Information governance focuses a lot of time and attention on internal compliance with law and company policy and the protection/security of corporate information. One aspect of protecting/securing corporate information is to protect/secure it where it lives, which may not be just within the corporation.
“Firms Raise Hacking Defenses,” Wall Street Journal, October 27, 2014 B5. are looking at how one group of vendors control access and use of the bank’s information: the outside lawyers.
Do your vendors follow your information policies and record retention and disposal processes? If you have litigation or an investigation, you likely have a duty to preserve and produce relevant information in the hands of your vendors. Do you audit them, too?