Protection of Private Data Policy
It is the policy of The Technology Group, LLC to protect personal information, regardless of whose information it is. As part of this overall policy, this document outlines the specific measures in place at the Firm to ensure compliance with Massachusetts Standard 201 CMR 17.00 and Connecticut Public Act No. 08-167. The purpose of protecting personal information is to prevent the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted data together with the confidential password or key capable of compromising it, where that acquisition or use creates a substantial risk of identity theft or fraud against an individual or individuals.
This document applies to all employees of The Technology Group whenever, and wherever, they have, hold or are responsible for personal information. Specifically, personal information means a person's first name (or initial) and last name in combination with one or more of the following: (a) Social Security number; (b) driver's license number; (c) state-issued identification card number; (d) financial account number; or (e) credit or debit card number.
The scope of this document includes both electronic and written files.
Record or Records: Any material on which personal information, as defined in the Scope, is written, spoken, drawn, or electronically recorded. Records covered by this document relate to any person, regardless of status as employee, client, prospect, etc.
It is the policy of the Firm to protect all personal data from a breach of security. For the purposes of this document, records containing personal information fall into two categories: hard copy files and electronic files. The first, and most important, step in protecting both types of records is the physical security of the building.
The Technology Group maintains a secure building location. There are two access points, the front and rear doors, and both doors are locked from the outside at all times. Non-employees can enter only when "buzzed in" from the reception desk, and only after visual and/or audio identification at the front door, or audio identification at the rear door. The reception desk is staffed during normal business hours, 0800 to 1700, Monday through Friday.
Non-employees are allowed unsupervised access only to the Common Areas of the facility. Allowing non-employees beyond the Common Areas is discouraged; if it is necessary, they must be accompanied by an employee for the duration of their visit.
Protecting Hard Copy Records
Hard copy records include any written or printed personal information. This information is typically located in client file folders or in employee personnel folders, but this document applies to any hard copy record of personal information. The following steps are to be followed when handling hard copy records.
- Personal information must be used only for business purposes. It is expressly forbidden to use, distribute, license or sell personal information for any reason outside of normal business purposes. Personal information may, however, be released in response to a legitimate, properly documented request from a governmental or regulatory body, upon approval of the Managing Partner of the Firm. Personal information may also be released to a third party for legitimate business purposes under the guidelines of Internal Revenue Code Section 7216, upon receipt of a consent form signed by the relevant party.
- Hard copy records are generally stored in the facility file room or at the secure, off-site file storage company. Work in process files may be stored in work areas, file cabinets or offices.
- Records containing personal information may never be disposed of in the trash, whether at The Technology Group facility or at any other location. When disposal is necessary, any portion of the record containing personal information as defined in this document must be destroyed in a cross-cut shredder.
Protecting Electronic Records
Overview: The IT administrator is responsible for the overall security of the Firm's technology infrastructure under the direction of the Chief Operating Officer, the IT Committee and the Change Control Committee. The Firm will take all prudent measures to protect its network against a security breach, using industry best practices and currently supported hardware.
The Firm's IT security program is a multi-faceted approach in which hardware, software, security auditing, and employee training work together to minimize the threat of a security breach. The details of this program are beyond the scope of this document; the key points are:
- The Technology Group Electronic Mail, Internet, Personal Computer, and Portable Media Storage Policy outlines overall guidelines that all employees must follow. This document includes information on passwords and proper usage of email. All employees receive this document.
- The Firm’s IT security program includes regular auditing of personal computers and the network for the purpose of verifying compliance and assessing risk. Sampling includes verification of Windows® and security software updates; verification of network integrity; and monitoring of computer usage.
- All employees who handle clients' personal information receive training on using the secure Client Portal for upload and download of files. These employees are also trained not to send personal information in the body of an email; such information must be encrypted or transmitted via the portal.
- The Firm's network is protected by a currently supported and maintained firewall.
- All computers have a screen saver policy that locks the session and requires the user's log-on password after 30 minutes of inactivity.
- All personal computers that may process personal information have password-protected, encrypted drives. Employees may not store personal information on local drives unless they will need to access it at a client site where no Internet access is available.
- The Firm's wireless network is encrypted and requires a password for access.
- The Firm's IT Committee meets monthly to oversee the administration and monitoring of network integrity and technology.
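The auditing bullet above describes sampling of Windows and security-software updates, and the bullets that follow state the screen lock and encrypted-drive controls. The script below is an added example of how such a sample could be collected on one Windows PC; it is not the Firm's own tooling. It reads the screen saver settings from the standard Desktop registry keys (Group Policy key first, then the per-user key), checks BitLocker on the system drive with the BitLocker PowerShell module, and reports the most recently installed hotfix. The 30-minute lock threshold comes from this policy; the 30-day update window is an assumption, since the policy states no update interval, and both are parameters.

```powershell
# Added example, not The Technology Group's own tooling. Audits one Windows PC
# against the controls listed in the policy. Assumptions: Windows 10/11 with the
# BitLocker module available; the 30-day update window is assumed, as the policy
# names no interval. Run under the account whose lock settings are being audited.
[CmdletBinding()]
param(
    [int]$MaxLockTimeoutSeconds = 1800,   # policy: 30 minutes of inactivity
    [int]$MaxDaysSinceLastUpdate = 30     # assumption, not from the policy
)

function Get-PolicyOrUserValue {
    param([string]$Name)
    # A Group Policy setting overrides the per-user value, so check the policy hive first.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
    return $null
}

$results = @()

# 1. Screen lock: saver active, password required on resume, timeout within policy.
#    The registry values are strings; a missing value casts to 0 and fails the check.
$active  = [int](Get-PolicyOrUserValue 'ScreenSaveActive')
$secure  = [int](Get-PolicyOrUserValue 'ScreenSaverIsSecure')
$timeout = [int](Get-PolicyOrUserValue 'ScreenSaveTimeOut')
$results += [pscustomobject]@{
    Control = 'Screen lock'
    Pass    = ($active -eq 1 -and $secure -eq 1 -and
               $timeout -gt 0 -and $timeout -le $MaxLockTimeoutSeconds)
    Detail  = "active=$active secure=$secure timeout=${timeout}s (max ${MaxLockTimeoutSeconds}s)"
}

# 2. Encrypted drive: BitLocker protection on and the system volume fully encrypted.
$osDrive = $env:SystemDrive
$bl = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = 'Encrypted drive'
    Pass    = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On' -and
               $bl.VolumeStatus -eq 'FullyEncrypted')
    Detail  = if ($bl) { "$osDrive protection=$($bl.ProtectionStatus) status=$($bl.VolumeStatus)" }
              else     { "BitLocker status for $osDrive not available" }
}

# 3. Windows updates: the most recently installed hotfix falls inside the window.
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { (Get-Date) - $last.InstalledOn } else { $null }
$results += [pscustomobject]@{
    Control = 'Windows updates'
    Pass    = ($null -ne $age -and $age.TotalDays -le $MaxDaysSinceLastUpdate)
    Detail  = if ($last) { "$($last.HotFixID) installed $($last.InstalledOn.ToShortDateString())" }
              else       { 'no dated hotfix found' }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or collection script flag the machine for follow-up.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Get-HotFix only lists updates installed through the Windows servicing stack, so a machine patched by other means may show an old date; treat that check as a sampling aid rather than proof of patch state, and confirm against the update source used by the Firm.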
Electronic records include any data files containing personal information. This information is typically used in processing client work and in the subsequent storage of client data. Confidential employee records may also be stored electronically. The following steps are to be followed when handling electronic records.
- Electronic records containing personal information must be used only for business purposes. It is expressly forbidden to use, distribute, license or sell personal information for any reason outside of normal business purposes. Personal information may, however, be released in response to a legitimate, properly documented request from a governmental or regulatory body, upon approval of the Managing Partner of the Firm. Personal information may also be released to a third party for legitimate business purposes under the guidelines of Internal Revenue Code Section 7216, upon receipt of a consent form signed by the relevant party.
- Electronic records containing personal information must not be transmitted in the body of an email. Files must be encrypted or uploaded and downloaded via the secure Client Portal. These records must be stored on the Firm's network drives, not locally on personal computers, unless required for on-site client work where Internet access is not available.
- Personal computers that may hold confidential electronic records must remain under the employee's direct control, and must not be left unattended, whenever they are transported outside the Firm's secure facility.
In general, the Firm is the only party with access to personal information. Third party vendors or business partners that the Firm may engage will be made aware of the scope of this policy and will, as a condition of engagement, be required to comply.
Upon termination, whether voluntary or involuntary, all employees must surrender the building access key fob, any office or file keys, any hard copy records and their personal computer (if applicable) to the department head or the Director of Human Resources. At the time of termination, the IT administrator will disable the employee's network log-on credentials. Together, these actions prevent both physical access to the building and electronic access to the network.