I am curious about what specific NPI they have access to where they will still be low risk. In my understanding, Nonpublic Personal Information, or NPI, is a type of sensitive information created and defined by the Gramm-Leach-Bliley Act (GLBA), which specifically regulates financial services institutions.
NPI may include names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchases, court records from a consumer report, or any other consumer financial information that:
As to how often, that is up to you and your organization. Generally, vendors who can access NPI are not low risk; they are at least moderate risk. But it would be best to do at least an annual risk re-assessment and due diligence. I hope that is helpful, but I would love to hear from other members.