Data Protection Policy

Data classification and handling are essential to the safeguarding and protection of data from unauthorized disclosure, at rest or in transit. State, Federal, and regulatory compliance mandates that sensitive data is protected for Confidentiality, Integrity, and Availability through the implementation of controls and monitoring. We protect data in both digital and hard-copy form by limiting access to only authorized users. Policy requirements for the destruction and handling of sensitive data must be adhered to at all times.

Rights to request data:

We support the Right of Access.  Individuals may request to obtain records maintained by us on their behalf by completing the “Authorization for Release of Information” form.

Incident Response:

We maintain a dedicated Incident Response team.  The Incident Response team is tasked with the identification and eradication of attacks against the organization.

The Incident Response Process is comprised of the following phases (PICERL):

  • Preparation
  • Identification and Analysis
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Effective incident response is dynamic, so in some cases activities may occur in multiple phases concurrently, or the process may return to previous phases.

Information Security Policies and Systems Audit:

We engage in an active Security program which is audited by an independent third party.  Security policies and systems audits are performed annually at a minimum.

Privacy and Data Security Management:

The Risk Management team is comprised of Executive Leadership roles – CEO, CFO, General Counsel, Chief Compliance Officer, and CIO.  The Executive Risk Management team has been developed to address cyber and data security risk concerns.