Rules Regarding the Use and Security of all information from Equifax Information Services
Gregory Whittaker will be responsible for Data Security with respect to handling Equifax Information Services by:
- Ensure that only Authorized Users can order or have access to Equifax Information Services
- Ensure that Authorized Users do not order consumer reports for personal reasons or provide them to any third party except as permitted.
- Inform Authorized Users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment
- Ensure that all devices used to order or access Equifax Information Services are placed in a secure location and accessible only by Authorized Users, and that such devices are secured when not in use, through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures.
- Taking all necessary measures to prevent unauthorized ordering of, or access to, Equifax Information Services by any person other than an Authorized User for permissible purposes, including without limitation, limiting the knowledge of security codes, member numbers, User IDs, and any passwords that may be used to access "Secure Information" to those individuals with a need to know. In addition, the User IDs must be unique to each person, and the sharing of User IDs or passwords is strictly prohibited.
- Changing user passwords at least every ninety (90) days, or sooner if an Authorized User is no longer responsible for accessing Equifax Information Services, or if there is a suspicion that an unauthorized person has learned the password
- Adhere to all security features in the software and hardware used to order or access Equifax Information Services, including the use of IP restriction
- Implementing secure authentication practices when providing User ID and passwords to Authorized Users, including but not limited to using individually assigned email addresses and not shared email accounts.
- In NO event, access Equifax Information Services via ANY hand-held wireless communication device, including, but not limited to, web enabled cell phones, interactive wireless pagers, personal digital assistants (PDAs) mobile data terminals, portable data terminals or ANY transfer of non-public information or Information Services, by means of Bluetooth transfer.
- Not use non-company owned assets such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs and DVDs) to store the Equifax Information Services. In addition, Equifax Information must be encrypted when not in use and all printed Equifax Information must be stored in a secure, locked container when not in use and must be completely destroyed when no longer needed by cross-cut shredding machines (or other equally effective destruction method) such that the results are not readable or useable for any purpose. Storage areas, when not in use, must be locked securely. No access (or giving keys to any unauthorized person) is allowed in the Storage Area by any unauthorized person.
- Everyone who sends, transfers or ships any Equifax Information, encrypt the Equifax Information using minimum 128-bit key, or Triple Data Encryption Standard (3DES), minimum 168-bit key, encrypted algorithms, which standards may be modified from time to time by Equifax.
- Not shipping hardware or software between locations or to third parties without deleting all Equifax number(s), security codes, User IDs, passwords, and any consumer information
- Monitor compliance and immediately notify Equifax if suspecting or knowing of any unauthorized access or attempt to access the Equifax Information Services, including, without limitation, a review of Equifax Invoices for the purpose of detecting any unauthorized activity.