It is the Policy of ESHQ, LLC. (“ESHQ” or the “Company”) to ensure the administrative, physical and technical safeguards in order to protect the privacy and security of personal information of employees and clients of the Company.
PURPOSE & SCOPE
The purpose of this Policy is to ensure the administrative, physical and technical safeguards in order to protect the privacy and security of any information that allows an individual to identify employees or clients ("Personal Information"), and in particular Personal Information revealing financial information of any kind; racial or ethnic origin (if not freely provided); political opinions; religious, philosophical or moral beliefs; any information regarding the suspicion of, charging with, indictment of or conviction of criminal activity; trade-union membership; and data concerning physical or mental health, health conditions, sex or sexual life, sexual habits or behavior of an individual ("Sensitive Personal Information").
Unless otherwise specified, any reference to Personal Information will include Sensitive Personal Information. Further, the purpose of this Policy is to protect from unauthorized access to or acquisition of electronic or hard copy files, media or data containing Personal Information that compromises the security, confidentiality or integrity of the Personal Information ("Security Incident").
This Policy pertains to ESHQ, its subsidiaries and affiliates. This Policy applies to any and all Personal Information accessed, received, maintained, processed, used, disclosed, modified, or destroyed by employees of the Company. The Personal Information may reside in Company electronic devices, computer equipment and hardware, electronic communications, telecommunication networks, and telecommunications equipment licensed, owned or leased by or to the Company, including, but not limited to, servers, computers, software, software accessories, documentation supporting any electronic communications, electronic attachments, stored data and files, storage devices (including flash or thumb drives), media, computer records, computer accounts, facsimile machines, Blackberry (or similar) devices, personal data assistants, mobile messaging telephones, voicemail systems, webpages and the Internet ("Information and Communication Systems").
GUIDELINES FOR ACCESSING PERSONAL INFORMATION
All Employees must take reasonable measures, as applicable and appropriate, to protect Personal Information from unauthorized or improper access, use, processing, disclosure, modification or destruction. Except as specifically provided in this Policy, Employees may access, use, disclose, process, maintain, modify, and destroy Personal Information to the extent either (i) permitted by the employee's job description and reasonably necessary and appropriate to carry out such employee’s assigned responsibilities as set forth in his or her job description; or (ii) directed by the Company's Privacy Officer. An Employee shall access, use, disclose, process, maintain, modify, and destroy Personal Information in accordance with the guidelines of this Policy, provided doing so does not result in a violation of any applicable law, rule, or regulation. ESHQ, LLC.
Routine and Non-Routine Uses and Disclosures. In the case of routine uses and disclosures of Personal Information, and unless otherwise required under this Policy, an Employee may make the use or disclosure which he or she reasonably believes is the minimum necessary to accomplish the purpose of the use or disclosure. Any non-routine use or disclosure of Personal Information shall be reviewed by the Privacy Officer in collaboration with Counsel. In the event an Employee believes the disclosure is warranted because it is required by law, the disclosure must be approved by the Privacy Officer. A disclosure of Personal Information generally is "required by law" when an enforceable mandate contained in law compels the Company to disclose Personal Information. Examples include disclosures made:
in response to an order of a court or an administrative body;
to a law enforcement official for certain law enforcement purposes; and
pursuant to laws or regulations that require the production of information.
SPECIAL PROTECTIONS FOR CERTAIN CLASSIFICATIONS OF PERSONAL INFORMATION
General. The Company recognizes that certain Personal Information requires special protections, including limitations on access and use. Local laws and regulations typically define what categories of Personal Information require additional protection or to which special procedures apply.
When working with files containing Personal Information, Employees must take steps to minimize access by others to that information such as by keeping their work areas, including desks, office space or other areas, wherever they may be, free of Personal Information or closing files when they are not actively working with the information.
Paper files containing Personal Information must be kept in locked filing cabinets. Employees accessing a filing cabinet should be sure the cabinet remains locked. File cabinets with broken locks or no locks should be reported to the Privacy Officer as soon as possible.
Access to electronically stored Personal Information should be password protected. (See IT electronic file Storage Policy).
Employees shall log on to the appropriate electronic systems that access Personal Information only when there is a need to do so for immediately pending work and shall log off from such systems when they are no longer working on the pending matter.
Whenever an Employee receives a request for Personal Information, whether via telephone, the mail, or in person, the Employee must verify the identity and authority of the person making the request and to whom Personal Information will be accessible or disclosed.
In General. Employees shall not use or disclose Personal Information except pursuant to a valid authorization from the individual to whom the Personal Information relates or his or her lawful representative. When the Company receives a valid authorization, the use and disclosure of the Personal Information shall be made according to the terms of the authorization.
Procedure for Authorizations. When an Employee receives a request for Personal Information, he or she shall verify the identity of the requestor. Prior to using or disclosing Personal Information, the Employee shall determine whether an authorization is required to make such use or disclosure pursuant to this Policy.
LOSS OF ACCESS TO PERSONAL INFORMATION
Any individual who ceases to be an Employee for whatever reason shall no longer access, use, disclose, process, maintain, modify, or destroy Personal Information and shall immediately return to the Company his or her security clearance, passwords, keys, ID badges, and all other equipment, device or information that enables him or her to access, process, download, modify, or destroy Personal Information. In addition, such Employee shall immediately return any and all Personal Information, in whatever format, that is in his or her possession.
VIOLATION OF POLICY AND/OR GUIDELINES
In order to ensure the integrity of Personal Information, the IT Department will:
Identify scenarios that may result in modification to Personal Information by unauthorized sources (e.g., hackers, disgruntled employees, malicious or misapplied software such as peer-to-peer networks, etc.), as well as more innocent scenarios including negligent data entry and deletion of files, or other circumstances under which Personal Information may be compromised.
Implement reasonably up-to-date firewalls, system security agent software, malware protection, and reasonably up-to-date patches and virus definitions that are reasonably designed to maintain the integrity of the Personal Information on the Company's Information and Communication Systems connected to the Internet. As appropriate, the Company's Information and Communication Systems should be designed to receive current security updates on a regular basis.
Information and Communications Systems should be reviewed and have in place mechanisms to ensure that identified Personal Information has not been altered or destroyed in an unauthorized manner.
ENCRYPTION AND DECRYPTION
Where required by law, the Company shall implement a mechanism to encrypt and decrypt Personal Information. The Privacy Officer shall determine whether Personal Information or other Company information should be encrypted, considering legal mandates, cost of encryption and implementation.