Data Privacy and Security Policy
Statement of Policy
It is the policy of CMIC to protect against the unauthorized access, use, corruption, disclosure, and distribution of non-public personal information in its possession, and to comply with all applicable state and federal laws and regulations regarding such information. CMIC shall hold non-public personal information in strict confidence and shall not release or disclose such information to any person except as required or authorized by law and only to such persons who are authorized to receive it. CMIC shall not utilize any non-public personal information for any purpose other than the administration of it business activities. In furtherance of this policy, CMIC shall adopt procedures for the administrative, technical and physical safeguarding of all non-public personal information. CMIC shall ensure that an entity retained by it, or any other entity that utilizes information provided by CMIC to carry out its responsibilities, shall have signed and agreed to abide by the terms of the Data Privacy and Security Policy or shall have adopted a data privacy and security policy that is substantially similar to CMIC’s policy.
CMIC shall appoint an Information Security Officer to review and maintain compliance with the principles of this Policy. It is the responsibility of such Security Officer to ensure the following:
- Access to non-public personal information shall be limited to authorized users who need to have access to carry out CMIC’s responsibilities as it relates to that information.
- Each employee and authorized user with access to non-public personal information shall annually sign a copy of CMIC’s Data and Privacy Security Policy and Procedures and agree to abide by its terms.
- Except as required by law, when CMIC provides non-public personal information to third parties, it shall first provide a copy of this Data Privacy and Security Policy and require the third party to certify that it has read the policy and agrees to comply with applicable provisions, or that it has a substantially similar data privacy and security policy and that it will comply with the applicable provisions of its policy with respect to the non-public personal information provided.
- CMIC will perform a background check as further defined in CMIC’s human resources policies on employees with access to non-public personal information. Any third party with access to non-public personal information must certify that it has performed a background check on its employees who have access to CMIC’s non-public personal information.
- CMIC shall ensure to the extent possible that there is a clear separation of duties to prevent important management controls from being overlooked and to preserve the integrity, availability, and confidentiality of information assets by minimizing opportunities for security incidents, outages and personnel problems.
- CMIC shall train employees and other authorized users in the use and maintenance of security procedures.
- Violations of the data privacy and security policy may result in disciplinary action up to and including termination of employment.
CMIC will adopt procedures for protecting and maintaining the security and integrity of its information systems including network infrastructure and software design, information processing, storage, transmission, retrieval and disposal. These procedures address the following matters:
- Limiting access to those individuals necessary to carry out CMIC’s role with respect to non-public personal information.
- Limiting access to only those authorized users who shall have signed and agreed to abide by the terms of the Data Privacy and Security Policy or shall have adopted a data privacy and security policy that is substantially similar to CMIC policy.
- Protecting physical and electronic records from unauthorized access, interception, distribution or destruction.
- Records back-up and off-site storage procedures to prevent inadvertent loss or destruction of records.
- Data security procedures to prevent unauthorized access or interception of non-public personal information.
- Procedures for protecting data when changing, upgrading, or replacing servers, computers or other storage media.
- Procedures for properly disposing of unneeded or outdated records.
- Procedures to monitor, detect, and report upon any improper disclosure or theft of nonpublic personal information.
- Procedures to periodically test and review the security procedures and maintain a record of the maintenance and review process.
- Annual audit of procedures for compliance and effectiveness with adjustments as appropriate.
Information Security and Response
CMIC will adopt procedures for the prevention, detection and response to unauthorized access to non-public personal information. In the event non-public personal information is accessed by someone without proper authorization, CMIC shall immediately investigate and take appropriate remedial actions to mitigate or prevent loss or damage to affected individuals. Each situation will be evaluated separately, and based upon the potential for loss or damage to affected individuals; CMIC will take one or more of the following measures:
- Make such notifications to affected individuals as may be required by law.
- Report the incident to appropriate law enforcement officials.
- Determine the nature and cause of the security breach and implement corrective measures.
As used in this section, “personal information” means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.