When reviewing vendor contracts for identity theft protections, could we consider protections for safeguarding of customer information (ie. GLB) as sufficient or should we require specific identity theft safeguard language as part of our agreements?

I am taking the position that the GLB protections in our vendor agreements are sufficient to cover identity theft.

Glad to hear. So are we.

Colorado, would you mind sharing your wording on this (i.e. how did you justify your reliance on GLB in your policy/program)? Thanks!

We will be looking for new contracts to specify the id theft specifically but now are using GLBA reliance.

Supposedly, your core processor should have a program to detect, prevent and mittigate identity theft that they can provide to you. Has anyone obtained one from their processor?

Secondly, for all other service providers, we need to consider how they could contribute to identity theft. A good example that was brought up a a seminar I attended was a tri-merge vendor that was not passing along fraud alerts from all the credit bureaus they collected information from to a bank.

I'm looking for more examples of how a vendor might contribute to identity theft. Does anyone have another example?

Also, WHICH vendors will you be requiring a Red Flag covenant from?

I've talked to several of my peers and it seems like this part of the program is still confusing to many of us. I'm not confident that we can rely on the GLBA safeguarding language to satisfy this requirement.

We were thinking of adding an addendum to our already third party service proveder contracts and mailing those out annually. But what would the addendum wording include?

At this time we have decided to do the GLB reliance approach, but we are curious if anyone has wording to share.

I am curious too!

Most contracts we reviewed also have language that supports "future regulatory requirements". We felt comfortable with that plus GLBA language.