{
  "body_html": "<h2>Consumer Privacy and Information Security</h2>\n<p>You are the designated information security coordinator for Advanced Compliance Technology, Inc. As BSA/AML Compliance Officer, you are responsible for protecting all customer nonpublic personal information generated through check cashing, money transmission, payment instrument sales, and foreign currency exchange operations.</p>\n<p>Advanced Compliance Technology, Inc. classifies customer data in three tiers. Restricted data includes government-issued ID copies, Social Security numbers, check images, transaction records, and SAR/CTR workpapers. Restricted data must be stored encrypted. Access is limited to you and personnel you designate. Confidential data includes customer names, contact information, risk ratings, and check cashing history. Access is limited to operational staff with a documented need to know. Internal data covers general business records and uses standard employee access controls.</p>\n<p>Assign system access based on each employee's role and operational need. Shared credentials are prohibited. Revoke access within 24 hours of termination or role change.</p>\n<p>Provide each customer an initial privacy notice at their first transaction. Provide an annual privacy notice to all customers thereafter. The notice must identify: categories of nonpublic personal information collected; parties with whom it may be shared; and applicable opt-out rights. Honor opt-out requests within 30 days.</p>\n<p>Review access logs monthly for all systems holding customer or compliance data. Investigate any anomalies. Apply antivirus, firewall, and patch management controls to all systems processing nonpublic personal information. 
Apply critical security patches within 72 hours of release.</p>\n<p>Review the information security program annually and after any material change in operations or systems.</p>\n<p>When you discover a security incident involving nonpublic personal information, immediately assess scope and isolate affected systems. Engage legal counsel within 24 hours. If the incident affects 500 or more Florida residents, notify the Florida Department of Legal Affairs within 30 days of breach determination. Send written notice to affected individuals within the statutory deadline. Document the incident, all response actions, and remediation steps. Retain that documentation for five years. If the breach involved exploitation of customer accounts to facilitate financial crime, file a SAR.</p>\n<p>Before sharing customer nonpublic personal information with any service provider, execute a written data security agreement. The agreement must require the vendor to maintain safeguards consistent with federal information security requirements. Service providers include check verification services, IT vendors, and document storage providers. Do not share check images with third parties except as required by law or under a qualifying data security agreement. Review vendor security controls annually and at each contract renewal. Replace vendors that cannot demonstrate adequate controls before the next contract term.</p>\n<p>When retention periods expire, destroy records containing nonpublic personal information so they cannot be reconstructed. Cross-cut shred paper documents. Electronically wipe digital media using a certified process or physically destroy it. Log and verify each disposal.</p>",
  "narration_text": "You are the designated information security coordinator for Advanced Compliance Technology, Inc. As BSA/AML Compliance Officer, you are responsible for protecting all customer nonpublic personal information generated through check cashing, money transmission, payment instrument sales, and foreign currency exchange operations.\r\n\r\nAdvanced Compliance Technology, Inc. classifies customer data in three tiers. Restricted data includes government-issued ID copies, Social Security numbers, check images, transaction records, and SAR/CTR workpapers. Restricted data must be stored encrypted. Access is limited to you and personnel you designate. Confidential data includes customer names, contact information, risk ratings, and check cashing history. Access is limited to operational staff with a documented need to know. Internal data covers general business records and uses standard employee access controls.\r\n\r\nAssign system access based on each employee's role and operational need. Shared credentials are prohibited. Revoke access within 24 hours of termination or role change.\r\n\r\nProvide each customer an initial privacy notice at their first transaction. Provide an annual privacy notice to all customers thereafter. The notice must identify: categories of nonpublic personal information collected; parties with whom it may be shared; and applicable opt-out rights. Honor opt-out requests within 30 days.\r\n\r\nReview access logs monthly for all systems holding customer or compliance data. Investigate any anomalies. Apply antivirus, firewall, and patch management controls to all systems processing nonpublic personal information. Apply critical security patches within 72 hours of release.\r\n\r\nReview the information security program annually and after any material change in operations or systems.\r\n\r\nWhen you discover a security incident involving nonpublic personal information, immediately assess scope and isolate affected systems. 
Engage legal counsel within 24 hours. If the incident affects 500 or more Florida residents, notify the Florida Department of Legal Affairs within 30 days of breach determination. Send written notice to affected individuals within the statutory deadline. Document the incident, all response actions, and remediation steps. Retain that documentation for five years. If the breach involved exploitation of customer accounts to facilitate financial crime, file a SAR.\r\n\r\nBefore sharing customer nonpublic personal information with any service provider, execute a written data security agreement. The agreement must require the vendor to maintain safeguards consistent with federal information security requirements. Service providers include check verification services, IT vendors, and document storage providers. Do not share check images with third parties except as required by law or under a qualifying data security agreement. Review vendor security controls annually and at each contract renewal. Replace vendors that cannot demonstrate adequate controls before the next contract term.\r\n\r\nWhen retention periods expire, destroy records containing nonpublic personal information so they cannot be reconstructed. Cross-cut shred paper documents. Electronically wipe digital media using a certified process or physically destroy it. Log and verify each disposal."
}