We handle three types of customer information, and each one has rules about who can see it.
\nRestricted data — things like Social Security numbers, government IDs, transaction records, and compliance documents — must be encrypted. Only you and specific, approved staff may access it. Confidential data — like customer names, contact information, and account history — is limited to employees who need it to do their job. Never share login credentials with coworkers. If an employee leaves or changes roles, their access must be removed within 24 hours.
\nWhen a customer does business with us for the first time, you must give them a privacy notice. This notice explains what information we collect, who we might share it with, and their right to opt out of certain sharing. You must also send this notice to all customers once a year. If a customer asks to opt out, you must honor that request within 30 days.
\nTo keep data safe, review access logs on all systems that hold customer data every month. Look for anything unusual. All systems that process customer information must have antivirus software, a firewall, and up-to-date patches. Critical security patches must be applied within 72 hours of release.
\nIf a security breach happens, act immediately: assess the damage, isolate affected systems, and contact legal counsel within 24 hours. If the breach affects 500 or more Florida residents, you must notify the Florida Department of Legal Affairs within 30 days. Send written notice to affected individuals by the required deadline. Document everything and keep those records for five years. If financial crime was involved, file a SAR.
\nBefore sharing customer information with any outside vendor, you must have a written data security agreement in place. Review vendor security controls every year.
\nWhen it is time to dispose of records, you must destroy them completely — cross-cut shred paper, and wipe or physically destroy digital media. Log every disposal.
", "narration_text": "We handle three types of customer information, and each one has rules about who can see it.\r\n\r\nRestricted data — things like Social Security numbers, government IDs, transaction records, and compliance documents — must be encrypted. Only you and specific, approved staff may access it. Confidential data — like customer names, contact information, and account history — is limited to employees who need it to do their job. Never share login credentials with coworkers. If an employee leaves or changes roles, their access must be removed within 24 hours.\r\n\r\nWhen a customer does business with us for the first time, you must give them a privacy notice. This notice explains what information we collect, who we might share it with, and their right to opt out of certain sharing. You must also send this notice to all customers once a year. If a customer asks to opt out, you must honor that request within 30 days.\r\n\r\nTo keep data safe, review access logs on all systems that hold customer data every month. Look for anything unusual. All systems that process customer information must have antivirus software, a firewall, and up-to-date patches. Critical security patches must be applied within 72 hours of release.\r\n\r\nIf a security breach happens, act immediately: assess the damage, isolate affected systems, and contact legal counsel within 24 hours. If the breach affects 500 or more Florida residents, you must notify the Florida Department of Legal Affairs within 30 days. Send written notice to affected individuals by the required deadline. Document everything and keep those records for five years. If financial crime was involved, file a SAR.\r\n\r\nBefore sharing customer information with any outside vendor, you must have a written data security agreement in place. Review vendor security controls every year.\r\n\r\nWhen it is time to dispose of records, you must destroy them completely — cross-cut shred paper, and wipe or physically destroy digital media. Log every disposal." }