SHARKBYTES is committed to protecting the privacy and security of all Highly Confidential Data (as defined in Section 4.0 below) that SHARKBYTES maintains, including information about individuals such as associates, customers, vendors and suppliers (hereafter, “individuals”). Many federal and state laws in the United States, and the laws of other countries around the world, require companies to take measures to protect the confidentiality of certain Highly Confidential Data that is owned, licensed, processed or otherwise accessed in connection with the provision of goods or services or in connection with employment or volunteer work. Our customers also expect us to provide a high level of security for any sensitive information with which we come into contact.
The purpose of this Policy is to (a) advise all SHARKBYTES associates of the best way to protect Highly Confidential Data of individuals from unauthorized disclosure, access and inappropriate use; and (b) advise SHARKBYTES associates who manage or control SHARKBYTES’s High Risk Applications (as defined in 4.0 below) of their responsibilities with respect to the protection of the Highly Confidential Data that may be stored on or accessed by such High Risk Applications.
This Policy applies to all SHARKBYTES associates worldwide.
This Policy should be read in conjunction with SHARKBYTES’s other Policies and Procedures relating to privacy, security and data protection, some of which are compiled in SHARKBYTES’s Written Information Security Plan. These policies and procedures are referenced in Section 5.0 below.
3.1 PROPER USE OF HIGHLY CONFIDENTIAL DATA BY ALL SHARKBYTES ASSOCIATES
All associates should be aware of and comply with SHARKBYTES’s Privacy and Data Protection Policies, which pertain to any personally identifiable information about an individual. Certain business processes at SHARKBYTES require the use of and access to Highly Confidential Data of individuals. It is the responsibility of each associate with access to Highly Confidential Data to use this information in an appropriate manner and to comply with all applicable data privacy laws and regulations. If you believe you have a legitimate business need to use or access Highly Confidential Data, you must comply with the requirements set forth herein.
Highly Confidential Data should only be accessed, collected or stored if it is appropriate for a legitimate business purpose. If your responsibilities require the collection, access or storage of Highly Confidential Data, you must ensure that you understand your obligations under this Policy.
All Application Owners are responsible for identifying any Highly Confidential Data that is coming into, stored on or leaving their applications and must comply with the provisions of Section 3.2 of this Policy.
3.1.1 LIMITING USE/DELETION AND DESTRUCTION
To the extent that Highly Confidential Data is not needed for the performance of your business function, it should be deleted from a file or document and destroyed. This applies to both electronically stored documents and paper records.
Highly Confidential Data should not be printed unless absolutely necessary.
If a record or document containing Highly Confidential Data is no longer needed, it must be disposed of securely (e.g. deleted, shredded or placed into a locked bin marked for shredding) in accordance with SHARKBYTES’s Records and Information Management Policies.
SHARKBYTES associates should not accept or obtain access to any documents containing Highly Confidential Data of a third party unless it is necessary for a legitimate business purpose.
Highly Confidential Data must only be collected for specified, explicit, and legitimate purposes and must not be further processed in a way that is incompatible with those purposes.
3.1.2 STORAGE AND ACCESS
Portable devices (including laptops, mobile phones, Blackberries, PDAs, USB drives and mp3 players) can be easily lost or stolen and do not have the same security controls as central servers or desktop computers. Accordingly, Highly Confidential Data should NEVER be stored on a portable device unless the data is protected by encryption. If your business process requires downloading such information onto a portable device, you should consult SHARKBYTES’s Executive Director to ensure that proper security measures are followed to protect the Highly Confidential Data.
Highly Confidential Data should only be stored on authorized servers and applications in an approved production environment. If your business process requires storage of Highly Confidential Data on a non-authorized server or application, you should consult SHARKBYTES’s Executive Director to ensure that proper security measures are followed to protect the information.
Highly Confidential Data should never be uploaded to any publicly accessible websites, social media sites (such as Facebook, LinkedIn or Twitter), or cloud-based storage or collaboration sites (such as Dropbox, personal OneDrive and Google Drive) unless approved by SHARKBYTES’s Executive Director.
All employees are required to comply with SHARKBYTES’s Password Procedure to ensure that all employee computers that store Highly Confidential Data are protected with strong passwords that are changed frequently in accordance with such Procedure.
Hardcopy files containing Highly Confidential Data must be stored in a secure location, such as a locked file cabinet or room, with access limited to only those associates who require the data for performance of their job roles.
3.1.3 DISCLOSURE AND TRANSMISSION TO THIRD PARTIES
Highly Confidential Data should never be provided to a Third Party (as defined in 4.0 below) unless approved in advance by SHARKBYTES’s Executive Director.
If it is necessary to provide Highly Confidential Data to a Third Party for a legitimate business purpose, then the transaction must be managed through SHARKBYTES’s review process, which will include:
• the completion and submission by the Third Party of a written request to the Executive Director describing the nature of the data being transferred, the purpose for its use, and the security and privacy policies and procedures of the Third Party;
• review and approval by SHARKBYTES’s Executive Director of the Master Services Agreement or other appropriate agreement reflecting the transaction;
• execution by the Third Party of SHARKBYTES’s Data Protection Agreement if it is not already included in the Master Services Agreement or other appropriate agreement; and
• use of SHARKBYTES’s secure transmission procedures to ensure that the transfer is performed in a secure manner, including file encryption and/or the secure transmission protocols established by Enterprise Information Security. Under no circumstances may unencrypted Highly Confidential Data be transmitted to third parties through email or FTP.
Any Highly Confidential Data that is transmitted wirelessly or across public networks must be encrypted using industry-standard encryption.
3.1.4 SECURITY BREACH OR UNAUTHORIZED ACCESS
In the event that a SHARKBYTES associate becomes aware of a Security Breach (as defined in 4.0 below) or suspected Security Breach with respect to any Highly Confidential Data, or any incident which may result in the unauthorized disclosure of, access to or inappropriate use of Highly Confidential Data, he or she must report the suspected Security Breach immediately by notifying SHARKBYTES’s Executive Director by email and telephone.
Any associate who witnesses or becomes aware of a lost or stolen laptop or other portable computing device must immediately notify SHARKBYTES’s Executive Director by email and phone.
In determining whether a Security Breach or unauthorized disclosure of, access to or inappropriate use of Highly Confidential Data has occurred, or is reasonably believed to have occurred, associates should consider the following factors, among others:
i. An indication that the information is (or may be) in the physical possession and control of an unauthorized person such as a lost or stolen computer or other device containing Highly Confidential Data.
ii. An indication that the Highly Confidential Data has been sent to, downloaded by, or copied by an unauthorized person.
iii. An indication that the Highly Confidential Data was used by an unauthorized person, such as having fraudulent accounts opened or instances of identity theft.
iv. An indication that the Highly Confidential Data was transmitted to an unauthorized person.
Once SHARKBYTES’s Executive Director has been notified of the Security Breach or unauthorized disclosure, access or inappropriate use, he or she will begin an investigation to determine if there are notification or other legal requirements with respect to such incident. SHARKBYTES’s Executive Director will be responsible for compliance with applicable laws relating to such incident.
3.2 PROTECTION OF HIGHLY CONFIDENTIAL DATA IN SHARKBYTES’S HIGH RISK APPLICATIONS
It is imperative that all High Risk Applications (as defined in 4.0 below) be secured appropriately to avoid any unauthorized disclosure of, access to or inappropriate use of Highly Confidential Data. This Section of the Policy specifically applies to all SHARKBYTES associates who are responsible for the maintenance or control of any High Risk Applications (“Application Owners”). These procedures, controls and safeguards are designed to:
a. ensure the security and confidentiality of Highly Confidential Data stored in or accessed by the High Risk Applications;
b. protect against any anticipated threats or hazards to the security or integrity of the Highly Confidential Data stored in or accessed by the High Risk Applications; and
c. protect against unauthorized disclosure of, access to and inappropriate use of any such Highly Confidential Data stored in or accessed by the High Risk Applications that could result in substantial harm or inconvenience to individuals.
3.2.1 ACCESS CONTROLS
Application Owners responsible for maintaining or controlling any High Risk Applications must ensure that Highly Confidential Data stored on or accessed by such High Risk Application is accessible only to employees who need such information to perform their job duties for SHARKBYTES.
In compliance with the law:
A. SHARKBYTES has in place user authentication protocols, including:
(i) control of user IDs and other identifiers;
(ii) a secure method of assigning passwords;
(iii) security controls of passwords that ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.
B. For all High Risk Applications, unique user IDs and passwords are assigned to employees in a manner that is designed to maintain the security of the access controls to that application. In addition, all use of vendor-supplied default passwords to components of a High Risk Application is strictly prohibited.
C. Access to High Risk Applications is restricted to authorized users and active user accounts only. Such restrictions allow access to records and files containing Highly Confidential Data only to users with a need to access such Highly Confidential Data in order to perform their jobs. The Application Owner determines who shall be an authorized user of the applicable High Risk Application.
D. SHARKBYTES’s Password Procedure is followed, including the requirement that passwords are changed periodically and that user access is blocked after multiple unsuccessful login attempts.
E. In accordance with SHARKBYTES’s Access Procedure, the Application Owner shall ensure that reviews of High Risk Applications are conducted so that electronic access by former employees, former service providers and any other individuals who are no longer authorized (including System Administrators, DBAs and Application Administrators) is promptly terminated. Voicemail access, email access, Internet access and passwords must be promptly blocked or disabled upon such termination.
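The access review in item E is easiest to carry out as a reconciliation of the application’s account export against the HR roster. The following is an added illustration, not SHARKBYTES’s own tooling or Access Procedure: it flags enabled accounts whose owner has left, accounts with no owner in the roster, and dormant accounts, and lists privileged roles (administrators, DBAs) first so they are revoked first. The roster fields, role names, user IDs and dates are constructed sample data.

```python
"""Access-review reconciliation for a High Risk Application (added example).

Joins an application account export against an HR roster and reports
accounts that the Application Owner must disable or confirm. All inputs
below are constructed sample data, not real SHARKBYTES records.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Roles treated as privileged; hypothetical names used for this example.
PRIVILEGED_ROLES = {"sysadmin", "dba", "appadmin"}


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: Optional[str]        # HR person id; None for service/shared accounts
    role: str
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in


@dataclass(frozen=True)
class Person:
    person_id: str
    engagement_end: Optional[date]  # None while still employed/contracted


@dataclass(frozen=True)
class Finding:
    user_id: str
    reasons: Tuple[str, ...]
    privileged: bool


# Constructed HR roster: two active people, one leaver, one contractor whose
# engagement has ended.
ROSTER: Dict[str, Person] = {
    "E100": Person("E100", None),
    "E200": Person("E200", date(2024, 5, 15)),
    "C300": Person("C300", date(2024, 6, 1)),
    "E400": Person("E400", None),
}

# Constructed account export from the application.
ACCOUNTS: List[Account] = [
    Account("alice", "E100", "analyst", True, date(2024, 6, 28)),
    Account("bob.dba", "E200", "dba", True, date(2024, 5, 14)),
    Account("vendor1", "C300", "appadmin", True, date(2024, 5, 30)),
    Account("svc_batch", None, "sysadmin", True, date(2024, 6, 29)),
    Account("carol", "E400", "analyst", True, date(2024, 1, 10)),
    Account("dave", "E500", "analyst", False, None),  # already disabled
]


def review_access(accounts: List[Account], roster: Dict[str, Person],
                  as_of: date, dormant_days: int = 90) -> List[Finding]:
    """Return findings for enabled accounts, privileged roles first.

    terminated: owner's engagement ended on or before as_of
    orphaned:   no roster entry for the owner (or no owner recorded)
    dormant:    never used, or unused for more than dormant_days
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # nothing left to revoke
        reasons: List[str] = []
        person = roster.get(acct.owner) if acct.owner else None
        if person is None:
            reasons.append("orphaned")
        elif person.engagement_end is not None and person.engagement_end <= as_of:
            reasons.append("terminated")
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            reasons.append("dormant")
        if reasons:
            findings.append(Finding(acct.user_id, tuple(reasons),
                                    acct.role in PRIVILEGED_ROLES))
    # Privileged accounts first, then alphabetical for a stable report.
    findings.sort(key=lambda f: (not f.privileged, f.user_id))
    return findings


def accounts_to_disable(findings: List[Finding]) -> List[str]:
    """Accounts to disable immediately; dormant-only accounts go back to the
    Application Owner for confirmation rather than automatic removal."""
    return [f.user_id for f in findings
            if "terminated" in f.reasons or "orphaned" in f.reasons]


def run_review(as_of: date = date(2024, 6, 30)) -> List[Finding]:
    return review_access(ACCOUNTS, ROSTER, as_of)


if __name__ == "__main__":
    for f in run_review():
        tag = "PRIVILEGED " if f.privileged else ""
        print(f"{tag}{f.user_id}: {', '.join(f.reasons)}")
    print("disable now:", accounts_to_disable(run_review()))
```

Disabled accounts are skipped rather than reported, so the output is only what still needs action; the service account with no owner is reported as orphaned because an account nobody is accountable for cannot pass a review.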
All associates who may access Highly Confidential Data are required to complete SHARKBYTES’s Privacy and Security Awareness Training as mandated by SHARKBYTES. In addition, those employees who may access any Protected Health Information or any customer data in the course of their employment at SHARKBYTES must complete the HIPAA Privacy training course.
All employees are required to comply with SHARKBYTES’s policies and procedures which establish guidelines for the use of computer equipment, software and accessories that connect to the SHARKBYTES network or are used at a SHARKBYTES location or used to conduct SHARKBYTES business.
The following terms will be used throughout this Policy document and shall have the following meanings:
High Risk Applications: shall mean all applications, internal and external, which may access or store Highly Confidential Data (as defined below).
Protected Health Information: shall mean individually identifiable health information that is created, modified, received or maintained by a covered entity that relates to an individual’s past, present or future physical or mental condition, treatment, or payment for care. “Identifiable” means that a person reading this information could reasonably use it to identify an individual.
Security Breach: shall mean the unauthorized acquisition or unauthorized use of Highly Confidential Data.
Highly Confidential Data: shall mean any data whose unauthorized disclosure could seriously and adversely impact the Company, its customers, employees and business partners.
The following are examples of Highly Confidential Data. See SHARKBYTES’s Data Classification Policy for more information on how SHARKBYTES classifies data:
1. Financial Identity Data, defined as SHARKBYTES Data that may cause an individual personal financial harm or subject that individual to identity theft if disclosed, used or accessed improperly. For purposes of this Policy, Financial Identity Data includes all personal information referenced in applicable breach notification laws and regulations, including but not limited to an individual’s first name (or initial) and last name in addition to one or more of the following:
• Social Security Number or Tax Identification Number
• Driver’s license number or state-issued ID number
• Financial account number and/or access codes (including checking, savings, brokerage)
• Credit/debit card number (with or without security/access code or PIN)
• Passport number
• Health-related and health insurance information
• Date of birth
• Biometric data
• Maiden name or parents’ name
• Any other numbers or information that can be used to access a person’s financial resources
2. Sensitive Personal Information, defined as personal information about an individual containing:
• Racial or ethnic origins
• Political opinions
• Religious beliefs
• Trade Union membership
• Physical or mental health information
• Committed or alleged criminal offenses
3. Customer Information, including data files provided to SHARKBYTES for purposes of allowing SHARKBYTES to provide support or services to our customers. Because there is a possibility that these files may contain sensitive data or information that the customer deems to be highly confidential, we must provide strict protection for this information.
4. User IDs and Passwords and other credentials or codes that may allow access to systems and/or networks containing Highly Confidential Data.
Third Party: shall mean any individual who is not employed by SHARKBYTES, or any organization other than SHARKBYTES.