Client Data Policy

Roaring Fork Help Desk Inc.
REVISION DATE 06/17/2015

 

Purpose

The purpose of this policy is to establish a baseline for the handling of your Data by Roaring Fork Help Desk Inc. (“Us,” “We,” “Our”). This policy outlines what We promise to do to ensure the security and survivability of your Data and to assist Our clients in complying with relevant laws and regulations that may apply to the retention and protection of that Data.

Scope

This policy applies to all of Our employees, interns, and owners.

Definitions

Data

Data is defined as any digital asset including but not limited to documents, spreadsheets, images (pictures), images (hard drive snapshots), configuration files, and emails that is either produced or possessed by you that is transferred to or used by Us on your behalf.

Data Owner

Is the person or entity that is the creator of, has non-frivolous claim to, is the assignee of, is the licensor of, or owner of any Data that is protectable intellectual property of any kind (patent, copyright, trademark, or trade secret).

Our Security Procedures When We Are Entrusted with Client Data

Containerized Encryption

Current best practices require containerized encryption of all sensitive information. Our containerized encryption procedures require you to place sensitive information into a VeraCrypt container. Such a container should, at minimum, be encrypted with AES encryption and the SHA–512 hash with one key file and a 64-bit password, or with AES encryption and the SHA–512 hash with a 256-bit password, before transfer to Us. We will not decrypt or transfer your containers to a third party without your express permission or court order, and We will not accept unencrypted Data from you.

File Access Management

Current best practices require file access management in certain cases. File access management is typically required when an auditable trail of file access is needed to assure customers, partners, suppliers, regulators, Data Owners, and intellectual property attorneys that authorized users are the only users accessing sensitive files.

If you use file access management, We will preserve the file access management records you provide to Us so that they accompany the sensitive files and are accessible in case of audit.

Data Disguising

While best practices should be enough for your security needs, if you require more security for your Data, We can implement data disguising methods like using oversized containers and hash file names to confuse an unauthorized user and make intrusions more easily identifiable.

Our Procedures to Maintain Legal and Regulatory Compliance

Security is the first step, but ensuring total legal and regulatory compliance when handling your Data requires satisfaction of a variety of laws and regulations. We are not lawyers, however, and cannot express a legal opinion as to whether or not a specific law or regulation applies to your data. If you identify any of your data as covered by the following, We will follow the relevant law or regulation in the maintenance of and access to your data.

Our Default Data Destruction Policy

If you do not specify otherwise, We will retain your Data until the end of our contractual relationship. At the end of our relationship, We will return to you all data on Our equipment and destroy any copies that may remain on Our equipment unless our relationship is renewed.

Data Retention and Protection for Data with Multiple Data Owners

We will follow your instructions when it comes to managing the interests of those who are Data Owners. Intellectual property laws, contracts, and ethical obligations may mean that some of your Data may be owned or the usage rights controlled by another party. The rights of your Data Owners must be respected, and to the extent practicable, We will attach and enforce whatever permissions management restrictions are required by any Data Owner to your Data, but We specifically do not warrant that Our services will prevent Data misappropriation by you and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to Data misappropriation on your part.

Data Retention and Protection for E-Discovery

We will follow whatever data destruction policy you instruct Us to follow. However, We will also mark any of your data for a “litigation hold” upon your request or court order to prevent its destruction pursuant to your data destruction policy. Under no circumstances will We alter or destroy any Data that We have reason to believe is relevant to an ongoing civil or criminal action. We specifically do not warrant that Our services will prevent spoliation and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to the spoliation of evidence on your part.

Data Retention and Protection for Sarbanes-Oxley (SOX) Compliance

If you are a “public company” or otherwise desire to comply with the “public company” regulations of SOX for any reason, much of the Data you produce and possess must be retained pursuant to SOX. Please discuss with counsel what exactly you need to retain to comply with SOX. If you mark data as covered by SOX, We will specifically segregate this data for preservation outside your data destruction policy and according to the rules promulgated as of the date of this revision. For SOX data, We will specifically refuse to comply with any request to destroy or alter such data or reclassify such data during the retention time required by the rules. However, We specifically do not warrant that Our services will prevent SOX non-compliance by you and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to a SOX violation on your part.

Data Retention and Protection for Personally Identifiable Education Records (PIER) under the Federal Educational Rights and Privacy Act (FERPA)

Student information you possess or generate may be PIER and regulated by FERPA. If you mark data as PIER covered by FERPA, We will specifically segregate this data for retention according to FERPA and perform a compliance check whenever you or a third-party requests this data. Without a valid FERPA waiver or court order, We will not release this information to any third-party. However, We specifically do not warrant that Our services will prevent FERPA non-compliance by you and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to a FERPA violation on your part.

PIER regulated by FERPA includes but is not expressly limited to:

• Transcripts
• GPA
• Social Security Number
• Academic Evaluations
• Certain Psychological Evaluations
• Attendance Records
• Records pertaining to lawsuits or other claims that are related to a current or former student
• Reference letters and resumes with student educational information
• Disciplinary Records

Data Retention and Protection for Personally Financial Identifiable Information (PIFI) under the Gramm-Leach-Bliley Act (GLBA)

Personal financial information that you retain is regulated by GLBA. If you mark data as covered by GLBA, We will specifically segregate this data for retention according to GLBA and perform a compliance check whenever you or a third-party requests this data. However, We specifically do not warrant that Our services will prevent GLBA non-compliance by you and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to a GLBA violation on your part.

Information regulated by GLBA includes but is not expressly limited to:

• Social security numbers
• State-issued driver’s license numbers
• Date of Birth
• Financial account number in combination with a security code, access code or password that would permit access to the account

Data Retention and Protection for Payment Card Information under the Payment Card Industry Data Security Standard (PCI DSS)

If you process payment cards, you are subject to PCI DSS. If you mark data as covered by PCI DSS, We will specifically segregate this data for protection according to the latest PCI DSS and perform a compliance check whenever you or a third-party requests this data. However, We specifically do not warrant that Our services will prevent PCI DSS non-compliance by you and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to PCI DSS non-compliance on your part.

Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

• Cardholder name
• Service code
• Expiration date
• CVC2, CVV2 or CID value
• PIN or PIN block
• Contents of a credit card’s magnetic stripe

Data Retention and Protection for Protected Health Information (PHI) under the Health Insurance Portability and Affordability Act (HIPAA)

If you produce or possess “individually identifiable” medical information it may be regulated as PHI by HIPAA. If you mark data as PHI covered by HIPAA, We will specifically segregate this data and perform a compliance check whenever you or a third-party requests this data. Without a valid HIPAA waiver or court order, We will not release this information to any third-party. However, We specifically do not warrant that Our services will prevent HIPAA non-compliance by you and We shall not be liable to you for damages sustained (under any legal or equitable theory) if Our conduct, as specified in this document or any other agreement between you and Us, causes or contributes to HIPAA non-compliance on your part.

PHI is defined as any “individually identifiable” information that is stored by a Covered Entity, and related to one or more of the following:

• Past, present or future physical or mental health condition of an individual.
• Provision of health care to an individual.
• Past, present or future payment for the provision of health care to an individual.

PHI is considered “individually identifiable” if it contains one or more of the following identifiers:

• Name
• Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
• All elements of dates (except year) related to an individual (including birth date, admissions date, discharge date, date of death and exact age if over 89)
• Telephone/Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate number
• Device identifiers and serial numbers
• Universal Resource Locators (URLs)
• Internet protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number or characteristic that could identify an individual

Data Protection for Miscellaneous State and Federal Data Retention Laws and Regulations

Every state has its own set of laws and, to the extent you have to comply with them, We can assist you with complying with other protection and retention laws and regulations. Additionally, the Federal Government could change the statutes, rules, and regulations consulted when crafting this policy and We can assist you with complying with these changes. However, We cannot guarantee Our assistance will bring you into compliance with those laws and regulations not specifically identified in this policy as of the policy’s revision date.

Password Strength Table

When We require you to use a password, or whenever We create a password for your Data, this table must be consulted to determine how the password should be created given the desired level of password entropy.

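Minimum password length (in symbols, or in words for the Diceware column) for each desired entropy:

| Desired password entropy H | Arabic numerals | Hexadecimal | Case insensitive Latin alphabet | Case insensitive alphanumeric | Case sensitive Latin alphabet | Case sensitive alphanumeric | All ASCII printable characters | All extended ASCII printable characters | Diceware word list |
|---|---|---|---|---|---|---|---|---|---|
| 8 bits (1 byte) | 3 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 1 |
| 32 bits (4 bytes) | 10 | 8 | 7 | 7 | 6 | 6 | 5 | 5 | 3 |
| 40 bits (5 bytes) | 13 | 10 | 9 | 8 | 8 | 7 | 7 | 6 | 4 |
| 64 bits (8 bytes) | 20 | 16 | 14 | 13 | 12 | 11 | 10 | 9 | 5 |
| 80 bits (10 bytes) | 25 | 20 | 18 | 16 | 15 | 14 | 13 | 11 | 7 |
| 96 bits (12 bytes) | 29 | 24 | 21 | 19 | 17 | 17 | 15 | 13 | 8 |
| 128 bits (16 bytes) | 39 | 32 | 28 | 25 | 23 | 22 | 20 | 17 | 10 |
| 160 bits (20 bytes) | 49 | 40 | 35 | 31 | 29 | 27 | 25 | 21 | 13 |
| 192 bits (24 bytes) | 58 | 48 | 41 | 38 | 34 | 33 | 30 | 25 | 15 |
| 224 bits (28 bytes) | 68 | 56 | 48 | 44 | 40 | 38 | 35 | 29 | 18 |
| 256 bits (32 bytes) | 78 | 64 | 55 | 50 | 45 | 43 | 39 | 33 | 20 |
| 384 bits (48 bytes) | 116 | 96 | 82 | 75 | 68 | 65 | 59 | 50 | 30 |
| 512 bits (64 bytes) | 155 | 128 | 109 | 100 | 90 | 86 | 78 | 66 | 40 |
| 1024 bits (128 bytes) | 309 | 256 | 218 | 199 | 180 | 172 | 156 | 132 | 80 |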
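
The table's lengths can be recomputed, and a password of the required length generated, as in the following added example (not part of the original policy). The per-column symbol counts are assumptions, since the policy names the columns but not their sizes, and the function names are illustrative. The lengths deliver the stated entropy only when every symbol is drawn uniformly at random.

```python
import secrets
import string

# Symbols per table column, in column order. The counts are assumptions:
# the policy names the columns but not their sizes.
SYMBOL_COUNTS = {
    "arabic_numerals": 10,
    "hexadecimal": 16,
    "case_insensitive_latin": 26,
    "case_insensitive_alphanumeric": 36,
    "case_sensitive_latin": 52,
    "case_sensitive_alphanumeric": 62,
    "ascii_printable": 95,
    "extended_ascii_printable": 218,
    "diceware_word_list": 7776,
}

# Concrete alphabets for the columns the standard library can enumerate.
ALPHABETS = {
    "arabic_numerals": string.digits,
    "hexadecimal": string.digits + "abcdef",
    "case_sensitive_alphanumeric": string.ascii_letters + string.digits,
    "ascii_printable": string.ascii_letters + string.digits
    + string.punctuation + " ",
}


def min_length(entropy_bits, symbol_count):
    """Smallest L with symbol_count**L >= 2**entropy_bits, in exact integers."""
    if entropy_bits < 1 or symbol_count < 2:
        raise ValueError("need entropy_bits >= 1 and symbol_count >= 2")
    length, space = 1, symbol_count
    while space < (1 << entropy_bits):
        space *= symbol_count
        length += 1
    return length


def table_row(entropy_bits):
    """Minimum lengths for every column, in the table's column order."""
    return [min_length(entropy_bits, n) for n in SYMBOL_COUNTS.values()]


def generate_password(entropy_bits, column):
    """Draw each symbol uniformly with the OS CSPRNG; only then does the
    table's length actually deliver the requested entropy."""
    alphabet = ALPHABETS[column]
    length = min_length(entropy_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))
```
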