You’re about to share entry-level import data — HTS codes, duty amounts, supplier identities, sourcing countries, cost structures — with a third-party firm for IEEPA tariff recovery. That data, in the wrong hands, could reveal your competitive positioning, margin structure, and supply chain dependencies to anyone who knows how to read it.
This isn’t theoretical risk. The IEEPA recovery space has attracted firms of varying professionalism, and the pressure to act quickly before deadlines pass can tempt importers to skip the due diligence that protects their information. Don’t skip it.
Here’s what your confidentiality framework should look like — from the NDA through ongoing data security practices — for any IEEPA recovery engagement.
Why Import Data Is Commercially Sensitive
Before diving into protections, let’s be specific about what’s at risk.
What Your Import Data Reveals
| Data Element | Competitive Intelligence Value |
|---|---|
| HTS codes | Product specifications, material composition |
| Country of origin | Sourcing strategy, supplier geography |
| Entry values | Cost structure, landed cost per unit |
| Import volumes | Production scale, demand forecasting |
| Port patterns | Distribution network, logistics strategy |
| Supplier names (from commercial invoices) | Supply chain relationships, negotiating leverage |
| Duty rates paid | Tariff classification strategy, effective cost |
A competitor with access to your full entry data for the IEEPA period could reconstruct your sourcing strategy, estimate your margins, and identify your suppliers. An unscrupulous broker or consultant could use that data to solicit your business or your suppliers’ business. This isn’t paranoia — it’s basic competitive intelligence protection.
The IEEPA Recovery Context
The Supreme Court ruling created a defined pool of refundable duties — approximately $166 billion across all importers. That pool has attracted every category of professional services firm, from established trade law practices to newly formed consultancies to financial firms pivoting into claims purchasing.
The legitimate firms in this space take data security seriously. The opportunistic ones may not. Your NDA and security requirements are the filter that separates them.
The NDA: Essential Provisions
A good NDA for IEEPA recovery engagements should be mutual, specific to import data, and enforceable. Here are the provisions that matter most.
Definition of Confidential Information
The NDA must explicitly define import data as confidential. Generic confidentiality language — “all information shared during the engagement” — may not be specific enough to cover entry-level data, HTS codes, and trade data if challenged.
Recommended language should include:
- Entry summary data and entry numbers
- Customs duty amounts and tariff classifications
- Country of origin information
- Supplier and manufacturer identities
- Import volumes and values
- Trade routes and port-of-entry patterns
- ACE portal data including ES-003 reports
- Any data derived from the above (analyses, summaries, projections)
Permitted Use Restrictions
The data can only be used for the specific, stated purpose — analyzing and supporting your IEEPA tariff recovery. Any other use should be explicitly prohibited, including:
- Market research or competitive analysis
- Solicitation of your suppliers or customers
- Aggregation with other clients’ data for publications or marketing
- Sale or transfer to third parties without express written consent
- Internal business development using your data as a case study (without anonymization and consent)
Non-Solicitation
The firm should agree not to use information gained during the engagement to solicit your suppliers, customers, or customs broker relationships. This is especially important with firms that serve multiple importers in your industry.
Data Handling Requirements
The NDA should specify minimum data handling standards:
- All data transmitted via encrypted channels
- Data stored in access-controlled, encrypted systems
- Access limited to named individuals working on your engagement
- No copies on personal devices without authorization
- Audit trail of data access maintained
Return and Destruction
At the conclusion of the engagement (or upon your request at any time), the firm must:
- Return all original data and copies to you, OR
- Destroy all data in their possession and certify destruction in writing
- Purge data from backups within a defined period (typically 30-90 days)
- Retain only what’s legally required, with continued confidentiality obligations
Breach Notification
The firm must notify you within 24-72 hours of discovering any breach, unauthorized access, or potential compromise of your data. The notification should include:
- Nature and scope of the breach
- Data elements potentially affected
- Steps taken to contain the breach
- Remediation plan
Term and Survival
Confidentiality obligations should survive the end of the engagement by at least 2-3 years. Some provisions — particularly regarding competitive use of your data — should survive indefinitely.
Remedies
The NDA should acknowledge that a breach of confidentiality may cause irreparable harm and that injunctive relief (in addition to monetary damages) is an appropriate remedy. This gives you faster enforcement options than a standard breach of contract claim.
