So, if we get our vendors who handle covered accounts to sign an agreement that states:

Vendor agrees to maintain policies and practices designed to:


[*]Ensure the security and confidentiality of confidential information
[*]Protect against any anticipated threats or hazards to the security or integrity of confidential information
[*]Protect against unauthorized access to or use of confidential information that could result in substantial harm or inconvience to any customer

Are we covered under the red flag vendor management rules?

That seems close to our Information Security Agreement - except we also require our vendors (by contract) to agree to -

[*] Take appropriate actions to address incidents of unauthorized access to the Bank's "sensitive customer information" (etc)

[*] Make every effort to ensure the complete destruction, beyond the possibility of recovery by unauthorized persons, of any record containing consumer information that is no longer intended to be retained for its business purposes.

I have the opinion that our Information Security contracts are sufficient to address identity theft preventions issues with our vendors... until I am told otherwise...

Thats what i am going to assume as well, thanks.

That would be great b/c I was ready to do an addendum for them all.