We would like to use a third-party vendor to print and mail postcards to our internet customers. Is it permissible to send the vendor a list of our customers’ names and addresses? What due diligence is required? In the alternative, should we only use the vendor to print the postcards and address and mail them ourselves?

Yes, it is permissible to share a list of customer names and addresses with a third-party vendor for purposes of printing postcards if certain requirements are met.

Customer names and addresses are nonpublic personal information, but Regulation P permits you to share them with a nonaffiliated third party that performs services on your behalf, without offering customers an opt out, if you (1) provide your customers with an initial privacy notice that accurately reflects your privacy policies and practices, and (2) enter into a written contract with the third party that prohibits it “from disclosing or using the information other than to carry out the purposes for which [the bank] disclosed the information” (here, printing and mailing the postcards). Separately, the Interagency Guidelines Establishing Information Security Standards require that contract to obligate the service provider to implement appropriate measures to protect the customer information it holds against unauthorized access or use, to dispose of that information properly, and to notify the bank as soon as possible following any incident of unauthorized access to it.

Also, the postcards themselves must not reveal that the recipients are customers of your bank. A postcard has no envelope, so anyone who handles or sees it can read it. Both federal and Illinois privacy laws protect “financial records” and “personally identifiable financial information,” and these terms are defined broadly enough to include the mere fact that an individual is a customer of your bank. Regulation P expressly lists “the fact that an individual is or has been one of your customers or has obtained a financial product or service from you” as personally identifiable financial information, so a postcard that discloses that fact to whoever reads it is a disclosure of nonpublic personal information, subject to the same restrictions as any other.

For resources related to our guidance, please see:

  • Regulation P, 12 CFR 1016.13(a)(1) (“The opt out requirements . . . do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you: (i) Provide the initial notice in accordance with § 1016.4; and (ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 1016.14 or § 1016.15 in the ordinary course of business to carry out those purposes.”)
  • Interagency Guidelines Establishing Information Security Standards, 12 CFR Part 208, Appendix D-2 (Federal Reserve Board) (“Each bank shall: . . . (2) Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; . . . .”)
  • Small Entity Compliance Guide, Interagency Guidelines Establishing Information Security Standards (“In particular, financial institutions must require their service providers by contract to (1) Implement appropriate measures designed to protect against unauthorized access to or use of customer information maintained by the service provider that could result in substantial harm or inconvenience to any customer; and (2) Properly dispose of customer information. In addition, the Incident Response Guidance states that an institution’s contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible following any such incident.”)
  • Regulation P, 12 CFR 1016.3(p)(1)(i) (“Nonpublic personal information means . . . Personally identifiable financial information . . . .”)
  • Regulation P, 12 CFR 1016.3(q)(2)(i)(C) (“Personally identifiable financial information includes . . . The fact that an individual is or has been one of your customers or has obtained a financial product or service from you . . . .”)