I am curious about what specific NPI they have access to where they will still be low risk. In my understanding, Nonpublic Personal Information, or NPI, is a type of sensitive information created and defined by the Gramm-Leach-Bliley Act (GLBA), which specifically regulates financial services institutions.
NPI may include names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchases, court records from a consumer report, or any other consumer financial information that:
- a consumer provides to a financial institution
- results from a transaction or service performed for the consumer
- is otherwise obtained by the financial institution

NPI does not include information that has been made publicly available or widely distributed in the media or public government records.
In any case, accessing NPI requires that the vendor demonstrate appropriate information security and privacy controls. This means reviewing all their SOC 2 Type 2 reports, security certifications, penetration testing, etc. They would also need to provide evidence that they comply with privacy regulations. So, they should have a privacy policy, evidence of compliance training for their employees, and disclose any regulatory findings/actions and litigation history (including pending litigation) for the last five years.
As to how often, that is up to you and your organization. Generally, vendors who can access NPI are not low risk; they are at least moderate risk. But it would be best to do at least an annual risk re-assessment and due diligence. I hope that is helpful, but I would love to hear from other members.
Original Message:
Sent: 07-22-2022 12:45 PM
From: Anonymous Member
Subject: NPI
This message was posted by a user wishing to remain anonymous
How often should you perform due diligence on a vendor that is non-critical, low risk, but does have access to NPI? What due diligence documents should you request due to the fact that they do have NPI access?