Recovery Guides | February 20, 2026 | 13 min read

Questions to Ask Before Sharing Your Import Data With Any Firm

Margaret Chen

Your import data is more than a list of entry numbers. It reveals your sourcing strategy, supplier relationships, cost structures, product mix, trade routes, and competitive positioning. In the wrong hands, it’s a roadmap for competitors, a target list for solicitors, and a potential liability.

Yet to pursue your IEEPA tariff refund, you need to share some of this data with outside parties — your customs broker, an advisory firm, potentially a claim purchaser, or a trade attorney. The question isn’t whether to share; it’s how to share safely.

Before you hand over a single spreadsheet, ask these eight questions. They apply to any firm you’re considering working with on IEEPA recovery — whether it’s an advisory firm, a claim buyer, a legal practice, or a consulting outfit.

Question 1: “What Specific Data Do You Actually Need?”

This is the threshold question, and the answer tells you a lot about the firm’s sophistication.

What Good Looks Like

A competent firm will request specific, limited data appropriate to the current stage of your engagement. For an initial assessment, they should need:

  • Company name and contact information
  • Estimated annual import volume
  • Primary countries of origin
  • General product categories
  • Customs broker identification

They should NOT need entry-level detail, HTS codes, duty amounts, or supplier names at the intake stage. That data comes later, after an initial qualification and usually after a confidentiality agreement is in place.

What Bad Looks Like

A firm that asks for your full ES-003 report and entry-level detail before you’ve had a single conversation is either unsophisticated about data sensitivity or intentionally collecting more information than they need. Either way, it’s a warning sign.

The assessment process should be staged: basic qualification first, then progressively detailed data sharing as the engagement deepens and trust is established. Our walkthrough of the Impact Assessment process shows how this staging works in practice.

The Minimum Data Principle

Share the minimum data necessary for each stage. You can always provide more later. You can never take it back once it’s shared.

Engagement Stage | Appropriate Data to Share
Initial qualification | Company profile, import volume estimate, product categories
Preliminary assessment | Broker name, country mix, estimated IEEPA duty total
Detailed analysis | ES-003 report, entry-level data, HTS codes, duty amounts
Filing/execution | Full entry documentation, commercial invoices, broker authorization

Question 2: “Will You Sign a Mutual NDA Before I Share Any Data?”

Non-negotiable. Any firm that hesitates to sign a mutual non-disclosure agreement before receiving your import data is not worth working with.

What the NDA Should Cover

  • Definition of confidential information that explicitly includes import data, entry information, trade routes, supplier identities, and financial details
  • Permitted use restrictions — the data can only be used for the stated purpose (IEEPA recovery analysis)
  • Non-solicitation provisions — the firm cannot use your data to market to your suppliers or customers
  • Data retention and destruction — what happens to your data when the engagement ends
  • Breach remedies — what recourse you have if the NDA is violated
  • Term — how long the confidentiality obligations last (should be at least 2-3 years post-engagement)

Mutual vs. One-Way

Always push for mutual NDAs, even though you’re the one sharing more sensitive data. A mutual NDA signals that the firm respects the confidentiality framework and holds itself to the same standard it expects of you.

Template NDAs

Many firms will offer their standard NDA. That’s fine as a starting point, but read it carefully. Look for carve-outs that effectively nullify the protections — phrases like “except as reasonably necessary for business purposes” can be loopholes you could drive a truck through. If you’re uncertain, have your legal counsel review it.

Question 3: “How Will My Data Be Stored and Protected?”

Technical data security matters. A signed NDA is a legal protection; technical safeguards are a practical protection. You need both.

Minimum Technical Standards

Any firm handling your import data should be able to confirm:

  • Encryption in transit — data transmitted via encrypted channels (TLS/SSL), not plain email attachments
  • Encryption at rest — data stored in encrypted systems, not on unencrypted laptops or shared drives
  • Access controls — limited to personnel who need the data for your engagement, not accessible to the entire firm
  • Audit logging — records of who accessed your data and when
  • Backup and recovery — data is backed up but backups are equally protected
  • Device security — company devices are encrypted, password-protected, and remotely wipeable

Cloud Storage Considerations

Most firms use cloud-based systems. That’s generally fine — major cloud platforms have strong security. But ask which platform and whether data is stored in shared environments or isolated tenancies.

Physical Security

For firms with physical offices, basic physical security should include locked facilities, restricted server room access, and clean-desk policies. This matters less for digital-only firms but is worth asking about for traditional consultancies.

