
2009 Information Protection & Privacy
Overview and Acknowledgement for Supplier Employees

Part 1:
We are all Responsible

Responsibilities

Keeping our customers’ financial information secure is one of our most
important responsibilities as a Bank associate or supplier employee.
Customers expect us to appropriately handle and use their information
with great sensitivity and consideration. Bank of America is committed
to meeting its Privacy promises.  We gain and maintain the trust of
both our customers and associates by thoughtfully managing and
safeguarding information. Bank of America relies on both bank
associates and employees of key service suppliers to safeguard the
information to which they have access.

Key Terms and Definitions

Confidential Information:
• Confidential Information is for limited use and disclosure.
• It requires your manager’s approval to share it and must only be shared on a need-to-know
basis in line with its level of sensitivity.
• Examples include associate, customer and applicant personal or financial data, information
protected by law or regulation, passwords and encryption keys, preannouncement information
about major new products or services, preannouncement information about financial results,
mergers, acquisitions or other capital markets activities, strategic plans and legal strategies.

Consumer Customer Information:
• Any record containing personal information about a consumer customer, whether in paper,
electronic or other form, maintained by or on behalf of Bank of America.

Sensitive Data:
• A consumer’s name, address or telephone number in conjunction with the consumer’s social
security number, driver’s license number, account number, credit or debit card number, or a
personal identification number or password that would permit access to the customer’s
account.
• Any combination of components of customer information that would allow someone to log
onto or access the customer’s account, such as user name and password or password and
account number.
• Associate data that is private in nature and intended for limited disclosure on a need-to-know
basis, including Social Security Number, full date of birth with year, personal contact
information (home/mobile phone, home address, emergency contact information) and
compensation and performance data.

Nonpublic Personal Information (NPI):
• Confidential information about a customer or associate (e.g., Social Security number or its
derivatives (e.g., partial or scrambled Social Security number), account number, credit or
debit card number, or personal identification number) that would permit access to a
customer’s account or enable fraud or identity theft.
• NPI is a subset of Confidential Information.
Key Terms and Definitions

Privacy Event:
• The unauthorized access to and/or use of sensitive data (1) within a network, system or
computer controlled by Bank of America or by a vendor acting on behalf of Bank of America; or
(2) that results from the action of a Bank of America associate or a vendor acting on behalf of
Bank of America. This applies to consumer customers and to consumers who are not
customers of the Bank. Examples include but are not limited to:
- stolen/lost laptops or desktops (even if encrypted) containing Sensitive Data
- incidents where documents or other information are provided in error, allowing
unauthorized persons to receive and/or view Sensitive Data
- stolen Sensitive Data, e.g. an associate or a vendor’s associate selling or using
customer information for personal gain
- lost Sensitive Data, e.g. information lost in transit
- an incident in which an unencrypted email has been sent in error to an unauthorized third
party (NPI violation)
- unauthorized access into Bank of America controlled networks, systems or computers
where sensitive data is stolen or compromised.
• Privacy events include incidents where Bank of America sensitive data is being handled
by companies that work for the Bank (Service Providers).

Information Security Incident:
When any bank computer or data in any form (paper, verbal, electronic) is:
- Lost
- Stolen
- Misused
- Unsecured
An information security incident exposes sensitive information that could be used for
something harmful to our customers, such as identity theft. A Privacy Event is a type of
Information Security Incident.

Part 2:
Overview of Primary Information Protection and Privacy Laws

Key Information Protection Law

Gramm-Leach-Bliley Act (GLBA)

Federal law that governs the use and disclosure of non-public personal
information (NPI) collected by financial institutions and applies to
“consumers” and to those products and services used primarily for
personal, family or household purposes. The law requires financial
institutions to develop and maintain privacy and security policies and
procedures. The law also requires that contracts between suppliers
and the bank must include confidentiality language, restricting reuse
and disclosure of non-public personal information.

