1
00:00:00,005 --> 00:00:02,009
- [Instructor] As organizations begin to increasingly

2
00:00:02,009 --> 00:00:06,002
use vendors for services that include the storage,

3
00:00:06,002 --> 00:00:09,005
processing, and transmission of sensitive information,

4
00:00:09,005 --> 00:00:11,008
they must pay careful attention to the vendor's

5
00:00:11,008 --> 00:00:14,000
information management practices.

6
00:00:14,000 --> 00:00:18,004
Data ownership issues often arise in supplier relationships,

7
00:00:18,004 --> 00:00:21,000
particularly when the vendor is creating information

8
00:00:21,000 --> 00:00:23,000
on behalf of the customer.

9
00:00:23,000 --> 00:00:25,001
Agreements put in place prior to beginning

10
00:00:25,001 --> 00:00:27,006
a new vendor relationship should contain

11
00:00:27,006 --> 00:00:30,004
clear language around data ownership.

12
00:00:30,004 --> 00:00:32,004
In most cases a customer will want

13
00:00:32,004 --> 00:00:34,008
to ensure that the customer retains

14
00:00:34,008 --> 00:00:37,004
uninhibited ownership of the information

15
00:00:37,004 --> 00:00:40,000
and that the vendor's right to use the information

16
00:00:40,000 --> 00:00:44,003
is carefully limited to activities performed on behalf of

17
00:00:44,003 --> 00:00:47,000
and with the knowledge and consent of the customer.

18
00:00:47,000 --> 00:00:49,000
In addition, customers should ensure

19
00:00:49,000 --> 00:00:51,000
that the contract includes language

20
00:00:51,000 --> 00:00:53,006
that requires the vendor securely delete

21
00:00:53,006 --> 00:00:56,004
all customer information within an acceptable

22
00:00:56,004 --> 00:00:59,009
period of time after the relationship ends.

23
00:00:59,009 --> 00:01:03,000
One particular area of concern is data sharing.

24
00:01:03,000 --> 00:01:05,005
Customers should include language in vendor agreements

25
00:01:05,005 --> 00:01:07,006
that prohibits the vendor from sharing

26
00:01:07,006 --> 00:01:09,009
customer information with third parties

27
00:01:09,009 --> 00:01:12,007
without explicit consent from the customer.

28
00:01:12,007 --> 00:01:14,004
Finally, the customer should include

29
00:01:14,004 --> 00:01:17,006
data protection requirements in the contract.

30
00:01:17,006 --> 00:01:19,008
This is particularly important if the vendor

31
00:01:19,008 --> 00:01:23,000
will be the sole custodian of critical information

32
00:01:23,000 --> 00:01:24,008
belonging to the customer.

33
00:01:24,008 --> 00:01:27,000
The contract should specify that the vendor

34
00:01:27,000 --> 00:01:30,001
is responsible for preserving the information

35
00:01:30,001 --> 00:01:32,004
and implementing appropriate fault tolerance

36
00:01:32,004 --> 00:01:35,005
and backup procedures to prevent data loss.

37
00:01:35,005 --> 00:01:38,004
In cases where the information is especially critical,

38
00:01:38,004 --> 00:01:40,005
the agreement may even include provisions

39
00:01:40,005 --> 00:01:43,001
that specify the exact controls

40
00:01:43,001 --> 00:01:46,001
the vendor must put in place to protect information.