I. OVERVIEW
Plaintiff Finders is required to collect and store information such as potential class member data records which contain names, addresses, phone numbers, emails, and occasionally sensitive information such as social security numbers, and takes seriously its obligation to secure information systems and protect the privacy of this data.
As a standard operating procedure, Plaintiff Finders regularly reviews its policies related to data collection, privacy and security. All who are employed by Plaintiff Finders or retained as a contractor for Plaintiff Finders (“Users”) are provided with this Data Security & Information Privacy Policy document as a part of their training or onboarding to ensure that this information is communicated and understood through explicit acknowledgment. Any material revisions to this document are immediately communicated to Users with an emailed memo which calls out the revisions, as well as an updated copy of the Data Security & Information Privacy Policy document.
Plaintiff Finders complies with the policies and processes encompassed within this Data Security & Information Privacy Policy document.
II. PURPOSE
The purpose of this Policy is to establish the rules for handling the collection, storage, and use of data. These rules are necessary to preserve the integrity, availability, and confidentiality of information.
III. SCOPE
This policy applies to all Plaintiff Finders employees and contractors that use company assets such as computers, laptops, or mobile devices and/or has access to Plaintiff Finders’ networks and information resources. All devices, whether owned by Plaintiff Finders or owned by employees, that have access to Plaintiff Finders’ networks and information resources are governed by this Data Security & Information Privacy Policy. Usage of applications, including cloud storage software, by employees on their own personal devices, are also subject to this policy.
IV. POLICY
1. Data Governance
Plaintiff Finders is committed to protecting and safeguarding the data that it collects and recognizes this data as a critical asset. Plaintiff Finders maintains a tiered data governance structure, managed by the Director of Information Technology and enforced by Plaintiff Finders executive leadership, that governs individual Users access to data. This governance structure is further maintained through enforced processes, standards, and procedures to ultimately ensure appropriate use of data and/or management of data.
2. Internal Use of Data
Any data records that Plaintiff Finders collects, and stores are used only to fulfill Plaintiff Finders’ requirement as A third-party marketing administrator. This information is only available to Users as set forth by Plaintiff Finders tiered data governance structure.
3. External Use & Disclosure of Data
Plaintiff Finders follows the direction and instructions outlined by our clients for handling potential class member data records. All sensitive and non-public client data, potential class member data, and information for a case that is provided to Plaintiff Finders, is the property of Plaintiff Finders and may not be shared, used or otherwise communicated outside of Plaintiff Finders or outside the scope of the project. In cases where a contractor partner is used, only those who have been approved and authorized by Plaintiff Finders’ management, and have a privacy policy (or data security policy) consistent with Plaintiff Finders’ Data Security & Information Privacy Policy are allowed to be used.
4. Data Security & Information Privacy Policy
Electronic transmission, delivery or receipt of sensitive data is only permitted using SFTP technology. Delivery or receipt of hardcopy sensitive data is only permitted using the US Mail System or a courier as approved by Plaintiff Finders management. Plaintiff Finders complies with all state and federal regulations that apply to data security.
Once a case has closed, Plaintiff Finders will destroy all hardcopy documents containing sensitive data within twelve months. Regarding all electronic case data (including sensitive data), Plaintiff Finders maintains this data for up to five years following the closure of the case..
5. Computing Devices & Access to Plaintiff Finders Information Database and Network
Only Plaintiff Finders IT approved devices may be used to access Plaintiff Finders’ information database and network. All devices must be protected with an employee’s user access level systems username and password required at the time the device is powered on.
Access to database and network information must be authenticated using two-factor authentication.
Sensitive data shall not be stored on the device. However, in the event there is no alternative to device storage, all sensitive data must be encrypted with password protection.
Plaintiff Finders’ prohibits the use of public cloud storage for any client specific data.
Unattended devices must be logged out and locked when unattended, and additionally configured to automatically be logged out of and screen locked after 10 minute or more of inactivity.
All devices that access Plaintiff Finders’ information database and network infrastructure shall have active and up-to-date antimalware and firewall protection.
6. Breaches in Security and Policy Violation
Breaches in security, whether actual or suspected, must be reported immediately to Plaintiff Finders’ Director of Information Technology. The Director of Information Technology and executive management will assess the breach for scope and severity and take appropriate action to mitigate and/or eliminate.
If the Director of Information Technology and/or executive management, is made aware a User has failed to comply with Plaintiff Finders’ Data Security & Information Privacy Policy, they will identify and apply appropriate consequences to the User.
Consequences may be as severe as termination of employment or termination of contract and/or further legal action. If there is a concern about a breach involving the Director of Information Technology, concerns should be immediately directed to the Chief Operating Officer.
If there is a data breach with a vendor/contractor, the contractor must comply with all applicable state and federal laws that require the notification to individuals (or other affected parties) in the event of unauthorized release of sensitive personal information or confidential data. Contractors must notify Plaintiff Finders within 24 hours of the incident.
Plaintiff Finders reserves all rights to act under the terms of any applicable contract, including indemnification and/or termination of the contract.
7. General Plaintiff Finders Information Security and Privacy Standards
Annual security training. Training and review of the Information Security and Privacy Standards are provided to Plaintiff Finders Employees on an annual basis. Periodic security reminders may be used to reinforce computing device security procedures, updates, or changes.
Minimum necessary. Employees shall only have access to the minimum amount of data necessary to perform their job duties.
Lost devices. Employees must immediately report any lost or stolen devices so access to systems can be deactivated.
Unauthorized access. Any unauthorized access to a device or company data must be immediately reported.
Rooting Mobile computing devices. Mobile computing devices must not be “rooted” or have unauthorized software/firmware installed. A mobile device is considered “rooted” if the internal protections of the device have been compromised or modified to allow control access to the operating system.
Content. Employees shall not load illegal content or pirated software onto devices.
Software installs. Only approved applications are allowed on the computing devices that connect to Plaintiff Finders’ information database and network.
Patch management. Computing devices and applications must be kept up-to-date. Patches should be installed within 30 days of release.
Anti-malware. All computing devices must have active and up-to-date anti-malware protection software.
Encryption. Encryption shall be used to protect sensitive information.
Firewalls. Firewall is maintained at the headquarters location for the network and administered by the Director of Information Technology.
Work habits. Employee shall use Plaintiff Finders’ company applications and systems while at work. Access to certain outside applications, websites, and/or systems may be blocked within each Plaintiff Finders’ computing device.
Backups. Backups are performed twice daily on the network terminal server environment.
Internal applications. Computing devices are installed with company internal applications on an as needed basis to Users. User access rights are maintained by the Director of Information Technology.
Exemptions. A risk assessment and risk analysis shall be performed for any requests for exemptions from this Policy.
V. ENFORCEMENT
Any User found to have violated this policy may be subject to disciplinary action. Such action may be as severe as termination of employment or termination of contract and/or further legal action.
VI. DISTRIBUTION
This policy has been distributed to all Users.