2009 Information Protection & Privacy Overview and Acknowledgement for Supplier Employees
Part 1: We are all Responsible
Responsibilities
Keeping our customers’ financial information secure is one of our most important responsibilities as a Bank associate or supplier employee. Customers expect us to appropriately handle and use their information with great sensitivity and consideration. Bank of America is committed to meeting its Privacy promises. We gain and maintain the trust of both our customers and associates by thoughtfully managing and safeguarding information. Bank of America relies on both bank associates and employees of key service suppliers to safeguard the information to which they have access.
Key Terms and Definitions

Confidential Information:
• Confidential Information is for limited use and disclosure.
• It requires your manager’s approval to share it and must only be shared on a need-to-know basis in line with its level of sensitivity.
• Examples include associate, customer and applicant personal or financial data, information protected by law or regulation, passwords and encryption keys, preannouncement information about major new products or services, preannouncement information about financial results, mergers, acquisitions or other capital markets activities, strategic plans and legal strategies.

Consumer Customer Information:
• Any record containing personal information about a consumer customer, whether in paper, electronic or other form, maintained by or on behalf of Bank of America.

Sensitive Data:
• A consumer’s name, address or telephone number in conjunction with the consumer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account.
• Any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.
• Associate data that is private in nature and intended for limited disclosure on a need-to-know basis, including Social Security Number, full date of birth with year, personal contact information (home/mobile phone, home address, emergency contact information) and compensation and performance data.

Nonpublic Personal Information (NPI):
• Confidential information about a customer or associate (e.g., Social Security number or its derivatives, such as a partial or scrambled Social Security number; account number; credit or debit card number; or personal identification number) that would permit access to a customer’s account or enable fraud or identity theft.
• NPI is a subset of confidential information.
Key Terms and Definitions

Privacy Event:
• The unauthorized access to and/or use of sensitive data (1) within a network, system or computer controlled by Bank of America or by a vendor acting on behalf of Bank of America; or (2) that results from the action of a Bank of America associate or a vendor acting on behalf of Bank of America. This applies to consumer customers and to consumers who are not customers of the Bank.
• Examples include but are not limited to:
  - stolen/lost laptops or desktops (even if encrypted) containing Sensitive Data
  - incidents where documents or other information are provided in error, allowing unauthorized persons to receive and/or view Sensitive Data
  - stolen Sensitive Data, e.g. an associate or a vendor’s associate selling or using customer information for personal gain
  - lost Sensitive Data, e.g. information lost in transit
  - an incident in which an unencrypted email has been sent in error to an unauthorized third party (NPI violation)
  - unauthorized access into Bank of America controlled networks, systems or computers where sensitive data is stolen or compromised
• Privacy events include incidents where Bank of America sensitive data is being handled by companies that work for the Bank (Service Providers).

Information Security Incident:
• When any bank computer or data in any form (paper, verbal, electronic) is:
  - Lost
  - Stolen
  - Misused
  - Unsecured
• An information security incident exposes sensitive information that could be used for something harmful to our customers, such as identity theft.
• A Privacy Event is a type of Information Security Incident.
Part 2: Overview of Primary Information Protection and Privacy Laws
Key Information Protection Law Gramm-Leach-Bliley Act (GLBA)
Federal law that governs the use and disclosure of non-public personal information (NPI) collected by financial institutions and applies to “consumers” and to those products and services used primarily for personal, family or household purposes. The law requires financial institutions to develop and maintain privacy and security policies and procedures. The law also requires that contracts between suppliers and the bank must include confidentiality language, restricting reuse and disclosure of non-public personal information.
Part 3: Supplier Employee Responsibilities
Protecting Customer Information
• Bank of America’s Information Security Policy establishes steps to be taken to protect the confidentiality, integrity and availability of sensitive confidential information. Information is a valuable asset of Bank of America. Our customers and shareholders expect that:
  – Confidential Information will be managed properly to ensure that it is complete, accurate, confidential, secure and available for authorized business activities.
  – Access to information and information systems will be controlled, with access provided only to the extent necessary to support authorized business functions.
  – Information and information systems will be protected in a manner commensurate with their sensitivity, value and criticality.
  – Access to the bank’s computer systems will be limited to the resources for which authorization has been approved and granted for a valid business need.
• All bank associates and Supplier employees who have access to or custody of consumer customer information, or Bank of America information and information systems, are expected to make all reasonable efforts to comply with any and all policies, standards, and guidance established to support the Information Security Policies of the Bank and its suppliers.
Protecting Customer Information
Examples of Information Security Incidents That Should Be Reported (not all-inclusive):
• A bag of Bank of America proof work is lost in transit
• A package containing Bank of America items is delivered to a non-Bank of America address
• Work belonging to Bank of America is stolen
• You see a skimming device on a Bank of America ATM

ESCALATION PROCESS
• Supplier employees must take every precaution to protect and safeguard customer information to which they may have physical or logical access.
• Any information security incident resulting in any compromise of customer sensitive information must immediately be escalated to your manager.
• Your manager will immediately inform the Bank of America Supplier Manager of the information security incident.
• The Bank of America Supplier Manager will provide guidance as to how to proceed. Information about your information security incident will be provided to the proper area of the Bank for further investigation and resolution, as appropriate.
Part 4: Getting Help
Where to Get Help
Where can you go for help in these situations?
• Have a question
• Need clarification
• Want to escalate a potential information security incident

Here are a few tips for getting help when you need it most:
• Ask your supervisor or manager for his or her opinion. Explain what you think about the situation. They might have some insight to offer. They can also contact the Bank of America liaison for guidance and support.
• Follow your procedures for reporting any information security incident. The stakes are high when customer information is involved. Your report will be followed up on by Bank of America. They will further investigate the situation. It is your duty to alert them.
Where to Get Help

Information Security Incidents and Privacy Events Reporting
The EIM InfoSafe Hotline provides Bank of America associates and vendors a 24-hours-a-day, 7-days-a-week service to report inappropriate use of and potential compromise of Bank of America computer or information assets. When reporting a potential information security incident or privacy event:
• Report as soon as you are aware
• Provide as much detail as possible

Information Security Incident Reporting
To report a potential information security incident, call the EIM InfoSafe Hotline: 1.800.207.2322, option 1. Associates outside the U.S. should call: (001) 704.317.5350, option 1.

U.S. Privacy Event Reporting
To report a potential U.S. consumer privacy event, contact:
1. The EIM InfoSafe Hotline: 1.800.207.2322, option 1
2. Your privacy business unit representative
Supplier Employee Acknowledgement
Acknowledgement
Supplier Employee Acknowledgement
I have participated in the Bank of America Information Protection and Privacy Overview training and understand my responsibilities. I know that I have a duty to comply with all information protection and privacy policies and procedures that apply. I understand what I should and should not do to avoid violating the policy, laws and regulations.

_________________________________________
Supplier Employee printed name

_________________________________________
Supplier Employee signature

_________________________________________
Date
Supplier Manager Attestation
Quarterly/Annual Attestation
Supplier Name: ____________________
Location: _________________
Quarter: __________________

Quarterly Attestation:
_________ I attest that all new employees with access to Bank of America customer information who have reached 60 calendar days of employment have taken the Bank of America Information Protection and Privacy training.
_________ I attest that there were no new employees reaching 60 calendar days of employment in the quarter for which reporting is being performed.

Annual Attestation – For Fourth Quarter Only:
________ I attest that all employees have taken the Bank of America Information Protection and Privacy training. I further attest that I have signed acknowledgements on file for each employee as evidence that the training was completed.

Manager’s Name: _____________________________________
Date of Attestation: _____________________________________