Great American Title Company is hereinafter referred to as "the company."

1.0 Overview

NPI or Confidential data is typically the data that holds the most value to a company. Often, NPI or confidential data is valuable to others as well, and thus can carry greater risk than general company data. For these reasons, it is good practice to dictate security standards that relate specifically to confidential data.

2.0 Purpose

The purpose of this policy is to detail how NPI or Confidential data, as identified by the Data Classification Policy, should be handled. This policy lays out standards for the use of confidential data, and outlines specific security controls to protect this data.

3.0 Scope

The scope of this policy covers all company NPI or Confidential data, regardless of location. Also covered by the policy are hardcopies of company data, such as printouts, faxes, notes, etc.

4.0 Policy

4.1 Treatment of NPI or Confidential Data

For clarity, the following sections on storage, transmission, and destruction of NPI or confidential data are restated from the Data Classification Policy.

4.1.1 Storage

NPI or Confidential data must be removed from email, desks, computer screens, and common areas unless it is currently in use. NPI or Confidential data should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.

4.1.2 Transmission

Passwords must be used when transmitting NPI or Confidential data, regardless of whether such transmission takes place inside or outside the company's network. NPI or Confidential data must not be left on voicemail systems, either inside or outside the company's network, or otherwise recorded.

4.1.3 Destruction

NPI or Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:

Paper/documents: cross cut shredding is required.

Storage media (CDs, DVDs): physical destruction is required.

Hard Drives/Systems/Mobile Storage Media: physical destruction is required. If physical destruction is not possible, the IT Manager must be notified.

4.1.4 Removable Media

Storage of NPI data on removable media must comply with the Information Security Policy.

4.2 Use of NPI or Confidential Data

A successful NPI or Confidential data policy is dependent on the users knowing and adhering to the company's standards involving the treatment of NPI or Confidential data. The following applies to how users must interact with NPI or confidential data:

Users must be advised of any NPI or Confidential data to which they have been granted access.

Users must only access NPI or Confidential data to perform their job function.

Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of NPI or Confidential data.

Users must protect any NPI or Confidential data to which they have been granted access and not reveal, release, share, email without the use of passwords, exhibit, display, distribute, or discuss the information unless necessary to do his or her job or the action is approved by his or her supervisor.

Users must report any suspected misuse or unauthorized disclosure of NPI or Confidential data immediately to his or her supervisor.

If NPI or Confidential data is shared with third parties, such as contractors or vendors, a non-disclosure agreement must govern the third parties' use of NPI or Confidential data. Refer to the company's IT Outsourcing Policy for additional guidance.

If NPI or Confidential data is shared with a third party, the company must indicate to the third party how the data should be used, secured, and destroyed. Refer to the company's IT Outsourcing Policy for additional guidance.

4.3 Security Controls for NPI or Confidential Data

NPI or Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:

Passwords: Passwords must be used for confidential data transmitted internally or externally to the company.

Physical Security: Systems that contain NPI or confidential data, as well as NPI or Confidential data in hardcopy form, should be stored in secured areas. Special thought should be given to the security of the keys and access controls that secure this data.

Printing: When printing NPI or Confidential data the user should use their best efforts to ensure that the information is not viewed by others. Printers that are used for NPI or Confidential data must be located in secured areas.

Faxing: When faxing NPI or Confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent, and the user should attach this page to the NPI or Confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving NPI or Confidential data must be located in secured areas.

Emailing: NPI or Confidential data must not be emailed inside or outside the company without the use of passwords. Incoming emails containing NPI must be printed and uploaded into FAST. Once completed, the email must be deleted. After the email is deleted, it must be deleted again from the deleted folder in Outlook.

Mailing: If NPI or Confidential data is sent outside the company, the user must use a service that requires a signature for receipt of that information. When sent inside the company, NPI or Confidential data must be transported in sealed security envelopes marked "Confidential."

Discussion: When NPI or Confidential data is discussed it should be done in non-public places, and where the discussion cannot be overheard.

NPI or Confidential data must be removed from documents unless its inclusion is absolutely necessary.

NPI or Confidential data must never be stored on non-company-provided machines (i.e., home computers).

If NPI or Confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded.

4.4 Examples of NPI or Confidential Data

The following list is not intended to be exhaustive, but should provide the company with guidelines on what type of information is typically considered NPI or Confidential. NPI or Confidential data can include:

Employee or customer social security numbers or personal information

Medical and healthcare information

Electronic Protected Health Information (EPHI)

Customer data

Company financial data (if company is closely held)

Sales forecasts

Product and/or service plans, details, and schematics

Network diagrams and security configurations

Communications about corporate legal matters

Passwords

Bank account information and routing numbers

Payroll information

Credit card information

Any confidential data held for a third party (be sure to adhere to any confidential data agreement covering such information)

4.5 Emergency Access to Data

A procedure for access to NPI or Confidential data and critical data during an emergency must be developed and documented. The company must establish a procedure for emergency access in case the normal mechanism for access to the data becomes unavailable or disabled due to system or network problems.

Refer to the Disaster Recovery and Continuity Plans.

4.6 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Authentication: A security method used to verify the identity of a user and authorize access to a system or network.

Mobile Data Device: A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive.

NPI: Non-Public Information

Two-Factor Authentication: A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.

7.0 Revision History

Revision 1.0, 10/13/2012

Revision 2.0, 09/01/2014

Revision 3.0, 02/26/2015

Revision 4.0, 10/20/2015

Revision 5.0, 07/26/2019