
JPA Information, Cybersecurity and Privacy

Intro
Unlike the European Union, the US has no single federal law regulating cybersecurity and privacy.
Several states have their own cybersecurity and data breach notification laws.
This poses a considerable challenge for organizations conducting business across all 50 states and worldwide. This page summarizes the compliance requirements for US state and federal cybersecurity laws.
1. JPA GLBA Policy

GLBA: Gramm-Leach-Bliley Act

15 U.S. Code Subchapter I

The Gramm-Leach-Bliley Act (GLBA) is both an information security and a privacy law.

Applicability:

The law applies to financial institutions, but the definition is very broad and includes banks, insurance companies, securities firms, non-bank mortgage lenders, auto dealers, and tax preparers.

There is a Security Rule and a Privacy Rule. The Security Rule (16 CFR Part 314) requires organizations to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (15 USC §6801 (a))

Penalties and enforcement:

Penalties for violation could exceed $1 million. There is also the possibility of termination of FDIC insurance, which could mean the end of the business for a financial firm.

Policy Purpose: NPPI - Consumer Info

JPA Policy: sign and return

Related documents: JPA PDF Policy AGMT; 2021 Additional Info
2. JPA Information Security Policy

Policy Purpose


The purpose of the Information Security Policy is to protect sensitive, confidential and/or proprietary information belonging to consumers, clients and to the Company and to ensure compliance with our Gramm-Leach-Bliley Act (“GLBA”) and Red Flag Policies.


Applicability


The Policy applies to all individuals who have access to the Company’s information and resources.


Definitions


Non-Public Personal Information (NPPI) includes the following, whether contained in printed or electronic format:

  • Bank account information, including:

  • Date of birth

  • Bank account numbers, including checking, savings and trust accounts, loan accounts, medical savings accounts or any other account numbers held at a financial institution, etc.

  • Certificate of citizenship

  • Copies of passports

  • Non-public phone numbers or phone records

  • Credit card information, including: credit card number (in part or whole), expiration date, cardholder name, address

  • Payroll information, including: paychecks, pay stubs, pay rates

  • Child support information

  • Credit information, including copies of credit reports

  • Driver's license number or photocopies of a driver's license and/or abstract

  • Taxpayer ID numbers, including: Social Security Number, Social Insurance Number, Business Identification Number, Employer Identification Number

  • Unemployment information

  • Medical information, including but not limited to: doctor name(s) and medical claims, insurance claims, prescriptions, treatment(s) or diagnoses, and any related personal medical information

  • Bankruptcy information

  • Financial information, including bank balances, payment amounts, past due amounts, etc.


Procedures: Physical Documents


All documents containing Personally Identifiable Information or sensitive, confidential or proprietary information must be stored in a secure location on Company property, such as a securely locked drawer or cabinet. In accordance with the records retention policy, information no longer needed must be shredded by an authorized vendor or an in-house approved shredding device.


Electronic Information


Password Policies

All Company electronic devices must be password protected. Company passwords must be single-user, non-trivial, hard-to-guess, and non-repetitive passwords that have no direct relationship to the password user and/or creator.

Initial passwords will be unique and must require a password change upon first login.

Passwords used will be of sufficient complexity that they are not easily guessed. This includes such characteristics as:

  • Passwords will use at least eight alphanumeric characters, articulating a semi-pronounceable string where possible.

  • Passwords must contain at least 3 of the 4 following character types: number, special character, upper case letter and lower case letter.

  • Passwords should not be obviously related to the user. This includes such items as spouse, children, or pet names or nicknames, license numbers, or phone numbers.

Passwords will not be shared across multiple users, or across multiple computer systems.

Passwords will be changed periodically as determined by the password policy for each system; in general this will be every 60 days. On automated systems with the capability, users should receive prior notice that their password is about to expire so that they are provided ample opportunity to change their password.

Passwords will not be re-used for at least 1 year, regardless of the number of times a password is changed in that year.

Administrator passwords will not be shared.

Training in proper password selection, protection, and in administration password policies should be conducted with all new employees and reviewed annually as part of the Company’s annual Security Awareness Training.

Company users will protect their passwords from any and all other individuals, and users should also respect this requirement of co-workers. This guideline is intended to include such items as:

  • Disclosure of a Company user's password to any person other than the password’s owner is prohibited.

  • A Company user should not enter his or her password if someone else is watching. Respect personal privacy zones.

  • Company users should not watch any other Company user enter their password.

  • Passwords will not be written down in any readable form, or programmed into any computer system or key for automatic login, recall, display or other use.

  • Passwords created for training purposes will be unique and changed regularly and will be restricted to access from systems designated as training resources.

  • All training systems will have passwords. Training passwords will be activated only when training is in session.
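The password rules above (eight or more characters, 3 of 4 character types, nothing tied to the user, 60-day rotation with advance notice, no reuse for a year however many changes occurred) are concrete enough to enforce in code. The checker below is an added example written for this page, not JPA's own tooling; the user facts, password history and dates are constructed sample data, and a production system would compare against a salted-hash history rather than stored plaintext.

```python
import string
from datetime import datetime, timedelta

MIN_LENGTH, MIN_CLASSES, ROTATION_DAYS = 8, 3, 60   # thresholds from the policy text
REUSE_WINDOW = timedelta(days=365)                  # "not re-used for at least 1 year"

def character_classes(pw):
    """Count how many of the four classes (number, special, upper, lower) appear."""
    checks = [str.isdigit, str.isupper, str.islower, lambda c: c in string.punctuation]
    return sum(any(check(c) for c in pw) for check in checks)

def related_to_user(pw, user_facts):
    """True if pw contains a name, license or phone number tied to the user (separators ignored)."""
    haystack = pw.lower()
    for fact in user_facts:
        token = "".join(ch for ch in fact.lower() if ch.isalnum())
        if len(token) >= 3 and token in haystack:
            return True
    return False

def validate_new_password(pw, user_facts, history, now):
    """history: [(old_password, date_set)]; returns the violated rules (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if character_classes(pw) < MIN_CLASSES:
        problems.append("fewer than 3 of 4 character classes")
    if related_to_user(pw, user_facts):
        problems.append("related to the user")
    # Time-based check, so reuse is blocked for a year however many changes happened in between.
    if any(old == pw and now - when < REUSE_WINDOW for old, when in history):
        problems.append("reused within 1 year")
    return problems

def rotation_status(last_set, now, notice_days=7):
    """60-day expiry; flag the final week so the user gets prior notice of the change."""
    age = (now - last_set).days
    if age >= ROTATION_DAYS:
        return "expired"
    return "expiring soon" if age >= ROTATION_DAYS - notice_days else "ok"

def demo():
    now = datetime(2021, 6, 1)   # constructed sample: user's pet is Fluffy, phone ends 555-0100
    facts = ["Fluffy", "555-0100"]
    history = [("Winter2020!", now - timedelta(days=200)), ("Autumn2019!", now - timedelta(days=400))]
    return {"weak": validate_new_password("fluffy2021", facts, history, now),
            "reused": validate_new_password("Winter2020!", facts, history, now),
            "old_ok": validate_new_password("Autumn2019!", facts, history, now),
            "good": validate_new_password("Tr0ub4dor&3", facts, history, now),
            "rotation": rotation_status(now - timedelta(days=55), now)}
```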


Unattended User Equipment

  • Company equipment will be kept in controlled Company spaces.

  • Mobile devices will not be left unattended unless they are logged off and kept in a secure area such as a hotel room or home.

  • Unattended systems will automatically lock after 10 minutes of no activity.

  • Sessions will automatically terminate on systems that have not been accessed for 30 minutes or more.

  • All Company laptops will use appropriate full disk encryption technology.
Firewalls

  • A firewall shall be used to protect computers from hackers while connected to the Internet.

  • The computer network shall have a “border” where it connects to the Internet. Access controls shall be set to allow only trusted employees with an authorized business need to access the network.

  • Additional firewalls shall be used to protect computers containing Personally Identifiable Information.

  • Firewalls shall be reviewed periodically.

Laptop Security

  • Laptop use is restricted to employees who need them to perform their job responsibilities.

  • Laptops shall be stored in a secured area.

  • Authorized laptop users will have access to Personally Identifiable Information but shall not store such information on laptops.

  • Laptops containing Personally Identifiable Information shall be encrypted and configured so users cannot download software or change security settings without approval from the company’s IT specialist(s).

  • Laptops shall be configured with an “auto-destroy” function so that data on a computer that is reported stolen will be destroyed when the computer is used to try to access the Internet.

  • Employees must not leave a laptop visible in an automobile, residence or hotel luggage stand, or in “checked” luggage at an airport unless directed to do so by airport security.

  • If a laptop must be left in a vehicle, it must be locked in the trunk.
Remote Access (Computers & Laptops)

This policy applies to all Company employees, contractors and vendors that are required to connect to the Company network from outside sources.

Any outside access to all or any part of the Company networks is to be done through secure, hardened and verified electronic equipment. Secure equipment is limited to computers, laptops, and mobile devices that must meet the following requirements:

  • Updated and current anti-virus software.

  • Locally installed firewall software.

  • Remote management software.

  • Updated OS and application patches.

  • Authorized VPN or Citrix client software.

  • RSA SecurID two-factor authentication.

Storing or printing Company or Client information from remote devices is strictly prohibited.

Mobile Device Management solutions must be configured to meet and enforce the documented MDM Baseline standard as a minimum.

It is the responsibility of Company employees, contractors and vendors with remote access privileges to the Company’s network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the Company.

General access to the Internet for recreational use by employees and their immediate household members on firm-provided computers is not permitted. Employees, contractors and vendors with remote access privileges to the Company’s network bear all responsibility for the consequences should the access be found to be misused.

Sharing passwords, access codes or any other identification for purposes of gaining access to the Company network is strictly prohibited.

Company employees and contractors with remote access privileges must ensure that their Company-owned computer, laptop, or other mobile device, which is remotely connected to the Company’s network, is not connected to any other network at the same time (split tunneling or dual homing), unless it is under complete control and the same security guidelines are applied and monitored.

Home wireless networks must use acceptable security measures, including WPA/WPA2 encryption and access lists. These home networks are the sole personal responsibility of the owner and will not be supported by the Company.

Company employees and contractors with remote access privileges to the Company’s network must not use non-Company email accounts (i.e., Hotmail, Gmail, Yahoo, AOL, Blackberry Internet Server), or other external resources to conduct Company business, so that private data is not shared across public networks and official business is never confused with personal business.

Static entry of a user ID and/or password to permit mobile device synchronization is explicitly prohibited.

Reconfiguration of provided equipment is strictly prohibited.

Non-standard hardware configurations must be reviewed and approved by security and network managers prior to connection to any and all parts of the Company’s network.

Activation of services must be an active process. Automated discovery processes to search for and connect to available Wi-Fi access points must be shut off. The use of Wi-Fi services must be an active user action.
Remote Access (iPhones, PDAs & Smartphones)

Portable communications devices have become an essential part of business operations. The following guidelines apply:

  • Only Company-owned devices will be permitted to connect to the network.

  • Use of Blackberry Internet Service or any other external providers where an email or network user ID and password are statically entered into setup is strictly prohibited.

  • Communication paths must be secured and/or encrypted using a minimum of 128-bit encryption.

  • Personal devices will not be tethered to Company computers or laptops for sharing/synchronizing Outlook information.
