2.1.1 Social Security number, driver's license number, or other government-issued identification numbers, including any passport number, or tribal identification number.
2.1.2 Account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual's financial accounts.
2.1.3 Any personally identifiable financial information or consumer list, description, or other grouping derived from personally identifiable financial information, where “personally identifiable financial information” includes any information:
2.1.3.1 A consumer provides to Brand 27 to obtain a financial product or service.
2.1.3.2 About a consumer resulting from any transaction involving a financial product or service with Brand 27.
2.1.3.3 Brand 27 otherwise obtains about a consumer in connection with providing a financial product or service.
2.1.4 Health information, including information regarding the individual's medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional created or received by Brand 27. “Health information” includes any information which identifies or for which there is a reasonable basis to believe the information can be used to identify the individual and which relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual.
2.1.5 Health insurance identification number, subscriber identification number, or other unique identifier used by a health insurer.
2.1.6 Biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris.
2.1.7 Electronic mail (“email”) or other communications address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
2.1.8 Any other information that Brand 27 considers highly confidential and that, if accessed by or disclosed to unauthorized parties, could cause significant or material harm to Brand 27, its customers, or its business partners.
3.2.1 Assessing internal and external risks to Personal Information and maintaining related documentation, including risk assessment reports and remediation plans (see Section 4).
3.2.2 Coordinating the development, distribution, and maintenance of information security policies and procedures (see Section 5).
3.2.3 Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal [and other sensitive] information (see Section 6).
3.2.4 Ensuring that the safeguards are implemented and maintained to protect Personal Information throughout Brand 27, where applicable (see Section 6).
3.2.5 Overseeing service providers that access or maintain Personal Information on behalf of Brand 27 (see Section 7).
3.2.6 Monitoring and testing the information security program's implementation and effectiveness on an ongoing basis (see Section 8).
3.2.7 Defining and managing incident response procedures (see Section 9).
3.2.8 Establishing and managing enforcement policies and procedures for this WISP, in collaboration with Brand 27 human resources and management (see Section 10).
3.3.1 Providing periodic training regarding this WISP, Brand 27’s safeguards, and relevant information security policies and procedures for all employees, contractors, and (as applicable) stakeholders who have or may have access to Personal Information;
3.3.2 Ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation, through written acknowledgement forms.
3.3.3 Retaining training and acknowledgment records.
4.2.1 Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing Personal Information.
4.2.2 Assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the Personal Information.
4.2.3 Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
4.2.3.1 Employee, contractor, and (as applicable) stakeholder training and management.
4.2.3.2 Employee, contractor, and (as applicable) stakeholder compliance with this WISP and related policies and procedures.
4.2.3.3 Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal.
4.2.3.4 Brand 27's ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
4.3.1 Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;
4.3.2 Reasonably and appropriately address any identified gaps.
4.3.3 Regularly monitor the effectiveness of Brand 27’s safeguards, as specified in this WISP (see Section 8).
5.2.1 Information classification.
5.2.2 Information handling practices for Personal Information, including the storage, access, disposal, and external transfer or transportation of Personal Information.
5.2.3 User access management, including identification and authentication (using passwords or other appropriate means).
5.2.5 Computer and network security.
5.2.6 Physical security.
5.2.7 Incident reporting and response.
5.2.8 Employee and contractor use of technology, including Acceptable Use and Bring Your Own Device (BYOD).
5.2.9 Information systems acquisition, development, operations, and maintenance.
6.4.1 Designating one or more employees to coordinate the information security program (see Section 3).
6.4.2 Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks (see Section 4).
6.4.3 Training employees in security program practices and procedures, with management oversight (see Section 3).
6.4.4 Selecting service providers that are capable of maintaining appropriate safeguards, and requiring service providers to maintain safeguards by contract (see Section 7).
6.4.5 Adjusting the information security program in light of business changes or new circumstances (see Section 11).
6.5.1 Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices.
6.5.2 Restricting access to active users and active user accounts only, including preventing terminated employees or contractors from accessing systems or records.
6.5.3 Blocking access to a particular user identifier after multiple unsuccessful attempts to gain access or placing limitations on access for the particular system.
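The three controls in 6.5.1 through 6.5.3 (passwords stored only in a form that does not compromise them, access limited to active accounts, and lockout of an identifier after repeated failures) map directly onto a small authentication routine. The following is an added illustration, not code from this WISP or from Brand 27; the account store, the function names, the scrypt parameters and the five-attempt lockout threshold are assumptions chosen for the example. It also enforces the unique-identifier requirement in 6.6.2 by refusing duplicate identifiers.

```python
"""Added example: an authentication check implementing WISP 6.5.1-6.5.3.
The in-memory store, function names and thresholds are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: lockout threshold for 6.5.3 chosen for this example.
MAX_FAILED_ATTEMPTS = 5
# Assumption: scrypt work factor; tune to the deployment's hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
_DUMMY_SALT = b"\x00" * 16


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    active: bool = True          # 6.5.2: cleared when the person is terminated
    failed_attempts: int = 0
    locked: bool = False         # 6.5.3: set after repeated failures


def _derive(password: str, salt: bytes) -> bytes:
    # 6.5.1: only a salted, memory-hard hash is ever stored, never the password.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def create_account(store: dict, username: str, password: str) -> None:
    if username in store:
        raise ValueError("identifier already in use")   # 6.6.2: unique identifiers
    salt = secrets.token_bytes(16)                       # per-user random salt
    store[username] = Account(salt=salt, pw_hash=_derive(password, salt))


def deactivate(store: dict, username: str) -> None:
    # 6.5.2: a terminated employee or contractor keeps no working credential.
    store[username].active = False


def authenticate(store: dict, username: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'. Never reveals which check failed."""
    acct = store.get(username)
    if acct is None:
        _derive(password, _DUMMY_SALT)   # same cost as a real check (timing)
        return "denied"
    if not acct.active:
        return "denied"
    if acct.locked:
        return "locked"                  # no further guesses are evaluated
    if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0         # successful login resets the counter
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True               # 6.5.3: block the identifier
        return "locked"
    return "denied"


if __name__ == "__main__":
    accounts = {}
    create_account(accounts, "alice", "correct horse battery staple")
    print(authenticate(accounts, "alice", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = authenticate(accounts, "alice", "guess")
    print(result)
```

The lockout here is permanent until an administrator clears the flag; in practice a time-bound lockout or per-source rate limiting is usually preferable so that an attacker cannot lock legitimate users out at will, and every lockout event should be logged for the monitoring required in 6.6.5. Any reset procedure must itself verify identity, or it becomes the path around 6.5.3.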
6.6.1 Restricting access to records and files containing Personal Information to those with a need to know to perform their duties.
6.6.2 Assigning unique identifiers and passwords (or other authentication means, but not vendor-supplied default passwords) to each individual with computer or network access that are reasonably designed to maintain security.
6.6.3 Encryption of all Personal Information traveling wirelessly or across public networks.
6.6.4 Encryption of all Personal Information stored on laptops or other portable or mobile devices, and to the extent technically feasible, Personal Information stored on any other device or media (data-at-rest).
6.6.5 Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to Personal Information or other attacks or system failures.
6.6.6 Reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) Personal Information.
6.6.7 Reasonably current system security software (or a version that can still be supported with reasonably current patches and malware definitions) that (1) includes malicious software ("malware") protection and (2) is configured to receive patch and malware-definition updates on a regular basis.
6.7.1 Defining and implementing reasonable physical security measures to protect areas where Personal Information may be accessed, including reasonably restricting physical access and storing records containing Personal Information in locked facilities, areas, or containers.
6.7.2 Preventing, detecting, and responding to intrusions or unauthorized access to Personal Information, including during or after data collection, transportation, or disposal.
6.7.3 Secure disposal or destruction of Personal Information, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.