Beyond the NDA: Technical Data Security
An NDA is a legal framework. Technical security measures are the practical implementation. Both are necessary.
Encryption Standards
In transit: All data shared between you and the firm should use TLS 1.2 or higher encryption. In practice, this means:
- Secure file sharing platforms (not email attachments for sensitive data)
- HTTPS-only web portals
- Encrypted email if email is used (S/MIME or PGP)
At rest: Data stored by the firm should be encrypted using AES-256 or equivalent. This applies to:
- File storage systems
- Database records
- Backup media
- Any derived analyses or reports containing your data
Access Control
The firm should implement the principle of least privilege — each person has access only to the data they need for their specific role. Ask for confirmation of:
- Named individuals with access to your data
- Role-based access controls (not everyone in the firm can see everything)
- Multi-factor authentication for data access systems
- Regular access reviews to remove personnel who no longer need access
Transmission Methods
For sharing entry-level data, insist on one of these methods:
| Method | Security Level | Appropriate For |
|---|---|---|
| Secure client portal | High | Ongoing data exchange |
| Encrypted file sharing (e.g., secure link) | High | One-time large file transfers |
| Encrypted email | Moderate | Small files, non-entry-level data |
| Standard email attachment | Unacceptable | Never use for import data |
| Physical media (USB) | Variable | Only with encryption and chain of custody |
If a firm says “just email it over,” push back. Unencrypted email passes through multiple servers, can be intercepted, and creates permanent copies you can’t control.
Vendor Security
If the firm uses third-party tools or cloud services to store your data, those vendors’ security is your concern too. Ask:
- Which cloud platforms are used for data storage?
- Do those platforms have SOC 2 or equivalent certifications?
- Is data stored in the United States or internationally?
- Are subprocessors bound by equivalent confidentiality terms?
Industry-Specific Considerations
Certain industries have additional data sensitivity factors in the IEEPA context.
Pharmaceutical and Chemical Importers
Your entry data may reveal proprietary formulations through HTS classifications. Chemical compound classifications and pharmaceutical ingredient sourcing data have heightened sensitivity. Additional protections — such as anonymized initial analysis before sharing full detail — may be appropriate.
Defense and Dual-Use Products
If any of your imports include items subject to EAR (Export Administration Regulations) or ITAR (International Traffic in Arms Regulations), your import data may have additional regulatory sensitivity. Confirm that the firm’s data handling complies with applicable export control requirements.
Retail and Consumer Products
For retail importers, entry data can reveal upcoming product lines, pricing strategies, and vendor relationships that are competitively sensitive. If the advisory firm also serves your competitors, insist on firewalled engagement teams with no cross-pollination.
Small and Mid-Market Importers
Smaller importers sometimes assume their data isn’t valuable enough to warrant serious protection. That’s a mistake. A small importer’s entry data may be even more revealing than a large firm’s, because it represents a higher percentage of total operations. And the consequences of a data breach — loss of a key supplier relationship, for instance — can be proportionally more damaging.
The Data Sharing Workflow
Here’s a practical step-by-step process for sharing data securely during your IEEPA recovery:
Step 1: Execute the NDA (Day 1)
Before any data changes hands, sign the mutual NDA. Most firms can execute within 24-48 hours. If they can’t produce an NDA promptly, that’s either a red flag or a sign of disorganization — neither is encouraging.
Step 2: Confirm Technical Protocols (Day 1-2)
Agree on transmission methods, storage standards, and access controls. Get written confirmation of who will have access.
Step 3: Share Preliminary Data (Day 2-3)
Start with the minimum data needed for initial qualification: company profile, estimated import volume, product categories, countries of origin. No entry-level detail at this stage. This is sufficient for the initial assessment intake.
Step 4: Share Detailed Data (Day 3-7)
After the preliminary qualification and discovery call, share entry-level data via the agreed secure channels. This includes your ES-003 report, entry summary detail, and HTS code information.
Step 5: Authorize Broker Coordination (As Needed)
If you want the firm to coordinate directly with your customs broker, provide specific written authorization defining the scope.
Step 6: Monitor and Verify (Ongoing)
Periodically confirm that data handling practices remain consistent with agreements. Request access logs if your NDA includes that provision.
What to Do If Something Goes Wrong
Despite best efforts, data incidents happen. Here’s your response protocol.
