Date of Policy: March 2001 Dates of Revisions: Dates of Board Review: April 2003; April 2004; April 2008
The East Central Credit Union has a duty to protect the confidential nature of nonpublic personal information that members provide regarding financial transactions. The Credit Union will not release member nonpublic personal information to any person(s) except as permitted or required by applicable state or federal law. To develop, implement, and revise this policy as needed, the Board of Directors will appoint the CEO as the Financial Privacy Coordinator.
The Financial Privacy Coordinator is responsible for the development and maintenance of procedures that ensure the Credit Union's compliance with the obligations described in this policy. The Coordinator will ensure that the Credit Union develops procedures that safeguard the security and confidentiality of member information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any member.
The Financial Privacy Coordinator's specific responsibilities include:
Risk Assessment:
- Identification and assessment of the risks that may threaten the security, confidentiality, or integrity of member information systems. This process includes an analysis of both internal and external threats to security.
- Continual assessment of the sufficiency of the Credit Union's policies, procedures, and member information systems.
- Continual monitoring, evaluation, and adjustment of the Credit Union's risk assessment in light of changes in technology, and both internal and external risks to security.
Management and Control of Risk:
- Establishment of written procedures that are adequate to control the identified risks and achieve the overall objectives of the Credit Union's Information Security Program as identified in this policy.
- Definition and implementation of access rights for member information.
- Implementation of access controls on member information systems, including controls to authenticate and grant access only to authorized individuals.
- Development of access restrictions at locations containing member information, such as buildings, computer facilities, and record storage facilities.
- Use of appropriate encryption technology to protect electronic member information, including, but not limited to, information in transit or in storage on networks or systems to which unauthorized individuals may have access.
- Analysis and confirmation that member information system modifications are consistent with the Credit Union's Information Security Program.
- Implementation (as applicable) of dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for access to member information.
- Assurance that all service providers' contracts are reviewed to determine that the contracts contain appropriate provisions whereby the service provider agrees to protect the confidentiality of members' nonpublic personal information in accordance with this policy; and, as applicable, that the service provider maintains oversight mechanisms to ensure compliance with this requirement.
- Assurance that the Credit Union has appropriate monitoring systems and procedures to detect actual and attempted attacks or intrusions into the Credit Union's member information systems.
- Adoption of appropriate procedures to protect against the destruction of member information due to physical hazards such as fire and water damage.
- Design and adoption of appropriate response programs to preserve the integrity and security of member information in the event of computer or other technological failure.
- Assurance that the Credit Union collects, retains, and uses information about members only when it is believed that the use will help administer business with the members, or to provide services and other opportunities for members.
- Development of appropriate disciplinary measures to enforce employee privacy responsibilities and ensure compliance with the objectives of this policy.
Employee Training:
The Financial Privacy Coordinator is responsible for ensuring that appropriate training programs are implemented. The Credit Union's staff should be trained to recognize, respond to, and where appropriate, report any unauthorized or fraudulent attempts to obtain member information. In addition, all staff should be trained with regard to their responsibilities and duties under this policy, and with any procedures developed by the Financial Privacy Coordinator.
Testing:
The Financial Privacy Coordinator should develop a program that regularly tests all key controls, systems, and procedures relevant to the Information Security Program to confirm that risk is controlled, and to achieve the overall objectives of the Credit Union's Information Security Program. The frequency and nature of such tests are at the discretion of the Financial Privacy Coordinator in light of his or her assessment of the risks involved. Where appropriate, tests should be conducted by independent third parties or by staff independent of those who develop or maintain the security programs. Test results should be reported directly to the Board of Directors, the Supervisory Committee, and the Credit Union's senior management.
Review and Adjustment:
The Financial Privacy Coordinator will continually monitor, evaluate, and adjust as appropriate the Information Security Program in light of any relevant changes in technology, and any internal or external threats to the Credit Union's information security systems.
Reporting to the Board of Directors and Management:
The Financial Privacy Coordinator will be directly responsible to the Board of Directors and the Supervisory Committee. All revisions, modifications, and amendments to the Credit Union's financial information security procedures are subject to approval by senior management of the Credit Union. In addition, the Financial Privacy Coordinator will report to senior management of the Credit Union periodically, but not less than quarterly, regarding all material aspects relating to the development, implementation, and maintenance of the Credit Union's financial Information Security Program.
Periodically, but not less than annually, the Financial Privacy Coordinator will report to the Board of Directors with regard to the development, implementation, and maintenance of effective information security under this policy. Further, the Financial Privacy Coordinator will report to the Board of Directors on the overall status of the Information Security Program, including material matters related to risk assessment, risk management and control decisions, results of testing, attempted or actual security breaches or violations and the responsive actions taken by management, and any recommendations for improvement in the Information Security Program.
Miscellaneous Security Matters:
The Financial Privacy Coordinator will also ensure the Credit Union's compliance with the following items:
Telephone Consumer Protection Act:
Fair Credit Reporting Act:
The Credit Union is permitted by the Fair Credit Reporting Act to share the following types of information about members with affiliated companies:
- Identification information
- Transactional information
- Account experience (for example, checking and loan accounts)
Right to Financial Privacy Act:
Internet and Electronic Banking Privacy Policies:
The Credit Union does not collect information about visitors to its website. The applications and transactions accepted by the Credit Union electronically (online, by phone or fax, or via automated teller machines) are all subject to the Credit Union's general Privacy Policy. The Credit Union will use encryption technology to ensure that members' transactions over the Internet are safe and secure.
This policy will be reviewed by the Board of Directors on at least a yearly basis.