your data -- if your provider implements proper controls. These backup copies often look like the file organization that you see on your own network server drives. Anyone with access to the backup can easily find your confidential files.
SaaS application backups, on the other hand, make it virtually impossible to identify discrete data. They are a single collection of massive amounts of unordered data that cannot be tied to any one company.
What does the agreement say about the return of every instance of your confidential information?
Where Does Your Confidential Information Live?
Every service provider has their own process for managing your information. That means that you need to ask them specific questions about protecting and returning your information before you sign their agreement.
"We'll return your information and protect your confidentiality for x period of time after the relationship ends" isn't good enough.
Here are 10 questions to start your data protection conversation.
1. Where do you store the information we provide (e.g., internal company network server, third-party server, SaaS applications, desktops or laptops)?
2. How do you manage user access to our information? The answer should be the Principle of Least Privilege. This means that the files are organized in such a way that only those users who are actively assigned to your account have access to your information.
3. How do you ensure that former employees no longer have access to our files? They should have a documented employee offboarding procedure that they share with you.
4. Is our company's confidential information regularly backed up? How often? Where are the backups stored?
5. Who has access to these backups?
6. How long are both full and incremental backups retained?
7. After our relationship ends, who has access to backups that might compromise our confidentiality?
8. What measures do you have in place to safeguard our confidentiality?
9. Is any of our company's confidential information stored on SaaS applications such as Dropbox, OneDrive, or Google Drive? If so, how is user access managed?
10. Are login credentials (username and password) for our files stored in a password manager? If so, what procedures do you have in place to immediately remove our credentials after the relationship has ended?
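The second and third questions above (least-privilege access to your files, and prompt removal of former employees) are ones a provider can actually verify rather than just promise. The following script is an added example, not code from the original post or from any provider: it reconciles who can read each client folder against who is actively assigned to that client's account and against HR's offboarding list, and reports every user whose access is not justified. The folder paths, user names and rosters are constructed sample data; the folder-name-equals-account-name convention is an assumption made for the example.

```python
"""Added example (not from the original post): reconcile who can read a client's
files against who is actively assigned to that client's account.

All data below is constructed for illustration. In practice the ACL would come
from the file server (icacls or getfacl output, for instance) and the rosters
from HR and the account-assignment system.
"""
from dataclasses import dataclass

# Constructed sample: who currently has read access to each client folder.
FOLDER_ACL = {
    "/shares/clients/acme": {"alice", "bob", "carol", "dave"},
    "/shares/clients/globex": {"bob", "erin"},
}

# Constructed sample: who is actively assigned to each client account.
ACCOUNT_ASSIGNMENTS = {
    "acme": {"alice", "bob"},
    "globex": {"erin"},
}

# Constructed sample: users whose offboarding has been recorded by HR.
OFFBOARDED_USERS = {"dave"}


@dataclass(frozen=True)
class Finding:
    folder: str
    user: str
    reason: str  # "offboarded" or "unassigned"


def client_of(folder: str) -> str:
    """Map a client folder path to its account name.

    Assumption for this example: the last path component is the account name.
    """
    return folder.rstrip("/").rsplit("/", 1)[-1]


def audit_access(acl, assignments, offboarded):
    """Return one Finding per (folder, user) pair that violates least privilege.

    The two reasons are kept separate because they have different owners:
    "offboarded" is a failure of the offboarding procedure (question 3),
    "unassigned" is a failure to scope access to the people actually working
    the account (question 2). Results are sorted so reports are stable.
    """
    findings = []
    for folder, users in sorted(acl.items()):
        assigned = assignments.get(client_of(folder), set())
        for user in sorted(users):
            if user in offboarded:
                findings.append(Finding(folder, user, "offboarded"))
            elif user not in assigned:
                findings.append(Finding(folder, user, "unassigned"))
    return findings


if __name__ == "__main__":
    for f in audit_access(FOLDER_ACL, ACCOUNT_ASSIGNMENTS, OFFBOARDED_USERS):
        print(f"{f.folder}: {f.user} has access but is {f.reason}")
```

Run against the constructed data it reports three findings: carol and dave on the acme folder (one never assigned, one offboarded but still present in the ACL) and bob on the globex folder, which he can read despite only being assigned to acme. An empty result is the evidence you want a provider to be able to produce on request, and again at offboarding time when your relationship ends.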
Wrapping It Up
The answers to these and other questions will ensure your service agreement is in line with today’s information management practices. Remember: Even the best questions aren't a substitute for your business attorney's review -- before you sign.