CUSTOMER PRIVACY NOTICE Last Updated: December 16, 2021.
Purpose of Notice
FactorCloud, LLC (the "Company") is committed to protecting the privacy and security of the personal and business information we collect, use, share, store, and otherwise process as part of our business practices.
We also believe in transparency, and we are committed to informing you about how we treat the information we collect, use, share, store, and process.
This Consumer Privacy Notice describes our practices regarding your personal and business information when you use the Company's ledger-based, electronic factoring system. When we interact with business or personal information on behalf of a customer, we adhere to the standards set forth in our contract with them and the terms set forth in this Notice.2. Application of NoticeThis Notice applies to personal and business information collected through the Company's website, software, electronic communications, and mobile or desktop applications.
Please read this Notice carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, you should not use the Company's services or use any of its platforms. Your use of the Company's services or use of any of its platforms expressly indicates that you agree to the terms and conditions set forth in this Notice.3. Information CollectedThe Company strives to only collect the information it needs to perform its services. The information we receive about you depends on the context of your interactions with the Company, how you configure your account, how you use the Company's services and platforms, and the choices that you make in connection with your User Agreement with the Company. The Company may collect the following categories of information:Category
We collect the types of information covered by this Notice from:
We retain and use your information for as long as is necessary to fulfill the purposes for which it was collected, to comply with our business requirements and legal obligations, to resolve disputes, to protect our assets, to operate our business, and to enforce our agreements. We may delete your information if we believe it is incomplete, inaccurate, or that our continued storage of it is contrary to our objectives or legal obligations. When we delete data, it will be removed from our active cloud based servers and databases, but it may remain in our electronic archives for a period of time pursuant to our contractual obligations or when it is not practical or possible to delete it. To the extent permitted by law, we may retain and use anonymous, de-identified, or aggregated information for performance reporting, benchmarking, and analytic purposes and for operational improvement.6. Information UseWe collect and process the information contained in this Notice only in the following circumstances:
We may disclose the information governed under this Notice:
The Company uses physical, electronic, technical, and organizational safeguards designed to protect your information from accidental loss and from unauthorized access, use, alternation, and disclosure. However, we cannot guarantee that your information will remain secure in all circumstances.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your information, we cannot guarantee the security of your information transmitted via the internet or other electronic means. Any transmission of information via the internet or other electronic means is at your own risk.
All information you provide to us is stored on our secure cloud-based servers behind secure firewalls. There are two versions stored in different locations for redundancy and disaster recovery. The Company's customers can request a mirrored third-copy version.
The Company's employees and contractors are provided with unique login credentials to access the Company's systems, networks, clouds, and servers. The Company requires that all passwords must be strong and updated on a quarterly basis. To protect against password guessing and other brute force attacks, The Company will deactivate user accounts after three failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility.
The Company also employs two-factor user authentication to protect the information stored on its systems, networks, clouds, and servers. The Company monitors access to its systems, networks, clouds, and servers and may deactivate a user's credentials and access ability if the Company detects in unusual, suspicious, inappropriate, unlawful, or unauthorized access or activity.
The Company's employees and contractors are only authorized to access the Company's systems, networks, clouds, and servers on Company-owned and Company-issued devices and/or devices that have been approved and registered with the Company. To access each device, the Company provides its employees and contractors with unique login credentials. The Company requires that all passwords to access each device must be strong and updated on a quarterly basis. These devices are equipped with anti-virus programs that are updated on a regular basis.
The Company also limits which employees and contractors can access specific systems, networks, clouds, and servers based on whether the employee and/or contractor has a specific business-based need for such access. Customers only have access to their information contained within the Company's systems, networks, clouds, and servers and will not, under any circumstances, be granted access to any other information contained on the Company's systems, networks, clouds, and servers.
The safety and security of a customer's information also depends on the Company. Where you use a username and password to access the Company's platforms, you are responsible for keeping that information confidential. Do not share your username or password with anyone. To the extent that you provide access to the Company's platforms to others not associated with the Company, you provide such access at your own risk and are responsible for ensuring that such users only access the Company's platforms consistent with this Policy.
The Company also use reasonable security measures when transmitting personal information to consumers in response to requests under the California Consumer Privacy Act. We have implemented reasonable security measures to detect fraudulent identify-verification activity and to prevent the authorized access to or deletion of personal identifiable information.
Greg EganDirector of Engineering3490 Piedmont Rd., Suite 1350Atlanta, GA 30305, US
Specific State Rights
Depending on your state of residence in the United States of America, you may have other rights regarding the collection, use, storage, and deletion of your personal information.
