If the question is whether you need a confidentiality agreement/security agreement with a consumer reporting agency, this is how it was explained to me:
When you report the information to the credit bureau, the information now belongs to the credit bureau. It is no longer "your" information that you need to safeguard.
The distinction made is that when you use a third-party data processor, the processor is handling YOUR data which you still need to protect.
But when you report information to a credit bureau, it now becomes THEIR data, and they are held to a security standard of their own under FCRA.
Regulations are a poor substitute for ethics.