What’s Excessive

You’re not evaluating a Department of Defense contractor. You’re looking for reasonable, professional-grade data security — not SOC 2 Type II certification (though that’s a plus if they have it). The point is to confirm that the firm takes security seriously and has implemented practical protections.

Question 4: “Who Specifically Will Have Access to My Data?”

“Our team” is not an acceptable answer. You should know exactly which individuals will see your import data.

Acceptable Access Structure

A well-run firm will have a defined access hierarchy:

  • Primary analyst assigned to your portfolio — sees all data
  • Quality review team — may see data during review processes
  • Firm principals — have oversight access but may not routinely view data
  • IT/operations — may have technical access for system maintenance but should be covered by internal confidentiality policies

What You’re Guarding Against

The risk isn’t usually malicious data theft. It’s more commonly:

  • Inadvertent disclosure — an analyst mentions your sourcing details in a conversation with another client
  • Competitive intelligence — a firm that serves your competitors uses your data to inform their advisory
  • Data aggregation — your data is combined with other clients’ data for market analysis or publications

These risks are mitigated by limited access, strong internal policies, and clear engagement terms.

Conflict of Interest Disclosure

Ask directly: “Do you currently represent any of my competitors?” A firm that advises both you and a direct competitor on IEEPA recovery has your sourcing data and theirs. Even with firewalls, this creates risk. If they do represent competitors, understand how they manage the conflict.

Question 5: “What Happens to My Data When the Engagement Ends?”

Data retention after engagement completion is a frequently overlooked risk. If a firm keeps your data indefinitely after your IEEPA recovery is complete, the risk surface persists long after the value has been delivered.

Best Practice: Defined Retention and Destruction

The firm should commit to:

  • Defined retention period — typically 1-3 years post-engagement for legal and compliance purposes
  • Documented destruction — at the end of the retention period, data is destroyed with written confirmation
  • Return option — you can request your data be returned to you at any time
  • Backup purging — destruction includes backup copies, not just primary storage

What’s Reasonable

Some data retention is legitimate. The firm may need records to support their work if questions arise, for tax and accounting purposes, or to comply with professional standards. A 2-year retention period with documented destruction is reasonable. Indefinite retention is not.

Ask for the Policy in Writing

Most firms have a data retention policy. Ask to see it. If they don’t have one, that tells you something about their maturity and professionalism.

Question 6: “Can You Provide References From Current Clients?”

References validate everything else. A firm that talks a good game about data security but can’t produce clients who confirm the experience may not be walking the talk.

What to Ask References

When speaking with references, ask specifically about data handling:

  • Did the firm request only necessary data, or did they ask for everything?
  • Did they sign an NDA promptly and without resistance?
  • Did you experience any data security concerns during the engagement?
  • How was communication about data access and handling?
  • Would you share sensitive data with this firm again?

Red Flag: No References Available

Every established firm should be able to provide at least 2-3 client references. If they can’t — or won’t — that’s a significant concern regardless of their other qualifications. New firms may have limited references, which is understandable, but they should be transparent about that rather than deflecting.

For more on overall firm evaluation beyond data security, see our guide to evaluating IEEPA recovery firm offers.

Question 7: “How Do You Handle Data in Multi-Party Situations?”

IEEPA recovery often involves multiple parties: you (the importer), your customs broker, the advisory firm, potentially a trade attorney, and possibly a claim purchaser. Your data may need to flow between some or all of these parties.

Authorization and Control

You should control who receives your data at every stage. The firm should:

  • Seek explicit authorization before sharing your data with any third party
  • Limit sharing to the minimum data needed for each party’s role
  • Extend NDA protections — any third party receiving your data should be bound by equivalent confidentiality terms
  • Document all sharing — you should know exactly who has received what

Broker Authorization

If you authorize the advisory firm to coordinate directly with your customs broker, do so through a specific written authorization that defines the scope of data access. Don’t give blanket access — specify the date range, data types, and permitted activities.

Claim Purchaser Due Diligence

If you’re considering selling your claim for immediate capital, the purchaser will need to verify your data during due diligence. This is legitimate, but the data should flow through controlled channels — ideally a secure data room with access logging — not via unencrypted email attachments.

Question 8: “What Is Your Liability If There’s a Data Breach?”

Nobody likes talking about breach scenarios, but you need to know the answer before you need to use it.