We will not disclose information about your creditworthiness to our affiliates and will not disclose your personal information, financial information, credit report, or health information to nonaffiliated third parties to market to you, other than as permitted by Vermont law, unless you authorize us to make those disclosures.
The California law provides California residents with specific rights regarding their personal information. This section describes those rights and explains how to exercise those rights.
Right to Know and Data Portability
You have the right to request that we disclose certain information to you about our collection and use of your personal information every year. (the "right to know"). Once we receive your request and confirm your identity, we will disclose to you:
Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.
Exercising Your Rights to Know or Delete
To exercise your rights to know or delete described above, please submit a request to:
Director of Engineering
3490 Piedmont Rd., Suite 1350
Atlanta, GA 30305, US
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
Changes to this Notice
We may add to, change, update, or modify this Notice to reflect any changes to how we treat your information or in response to changes in law. Should this Notice change, we will provide the updated version to you. Any such changes, updates, or modifications will be effective immediately upon posting. The date on which this Notice was last modified is identified at the beginning of this Notice.
You are expected to, and you acknowledge and agree that it is your responsibility to, carefully review this Notice prior to using the Company's services or its platforms, and from time to time, so that you are aware of any changes. Your continued use of the Company's services and platforms after the “Last Updated” date will constitute your acceptance of and agreement to such changes and to our collection and sharing of your information according to the terms of the then-current Notice. If you do not agree with this Notice and our practices, you should not use the Company's services or platforms.
FactorCloud’s use and transfer to any other app of information received from Google’s APIs will adhere to Google API Services User Data Policy, including the Limited User requirements.
EMPLOYEE PRIVACY NOTICE
Last Updated: December 16, 2021.
Purpose of Notice
FactorCloud, LLC (the "Company") is committed to protecting the privacy and security of the personal information we receive or collect from its employees. We also believe in transparency about how we handle your personal information. This Notice is intended to provide the Company's employees with information concerning the Company's practices regarding the personal information about its employees that it collects, uses, and stores. PLEASE READ THIS NOTICE CAREFULLY, TOGETHER WITH ANY OTHER PRIVACY NOTICES THAT WE MAY PROVIDE TO YOU AT TIMES WHEN WE ARE SPECIFICALLY COLLECTING OR PROCESSING INFORMATION ABOUT YOU, TO UNDERSTAND HOW WE TREAT YOUR PERSONAL INFORMATION, AND WHAT CHOICES AND RIGHTS YOU HAVE IN THIS REGARD.
The Company collects, processes, and stores the following personal information from its employees for the purposes described below. Category
Data Collection Process
We collect information from you relevant to your employment in a variety of ways, including directly from you (in writing, verbally, or electronically), in conversations, in reviews and evaluations, and through the use of office computer and telephony equipment.
Refusal to Provide Personal Information
You may object to our collection of data requested during your employment with us. However, if you do not provide the information, we may not be able to perform certain activities necessary to maintain your employment or comply with legal obligations.
We collect, use, process, and store your personal information for the following purposes related to your employment:
To Carry Out Our Legitimate Interests
We collect, use, process, and store information that is necessary for the purposes of our pursuit of our legitimate interests in managing your employment, in our ongoing assessment and verification of your suitability for working with us, and in keeping records of your employment. We also have a legitimate interest in processing data to deal with complaints, claims, and lawsuits made against us. For our legitimate interests, we may also share your personal information with our corporate parents, subsidiaries, and affiliates. In addition, we may disclose your personal information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our company assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our website users is among the assets transferred.
To Carry Out Our Legal Obligations and Perform a Contract
We collect, use, process, and store information that is necessary to comply with our legal obligations in the field of employment law, such as the performance of your employment relationship with us, and our performance of any employment agreement., Notably, we also collect, use, process, and store information to process the payroll, withhold taxes and social security charges; to maintain and improve security systems; to prepare reports for public authorities (e.g. company register); and to comply with applicable legal and regulatory obligations, notably employment laws and regulations.
Use of Personal Identifiable Information
The information you provide to us during your employment will be used for the following purposes:
Disclosure of Personal Information
We may share your personal information as follows:
Please use the “Contact Us” details at the end of this Notice to exercise your rights and choices. If you would like to manage, change, limit, or delete your personal information, such requests may be submitted via the “Contact Us” details at the end of this Notice.
