Best Practices Policy #3 - Privacy and Information Security: First Action Title Agency has adopted the following policies and procedures to document our information security program to protect Non-public Personal Information as required by local, state and federal law (including the Gramm-Leach-Bliley Act). The program is appropriate to the size and complexity of our company and the nature and scope of our activities. Compliance with the following procedures is required of all employees, and failure to comply with the procedures outlined herein will be grounds for immediate termination of employment.
Our company recognizes that we must take necessary and appropriate steps, within our capabilities, to protect Non-public Personal Information (NPI) from loss or misuse, to avoid reputational damage, and to prevent the misuse of this data from adversely impacting our customers and business. The protection of this data is a critical business requirement, yet the flexibility to access the data and to work efficiently with it was also considered in the development of this policy. This policy will be evaluated annually and adjusted in the event our business operations change or in light of other relevant circumstances.
For the purposes of this policy, Non-public Personal Information (NPI) is defined as “First name or first initial and last name coupled with any of the following: Social Security Number, Driver’s license number, state issued ID number, credit card number, debit card number or other financial account numbers.” “Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
A. Physical security of Non-public Personal Information (NPI)
To help ensure the physical security of all Non-public Personal Information we will:
- Restrict access to Non-public Personal Information to authorized employees with a legitimate business purpose, on a need to know basis.
- Perform a criminal and public records background check going back at least five (5) years on every new hire and on all employees who will have access to NPI. For any employee with customer contact, these checks for criminal offenses will include Dishonesty Offenses (involving dishonesty, a breach of trust, or money laundering) and Violence Offenses (a felony or its equivalent, or multiple misdemeanors or their equivalents, principally involving violence or harassment). A background check will be repeated at least every three years thereafter.
- Restrict the use of removable media unless authorized by management, and require that such media be properly secured and stored when not in use.
- Use only secure methods of transmitting NPI.
- Adhere to a “clean desk” policy during the work day, where all files (hard copy or electronic) are closed and locked when employees are away from their desk, and are stored in a locked desk, file cabinet, or secure room overnight.
- Share information with third parties and affiliated or related parties only in accordance with our Privacy Notice which shall be posted on our website.
B. Network Security of Non-public Personal Information
To help ensure the secure collection, transmission, and storage of Non-public Personal Information within our network we will:
- Take appropriate steps to protect the security of our computing network, including firewalls, up-to-date virus protection, and intrusion detection and prevention systems.
- Utilize strong, individual, and unique passwords that are changed at least every 90 days. A strong password is at least 8 characters in length and contains 3 of the following 4 types of characters: lower case letters, upper case letters, numbers, and special characters.
- Encrypt any email transmission containing NPI.
- Provide our employees with our “Acceptable Use of Information Technology Policy” (see attached), which is acknowledged annually. This helps our staff and other authorized users carry out the tasks associated with their jobs while remaining in compliance with the Privacy Policy of First Action Title Agency (see attached) and all relevant federal and state laws and regulations protecting NPI.
C. Disposal of Non-public Personal Information
To help protect and properly dispose of Non-public Personal Information we have:
- Clearly defined and communicated to our employees what types of information/data fall into the category of NPI. A definition of NPI is provided in the beginning of this policy.
- Provided shredders or locked disposal bins accessible only by an outside shredding service.
- Required that all hardware containing NPI that is to be disposed of be securely erased (or rendered unreadable by destroying the encryption keys for encrypted storage) or physically destroyed prior to disposal.
D. Establish a Disaster Management Plan
The company has established a Disaster Management Plan (attached). This plan helps ensure adequate back-up, recovery and business continuity procedures for our company. This plan is reviewed and updated annually or as appropriate.
E. Appropriate Management and Training of Employees to Help Ensure Compliance with the Information Security Program of First Action Title Agency.
To ensure appropriate management of our policy, and employee training regarding the Company’s information security policy we:
- Provide all employees with a copy of our Acceptable Use of Information Technology Resources policy (attached) and obtain signed acknowledgements of receipt.
- Review our Information and Data Privacy Policy annually to detect the potential for improper disclosure of confidential information and update as appropriate.
- Oversee all third-party service providers to help ensure compliance with our Company’s information security program. We retain only service providers that are capable of appropriately safeguarding NPI and that have either agreed to do so in our contract or have otherwise demonstrated that they protect NPI in accordance with our policy. If a security breach occurs, proper notification is provided to consumers and law enforcement in accordance with the Company’s privacy and information security program.
F. Notification of Security Breaches to Customers and Law Enforcement
To ensure proper notification of security breaches to our customers and law enforcement we will:
- Post our Information and Data Privacy Policy on our website (or provide it to our customers at closing if no website exists).
- Adhere to our procedure to notify our customers and law enforcement of the breach as required by law or contract. All data breaches will be reported and investigated in a timely manner. In the event of a breach, employees will immediately notify a supervisor or agency management. The affected data will be secured to prevent any further breach, and the reasonable integrity, security and confidentiality of the data or data system will be restored.
- Contact our IT department (or IT contractor) to help determine the nature of the breach in terms of its extent and seriousness. We may also contact our Legal Department (or Attorney) to help determine the category of the breach.
- Document the breach, the scope of the breach, steps taken to contain the breach, and the names or categories of persons whose personal information was, or may have been, accessed or acquired by an unauthorized person.
- Provide the documentation on the breach to senior management who will direct that notification be given to affected parties if the breach appears to have resulted in the theft or loss of NPI.
- Provide notification of a breach to affected individuals without unreasonable delay except that notification shall be delayed if law enforcement informs the Company that disclosure of the breach would impede a criminal or other investigation. A request for delayed notification must be made in writing including the name of the law enforcement officer making the request and the officer's agency engaged in the investigation. Such delayed notification shall continue until the law enforcement agency communicates to First Action Title Agency its determination that notification will no longer impede the investigation.
- Ensure the notification is clear and conspicuous and includes the following:
  - A description of the incident in general terms;
  - A description of the type of personal information that was subject to the unauthorized access and acquisition;
  - A general description of the actions taken to protect the personal information from further unauthorized access;
  - A telephone number that the person may call for further information and assistance;
  - Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports;
  - The toll-free numbers and addresses for the major consumer reporting agencies; and the toll-free numbers, addresses, and website addresses for the Federal Trade Commission (FTC) and the Attorney General’s Office for the state in which the victim is located, along with a statement that the individual can obtain information from these sources about preventing identity theft.
- Notify the affected persons by one of the following methods:
  - If we can identify the particular individuals affected and have the necessary contact information for them, notice will be provided in writing by US Postal Service, or by electronic notification if the Company has a valid email address.
  - If we do not have the necessary contact information to notify an individual, or are not able to identify the particular affected individuals, notice will be provided by a conspicuous posting on the Company’s website and by publication in widely distributed print media in the states where affected individuals are reasonably anticipated to reside.