This policy covers all Sedulous Authorized Persons, Sedulous web site visitors, Information Assets and Information Technology Assets as defined in Sedulous Cyber Security Policy.
Personally Identifiable Information (PII): Personal financial or medical information or other personal information of a confidential nature about an individual in combination with a known personal identifier such as the individual’s name, address, telephone number, or social security number. PII does not include information that is publicly accessible, such as information in public records, or information that does not identify an individual person, such as aggregate information or blind data that does not contain personal identifiers from which the person’s identity can be determined.
Employee information: Any Personally Identifying Information of a Sedulous employee that is not subject to disclosure for a legitimate business purpose.
Depositor Information (sometimes referred to as Non-Public Financial Information): Any and all client data, or customer data of our clients, relating to and identified with a Depositor beyond Personally Identifying Information. Examples include account types, account balances and credit rating information gathered during account opening.
Non-Public Supervisory Information (NPSI): Any information collected, maintained, produced or issued which relates to the supervision of or enforcement action between regulatory agencies and institutions or persons associated with the regulated industry.
Protected Health Information (PHI): Health information, including demographic information, collected from an individual that: (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (c) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.[1]
[1] PHI does not include information (x) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USC 1232g; (y) in employment records held by a health care provider, health plan, employer or health care clearinghouse in its role as employer; or (z) regarding a person who has been deceased for more than 50 years.
The following requirements have been developed to ensure the privacy of covered information assets.
Sedulous Senior Management must ensure that an individual is clearly identified as the responsible party for administering all privacy-related processes at all times. Accountability is currently assigned to the Chief Technical Officer and the term “Privacy Officer” will apply.
Notice to clients
Sedulous will be responsible for providing notice to its clients and Sedulous site visitors covering their Privacy-related Information Assets that are collected, used, retained, disclosed and destroyed by Sedulous.
Choice and Consent
Sedulous will communicate the available privacy choices to clients and Sedulous site visitors and seek their consent before accessing their Privacy-related Information Assets, in any form.
Sedulous will communicate with and seek the consent of clients and Sedulous site visitors before collecting any additional Privacy-related Information Assets about such client, in any form.
Use and Retention
Sedulous will be responsible for communicating the usage of any client Privacy-related Information Assets. It will also be responsible for communicating the retention period established pursuant to policy or contractual obligations with clients, as appropriate, and safeguards put in place to ensure the confidentiality of this information. Data subject to litigation hold shall not be destroyed.
Sedulous will be responsible for controlling and monitoring the access to any Privacy-related Information Assets and the access will be controlled on “Need-to-know” and “Least Privilege” principles. Procedures will be implemented to ensure that there is no unauthorized access to Highly-Confidential information. Electronic mechanisms will be implemented to corroborate that Highly-Confidential information has not been altered or destroyed in an unauthorized manner.
The destruction of Privacy-related Information Assets will be performed based on the classification of the data. There will be a process to securely erase the data on the servers, workstations and any portable media that contain any of Sedulous’s or its clients’ data. The company will work with third-party vendors to destroy data storage media using degaussing techniques and eradication of data. Data subject to litigation hold shall not be destroyed.
Disclosure to third parties
Sedulous may use the services of qualified third-party providers in the course of providing the contracted services to our clients. Where applicable, Sedulous will include Sedulous policy compliance and indemnification in all third-party provider contracts and agreements.
Sedulous will seek the consent of the clients, when they are the owners of the Privacy-related Information Assets, before sharing them with any third parties. As part of this consent for disclosure, Sedulous will specify what information will be shared and with whom. It will also provide any additional details on the third party, if required by the client. It will proceed with the disclosure of information to third parties only once consent has been obtained from the clients or depositors.
Monitoring and enforcement
Sedulous will have monitoring controls for Privacy-related Information Assets. It will also enforce these controls by monitoring them on a real-time basis. Any violation of these controls will be treated as a “Security Incident” and will be handled as per the “Incident Management Policy”.
Sedulous will ensure the quality of the Privacy-related Information Assets it collects or maintains and ensure that this information is accurate, complete, and relevant for the purposes identified in the Notice. It will employ techniques to guarantee the quality of the Privacy-related Information Assets during storage and during communications with its clients, employees or any other third parties.
This policy must be reviewed at least annually by the Information Technology Manager for relevancy and accuracy. Duly noted revisions must be maintained in section 4.13 of this document.
This document must conform to all state and federal privacy regulations governing Sedulous. It is also based on the privacy guidelines and requirements of any compliance certification which Sedulous seeks or maintains.
Communication and training
Sedulous provides a process and mechanism with which to handle periodic communication of policies and standards regarding privacy-related information to the internal organization and external owners. This communication will be achieved through the following means:
Periodic release and update notification via email
Availability in the common Intranet location, which is accessible to all of the employees and contractors
Sending periodic notification of update and availability to the external owners
Performing Security Awareness and Training for all appropriate parties, at least once a year
External communication – Sedulous Web site privacy statement
This policy also will be provided, upon request, to clients/customers and any other third party which directly or indirectly engages in business with Sedulous.
Privacy-related training and education material must be provided to employees, consultants and third-party providers upon the beginning of employment or access to information. Training and education materials must be incorporated into an overall security awareness campaign, reviewed on an annual basis and signed by all employees, contractors and third parties.
The Information Security team must exercise due diligence for prospective third-party providers prior to contracting with the vendor to handle or process Privacy-related Information Assets. The team must review the ability of the third-party provider to meet privacy obligations at least annually.
Sedulous recognizes the need to react quickly to a possible exposure of privacy information to unauthorized parties and must maintain an incident response plan designed to mitigate, minimize, and manage any suspected or confirmed breach.
The Sedulous Computer Security Incident Response Team (CSIRT) will be responsible for accepting incident reports, investigation of incident reports, and all internal and external communications according to legal and other contractual obligations. The Information Technology Manager must give an explicit sign-off approval that all internal privacy laws have been reviewed.
Compliance with this policy is mandatory and all employees, contractors and third parties will be required to accept it. Refer to the Sedulous Cyber Security Policy for details regarding non-compliance. Failure to comply can result in disciplinary actions up to and including termination.