Right of Access and Portability
If required by law, upon request, we will grant reasonable access to the personal information that we hold about you. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure that ensures your personal information is not disclosed to any person who has no right to receive it. You may request us to transfer the data that we hold about you for your own purposes.2. Accuracy and AmendmentOur goal is to keep your personal information accurate, current, and complete. You are responsible for contacting us if you believe your personal information is not current, if you become aware of any inaccuracies, or if any of your personal information changes. We are not responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
Right to Object or Restrict the Processing of Your Data
In certain circumstances, as permitted under applicable law, you have the right to object to processing of your personal information and to ask us to erase or restrict our use of your personal information. If you would like us to stop using your personal information, please contact us and we will let you know if are able to agree to your request.
Right to Erasure and Deletion of Your Personal Information
You may have a legal right to request that we delete or stop processing your personal information when, for example, it is no longer necessary for the purposes for which it was collected, or when, among other things, your personal information has been unlawfully processed. All deletion requests should be sent to the address noted in the “Contact Us” section of this Notice. We may decide to delete your personal information if we believe it is incomplete, inaccurate or that our continued storage of your personal information is contrary to our legal obligations or business objectives. When we delete personal information, it will be removed from our databases, but it may remain in our archives when it is not practical or possible to delete it. We may also retain your personal information as needed to comply with our legal obligations, resolve disputes, or enforce any agreements.
Right to Withdraw Consent
If you have provided your consent to the collection, processing and transfer of your personal information, you have the right to fully or partially withdraw your consent. To withdraw your consent, please notify us using the information in the “Contact Us” section of this Notice. Once we have received notice that you have withdrawn your consent, in whole or in part, we will no longer process your information for the purpose(s) to which you originally consented and have since withdrawn unless there are compelling, legitimate grounds for further processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Right to Complain
If you believe that your rights relating to your personal information have been violated, you have a right to lodge a complaint with the applicable enforcement authority or to seek a remedy through the courts. You should notify the local Human Resources Department or use the information provided in the “Contact Us” section of this Notice. Any submitted complaints will be resolved in accordance with formal complaint procedures. If your efforts to resolve a concern with us are unsatisfactory, you may lodge a complaint with the local data protection or regulatory authority.
We reserve the right to update this Notice at any time, and we will provide you with a new privacy notice.
You may direct questions or comments about this Notice, access or correct the personal information we hold about you, or make a complaint about how we have handled your personal information by contacting us using the information below, and we will do our best to assist you:
Director of Engineering
3490 Piedmont Rd., Suite 1350
Atlanta, GA 30305, US
By signing the Consent form located on the next page, you provide you explicit consent to the collection, processing, storage, and use of the personal information covered by the Company's Employee Privacy Notice.
I affirm that I have read the Company's Employee Privacy Notice in its entirety and fully understand the same. I affirm that I give my express and explicit permission for FactorCloud, LLC to collect, process, store, and use my personal data as set forth in the Company's Employee Privacy Notice.
FACTORCLOUD'S INTERNAL PRIVACY PRACTICES AND PROTOCOLS
Last Updated: December 16, 2021.
PurposeThis Policy seeks to promotes an effective balance between information security practices and business needs. The Policy helps the Company meet its legal obligations and its customers' expectations. From time to time, the Company may implement different levels of security controls for different information assets, based on risk and other considerations. The Company may change this Policy at any time for any reason. When such changes occur, the Company will notify its Employees and Contractors.
All of the Company's employees and contractors are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or the Company's Director of Engineering before taking any actions that create information security risks or otherwise deviate from this Policy's requirements. The Company may treat any failure to seek and follow such guidance as a violation of this Policy. Any violation of this Policy may result in discipline up to and including termination of employment for employees and termination of contract for contractors.
Do not share this Policy outside of the Company unless authorized in writing by the Company's Director of Engineering or the Company's Chief Executive Officer. The Company's customers, employees, and others rely on us to protect their information. An information security breach or cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to the Company. Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets.2. AcknowledgmentAll employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire. The Company will retain acknowledgment records.
The Company has granted its Director of Engineering the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as they may deem necessary and appropriate. On at least an annual basis, the Director of Engineering will initiate a review of this Policy, engaging stakeholders such as individual business units, including Human Resources and outside legal counsel, as appropriate.
Employees must complete information security training within two weeks after initial hire. All workforce members must complete information security training on at least an annual basis. Failure to participate in required training a violation of this Policy. The Company will retain attendance records and copies of security training materials delivered.
