ICMARC Associate Handbook August 2016

–– Social Security Numbers (SSN) cannot be used in any correspondence or emails sent externally; instead use the reference code or the last 4 digits of the SSN. –– Any reports that contain the SSN must be physically secured and shredded or placed in shred bins when discarded. –– Never copy documents or data which include SSNs or other non-public information for use to unencrypted flash drives, external hard drives, personal home computers, CDs or other remote media unless absolutely required to meet a critical business need. In that case, follow ICMA‑RC’s USB flash drive and CD writer copy encryption policy. –– Never use a personal email account or personal BlackBerry for any ICMA‑RC business emails, business text messaging or business-related communications. Never forward an ICMA‑RC email containing client or employer information to a personal email account. Breaches of Personal Information To comply with all state laws regarding protection of personal information, associates must report to the Manager of Information Security any disclosures of any of the following information to an unauthorized person: Personal information, defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements: 1 Social Security Number (SSN) 2 Account number, credit card number, debit card number, reference code, PIN or other numbers that can be used to access the individual’s accounts 3 Driver’s license, state identification or tribal identification number or card 4 Passport or other federally issued identification number or card 5 Taxpayer identification number 6 Medical information or health insurance information 7 Unique biometric data, such as a fingerprint, or other unique physical representation or digital representa- tion of biometric data 8 Digital or electronic signature 9 Birth date 10 Mother’s maiden name or any of data elements 1 through 3 above without a name if the information compromised is sufficient to gain access to an individual’s financial or credit account, to perform or attempt to perform identity theft, or to fraudulently assume or attempt to assume the identity of the person whose information is compromised. For additional information, see the entire ICMA‑RC Corporate Privacy Policy on the intranet at my.icmarc.org .

Confidential — for Internal Use Only

Associate Handbook August 2016 | 102