Susi Auto Body, LLC Comprehensive Information Privacy and Security Program
I. OBJECTIVE
Our objective, in the development and implementation of this comprehensive written information privacy and security plan (“Plan”), is to create effective administrative, technical and physical safeguards for the protection of personal information of residents of the Commonwealth of Massachusetts and to comply with obligations under 201 CMR 17.00. The Plan sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting personal information of residents of the Commonwealth of Massachusetts.
II. PURPOSES
The purpose of the Plan is to:
(a) Ensure the security and confidentiality of personal information;
(b) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(c) Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
For purposes of this policy, “personal information” means:
A Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following that relate to such resident:
(a) Social Security number;
(b) Driver’s license number or state-issued identification card number; or
(c) Financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account.
Susi recognizes that, in particular, it possesses the personal information of Massachusetts residents in the following places:
Customers, prospective customers and former customers, employees thereof or parties to a lawsuit; personnel files and benefits information for Susi employees; and payroll information for Susi employees, including direct deposit information. This information may exist in hard copy in any Susi office(s) or other company-authorized locations, or in electronic format, including, but not limited to, Susi servers, Susi computer hard drives, CD-ROMs, USB drives and third-party service providers.
This policy is intended to protect this information from unauthorized access and/or use.
III. SCOPE
In formulating and implementing the Plan, we have (1) identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information; (2) assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluated the sufficiency of existing policies, procedures, client and administrative information systems, and other safeguards in place to control risks; (4) designed and implemented a plan that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5) committed to regularly monitoring the effectiveness of those safeguards.
IV. DEFINITIONS
The following words as used herein shall, unless the context requires otherwise, have the following meanings:
Breach of security: the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or agency and that creates a substantial risk of identity theft or fraud against a resident of the Commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
Electronic: relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
Encrypted: the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
Owns or licenses: receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
Person: a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.
Personal Information: a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Record or Records: any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
Service provider or vendor: any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that “Service provider” or “vendor” shall not include the U.S. Postal Service.
V. DATA SECURITY COORDINATOR
Susi has designated management to implement, supervise and maintain the Policy and to appoint and oversee a Data Security Committee, which will be responsible for:
- Initial implementation of the Policy;
- Training employees;
- Regular testing of the Policy’s safeguards;
- Evaluating the ability of service providers to comply with the law;
- Reviewing the scope of the security measures in the Policy at least annually or whenever there is a material change in our business practices affecting the Policy;
- Conducting an annual training session for all Susi employees who have access to personal information.
VI. MOBILE SUBSCRIBER INFORMATION
- Your Mobile Information will NEVER be shared with other parties under any circumstances. This includes no sharing with third parties, affiliates, or for marketing or promotional purposes.
- TEXT MESSAGES: By agreeing to the preceding, you authorize us to contact you, including by sending text messages directly or through a conduit text messaging service and other communications to a cell phone using an automatic telephone dialing system or an artificial or prerecorded voice message, at any number you provide. You acknowledge that any text messages or prerecorded messages sent by us may contain sales or marketing content. You may revoke your consent for us to contact you at a specified telephone number by communicating your revocation to us through any reasonable means.
VII. INTERNAL RISKS
To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and currently effective no later than.
To combat internal risks to the security, confidentiality and/or integrity of records containing personal information, including any and all customer files, the following measures will be taken:
- Employees with access to personal information will be trained on this Policy;
- Susi employees shall access client files only for legitimate business purposes;
- Only Susi authorized personnel shall have access to employees’ personnel files, payroll information and benefit information.
- Files containing personal information shall be maintained in a secure fashion when not in use. If an employee needs to transport records containing personal information outside of Susi premises, reasonable steps shall be taken to maintain the security of the information. Personal information shall only be stored on Susi approved media.
(a) Susi employees who telecommute shall maintain the same level of security as required by Susi employees on site.
- When it is appropriate to destroy Susi records, paper and electronic records containing personal information shall be destroyed in a manner in which personal information cannot be read or reconstructed.
- Susi computers shall require a user ID and password. Current employees’ computer-use IDs and passwords shall be changed periodically. Electronic access to personal information shall be locked after multiple unsuccessful attempts to log in.
- Terminated employees must:
(a) Return all records containing personal information, in any form (including all such information stored on laptops or other portable devices or media and files, records, work papers, etc.);
(b) Return all keys, IDs, access codes and/or badges;
(c) Be prohibited from accessing personal information; and
(d) Have their access to e-mail, voicemail and Susi internet and network passwords invalidated.
- Electronic access to personal information shall be restricted to active users and active user accounts only.
- Employees are encouraged to report to the Data Security Officer any suspicious or unauthorized use of customer information.
- All security measures contained in this Policy shall be reviewed and reevaluated annually, or whenever there is a material change in the business.
- Susi employees who violate this Policy may be subject to discipline up to and including termination.
- Susi should ensure that vendors who are provided personal information have their own compliant written security plan.
VIII. EXTERNAL RISKS TO PERSONAL INFORMATION
To minimize external risks to the security and integrity of records containing personal information, including any and all client files and files relating to a party to a lawsuit, the following measures will be taken:
- Visitors to Susi shall not have access to records containing personal information. Susi employees who host visitors should adhere to Susi visitor protocol and take reasonable steps to ensure the security of personal information.
- Susi shall maintain up-to-date firewall protection and operating system security patches.
- Susi shall maintain up-to-date versions of security software, which includes malware protection with up-to-date patches and virus definitions.
- To the extent technically feasible, personal information stored on laptops or other portable devices shall be encrypted.
- To the extent technically feasible, personal information transmitted across public networks or wirelessly shall be encrypted.
- To the extent technically feasible, computer systems shall be monitored for unauthorized use.
- Secure use protocols are in place, including:
(a) Protocols for control of user IDs and other identifiers;
(b) A secure method of assigning and selecting passwords; and
(c) Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.
- Employee log-ins and passwords are not vendor supplied default log-ins and passwords.
IX. IN THE EVENT A BREACH OF PERSONAL INFORMATION OCCURS
A security breach occurs when there is an unauthorized acquisition or use of personal information of one or more Massachusetts residents. The following measures will be taken by Susi in the event of a security breach which creates a risk of identity theft to Massachusetts residents:
- Susi will document responsive actions taken in connection with any incident involving a breach of security and conduct a post-incident review of events and actions taken, if any, to make changes in business practices relating to protections of personal information.
- Susi will notify the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the Massachusetts Attorney General’s Office and the applicable Massachusetts state regulator (if any). This notice shall include the nature of the breach, the number of Massachusetts residents affected by the breach and all steps Susi has taken to rectify the incident and to prevent any further breaches from occurring.