This Policy is intended to protect all personal identifiable information, the confidential information and trade secrets of the Company, and the confidential information of the Company's customers.
Personal identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
Confidential information is information that may cause harm to the Company, its customers, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual's privacy, the Company's marketplace position or that of its customers or legal or regulatory liabilities. Examples of confidential information include, but are not limited to:
The Company uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. All employees and contractors must:
Role-Based Access Controls
The Company restricts access to specific systems, networks, clouds, and servers to only those employees and contractors with a business need for such access. Any requests for access must be submitted to the Director of Engineering. At least once a year, the Director of Engineering will review user accounts and access levels to confirm that a legitimate business need for the access still exists.
When an employee or contractor stops working for the Company, the Director of Engineering will deactivate the individual's account on the employee's or contractor's last day of work. 8. Device and End-User Controls Employees and contractors may only access the Company's networks using end-user devices that have been approved by and registered with the Director of Engineering that are equipped with the Company's required information security applications and software including, but not limited to, protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions. Company-owned machines may be configured to automatically receive upgrades. You may be denied remote access using non-Company owned devices that do not meet current standards.
To protect the Company's information and data, including personal identifiable information, confidential information, and trade secrets from being lost or becoming public, all employees and contractors must immediately report any device used for the Company's business that is lost, stolen, accessed by unauthorized persons, or otherwise compromised to the Director of Engineering so that the Director of Engineering can assess the risk and, if necessary, remotely wipe all of the Company's information and/or data and/or the entire contents of the device, including your personal content, in Director of Engineer's sole discretion. You must also promptly provide the Company with access to the device when requested or required for the Company's legitimate business purposes, including in the event of any security incident or investigation.
This Policy applies to all devices used to conduct the Company's business regardless of whether the device is owned by the Company, the employee, and/or the contractor.
Employees and contractors must abide by the following:
Unique Identifier and Access Management
The Company will assign each individual subject to this policy with a unique identifier to access its devices, systems, networks, clouds, and servers. Each specific identifiers must be linked to an accountable individual. The Company will then assign each unique identifier a unique password. You can then change your password to something that you will remember. However, the password must be strong, hard to guess, and meet the character requirements imposed by the Company. You must not share your account or password with others. You will be prompted to change your password quarterly and must comply.
Best practices for passwords is as follows:
Acceptable Use Policy
The Company provides networks, systems, servers, clouds, computers, software, hardware, electronic resources, and physical resources for business purposes only. Do not use the Company's resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with the Company or its customers. Do not use the Company's resources in a manner that negatively impacts your job performance or impairs others' abilities to do their jobs. Do not use the Company's resources for activities that may be deemed illegal under applicable law. If the Company suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.
The Company prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
Development activities, including system testing, must take place in reasonably segmented environments. Maintain segregation of duties between development and operations. Developers may be granted limited access to production environments where personnel and expertise availability is limited, but only for specific troubleshooting or support purposes. Software and technology development can only be performed by individuals authorized by the Director of Technology and must only take place in environments authorized by the Director of Technology.
Developers should identify potential information security risks and resolve them early in the development process. Developers should seek advice and assistance from the Director of Engineering to identify best practices and avoid application-level security risks. Developers should use defensive coding techniques and regular code review and application-level scanning to identify and remediate any information security issues before releasing software or other application.
Employees and contractors must properly handle, store, and securely dispose of the Company's information. You are responsible for any personal identifiable information, confidential information, or trade secrets that you access or store. Do not allow others to view, access, or otherwise use any such information unless they have a specific business need to know.Store files or other data critical to the Company's operations on regularly maintained (backed up) servers or other storage resources. Do not store business critical data only on end-user devices such as desktops, laptops, smartphones, or other mobile devices.Physically secure any media containing the Company's information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, or USB drives), or other media in a locked area. When the Company determines that any personal identifiable information, confidential information, or trade secrets are no longer required to meet business needs or contractual obligations, you must shred all such information prior to disposal and delete any electronic versions of such information pursuant to the direction of the Director of Engineering.
If you have a business need to access the Company's network, systems, clouds, and/or servers from home, while traveling, or at another location, you must use a private network connection. Employees and contractors are expressly forbidden to conduct any Company business using a public network or an unsecured private network.
Internet Safe Use & Threat Awareness
The Company may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable and do not access them using the Company's resources or on any personal device used to access the Company's resources. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) on Company-owned devices or personal devices used to access the Company's networks, systems, clouds, applications, and/or servers to business purposes or as otherwise permitted by this Policy.