If You Suspect Unauthorized Access
- Notify the firm immediately and request an investigation
- Document what you know — when you became aware, what evidence you have
- Request a written incident report within 72 hours
- Consult legal counsel about your rights under the NDA
- If confirmed, invoke the breach notification and remediation provisions of your NDA
If You Want to Terminate the Engagement
- Provide written notice per the engagement agreement terms
- Request immediate data return or destruction
- Request written certification of destruction within the agreed timeframe
- Verify that any third parties who received your data (broker, attorney) also comply
If the Firm Is Unresponsive
If a firm stops responding to data security inquiries or refuses to confirm compliance with NDA terms, that’s a breach in itself. Document the non-response and consult legal counsel.
Evaluating a Firm’s Security Posture: The Quick Assessment
You don’t need to conduct a full security audit of every firm you talk to. But you can assess their security posture in about 15 minutes with the right questions.
The Five-Minute Security Check
Ask these five questions and evaluate the responses:
- “Do you have a standard NDA ready?” A firm with a prepared mutual NDA signals they’ve thought about data security before you asked. If they need to “get one drafted,” that’s a yellow flag.
- “How do you transmit sensitive data?” The answer should reference encryption, secure portals, or specific tools. If the answer is “email,” that’s a red flag for entry-level data.
- “Who will have access to my data?” The answer should name specific roles or individuals, not “our team.” Vague access means everyone has access.
- “What happens to my data when we’re done?” The answer should reference a defined retention period and documented destruction. “We keep it in our files” is not acceptable.
- “Have you ever had a data incident?” This is a test of honesty as much as security. A firm that says “never” may be truthful, or may not have systems capable of detecting incidents. The best answer acknowledges that no system is perfect and describes their monitoring and response capabilities.
Scoring the Responses
Give each answer a score of 0-2:
- 0: No meaningful answer or red flags
- 1: Adequate answer but room for improvement
- 2: Strong, specific, confident answer
- Score 8-10: Strong security posture. Proceed with confidence.
- Score 5-7: Adequate, but push for improvements in weak areas before sharing sensitive data.
- Score 0-4: Consider alternatives. A firm that can’t articulate basic data security practices may not have them.
Common NDA Negotiation Points
When reviewing a firm’s NDA, these are the provisions most commonly negotiated:
Definition Scope
Firms sometimes use narrow definitions of confidential information that don’t explicitly cover import data. Push for a broad definition that includes:
- Entry-level data (numbers, dates, ports, duty amounts)
- HTS classifications and duty types
- Supplier and manufacturer identities
- Trade routes, volumes, and patterns
- Any derived analysis or reports
Permitted Disclosures
Most NDAs include carve-outs for disclosures required by law, court order, or regulatory requirement. These are standard and acceptable. What’s NOT acceptable is a broad carve-out for “business purposes” or “as reasonably necessary” — these can be interpreted to allow almost any disclosure.
Injunctive Relief
Insist on a provision acknowledging that breach may cause irreparable harm and that injunctive relief (a court order to stop the breach) is available in addition to monetary damages. Without this, your only remedy is a lawsuit for money damages — by which time the harm may be done.
Survival Period
The confidentiality obligations should survive the end of the NDA or engagement by at least 2-3 years. Some competitive intelligence provisions (preventing use of your data to benefit competitors) should survive indefinitely. Push for the longest survival period the firm will accept.
Governing Law
Ensure the NDA is governed by a jurisdiction you’re comfortable with. If the firm is in New York and you’re in California, negotiating for your home state’s law — or a neutral jurisdiction — is reasonable.
Balancing Protection and Progress
We understand the tension. Every day spent negotiating NDA language is a day closer to protest deadlines and a day further back in the CAPE queue. Data security should protect you, not paralyze you.
The good news: a competent firm will have these protocols already in place. They’ve thought about data security before you asked, and they can execute quickly. If a firm needs weeks to produce an NDA or establish secure data transmission, they’re building infrastructure that should have existed before they started taking clients.
Speed and security aren’t opposites. They’re both indicators of professionalism.
We execute mutual NDAs within 24 hours, transmit all data via encrypted channels, maintain named access controls, and certify data destruction at engagement conclusion. Your data security is not an afterthought — it’s built into every step of our process. Start your assessment today knowing your information is protected from day one.