SAGE DIRECT, INC.
INFORMATION SAFEGUARD PLAN
The Types Of Customer Information
Sage Direct, Inc., hereafter referred to as “the Company”, provides statement processing and direct marketing services for its customers, working with data that may contain account numbers, social security numbers, account balances, account transactions and addresses (“Customer Information”).
How Do We Use Customer Information?
We will not disclose any Customer Information to any organization or entity, affiliated or non-affiliated, unless this disclosure is necessary to initiate, administer, or enforce a transaction or service that we have been contracted to perform.
How Do We Keep Customer Information Private?
We take steps to safeguard Customer Information. We maintain physical, electronic and procedural safeguards to guard the information against unauthorized access. We also utilize appropriate corrective action when needed to enforce employee compliance with our procedures with regard to privacy of information.
- Only the Company’s employees that have received training (described below) are authorized to receive or make phone calls to discuss Customer Information.
- The Company is only authorized to request validation of information. Company procedures state the responsibilities and confidentiality responsibilities of each associate.
- Sage has fire alarms and extinguishers throughout the building which are professionally monitored. The fire department and the owners will be notified in the event of a fire. The staff has been trained in the proper use of both the fire alarm system and the extinguishers.
- All Customer Information is kept in restricted office areas and is only available to authorized employees.
- Any Customer Information that needs to be disposed of is placed in locked shred bins located in the restricted areas within the Company. The Company’s personnel lock these bins during all office non-business hours.
- All paper statements produced from the customer data are either placed directly by employees or vendors in the United States Mail or are placed in locked shred bins if they cannot be mailed for some reason. No paper copies of statements are maintained.
Information System Safeguards
- All Customer statement information (not including eStatements) is maintained on our computer system for no more than 31 days.
- Clients of customers who have opted for eStatements can access their own information on the network through the use of a password. This Customer Information is stored solely on a secure network server and is deleted after no more than three statement cycles, which can be monthly, quarterly or annually.
- Any hardware that is no longer in use has the memory and all programs erased and is destroyed by a qualified computer technician.
- The system information is backed up by using magnetic media. This backup occurs weekly and monthly. All monthly backup media is stored at a secure location offsite.
- All computers are protected with anti-virus software, which is updated on a daily basis and renewed annually. In addition, inbound and outbound e-mails are scanned prior to reaching the e-mail recipient’s destination. All internal networks are isolated from outside intrusion via firewalls. The FTP server only allows access to two directories, incoming and outgoing. They are both blind directories, which means anyone outside of the internal network will not “see” any files in these directories. Any files containing personal information deposited in the incoming directory are required to be encrypted and password protected. Passwords are sent separately via e-mail.
Employee Hiring and Training
- Security background checks are performed on all full-time employees that have access to financial data that is processed and/or printed at the Company. No employee is hired that has been convicted of a felony. Employees with background checks will be considered to have full security clearance to work on financial data and/or printed statements. These employees are trained to monitor part-time staff without the same level of security clearance. Part-time employees never perform work on financial data files and do not have access to computers that have this information or any other customer information on them. The work part-time employees perform on printed statements is monitored at all times by full-time staff with full security clearance.
- Each employee is required to attend a privacy training session that is presented by a Manager of the Company once per year.
- Employees are required to verify any request for Customer Information in order to be certain that the person requesting the information has the right to receive it. This may be done by validating the phone number of the caller or knowing the caller. In the event this cannot be done, the employee is instructed to return the call to ensure that the phone number is appropriate to the company or individual requesting the information. In any case, the owner of the data will be informed of the request and written permission will be required if the information is going to a third party.
- Employees are also trained in recognizing any fraudulent attempt to obtain Customer Information and the steps to take in the event fraudulent attempts are identified. A Manager is informed of the possible attempt and is to notify our Customer and the appropriate law enforcement agency in the event the attempt is confirmed.
Our Conduct upon Discovery of Unauthorized Access
In the event we discover that there has been any form of unauthorized access to Customer Information, we will immediately advise our Customer of such unauthorized access so that it can expeditiously implement its response program to such unauthorized disclosure as set forth in the Interagency Guidelines Establishing Information Security Standards pursuant to Section 505(b) of the Gramm-Leach-Bliley Act.