Confidential — for Internal Use Only
Associate Handbook August 2016 |
102
–– Social Security Numbers (SSN) cannot be used in any correspondence or emails sent externally; instead
use the reference code or the last 4 digits of the SSN.
–– Any reports that contain the SSN must be physically secured and shredded or placed in shred bins
when discarded.
–– Never copy documents or data which include SSNs or other non-public information for use to
unencrypted flash drives, external hard drives, personal home computers, CDs or other remote media
unless absolutely required to meet a critical business need. In that case, follow ICMA‑RC’s USB flash
drive and CD writer copy encryption policy.
–– Never use a personal email account or personal BlackBerry for any ICMA‑RC business emails, business
text messaging or business-related communications. Never forward an ICMA‑RC email containing
client or employer information to a personal email account.
Breaches of Personal Information
To comply with all state laws regarding protection of personal information, associates must report to the
Manager of Information Security any disclosures of any of the following information to an unauthorized person:
Personal information, defined as an individual’s first name or first initial and last name in combination with
one or more of the following data elements:
1
Social Security Number (SSN)
2
Account number, credit card number, debit card number, reference code, PIN or other numbers that can
be used to access the individual’s accounts
3
Driver’s license, state identification or tribal identification number or card
4
Passport or other federally issued identification number or card
5
Taxpayer identification number
6
Medical information or health insurance information
7
Unique biometric data, such as a fingerprint, or other unique physical representation or digital representa-
tion of biometric data
8
Digital or electronic signature
9
Birth date
10
Mother’s maiden name
or
any of data elements 1 through 3 above without a name if the information compromised is sufficient to gain
access to an individual’s financial or credit account, to perform or attempt to perform identity theft, or to
fraudulently assume or attempt to assume the identity of the person whose information is compromised.
For additional information, see the entire ICMA‑RC Corporate Privacy Policy on the intranet at
my.icmarc.org.