DATA PROTECTION POLICY AND SECURITY BREACH PROTOCOL
Company adopts the following policy and procedures in order to protect personal information and personal identifying information from unauthorized access, use or disclosure.
Personal Information (PI): a person’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted, redacted or secured by any other method rendering the name or element unreadable or unusable:
Social security number;
Employer, student, military or passport identification number;
Driver’s license or government/state issued ID number;
Medical information;
Biometric data;
Health insurance ID number.
Personal information also includes: a person’s username or email address in combination with a password or security questions and answers that would permit access to an online account; or, a person’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.
Personal Identifying Information (PII) includes:
Social security number;
A personal identification number;
A password or passcode;
A government and/or state issued driver’s license or identification card number;
A government passport number;
Biometric data;
An employer, student or military identification number;
A financial transaction device (banking card, credit/debit card, electronic fund transfer card, guaranteed check card or bank account numbers).
Personal Data: a collective reference to both PI and PII.
Security Breach: the unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of personal information. A security breach does not include a good faith acquisition of personal data by an employee or agent for business purposes, so long as the personal data obtained is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.
II. Procedure for the Maintenance and Protection of Personal Data
Company shall make reasonable efforts not to obtain or accept any personal data in any format at any time, unless required for business recordkeeping purposes or for payment by a third-party to Company.
Company understands that, from time to time, it is necessary to accept personal data from contractors, vendors, employees, customers or other third parties. Company shall request that any personal data obtained from any third party be provided in hard copy. Company shall make reasonable efforts not to store or request any personal data in electronic format, whether by email, text message or otherwise.
Company shall maintain all paper files that contain personal data under lock and key.
If Company maintains files containing personal data in electronic format, such electronic files should be kept in a password protected folder on Company hard drive.
III. Procedure for the Destruction of Paper or Electronic Records Containing Personal Data
At such time that any personal data maintained by Company is no longer needed, Company shall promptly destroy or arrange for the destruction of such personal data by:
Redacting the personal data from the document, or shredding copies of all documents that contain personal data, if such documents were kept in paper format; or,
Redacting any electronic records containing personal data and thereafter deleting the record from Company’s hard drive.
Company may employ other procedures for the destruction of documents or files containing personal data, as may be appropriate, so long as the method employed by Company to destroy the personal data renders the personal data unreadable or indecipherable through any means.
IV. Procedure for Working with Third Party Vendors who Obtain, Maintain or Preserve Personal Data for or on Behalf of Company
Third party vendors play an important role in the support of Company. In some instances, third party vendors may collect, store, and maintain personal data on behalf of Company. This policy will establish rules for operating with third party vendors regarding access to Company information, their operator responsibilities, and protection of personal data.
This policy applies to all Company staff responsible for negotiating or executing third party contracts.
Prior to entering into any agreement or contract with a third party vendor, Company staff shall make a reasonable inquiry to determine whether the third party vendor is compliant with state and federal data protection laws.
Staff or other persons acting on behalf of Company when entering into contracts with third party vendors who will receive and maintain personal data shall confirm that such third party vendors implement and maintain reasonable security procedures and practices that are:
Appropriate to the nature of the personal data disclosed to the service provider; and,
Reasonably designed to help protect any personal data from unauthorized access, use, modification, disclosure or destruction.
Staff or other persons acting on behalf of Company when entering into contracts with third party vendors who will receive and maintain personal data shall further confirm that the third party vendor has implemented procedures for reporting security breaches that are consistent with Company’s policy and the Colorado Consumer Protection Act.
Company shall not enter into any contracts or agreements with any third party vendors which require Company to be responsible for any personal data transmitted to or maintained by such third party vendors without prior written approval from Company’s Employing Broker.
V. Procedure for Reporting a Security Breach
If Company becomes aware that a security breach may have occurred, Company must promptly conduct a good faith investigation to determine the likelihood that personal data has or will be misused.
If the investigation determines that the misuse of information has not occurred, and is not reasonably likely to occur, no notice is required.
If the investigation determines that a misuse of information has occurred or is reasonably likely to occur, notice of the security breach must be made expeditiously to all persons potentially affected by the security breach, and not later than thirty days after the date of determination that a security breach occurred.
Notice of a security breach affecting encrypted information is only required if the investigation determines that the encryption key or other means to decipher the encrypted information was also acquired in the security breach or was reasonably believed to have been acquired.
Notice of a security breach under this section must include the following:
The date, estimated date, or estimated date range of the security breach;
A description of the personal information that was acquired or reasonably believed to have been acquired as a part of the security breach;
Company’s contact information that the person receiving the notice may use to call and inquire about the security breach;
The toll-free numbers, addresses, and websites for consumer reporting agencies;
The toll-free number, address, and website for the Federal Trade Commission; and,
A statement that the person receiving the notice can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.
If it is determined that the security breach has compromised a person’s username or email address in combination with a password or security questions and answers that would permit access to an online account, the notice of the security breach must also:
Direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the person whose personal information has been breached uses the same username, e-mail address and password, security question or answer.
Notice of the security breach may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation, and the law enforcement agency has notified Company not to send the notices as otherwise required. Once law enforcement determines that the notice of the security breach will no longer impede the investigation, and has notified Company that it is appropriate to send notice of the security breach, Company must promptly send the required notices, no later than thirty days after such notification from law enforcement.
If the security breach affects five hundred Colorado residents or more, notice of the security breach must also be made expeditiously to the Colorado attorney general, and not later than thirty days after the date of determination that a security breach occurred.
If the security breach affects more than one thousand Colorado residents, Company shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of the notification to such residents, and the approximate number of residents to be notified. Company is not required to provide the names or other personal data of the security breach notice recipients.