We have adopted the following policies and procedures to document our information security program to protect Non-public Personal Information as required by local, state and federal law. Compliance with the following procedures is required of all employees and failure to comply with the procedures outlined herein will be grounds for immediate termination of employment.
Our company recognizes we must take necessary and appropriate steps, within our capabilities, to protect Non-public Personal Information (NPI) from loss or misuse, to avoid reputational damage, and to prevent the use of this data from adversely impacting our customers and business. The protection of this data is a critical business requirement, yet flexibility to access the data and to work efficiently with it was also considered in the development of this Policy. This policy will be evaluated annually, and adjusted in the event our business operations change or as a result of our security testing and monitoring. For the purposes of this policy, Non-public Personal Information (NPI) is defined as “First name or first initial and last name coupled with any of the following: Social Security Number, Driver’s license number, state issued ID number, credit card number, debit card number or other financial account numbers.” “Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
A. Physical security of Non-public Personal Information (NPI)
To help ensure the physical security of all Non-public Personal Information we will:
Restrict access to Non-public Personal Information to authorized employees with a legitimate business purpose, on a need-to-know basis. Such employees will have undergone ten (10) year Criminal Background Checks at hiring. For any employee with customer contact, these checks for Criminal Offenses will include Dishonesty Offenses (involving dishonesty, a breach of trust, or money laundering) and Violence Offenses (a felony or its equivalent, or multiple misdemeanors or their equivalents, principally involving violence or harassment).
Restrict the use of removable media unless authorized by management and properly secured and stored when not in use.
Use only secure methods of transmitting NPI.
Adhere to a “clean desk” policy during the work day, where all files (hard copy or electronic) are closed and locked when employees are away from their desk, and stored in a locked desk, file cabinet, or secure room overnight.
Share information with third parties and affiliated or related parties only in accordance with our Privacy Notice which shall be provided to all parties upon or immediately after receipt of an application to provide title or closing services.
B. Network security of Non-public Personal Information
To help ensure the secure collection, transmission, and storage of Non-public Personal Information within our network we will:
Take appropriate steps to protect the security of our computing network, to include firewalls, up-to-date virus protection, and intrusion detection and prevention systems.
Utilize strong, individual, and unique passwords that are changed at least every 90 days. A strong password is at least 8 characters in length and contains 3 of the following 4 types of characters: lower case letters, upper case letters, numbers, and special characters.
Encrypt any email transmission containing NPI.
C. Disposal of Non-public Personal Information
To help protect and properly dispose of Non-public Personal Information we have:
Clearly defined and communicated to our employees what types of information/data fall into the category of NPI.
Provided shredders or locked disposal bins accessible only by an outside shredding service and require our employees to dispose of all NPI on a daily basis.
Required all hardware containing NPI that is to be disposed of to be erased/encrypted or physically destroyed prior to disposal.
D. Establish a disaster management plan
The company has established a Disaster Recovery Plan. This plan helps ensure adequate back-up, recovery and business continuity procedures for our company. This plan is reviewed and updated annually as appropriate.
E. Appropriate management and training of employees to help ensure compliance with the Company’s information security program
To ensure appropriate management of our policy, and employee training regarding the Company’s information security policy we:
Provide all employees with a copy of our Acceptable Use of Information Technology Resources policy and obtain signed acknowledgements of receipt (see attached).
Oversee all third party service providers to help ensure compliance with our Company’s information security program. Providers are selected after appropriate due diligence. We retain service providers that are capable of appropriately safeguarding Non-public Personal Information. They are provided with copies of this information security policy and made aware of procedures to notify our company immediately in the event of any security breach involving NPI. If security breaches occur, proper notification is provided to consumers and law enforcement in accordance with the Company’s privacy and information security program.
F. Notification of security breaches to customers and law enforcement
To ensure proper notification of security breaches to our customers and law enforcement we will:
Adhere to our procedure to notify our customers and law enforcement of the breach as required by law or contract. All data breaches will be reported and investigated in a timely manner. In the event of a breach, employees will immediately notify a supervisor or agency management. The data will be secured to prevent any further breach, and the reasonable integrity, security and confidentiality of the data or data system will be restored.
Contact our IT department (or IT contractor) to help determine the nature of the breach in terms of its extent and seriousness. We may also contact our Legal Department (or Attorney) to help determine the category of the breach.
Document the breach, the scope of the breach, steps taken to contain the breach, and the names or categories of persons whose personal information was, or may have been, accessed or acquired by an unauthorized person.
Provide the documentation on the breach to senior management who will direct that notification be given to affected parties if the breach appears to have resulted in the theft or loss of NPI.
Provide notification of a breach to affected individuals without unreasonable delay except that notification shall be delayed if law enforcement informs the Company that disclosure of the breach would impede a criminal or other investigation. A request for delayed notification must be made in writing including the name of the law enforcement officer making the request and the officer's agency engaged in the investigation. Such delayed notification shall continue until the law enforcement agency communicates to the Company its determination that notification will no longer impede the investigation.
Ensure the notification is clear and conspicuous and includes the following:
A description of the incident in general terms;
A description of the type of personal information that was subject to the unauthorized access and acquisition;
A general description of the actions taken to protect the personal information from further unauthorized access;
A telephone number that the person may call for further information and assistance;
Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports;
The toll-free numbers and addresses for the major consumer reporting agencies; and the toll-free numbers, address, and website address for the Federal Trade Commission (FTC) and the Attorney General’s Office for the state in which the victim is located, along with a statement that the individual can obtain information from these sources about preventing identity theft.
Notify the affected persons by one of the following methods:
If we can identify the particular individuals affected and have the necessary contact information of the affected individuals, notice will be provided in writing by US Postal Service or by electronic notification if the Company has a valid email address.
If we do not have the necessary contact information to notify an individual or are not able to identify particular affected individuals, notice will be provided by a conspicuous posting on the Company’s website and publication in widely distributed print media in the states where affected individuals are reasonably anticipated to reside.