Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

I'm interested in knowing how others are handling CCPA requirements.  Do you take the position that you are not responsible for any CCPA violations of your vendors / service providers because you have executed separate agreements or amendments prohibiting your third parties from retaining, using, disclosing personal information (PI) for any purpose other than the specific purpose of performing the services specified in the contract?  Or are you adding detailed questions concerning PI to your questionnaire to determine which of your vendors are obligated under CCPA and exactly what PI is being collected?

​We identified the vendors in our inventory for whom CCPA would be applicable, had our legal draw up an amendment to sign specific to CCPA compliance. Those who would not sign the amendment were asked to provide an attestation covering key components of CCPA compliance to acknowledge that they were aware and compliant, and those who would not do option A or B we are evaluating the contracts to ensure there are covenants around compliance to "all applicable laws and regulations" and either revising the contracts to include language if deficient or sending them a letter asking them to acknowledge that they are aware of and compliant to CCPA as it applies to the services provided to us. We started about a month ago.


------------------------------

Original Message:
Sent: 11-18-2019 09:44 AM
From: Anonymous Member
Subject: CCPA

This message was posted by a user wishing to remain anonymous

I'm interested in knowing how others are handling CCPA requirements.  Do you take the position that you are not responsible for any CCPA violations of your vendors / service providers because you have executed separate agreements or amendments prohibiting your third parties from retaining, using, disclosing personal information (PI) for any purpose other than the specific purpose of performing the services specified in the contract?  Or are you adding detailed questions concerning PI to your questionnaire to determine which of your vendors are obligated under CCPA and exactly what PI is being collected?

Jennifer, I'm curious to know if you are a financial institution and are you located in California?  With the GLBA exception in the CCPA law, financial institutions are exempt from the CCPA.  Trying to understand if we need to be doing something more than we already are.
Original Message:
Sent: 11-19-2019 07:40 AM
From: Jennifer Wilkinson
Subject: CCPA

​We identified the vendors in our inventory for whom CCPA would be applicable, had our legal draw up an amendment to sign specific to CCPA compliance. Those who would not sign the amendment were asked to provide an attestation covering key components of CCPA compliance to acknowledge that they were aware and compliant, and those who would not do option A or B we are evaluating the contracts to ensure there are covenants around compliance to "all applicable laws and regulations" and either revising the contracts to include language if deficient or sending them a letter asking them to acknowledge that they are aware of and compliant to CCPA as it applies to the services provided to us. We started about a month ago.



Original Message:
Sent: 11-18-2019 09:44 AM
From: Anonymous Member
Subject: CCPA

This message was posted by a user wishing to remain anonymous

I'm interested in knowing how others are handling CCPA requirements.  Do you take the position that you are not responsible for any CCPA violations of your vendors / service providers because you have executed separate agreements or amendments prohibiting your third parties from retaining, using, disclosing personal information (PI) for any purpose other than the specific purpose of performing the services specified in the contract?  Or are you adding detailed questions concerning PI to your questionnaire to determine which of your vendors are obligated under CCPA and exactly what PI is being collected?

​Hello and Happy New Year!
We are a thrift bank however we do not have deposit accounts. Cenlar is an ESOP mortgage subservicer. We service for many financial institutions as well as private corporations some in CA, and some with customers in CA we subservice.

Let me know if that helps.

------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management

------------------------------

Original Message:
Sent: 01-08-2020 12:37 PM
From: Michele Deo
Subject: CCPA

Jennifer, I'm curious to know if you are a financial institution and are you located in California?  With the GLBA exception in the CCPA law, financial institutions are exempt from the CCPA.  Trying to understand if we need to be doing something more than we already are.
Original Message:
Sent: 11-19-2019 07:40 AM
From: Jennifer Wilkinson
Subject: CCPA

​We identified the vendors in our inventory for whom CCPA would be applicable, had our legal draw up an amendment to sign specific to CCPA compliance. Those who would not sign the amendment were asked to provide an attestation covering key components of CCPA compliance to acknowledge that they were aware and compliant, and those who would not do option A or B we are evaluating the contracts to ensure there are covenants around compliance to "all applicable laws and regulations" and either revising the contracts to include language if deficient or sending them a letter asking them to acknowledge that they are aware of and compliant to CCPA as it applies to the services provided to us. We started about a month ago.



Original Message:
Sent: 11-18-2019 09:44 AM
From: Anonymous Member
Subject: CCPA

This message was posted by a user wishing to remain anonymous

I'm interested in knowing how others are handling CCPA requirements.  Do you take the position that you are not responsible for any CCPA violations of your vendors / service providers because you have executed separate agreements or amendments prohibiting your third parties from retaining, using, disclosing personal information (PI) for any purpose other than the specific purpose of performing the services specified in the contract?  Or are you adding detailed questions concerning PI to your questionnaire to determine which of your vendors are obligated under CCPA and exactly what PI is being collected?