{
  "body_html": "<h2>Consumer Privacy and Information Security</h2>\n<p>Customer data has three tiers. <strong>Restricted data</strong> — government IDs, SSNs, check images, transaction records, SAR/CTR workpapers — must be encrypted. Only you and designated personnel may access it. <strong>Confidential data</strong> — customer names, contact info, risk ratings, cashing history — is limited to staff with a documented need to know. <strong>Internal data</strong> uses standard employee access controls.</p>\n<p><strong>Access management:</strong></p>\n<ol>\n<li>Assign access based on each employee's role and operational need. Prohibit shared credentials.</li>\n<li>Revoke access within 24 hours of termination or role change.</li>\n</ol>\n<p><strong>Privacy notices:</strong></p>\n<ol>\n<li>Provide each customer an initial privacy notice at their first transaction.</li>\n<li>Provide annual notices to all customers. The notice must identify: categories of nonpublic personal information collected; parties it may be shared with; and opt-out rights.</li>\n<li>Honor opt-out requests within 30 days.</li>\n</ol>\n<p><strong>Ongoing security:</strong></p>\n<ol>\n<li>Review access logs for all systems holding customer or compliance data monthly. Investigate anomalies.</li>\n<li>Apply antivirus, firewall, and patch management to all systems processing nonpublic personal information.</li>\n<li>Apply critical security patches within 72 hours of release.</li>\n<li>Review the information security program annually and after any material change in operations or systems.</li>\n</ol>\n<p><strong>Security incidents:</strong></p>\n<ol>\n<li>Immediately assess scope and isolate affected systems.</li>\n<li>Engage legal counsel within 24 hours.</li>\n<li>If the incident affects 500 or more Florida residents, notify the Florida Department of Legal Affairs within 30 days of breach determination.</li>\n<li>Send written notice to affected individuals within the statutory deadline.</li>\n<li>Document all response actions and remediation steps. Retain for five years.</li>\n<li>If the breach involved exploitation of customer accounts to facilitate financial crime, file a SAR.</li>\n</ol>\n<p><strong>Vendors:</strong></p>\n<ol>\n<li>Before sharing nonpublic personal information with any service provider, execute a written <strong>data security agreement</strong> requiring safeguards consistent with federal requirements.</li>\n<li>Do not share check images with third parties except as required by law or under a qualifying data security agreement.</li>\n<li>Review vendor security controls annually and at each contract renewal. Replace vendors that cannot demonstrate adequate controls.</li>\n</ol>\n<p><strong>Record disposal:</strong></p>\n<ol>\n<li>When retention periods expire, destroy nonpublic personal information so it cannot be reconstructed.</li>\n<li>Cross-cut shred paper. Electronically wipe or physically destroy digital media using a certified process.</li>\n<li>Log and verify each disposal.</li>\n</ol>",
  "narration_text": "Customer data has three tiers. Restricted data — government IDs, SSNs, check images, transaction records, SAR/CTR workpapers — must be encrypted. Only you and designated personnel may access it. Confidential data — customer names, contact info, risk ratings, cashing history — is limited to staff with a documented need to know. Internal data uses standard employee access controls.\r\n\r\nAccess management:\r\nAssign access based on each employee's role and operational need. Prohibit shared credentials.\r\nRevoke access within 24 hours of termination or role change.\r\n\r\nPrivacy notices:\r\nProvide each customer an initial privacy notice at their first transaction.\r\nProvide annual notices to all customers. The notice must identify: categories of nonpublic personal information collected; parties it may be shared with; and opt-out rights.\r\nHonor opt-out requests within 30 days.\r\n\r\nOngoing security:\r\nReview access logs for all systems holding customer or compliance data monthly. Investigate anomalies.\r\nApply antivirus, firewall, and patch management to all systems processing nonpublic personal information.\r\nApply critical security patches within 72 hours of release.\r\nReview the information security program annually and after any material change in operations or systems.\r\n\r\nSecurity incidents:\r\nImmediately assess scope and isolate affected systems.\r\nEngage legal counsel within 24 hours.\r\nIf the incident affects 500 or more Florida residents, notify the Florida Department of Legal Affairs within 30 days of breach determination.\r\nSend written notice to affected individuals within the statutory deadline.\r\nDocument all response actions and remediation steps. Retain for five years.\r\nIf the breach involved exploitation of customer accounts to facilitate financial crime, file a SAR.\r\n\r\nVendors:\r\nBefore sharing nonpublic personal information with any service provider, execute a written data security agreement requiring safeguards consistent with federal requirements.\r\nDo not share check images with third parties except as required by law or under a qualifying data security agreement.\r\nReview vendor security controls annually and at each contract renewal. Replace vendors that cannot demonstrate adequate controls.\r\n\r\nRecord disposal:\r\nWhen retention periods expire, destroy nonpublic personal information so it cannot be reconstructed.\r\nCross-cut shred paper. Electronically wipe or physically destroy digital media using a certified process.\r\nLog and verify each disposal."
}