Protecting Personal Information
You voluntarily provide us with data, including data that can be used to identify you, either directly or indirectly, when you purchase or use our services and access our website.
Definition of Personal Information or Personal Data (PI)
An individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to the individual:
- Social Security Number
- Driver’s license number
- State or Federal government issued identification card number including Military ID or Passport number
- Financial account number, including any credit card number, with or without any PIN, code or security information that would permit access to the individual’s account
Any information which is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public is not considered PI.
For purposes of GDPR, if you provide your name, address, email, telephone number, username, password, IP address, credit card, debit card, banking or other payment information, or any other information you share with TCG, directly or indirectly, through your use of TCG services or website, you are providing PI.
Use of Personal Information
TCG handles Personal Information (PI) in the conduct of its business operations for many different reasons. Here is how TCG may handle PI:
- We keep employment records including payroll, retirement plan, tax records and health insurance and other benefits information for our employees.
- Some clients may provide credit card information for payments.
- We may have access to the PI of our clients’ employees, partners, or associates in the delivery of our crisis management or event management services.
- With your consent, we may send you our newsletter and other marketing materials.
- With your consent, where the processing is necessary for the performance of a contract, such as to provide you with our PR or event management services, we may use your PI.
- Where necessary to comply with applicable law, court orders, governmental agencies, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases, services, or website, or to take precautions against legal liability, we may use your PI.
- Where the processing is necessary for the purposes of our legitimate business interests, taking into account individual interests, we may use your PI. Our legitimate business interests include providing PR and event management services, internal record-keeping and administrative purposes, and operating, maintaining and improving our website.
We do not and will not rent, sell or transfer your PI to vendors or third parties for marketing purposes. We may retain data, including PI, for as long as necessary to deliver our services or as needed for other lawful purposes.
Subject to applicable data protection laws, you have the following rights with respect to TCG’s handling of Personal Information:
- Access. The right to access your PI held by TCG.
- Opt-Out. The right to object to certain processing of PI (unless TCG has overriding compelling grounds to continue processing), including the right to opt-out of receiving direct marketing. We will, however, continue to use PI for the limited purpose of communicating important notices relating to changes to services, and other reasons permitted by law.
- Rectification. The right to request correction of PI that is incomplete, incorrect, unnecessary or outdated.
- Right to be Forgotten. The right to request erasure of all PI that is incomplete, incorrect, unnecessary or outdated within a reasonable period of time. TCG will do everything reasonably possible to erase PI if a user or client so requests. However, TCG will not be able to erase all PI if it is technically impossible due to limitations of existing technology or for legal reasons, such as where TCG is mandated by applicable law to retain PI.
- Restriction of Processing. The right to request restriction of processing PI for certain reasons, such as the inaccuracy of PI.
- Data Portability. If requested, TCG will provide PI in a structured, secure, commonly used and machine-readable format.
- Right to Withdraw Consent. If PI is processed solely based on consent, and not based on any other legal basis, users and clients can withdraw consent at any time.
To exercise any of the above listed rights, email TCG’s Information Security Manager at firstname.lastname@example.org, or via mail to The Castle Group, Inc., 38 Third Avenue, Charlestown, MA 02129, Attn: Privacy. TCG will process requests in accordance with applicable law and within a reasonable period of time.
Information Security Manager
Wendy Spivak, Treasurer of TCG, is the designated Information Security Manager for TCG. She is responsible for:
- Drafting this policy and ensuring it is kept up to date.
- Training staff on this policy and any other relevant information security procedures.
- Monitoring compliance with this policy, including staff, contractors, and any service providers impacted by this policy.
- Ensuring vendors with whom we share PI maintain the safekeeping of the information and are compliant with our policy.
- Ensuring implementation of technical and procedural controls contained within this policy that are designed to protect PI.
- Reviewing this policy at least annually to ensure it continues to meet applicable laws and technical and procedural controls remain current.
Personal Information Risk Assessment
We have evaluated the storage and handling of PI by our employees, partners, and vendors and have implemented the following controls to ensure PI is appropriately protected:
- Electronic PI maintained by TCG is stored on a central company file server, which is physically secured from unauthorized access. All PI in electronic form stored on the central file server is protected by Access Control Lists that allow access only to authorized users.
- The company network is protected by an ICSA-certified network firewall.
- All company computer systems are also protected by a local software firewall as part of the Symantec Endpoint Protection (SEP) suite, which is deployed to all computer systems on the company network and provides real-time monitoring of potential threats. The SEP software is connected to the Symantec Small Business cloud service and is automatically updated with new virus and anti-malware definition files. The SEP software conducts periodic scans of all endpoints.
- The company file server is also protected by Malwarebytes and Avast File Server security software.
- Paper records containing PI are kept in locked file cabinets within the Information Security Manager’s office, which is also locked during non-business hours.
- Access to TCG computers and file server resources is controlled via username and password. Passwords are changed periodically, and strong passwords as defined by an Active Directory policy are enforced.
- Employees are required to keep their account credentials confidential and sharing of account and account credentials is not permitted.
- Password complexity and length rules, history limitations, and periodic password change requirements have all been implemented.
- Automatic account lockout has been configured to counter brute force password attacks.
- Remote connections to the TCG network via VPN are not permitted.
- Account auditing is configured on the company file server.
- Audit logs, firewall logs, antivirus logs, and malware protection logs are routinely reviewed to assess risks to company systems.
- The Symantec Endpoint Protection suite is configured to provide proactive email alerts to the Information Security Manager and the company’s IT consultant when any threats are detected by Symantec services.
- When PI needs to be transferred to or from a service provider or client, the information is encrypted: by TLS when the transfer is by email, by SSL encryption when information is transferred through a web application, by the use of file encryption services, or by some combination of these methods.
- We assess any service providers that may have access to the PI of our staff, contractors, or vendors to ensure they have appropriate data privacy policies and controls in place.
- Our staff are trained on this policy and are also required to review publicly available training related to safe computing practices.
- All staff and contractors are required to promptly report any suspected data breach or suspicious activity to the Information Security Manager.
In the event a data breach is detected, our Information Security Manager will be responsible for assessing the breach and taking the necessary measures to secure PI. They will also be responsible for determining the need for, and coordinating, any notification to impacted parties and/or law enforcement and regulators in accordance with applicable law. Data breach events will be documented and reviewed, and an analysis of each breach will be used to determine any changes required to improve information security. The Information Security Manager may engage outside legal, compliance, information technology, security, or other resources as required to respond to a data breach.