Are we required to obtain a confidentiality agreement from the credit reporting agency? We have a contract, do we also need a confidentiality agreement?

Does anyone have guidance on what type of information is required to be obtained for specific types of vendors?

I appreciate any assistance! Thank you!

In response to your first question, if your contract contains the required language relating to information security, there should no need for an additional agreement. We found that when GLB first came out, a lot of contracts didn't have language and we had to develop an agreement. However, has time as gone on, most are aware of what banks will be looking for and generally contain the language or something similar.

We risk rate our vendors based on risk associated with information security and business continuity. If a customer is rated as high risk in either category, we require annual review of financials and SAS70 or other audit to identify internal control weaknesses. Any vendor that has access to customer information must execute a contract with GLBA info security verbiage, security breach notice and document disposal language. I have a sample security agreement that serves as an addendum to any existing contract for those contracts that do not contain satisfactory language.

Hello, I seen your response regarding having an addendum if the vendor does not have the GLBA verbiage in the agreement. Do you mind sending me a a copy, I currently audit 3rd party vendors and this info would be useful.. I appreciate your help.