What to Look For

  • Notification obligation — the firm must notify you promptly (within 24-72 hours) of any data breach affecting your information
  • Remediation responsibility — the firm covers costs of addressing the breach, including any required notifications to affected parties
  • Insurance coverage — the firm carries professional liability and/or cyber liability insurance
  • Liability cap — understand any limitations on the firm’s liability. Some engagement agreements cap liability at the fee amount, which may be inadequate for a significant breach

Proportionality

The level of data breach protection should be proportionate to the sensitivity of the data shared. For basic company profile information, standard professional liability is sufficient. For entry-level import data with supplier details and pricing, stronger protections are warranted.

Special Considerations for Sensitive Industries

Certain industries face heightened data sensitivity that requires additional precautions beyond the standard framework.

Government Contractors

If your company holds government contracts, your import data may be subject to ITAR, EAR, or DFARS requirements. Sharing this data with a third party may require specific authorization or compliance verification. Consult your contracts administrator and legal counsel before sharing any import data that relates to government contract performance.

Pharmaceutical Companies

Pharmaceutical import data can reveal drug formulation strategies, active ingredient sourcing, and clinical trial supply chains. These are among the most competitively sensitive data elements in any industry. Consider whether the advisory firm serves any pharmaceutical competitors and insist on engagement-team firewalls if they do.

Financial Services Companies

Banks and financial institutions that import physical goods (technology equipment, physical security products) may have additional data handling requirements under GLBA or SOX. Verify that the firm’s data practices meet your regulatory obligations.

Publicly Traded Companies

Public companies should consider whether their IEEPA recovery strategy constitutes material nonpublic information under securities law. In most cases, the recovery itself isn’t material unless it represents a significant percentage of earnings. But discuss with your general counsel before sharing detailed financial projections with outside parties who aren’t bound by insider trading restrictions.

The Real-World Data Sharing Process

Here’s how data sharing typically works in practice, step by step:

Step 1: You sign a mutual NDA with the firm. This takes 24-48 hours for execution. Standard terms; rarely requires extensive negotiation.

Step 2: You share preliminary information — company profile, estimated import volume, product categories, countries of origin. This is low-sensitivity information that frames the engagement.

Step 3: You authorize your customs broker to share ACE data with the firm, or you pull the data yourself and share it via the firm’s secure portal. This is the high-sensitivity step — entry-level data, HTS codes, duty amounts, and liquidation statuses.

Step 4: The firm analyzes the data and produces your Impact Assessment. During analysis, they may ask clarifying questions that require additional information sharing — typically on specific entries with unusual characteristics.

Step 5: The assessment is delivered. From this point, data sharing may continue for ongoing advisory (if you engage) or stop (if you don’t).

At no point should you be asked to share banking information, tax returns, or login credentials to any system. If a firm asks for these, that’s a non-negotiable red flag.

Putting It All Together

Here’s a practical workflow for protecting your data through the IEEPA recovery process:

Before sharing anything:

  1. Determine the minimum data needed for the current stage
  2. Request and execute a mutual NDA
  3. Confirm the firm’s data security practices (Questions 3-5)
  4. Check references regarding data handling (Question 6)

When sharing data:

  5. Use encrypted transmission methods — never unencrypted email for entry-level data
  6. Mark documents as “Confidential — IEEPA Recovery Only”
  7. Log what you’ve shared, with whom, and when

During the engagement:

  8. Limit data sharing to authorized parties with explicit approval
  9. Request periodic confirmation of who has access
  10. Report any concerns promptly

After the engagement:

  11. Request confirmation of data destruction per the agreed retention schedule
  12. Retain your copy of the NDA and all authorizations

The Balance: Security vs. Speed

We recognize the tension. The cost of waiting on IEEPA recovery is real — protest deadlines are expiring, CAPE queue positions are filling, and the time value of your refund is eroding. You don’t want data security concerns to become an excuse for inaction.

The good news: proper data security doesn’t have to be slow. A competent firm can execute an NDA in a day, set up encrypted data transmission in hours, and begin analysis immediately upon data receipt. If a firm tells you that security protocols will add weeks to the process, they don’t have good protocols — they’re building them from scratch.

We execute mutual NDAs upon request, transmit all data via encrypted channels, limit access to assigned team members, and destroy data per documented retention schedules. Your import data is commercially sensitive, and we treat it that way. Start your assessment today with confidence that your information is protected.

Written by Margaret Chen

Director of claim strategy at Tariff Solutions. Specializes in entry-level exposure analysis, recovery path optimization, and importer readiness for CAPE portal filing. 12 years in distressed federal claims and structured asset recovery.
