
This Week in Privacy: Due Diligence on Confidential Policies

"This Week in Privacy" is a new column for in-house counsel who need advice on privacy and cybersecurity matters. K Royal is a director at TrustArc. To have your legal privacy questions answered, email with "This Week in Privacy" in the subject line.

Q: Do I really have to share all of my policies with customers for their due diligence in vetting me as a vendor? I consider my policies to be confidential.

A: In general, businesses have a legal duty to vet vendors that fall into certain categories. These include key suppliers for manufacturing and any vendor that will handle confidential personal information, such as protected health information under HIPAA (the Health Insurance Portability and Accountability Act of 1996), sensitive personal data from Europe, student data under FERPA (the Family Educational Rights and Privacy Act of 1974), and more.

One of the most basic ways to perform due diligence is to confirm that the vendor has appropriate measures in place, such as written policies. Many companies, however, consider their policies confidential.

A happy medium may be to write policies that are high-level and speak to the basics, then implement procedures, guides, playbooks, SOPs, or work instructions to execute on those policies. The detailed documents can be kept confidential, while the policies stay high-level enough to avoid disclosing confidential detail yet still satisfy the due diligence need. You may still need to provide some proof that the policies are actually followed, such as logs, training completion dates, and similar evidence. It is not a perfect solution, but it may ease the burden on both sides.

Another route is to certify or be audited against your policies and practices, for example ISO certification (ISO/IEC 27001 for information security) or a SOC 2 audit (System and Organization Controls). A SOC 2 Type II report in particular attests that the controls operated over a review period rather than merely being designed, which is the kind of proof many customers ask for. But no certification or audit process will be perfectly aligned with what every customer believes it needs to see. There should be a standard vetting service, but the ones currently available are not widely adopted.

So, yes: potential vendors often spend hundreds of hours of personnel time answering security questionnaires from every potential customer, time and budget that would otherwise go toward putting actual security practices in place.

About the Author

K Royal is a technology columnist and a director at TrustArc. @heartofprivacykroyal

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.