That seems close to our Information Security Agreement - except we also require our vendors (by contract) to agree to -
[*] Take appropriate actions to address incidents of unauthorized access to the Bank's "sensitive customer information" (etc)
[*] Make every effort to ensure the complete destruction, beyond the possibility of recovery by unauthorized persons, of any record containing consumer information that is no longer intended to be retained for its business purposes.
I have the opinion that our Information Security contracts are sufficient to address identity theft preventions issues with our vendors... until I am told otherwise...