Part 3:
Supplier Employee Responsibilities

Protecting Customer Information

• Bank of America’s Information Security Policy establishes steps to be taken to protect the
confidentiality, integrity and availability of sensitive confidential information. Information is a
valuable asset of Bank of America. Our customers and shareholders expect that:
– Confidential Information will be managed properly to ensure that it is complete,
accurate, confidential, secure and available for authorized business activities.
– Access to information and information systems will be controlled, with access provided
only to the extent necessary to support authorized business functions.
– Information and information systems will be protected in a manner commensurate with
their sensitivity, value and criticality.
– Access to the bank’s computer systems will be limited to the resources for which
authorization has been approved and granted for a valid business need.

• All bank associates and Supplier employees who have access to or custody of consumer
customer information, or Bank of America information and information systems, are expected
to make all reasonable efforts to comply with any and all policies, standards, and guidance
established to support Information Security Policies of the Bank and its suppliers.

Protecting Customer Information

Examples of Information Security Incidents That Should Be Reported (not all-inclusive):

• A bag of Bank of America proof work is lost in transit
• A package containing Bank of America items is delivered to a non-Bank of America address
• Work belonging to Bank of America is stolen
• You see a skimming device on a Bank of America ATM

ESCALATION PROCESS
• Supplier employees must take every precaution to protect and safeguard customer information
to which they may have physical or logical access.
• Any information security incident resulting in any compromise of customer sensitive information
must immediately be escalated to your manager.
• Your manager will immediately inform the Bank of America Supplier Manager of the information
security incident.
• The Bank of America Supplier Manager will provide guidance as to how to proceed. Information
about your information security incident will be provided to the proper area of the Bank for further
investigation and resolution, as appropriate.

Part 4:
Getting Help

Where to Get Help

Where can you go for help in these situations?

• Have a question
• Need clarification
• Want to escalate a potential information security incident

Here are a few tips for getting help when you need it most:

• Ask your supervisor or manager for his or her opinion. Explain what
you think about the situation. They might have some insight to offer.
They can also contact the Bank of America liaison for guidance and
support.
• Follow your procedures for reporting any information security
incident. The stakes are high when customer information is involved.
Your report will be followed up on by Bank of America. They will
further investigate the situation. It is your duty to alert them.

Where to Get Help

Information Security Incidents and Privacy Events

Reporting
The EIM InfoSafe Hotline provides Bank of America associates and vendors a
24-hour, 7-day-a-week service to report inappropriate use of, and potential
compromise of, Bank of America computer or information assets.

When reporting a potential information security incident or privacy event:

• Report as soon as you are aware
• Provide as much detail as possible

Information Security Incident Reporting

To report a potential information security incident, call the EIM InfoSafe Hotline:
1.800.207.2322, option 1.
Associates outside the U.S. should call: (001) 704.317.5350, option 1.

U.S. Privacy Event Reporting

To report a potential U.S. consumer privacy event, contact:
1. The EIM InfoSafe Hotline: 1.800.207.2322, option 1
2. Your privacy business unit representative

Supplier Employee Acknowledgement

Acknowledgement

I have participated in the Bank of America Information Protection and Privacy
Overview training and understand my responsibilities. I know that I have a duty to
comply with all information protection and privacy policies and procedures that
apply. I understand what I should and should not do to avoid violating the policy,
laws and regulations.

_________________________________________
Supplier Employee printed name

_________________________________________
Supplier Employee signature

_________________________________________
Date

Supplier Manager Attestation

Quarterly/Annual Attestation

Supplier Name: ____________________

Location: _________________ Quarter: __________________

Quarterly Attestation:

_________ I attest that all new employees, with access to Bank of America customer
information, that have reached 60 calendar days of employment have taken the Bank
of America Information Protection and Privacy training.

_________ I attest that there were no new employees reaching 60 calendar days of
employment in the quarter for which reporting is being performed.

Annual Attestation – For Fourth Quarter Only:

________ I attest that all employees have taken the Bank of America Information
Protection and Privacy training. I further attest that I have signed acknowledgements
on file for each employee as evidence that the training was completed.

Manager’s Name: _____________________________________

Date of Attestation: _____________________________________
