As a result of the FACTA, interagency guidelines for information security standards were ammended to include a provision regarding the proper disposal of consumer information. We are in the process of updating our privacy/confidentiality agreements with our service providers and was wondering if it was necessary to add a specific statement that requires the service provider to "dispose of consumer information in a manner consistent with the disposal of customer information."
Is it sufficient enough to just generally state that the service provider agrees to "implement appropriate security measures designed to meet the objectives of regulatory guidelines governing the safeguarding of financial institution financial information" ?