Can You Trust Your Vendor?

By Elizabeth Bennett  |  Posted 2003-03-01
For the next year, you're going to be joined at the hip with the consultants redesigning your network. You know they can do the job. But can you trust them with the piles of confidential data you'll be sharing during the project?

Defining precisely what information is confidential is critical, according to Susan Meyer, a contracts attorney for Latham & Watkins, LLP.

This should be done up front in a nondisclosure agreement (NDA), and updated during a project. "If you say, 'All information is confidential,' you may as well not have the document," she says. With so much information publicly available, identifying exactly what you're trying to protect will serve both parties and reduce the likelihood of misunderstanding or confusion, Meyer says.

But there's a fine line between protecting data and withholding it from people you've hired to make basic changes to your business or operations.

For vendors, getting the right information can be difficult, "not because companies think it will get out, but because they're afraid it's going to give the vendor a key piece of information that will reflect poorly on the company," says Tom Pisello, CEO of Orlando, Fla.-based consulting firm Alinean. But if you expect vendors to produce accurate and substantive work, Pisello says, they will need all relevant information—good, bad and ugly.

It may in fact be rare for a vendor to breach an NDA purposely. "Vendors often make their living in small niches of the industry," says Bud Porter-Roth, a business process management consultant. "They trade on their name and reputation, and if they screw up, the word will get out."

Reference: Eight Rules for Data Confidentiality

A mutual NDA may seem smart, but it's not always the best solution. If you're working with a software vendor, for example, don't create an obligation to protect their information, which you don't need or want anyway. Cover your own assets with a one-way agreement. For joint ventures or other complex, long-term projects, a mutual NDA may be more appropriate.

If you rely on an outside firm to supervise some of your information systems, your data is at risk. You cannot be too clear about what is confidential. What do you want to protect, and what information would be the most damaging were it to be used without your permission? Decide which communications (e-mail, verbal, instant messages) should be considered confidential.

SING IT: FOR YOUR EYES ONLY

This should be the soundtrack for both your request for proposal and your nondisclosure agreement. Make sure the only people who have access to your data are those directly involved with your project.

For substantive results, you need an open relationship with your vendor. You don't want to prevent suppliers from doing their jobs by limiting information; on the other hand, a healthy paranoia could serve you well. If you like your vendor, it may be tempting to involve the outfit in unrelated matters, but it's probably not worth jeopardizing your data.

You may think all intellectual property created for you is yours, but you may not always be able to claim sole ownership. A vendor may say, "Hey, I created this widget, and I should be able to take that knowledge to my next client." There are no easy answers to such questions, says attorney Susan Meyer. Try to identify and discuss such gray areas before the project begins.

Encourage commitment by holding vendors fiscally accountable. Try tying formal compensation, not just bonuses, to performance. "There was a lot of money spent in the go-go days and people failed to see the impact. Now vendors are being held incredibly accountable," says Tom Pisello of Alinean, a return-on-investment consultant. Create baselines prior to the project's start and hold vendors accountable for failures. Of course, don't forget to reward them for successes, as well.

After meetings and conferences, you may want to follow up with a note saying, "The information you received in the meeting is confidential." If you don't want your information used in any form—for training or a case study, say—make sure it says so in the initial nondisclosure contract.

Proving an NDA breach can be very difficult. If you think your vendor has divulged or is using confidential information for secondary purposes, assess the current and potential damage before spending time and money on legal proceedings.

Sources: Latham & Watkins, LLP; Porter-Roth Associates; Alinean