A few weeks ago a company called Fly Clear went out of business. For those of you unfamiliar with this particular company, its mission was to speed you through the airport security lines by pre-clearing you with the government and issuing you a special card that would take you to the front of the line. In the process of clearing you for this privilege the company collected very important personal information, such as your biometrics: fingerprints, retina scans, etc. The first question that most Fly Clear users are probably asking is: what will happen to all my data? Can Fly Clear guarantee that it does not fall into the wrong hands or become public? How will my privacy be preserved? Fortunately, according to its Web site, Fly Clear appears to be working with Verified Identity Pass, Inc. and the Transportation Security Administration (TSA) to secure information for deletion or future use in another Registered Traveler program operated by a TSA authorized service provider.

This is a great example, however, of what companies need to think about when it comes to the governance and securing of data when there is a third party involved. Take those same user concerns about the storage and privacy of data and multiply them ten- fold and you have the picture of outsourcing corporate records "“ or as I like to call it "records in the cloud." Many companies are jumping onto the "˜cloud' bandwagon. Salesforce.com is one of the most common ways for companies to manage their sales leads. Microsoft Office Online and Google mail are gaining in popularity. It is very appealing to give up responsibility for the infrastructure, for the nightmare of upgrades, and at first glance-- the responsibility. The responsibility however does NOT go away. In fact, putting information in the hands of the third party requires great thought.

Before deciding to put information in the hands of a third party, it is important to understand what they do with that information. How is your disposition policy adhered to? What is their back up practice? Where does the infrastructure reside? How is your information co-mingled with others or is it? What happens if they go out of business or are acquired (potentially by your competitor)? And as in the example of Fly Clear "“ what are the procedures to get information back the case that this occurs? If you fail to ask all the right questions and to ascertain that your information is treated correctly, you may have a number of legal and eDiscovery issues that you did not bargain for. In my next blog I will provide an initial check list of information you should be concerned with. In the meantime, I'd love to hear your thoughts and ideas.