Acknowledgement for Supplier Employees
Part 1: We are all Responsible
Responsibilities
Key Terms and Definitions
Confidential Information:
•Confidential Information is for limited use and disclosure.
•It requires your manager's approval to share it and must only be shared on a need-to-know
basis in line with its level of sensitivity.
•Examples include associate, customer and applicant personal or financial data, information
protected by law or regulation, passwords and encryption keys, pre-announcement information
about major new products or services, pre-announcement information about financial results,
mergers, acquisitions or other capital markets activities, strategic plans and legal strategies.
Consumer Customer Information:
•Any record containing personal information about a consumer customer, whether in paper,
electronic or other form maintained by or on behalf of Bank of America.
Sensitive Data:
•A consumer’s name, address or telephone number in conjunction with the consumer’s social
security number, driver’s license number, account number, credit or debit card number, or a
personal identification number or password that would permit access to the customer’s
account.
•Any combination of components of customer information that would allow someone to log
onto or access the customer’s account, such as user name and password or password and
account number.
•Associate data that is private in nature and intended for limited disclosure on a need-to-know
basis, including Social Security Number, full date of birth with year, personal contact
information (home/mobile phone, home address, emergency contact information) and
compensation and performance data.
Nonpublic Personal Information (NPI):
•Confidential information about a customer or associate (e.g., Social Security number or its
derivatives, such as a partial or scrambled Social Security number; account number; credit or
debit card number; or personal identification number) that would permit access to a
customer's account or enable fraud or identity theft.
•NPI is a subset of Confidential Information.
Key Terms and Definitions
Privacy Event:
•The unauthorized access to and/or use of Sensitive Data (1) within a network, system or
computer controlled by Bank of America or by a vendor acting on behalf of Bank of America; or (2)
that results from the action of a Bank of America associate or of a vendor acting on behalf of
Bank of America. This applies to consumer customers and to consumers who are not
customers of the Bank. Examples include but are not limited to:
- stolen/lost laptops or desktops (even if encrypted) containing Sensitive Data
- incidents where documents or other information are provided in error, allowing
unauthorized persons to receive and/or view Sensitive Data
- stolen Sensitive Data, e.g. an associate or a vendor's associate selling or using
customer information for personal gain
- lost Sensitive Data, e.g. information lost in transit
- incident in which an unencrypted email has been sent in error to an unauthorized third
party (NPI violation)
- unauthorized access into Bank of America controlled networks, systems or computers
where Sensitive Data is stolen or compromised.
•Privacy Events include incidents where Bank of America Sensitive Data is being handled
by companies that work for the Bank (Service Providers).
Information Security Incident:
When any bank computer or data in any form (paper, verbal, electronic) is:
- Lost
- Stolen
- Misused
- Unsecured
An Information Security Incident exposes sensitive information that could be used for
something harmful to our customers, such as identity theft. A Privacy Event is a type of
Information Security Incident.
Part 2: Overview of Primary Information Protection and Privacy Laws
Key Information Protection Law
Part 3: Supplier Employee Responsibilities
Protecting Customer Information
• Bank of America's Information Security Policy establishes the steps to be taken to protect the
confidentiality, integrity and availability of sensitive and confidential information. Information is a
valuable asset of Bank of America. Our customers and shareholders expect that:
– Confidential Information will be managed properly to ensure that it is complete,
accurate, confidential, secure and available for authorized business activities.
– Access to information and information systems will be controlled, with access provided
only to the extent necessary to support authorized business functions.
– Information and information systems will be protected in a manner commensurate with
their sensitivity, value and criticality.
– Access to the bank's computer systems will be limited to the resources for which
authorization has been approved and granted for a valid business need.
• All bank associates and Supplier employees who have access to or custody of consumer
customer information, or Bank of America information and information systems, are expected
to make all reasonable efforts to comply with any and all policies, standards, and guidance
established to support Information Security Policies of the Bank and its suppliers.
Protecting Customer Information
ESCALATION PROCESS
•Supplier employees must take every precaution to protect and safeguard customer information
to which they have physical or logical access.
•Any Information Security Incident resulting in any compromise of customer Sensitive Data
must immediately be escalated to your manager.
•Your manager will immediately inform the Bank of America Supplier Manager of the Information
Security Incident.
•The Bank of America Supplier Manager will provide guidance on how to proceed. Information
about the incident will be provided to the proper area of the Bank for further investigation
and resolution, as appropriate.
Part 4: Getting Help
Where to Get Help
• Have a question?
• Need clarification?
• Want to escalate a potential Information Security Incident?
Here are a few tips for getting help when you need it most:
• Ask your supervisor or manager for his or her opinion. Explain what
you think about the situation; they may have insight to offer.
They can also contact the Bank of America liaison for guidance and
support.
• Follow your procedures for reporting any Information Security
Incident. The stakes are high when customer information is involved.
Bank of America will follow up on your report and further investigate
the situation. It is your duty to alert them.
Supplier Employee Acknowledgement
Acknowledgement
_________________________________________
Supplier Employee printed name
_________________________________________
Supplier Employee signature
_________________________________________
Date
Supplier Manager Attestation
Quarterly/Annual Attestation
Quarterly Attestation:
_________ I attest that all new employees with access to Bank of America customer
information who have reached 60 calendar days of employment have taken the Bank
of America Information Protection and Privacy training.
_________ I attest that no new employees reached 60 calendar days of
employment in the quarter for which reporting is being performed.
________ I attest that all employees have taken the Bank of America Information
Protection and Privacy training. I further attest that I have signed acknowledgements
on file for each employee as evidence that the training was completed.