Great American Title Company is hereinafter referred to as "the company."
1.0 Overview
Great American Title Company requires its employees to notify persons whose "personal information" held by the company have been compromised by a "security breach".
2.0 Purpose
This Policy is intended to ensure that the appropriate procedure is followed in the event of a breach in personal information. The procedures in this Policy must be followed for all types of breaches unless otherwise indicated.
3.0 Scope
The scope of this policy covers the information needed to process any type of breach; whether it is a security breach or a lesser breach.
4.0 Policy
Procedures in the Event of any and all Breaches Containment, Classification and Report of a Breach.
4.1 Containment
The first priority after any type of breach is discovered is to contain the breach and notify your immediate supervisor or management as quickly as possible. The data must be secured, and the reasonable integrity, security, and confidentiality of the data or data system must be restored.
4.2 Classification and Internal Reporting
The next step is to determine the exact nature of the breach in terms of its extent and seriousness. The supervisor or executive management must take immediate action to
determine the extent and category of the breach and to take such further action as is necessary to contain the breach or recover the missing data. Company’s Counsel may
also be requested to help determine the category of the breach. The supervisor or executive management must document the breach, the scope of the breach, steps taken to contain the breach, and the names or categories of persons whose personal information was, or may have been, accessed or acquired by an unauthorized person.
4.3 Action Steps after Discovery of Any and All Breaches
Contact the Company’s in house Counsel or President of Company.
4.3.1 Action’s to be taken if the Company’s in house Counsel or President determines there has been a "Lesser Breach," i.e., a Breach that does not constitute a "Security Breach" as defined by this Policy.
If there has not been a "security breach" as defined by the this Policy, then only the Company Counsel or its President, in their sole discretion, may direct that notification be given, if, under the facts and circumstances surrounding the breach, the Company Counsel or its President believes it to be in the best interest of the Company and of individuals whose personal information may have been put at risk.
4.4 Notifications
4.4.1 Time for Providing Notification
The Company shall notify affected individuals without unreasonable delay.
Responsibility for Providing Notification
The responsibility for providing notification shall be at the determination of
Company’s Counsel or the President. The Company’s Counsel or President may
delegate this responsibility, but should satisfy himself or herself that the proper notification has, in fact, occurred. The Company’s Counsel or President will
review the proposed notification before it is sent and will assist in drafting as required.
Contents of the Notification
The notification shall be clear and conspicuous and include all of the following:
1.A description of the incident in general terms;
2.A description of the type of personal information that was subject to the unauthorized access and acquisition;
3.A description of the actions taken by the Company to protect the personal information from further unauthorized access. However, the description of those actions may be general so as not to further increase the risk or severity of the breach;
4.A telephone number that the person may call for further information and assistance;
5.Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports;
6.The
A.Equifax
B.Experian (888)EXPERIAN
C. TransUnion
7.The
A.Federal Trade Commission Consumer Response Center 600 Pennsylvania Avenue NW Washington, DC 20580
B.Texas Attorney General Office 300 W. 15th Street
Austin, TX 78701 Telephone: (800)
www.oag.state.tx.us/agency/contacts.shtml
4.4.2 Method of Notification
Notification to affected persons must be provided by one of the following methods unless substitute notification is permitted:
1.Written notification
2.Electronic notification, for those persons for whom the Company has a valid
3.Telephonic notification provided that contact is made directly with the affected persons
4.4.3 Substitute Notification.
Substitute notification may be given if:
1.The cost of providing the notification exceeds $250,000
2.The Company does not have the necessary contact information to notify an individual in any of the aforementioned manners
3.The Company is not able to identify particular affected individuals
4.4.4 Method of Substitute Notification.
If given, substitute notification shall include all of the following:
1.
2.Conspicuous posting of the notification on the Company’s Web page
5.0 Enforcement
This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
6.0 Definitions
"Personal Information" is defined to mean a person's first name or first initial and last name in combination with any of the following items:
Social security or employer taxpayer identification number.
Driver's license, State identification card, or passport numbers.
Checking account numbers.
Savings account numbers.
Credit card numbers.
Debit card numbers.
Personal Identification Number (PIN code).
Digital signatures.
Any other numbers or information that can be used to access a person's financial resources.
Biometric data.
Fingerprints
Even if listed above, "personal information" does not include publicly available directories containing information an individual has voluntarily consented to have
publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, State, or local government records.
"Security Breach" is defined to mean: an incident of unauthorized access to and acquisition of unencrypted and
Good faith acquisition of personal information by an employee for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose and is not subject to further unauthorized disclosure.
"Security Breach" vs. "Lesser Breach"
In this Policy, the phrase "security breach" means that type of breach necessitating notice to impacted persons. The phrase "lesser breach" refers to any other type of breach. The procedures in this Policy must be followed for all types of breaches unless otherwise indicated.
7.0 Revision History
Revision 1.0, 10/13/2012