Written comprehensive information security program (“WISP”)
4 Buyers Real Estate.
Effective March 1, 2010
For purposes of this WISP, “personal information” means a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
I. 4 Buyers Real Estate and its agents have made efforts to limit the amount of personal information to the bare minimum necessary to do the business of real estate. We do not collect personal information listed above with the exception of these items:
1. Checking account numbers on retainer and transaction binder checks.
2. Last 4 digits of account numbers for verification of deposit or purchase funds.
II. Handling of private information will be done as follows:
1. All checks will be held in our personal possession or locked in the office until transferred to the seller or seller’s agent. Only Rona Fischman, Dianne Schaefer, Ronald Rothenberg, Dave Twombly, Anna Matveyckuk and Catherine Gillespie will have access to this cabinet.
2. Copies of checks will be made with account numbers covered. Copies of checks will be sent as a PDF by email or by fax to a fax number located in an individual office (no faxes will be sent to machines where many individuals may access the printouts.) These check copies will be sent only to other licensed agents, attorneys or lender personnel for the purpose of transacting business. Encrypted email will be used whenever possible.
3. Copies of checks will be shredded within 5 business days of closing.
4. Electronic copies of checks (PDF copies) will be purged from all business machines within 5 business days of closing.
B. Social security numbers:
1. We do not collect Social Security numbers.
2. In the event that the listing firm requires a signed W-9 form, which will have the client’s social security number and name, that form will be treated in the same manner as checks (II.A., above.)
3. We encourage our clients not to put their social security number on their Purchase and Sales Agreement if there is a line created in the document for this information.
III. Agents will maintain computer equipment with generally recommended levels of firewall protection. Agents will use the locked cabinet in the office. While in the middle of a transaction where a check needs to be in the agent’s possession, agents will store papers in a briefcase, which will be in a locked car or home whenever possible.
IV. Email and phone information will be used for communication regarding real estate transactions, related house care communication and occasional notice of events or promotions done by our company. 4 Buyers Real Estate does not share any email or phone information about our clients with any third parties.
V. This WISP policy is enforced by Rona Fischman, Broker owner, in the following ways:
All agents will be trained in the policy annually.
Agents may be asked to present their mobile written files at any time. If copies of checks or social security numbers are in these files, a written warning will be issued. Agents who fail to secure their copies of checks three times in a calendar year will be dismissed.
VI. In the event of a breach, the client will be notified by phone or email, followed up by a written apology. Any banking fees due because of stopped checks or reprinting checks with a new number will be paid for by 4 Buyers Real Estate.
DATA SECURITY COORDINATOR:
We have designated Rona Fischman to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:
a. Initial implementation of the WISP;
b. Training employees;
c. Regular testing of the WISP’s safeguards;
d. Evaluating the ability of each of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, consistent with 201 CMR 17.00; and requiring such third party service providers by contract to implement and maintain appropriate security measures;
e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information;
f. Conducting an annual training session for all owners, managers, employees and independent contractors.