4 minutes
Seven steps to take to mitigate the risk of compromising personally identifiable information
With a high number of privacy rules and guidelines currently being enforced, how can a credit union use contract management software to mitigate risk and protect members’ personally identifiable information?
Legislation and regulations continue to evolve to protect consumer and other personal data considered private. Government organizations, such as the Federal Trade Commission, help prevent unfair and deceptive business practices. Recently, the FTC reported that it obtained 114 court orders against businesses with deceptive practices. Keep in mind, the European Union’s General Data Protection Regulation protects private data, and the Healthcare Insurance Portability and Accountability Act protects data related to an individual’s health. The credit card industry and the Security Standards Council published guidance for the industry to protect data related to payment transactions.
Even the US Government is publishing guidance for protecting personally identifiable information. The United States Office of the Management and Budget published guidance for safeguarding against, and responding to, the breach of personally identifiable information.
Clearly, organizations are under increased demands to safeguard private data.
Typically, this protected data includes:
- employee names
- mailing addresses
- e-mail addresses
- telephone numbers
- dates of birth
- driver’s license numbers
- healthcare data
- financial data
Each credit union should seek an attorney’s advice on compliance matters, but you can still implement the seven basic guidelines below to use contract management software to help prevent unauthorized use of disclosure of private consumer data.
Seven Steps for Effective Use of Contract Management Software
There are many affordable, yet robust, contract management software systems on the market. Be sure to find one that enables your organization to track the data fields you require as well as counter-party information and contract terms and conditions. Ensure it supports automated workflow alerts and has artificial intelligence to monitor contract compliance.
Follow these steps:
1. Have an attorney review your organization’s standard contract provisions and ensure the contracts include a provision that limits your vendors’ and counterparties’ use of your organization’s private data, including data about your credit union’s members. Also, include a clause that your organization’s data is considered private and confidential and that the data processor cannot utilize or sell the data for any purpose other than to fulfill its obligations under its agreement with your organization.
2. Hold the processor accountable. Include language that the data should be encrypted and securely stored. With modern contract management software, these clauses can be built with rules-based clauses and drafted using your organization’s contract templates.
3. Ensure that each vendor, sub-contractor, and sub-processor that your organization shares confidential data with has restrictions on data use in the primary agreement between each party.
4. Ensure the contract software system has fields to track if your organization shares your consumer or financial data with a counter-party and set an alert to be notified when this information is entered into the system. Fields such as “Share consumer data”, “Share financial data”, and “Share private data” are great fields to add. In addition, set an annual reminder to audit the firm to ensure compliance.
5. Set a task approval alert to notify a risk manager or legal professional when a “pending” contract is being considered if any private, consumer, or PII data is shared with the counterparty. This risk-based task can repeat annually or more frequently, based on your needs, to ensure proper risk and legal review prior to the contract being signed and binding.
6. Use artificial intelligence to automatically review and scan contract text for key words or phrases based on business logic and word sentiment configured in the artificial intelligence engine. For example, the artificial intelligence engine should automate the process (if possible) that a human legal reviewer performs, such as automatically locating high-risk keywords and phrases such as: “telemarketing,” “marketing,” “data disclosure,” “confidentiality,” “access to data,” “consumer records,” “data hosting,” “export of data,” and other terms or phrases your legal team would like the contract artificial intelligence engine to flag, providing proactive risk-based alerts.
7. Set up task alerts and monitor reports to renew contracts with vendors, terminate unwanted contracts, audit each counterparty for compliance, modify contracts as needed, and ensure proper disposal and return of data at, or before, termination.
Although the privacy protection rules and regulations vary by country, state/province and industry and pose unique challenges, following some basic steps and utilizing software built for contract management can help. Remember to always seek legal advice to ensure compliance with applicable laws and regulations.
Mark Nastasi is EVP of CobbleStone Software, Princeton, New Jersey, a leader in providing enterprise contract management and compliance software solutions since 1995. CobbleStone’s contract management solutions have been trusted by thousands and are currently used by leading, global enterprises in the finance sector, among many others. To learn to improve complex, time-consuming, and inefficient contract management processes, be sure to check out The 8 Critical Stages of Contract Management.