Never use internet peer-to-peer file sharing services. Do not disclose personal identifiable information, confidential information, or trade secrets to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages.
Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content. Attackers frequently use these methods to transport viruses and other malware. Be cautious, even if messages appear to come from someone you know, since attackers can easily falsify (spoof) email senders. The Company may block some attachments or emails, based on risk.
Do not respond to an email or other message that requests personal identifiable information, confidential information, or trade secrets unless you have separately verified the request and the requestor.
If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact the Director of Engineering immediately and before interacting with the message.
Do not reply to suspicious messages, including clicking links or making unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.
Do not make postings or send messages that speak for the Company or imply that you speak for the Company unless you have been authorized to do so by the Company's Chief Executive Officer.
Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional and appropriate for your business role. 16. Monitoring You should have no expectation of privacy when using the Company's network or systems, including, but not limited to, transmitting and storing files, data, and messages. The Company reserves the right to monitor any use of its network and systems to the extent permitted by applicable law. By using the Company's systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, access attempts, traffic, key strokes, activity, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media including, but not limited to, the Company's services and cloud-based networks. 17. Security Incident Reporting Immediately notify the Director of Engineering if you discover a security incident or suspect a breach in the Company's information security controls. The Company maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to the Company.
Treat any information regarding security incidents as highly confidential and do not share it, internally (except with the Director of Engineering or one of the Company's officers) or externally.
Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:
If you become aware of a compromised computer or other device you should immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and immediately contact the director of engineering.
Change Management refers to a formal process for making changes to the Company's network, systems, clouds, applications, devices, software, databases, and/or servers. A change is defined as the addition, modification, or removal of approved, supported, or baselined hardware, network, software, application, environment, system, or associated documentation. The goal of change management is to increase the understanding of proposed changes across the Company and ensure that all changes are made in a way that minimize negative impact to services and customers.
Change Management Process Change management generally includes the following steps:
Process Documentation The Change Management Process will be documented on the Process Log and will include the following information:
The individual requesting the change is responsible for the preparation of the Process Log and responsible for submission of the final process log to the Director of Engineering at the conclusion of each Change Management Process.
All changes will be documented on the Change Log and will include the following information:
The Change Log will be maintained by the Director of Engineering.
Data Breach Laws
Various information security laws, regulations, and industry standards apply to the Company and the data we handle. The Company is committed to complying with applicable laws, regulations, and standards.
Various laws protect individuals' personal identifiable information, such as government-assigned numbers, financial account information, and other sensitive data.
Many states have enacted data breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information about the Company's employees, customers, business partners, and others.
When a data breach occurs, the Company must follow the specific laws of the state where each affected individual resides. If you become aware that any of the following information about a Company's employees, customers, business partners, or others has been comprised due to unauthorized access or disclosure, you must immediately notify the Company's Director of Engineering.
Acknowledgment of the Company's Internal Privacy Practices and Protocols
I affirm that I have read the Company's Internal Privacy Practices and Protocols Policy in its entirety and fully understand the same. I affirm that I will abide by this Policy. I understand that failure to abide by this Policy may result in the termination of relationship with the Company.
DATA & INFORMATION INCIDENT RESPONSE PLAN
Last Updated: December 16, 2021.
The purpose of FactorCloud, LLC's (the "Company") Data & Information Incident Response Plan is to outline the Company's strategy for responding to and recovering from the exploitation of threats, attacks, risks, and vulnerabilities posed against the Company's network, systems, clouds, applications, software, hardware, or servers.
Incident Response Team
The Incident Response Team includes the Director of Engineering, the Chief Executive Officer, and the Vice President of Information Technology. The Incident Response Team is responsible for the maintenance and implementation of the Company's Data & Information Incident Response Plan. The Incident Response Team is also responsible for coordinating with other stakeholders such as outside counsel.
Data & Information Incidents Situations that will be classified as an incident include but are not limited to:
Communication with external parties (including customers, general public, law enforcement entities, and others) will be approved by the Incident Response Team.
If an incident has an impact on customers, the Incident Response Team will be according to agreed-upon contracts with customers, aﬀected customers of unauthorized access to or disclosure of nonpublic personal information, as soon as is practical, after conﬁrmation of such an event. This notiﬁcation to customers and partners is coordinated with assistance from outside legal counsel and will be performed in conformance with applicable legal requirements.
During the response phase, all data required to conduct a thorough forensic investigation are collected and stored securely in order to conduct a thorough evaluation in conformance with accepted forensic standards.