by Leonard A. Bellavia, Esq.

The Safeguards Rule of the Gramm-Leach-Bliley Act obligates businesses to protect consumer’s nonpublic personal information.  This obligation includes protecting nonpublic personal information shared with vendors during the course of business.  If, for example, your business contracts with a vendor to send direct mail to existing consumers, the vendor will require nonpublic personal information to do so, thereby triggering the Safeguards Rule.  In these circumstances, businesses must obtain written statements that comply with the Safeguards Rule from each vendor with whom the business shares such information.  In short, this written statement outlines the vendor’s Safeguards Rule compliance efforts.  However, the information you share with vendors is extremely valuable.  Besides obtaining what is necessary for Safeguards Rule compliance, you should take additional steps to make sure the vendor isn’t profiting from your customer’s information without your knowledge.

Here are some best practices you should consider when sharing your customer database with vendors:

  • Research the vendor: Most vendors solicit businesses through ‘cold calls’ or at displays at trade association meetings.  Before you agree to grant access to your database, perform additional research on the vendor.  Find out where the business is based and ask for references, both from businesses that have conducted business with the vendor in the past as well as bank references
  • Selectively push information to vendors: You should not transmit your entire customer database to vendors and allow them to ‘sort out’ the data.  For example, if a vendor is compiling an off-lease promotion, the vendor should only need the data for particular customers, and not your entire database
  • Limit vendor’s use of the database: Most vendors draft their contracts to allow them broad latitude to determine appropriate use of your customer database.  Such use may include reselling your customer database to unrelated third parties.  Make sure to review each vendor agreement to identify what possible uses the vendor may intend for your database and draft appropriate restrictions.  While you are reviewing the use provision of the contract, remember to review other provisions, such as choice of law, venue and jurisdiction.  If you do not, you may find that the contract significantly restricts your ability to sue to the vendor should a disagreement arise

We can help your company comply with the Safeguards Rule.  Please call us at 631-224-7000.