Big company agreements for the inbound procurement of stuff

08 Sep 18
Big companies have procurement departments that use supplier contracts containing clauses like the following. This one comes from an actual big-company supplier agreement, presented as "non-negotiable", for the purchase of off-site services; the same agreement already imposes robust confidentiality obligations on the supplier:

Supplier will: (a) designate one employee to be in charge of Supplier’s information security program; (b) maintain adequate physical security of all premises in which BIGCO Information will be processed and/or stored including that physical media containing such records is stored in locked facilities, storage areas or containers; (c) implement reasonable precautions with respect to the employment of, and access given to, Supplier personnel and contractors, including background checks; screening; security clearances that assign specific access privileges to individuals; training and security awareness programs for personnel and contractors; monitoring personnel and contractor compliance with policies and procedures; imposing disciplinary measures for violations of such policies and procedures; preventing terminated personnel and contractors from accessing systems or records containing BIGCO Information; and prohibiting Supplier personnel and contractors from bringing, transporting or transmitting BIGCO Information to their homes, or personal computers, e-mail accounts, devices or media; (d) impose reasonable restrictions on access to records containing BIGCO Information, such that BIGCO Information is only accessible to Supplier personnel and contractors on a need-to-know basis; (e) encrypt BIGCO Information with industry best practice encryption levels at all times while in transit over a public network or wireless network, while stored on a laptop or portable storage media or while stored on computing equipment that is connected to the Internet; (f) upon deletion of electronic BIGCO Information, at a minimum, ensure that computers and other media which may contain any BIGCO Information be overwritten with at least a single-string “wipe”; that offline queue computers’ memory that may contain any BIGCO Information be overwritten with, at a minimum, the number of strings of code as specified in the then-current U.S. Department of Defense standard for deletion of electronic information; and that any other computers or media on which any BIGCO Information may be contained be overwritten in a manner appropriate to the circumstances (but in no event less than a single-string wipe); and (g) adopt up-to-date and leading edge technologies in consultation with, or otherwise at the request of, BIGCO for the safe, secure and accurate collection, processing, storage and distribution of BIGCO Information.

If there's a breach of confidentiality, the supplier is liable. If there's not a breach of confidentiality, then none of the above matters.