NPI Third-Party Agreement Policy
Purpose:
The purpose of this policy is to establish guidelines for sharing and safeguarding Non-Public Personal Information (NPI) with third-party service providers. This policy ensures compliance with the Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, and other applicable regulations, while protecting customer privacy and maintaining data security.
1. Scope
This policy applies to all employees, contractors, and third-party service providers of [Dealership Name] who handle or have access to customer NPI. It governs all contracts, data-sharing practices, and monitoring of third-party activities involving NPI.
2. Policy Statement
[Dealership Name] will only share NPI with third parties under strict conditions, including clear agreements that outline the security measures required to protect NPI. Third-party service providers must comply with applicable laws and dealership policies regarding the handling, storage, and disposal of NPI.
3. Definitions
- Non-Public Personal Information (NPI): Personally identifiable financial information provided by a customer in connection with a transaction or service. Examples include Social Security numbers, financial account numbers, and loan details.
- Third-Party Service Provider: Any vendor, contractor, or business partner that performs services for [Dealership Name] and may access, process, or store NPI.
4. Requirements for Third-Party Agreements
4.1 Due Diligence
Before engaging with a third party, [Dealership Name] will:
- Assess the vendor’s data security policies and procedures.
- Verify the vendor’s ability to comply with GLBA and FTC Safeguards Rule requirements.
- Review the vendor’s history of compliance, including references and any past security incidents.
4.2 Contractual Obligations
All contracts with third-party service providers must include provisions that require:
- Confidentiality:
  - The third party must maintain the confidentiality of all NPI shared by the dealership.
  - Prohibit unauthorized sharing or use of NPI for purposes not specified in the agreement.
- Data Security Measures:
  - Implement and maintain appropriate administrative, technical, and physical safeguards to protect NPI.
  - Encrypt NPI during transmission and at rest.
- Notification of Breach:
  - Notify [Dealership Name] immediately (no later than 24 hours) upon discovering any data breach, loss, or unauthorized access involving NPI.
- Compliance with Laws:
  - Comply with all applicable laws and regulations governing the protection of NPI.
- Return or Disposal of NPI:
  - Return or securely dispose of all NPI when it is no longer required for the agreed-upon purpose.
- Audit and Monitoring Rights:
  - Allow [Dealership Name] to audit the vendor’s compliance with data protection requirements periodically.
5. Sharing NPI with Third Parties
Third parties may only receive NPI when:
- The purpose is necessary for completing a transaction or providing a service to the customer.
- Customers have been notified of the sharing in the dealership’s privacy notice.
- The third party has agreed in writing to comply with all terms in the third-party agreement.
6. Monitoring and Auditing
- Periodic Audits: Conduct regular reviews of third-party service providers to ensure compliance with security and contractual requirements.
- Performance Monitoring: Continuously monitor third-party activities to detect potential risks or breaches.
- Incident Reviews: Investigate all security incidents involving third parties and implement corrective actions as necessary.
7. Employee Responsibilities
Employees must:
- Verify that a valid agreement is in place before sharing NPI with any third party.
- Notify the Compliance Officer of any concerns about a third party’s handling of NPI.
8. Prohibited Practices
Employees and third parties must not:
- Share NPI with unauthorized individuals or entities.
- Access or use NPI for purposes outside the scope of the agreement.
- Retain NPI longer than necessary without written approval from [Dealership Name].
9. Penalties for Non-Compliance
Failure to comply with this policy may result in:
- Termination of the third-party agreement.
- Regulatory penalties or fines for [Dealership Name].
- Disciplinary action for employees, up to and including termination.
10. Policy Updates
This policy will be reviewed annually and updated as necessary to reflect changes in regulations, dealership practices, or third-party relationships.
Acknowledgment
I acknowledge that I have read and understand the NPI Third-Party Agreement Policy and agree to comply with its provisions.
Employee or Third-Party Representative Signature: ___________________________
Date: ___________________________
Manager Signature: ___________________________
Date: ___________________________
This policy ensures the secure and lawful sharing of NPI with third-party service providers while maintaining compliance and customer trust.