BOL Conferences

#656380 - 12/22/06 05:00 PM privacy statement for vendors
kira Offline
100 Club
Joined: Jul 2006
Posts: 219
This was posed to me and I have researched it with little to show for it. Does anyone have or use a list of critical vendors that you send an annual privacy statement to?
At my other employment, any firm that had a contract acknowledged our privacy statement. Here they want to send out a privacy statement to all critical vendors annually, have it signed and returned. What is anyone else doing?? The auditor wants to do an audit and doesn't know, go figure..
Thanks for any info on this.

Operations Compliance
#657367 - 12/26/06 09:32 PM Re: privacy statement for vendors kira
kira Offline
100 Club
Joined: Jul 2006
Posts: 219
Thanks, I'll look into that

#658323 - 12/28/06 03:28 PM Re: privacy statement for vendors kira
J.R. Offline
Junior Member
Joined: Aug 2005
Posts: 40
Midwest
We are performing an annual risk assessment of all our vendors; along with that, we indicate whether they have access to customer information. If they do, we require an annual acknowledgement. That means the folks who wash our windows and clean our facilities sign it, along with our external auditors and most of our IT vendors.

#658329 - 12/28/06 03:36 PM Re: privacy statement for vendors J.R.
kira Offline
100 Club
Joined: Jul 2006
Posts: 219
Thanks for sharing, it's very helpful.. anyone else??

#659312 - 12/29/06 08:24 PM Re: privacy statement for vendors kira
kira Offline
100 Club
Joined: Jul 2006
Posts: 219
Are there any guidelines regarding vendor acknowledgement on this privacy issue and what is required? The questions won't stop. Thanks

#660177 - 01/03/07 02:13 PM Re: privacy statement for vendors kira
Starter Offline
Platinum Poster
Starter
Joined: Aug 2004
Posts: 513
NJ
I also have some additional questions:

Is a signature required from our vendors or do we have to just show proof that we sent them our own privacy policy for review?

Is an annual mailing required to our vendors, or is the initial signature good for as long as services are provided?

Who exactly should we be getting notices from - only our critical vendors, or do we need them from contractors hired to perform work inside our branches?

#660234 - 01/03/07 03:16 PM Re: privacy statement for vendors Starter
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 84,659
Galveston, TX
Sending them a copy of your privacy notice or policy accomplishes nothing. The regulation requires that you ensure that your vendors keep the information that you provide them confidential. It has nothing to do with the bank's privacy policy.

You have to have a "contractual" agreement with your vendors to the fact that information may not be shared beyond what is allowed by the regulation. Having them sign an annual notice is meaningless in my mind as long as the original contract is still in place and contains the appropriate contractual clauses.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#663302 - 01/09/07 03:59 PM Re: privacy statement for vendors rlcarey
kira Offline
100 Club
Joined: Jul 2006
Posts: 219
This has come up again; the bank is determined to have new privacy agreements sent to various vendors for acknowledgement. I do not believe it has been done correctly in the past and they want to get it right with one shot. I believe, given your statement above, this need only be done once as long as there has not been a change in vendor or policy. Am I correct?

#664607 - 01/11/07 02:24 PM Re: privacy statement for vendors kira
Patsy Cline Offline
Diamond Poster
Patsy Cline
Joined: Sep 2002
Posts: 1,117
On the road...
What is your definition of privacy agreement? In addition to your bank's internal privacy and safeguarding policies, you must require that your vendors implement an info security program too ("Information Security and Incident Response Agreement"). This must be agreed to as part of the written agreement. This program should ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security and integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The agreement must also include incident response.
_________________________
Michelle CRCM

"What would you attempt to do if you knew you could not fail?" ~ unknown