AMERICAN SOCIETY OF ANIMAL SCIENCES, INC.
It is the objective of American Society of Animal Sciences, Inc. (“ASAS”) in the development and implementation of this comprehensive information security program (“CISP”) to create effective administrative, technical and physical safeguards for the protection of personal information, and to comply with obligations under 201 CMR 17.00. This CISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information. For purposes of this CISP, “personal information” means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such individual: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. ASAS generally acquires personal information in connection with hiring employees and payroll, and in accepting donations and conference fees from members and the public.
The purpose of the CISP is to:
- Ensure the security and confidentiality of personal information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
III. DATA SECURITY COORDINATOR
ASAS appoints Jacelyn Hemmelgarn to be its Data Security Coordinator. The Data Security Coordinator will be responsible for:
- Initial implementation of the CISP;
- Regular testing of the CISP’s safeguards;
- Evaluating the ability of each of ASAS’s third party service providers to implement and maintain appropriate security measures for the personal information to which ASAS permits them access, and requiring such third party service providers to implement and maintain appropriate security measures;
- Reviewing the scope of the security measures in the CISP at least annually, or whenever there is a material change in ASAS’s business practices that may implicate the security or integrity of records containing personal information; and
- Conducting an annual training session on the elements of the CISP for all directors, officers, employees, volunteers and independent contractors, including temporary and contract employees, who have access to personal information.
IV. HANDLING PERSONAL INFORMATION
A. Paper Records
All paper records containing personal information shall be kept in a locked file cabinet with restricted access. Paper records will be destroyed regularly in accordance with ASAS’s document destruction policy using an office-grade shredder. Records containing personal information may not be taken out of the office and may be accessed only by personnel with a business necessity. Checks that need to be transported from the office to the bank may be sent by US mail or hand delivered by the responsible employee, and if hand delivered, will not be left unattended at any point in transit.
Checks. When ASAS receives checks from conference registrants or donors, it will make only one hard copy and keep it in a locked file cabinet with restricted access. The checks themselves will also be kept under lock and key until they are deposited.
Paper employment records. Paper employment records must be kept under lock and key and accessed only by staff members responsible for employment issues and/or by the Chief Operating Officer or by the Chief Executive Officer.
B. Electronically Held Records
ASAS requires the following security systems with respect to the maintenance of personal information on its computers:
Authentication Protocols. The Data Security Coordinator shall secure user authentication protocols including:
- Control of user IDs and other identifiers;
- A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- Restricting access to active users and active user accounts only; and
- Blocking access to user identification after multiple unsuccessful attempts to gain access.
Access Protocols. The Data Security Coordinator shall implement the following secure access control measures:
- Restrict access to records and files containing personal information to those who need such information to perform their job duties; and
- Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
Restriction on E-mailing Personal Information. ASAS will not, as a general rule, send or accept personal information by e-mail. To the extent exceptions must be made, the security measures described in this CISP shall be taken.
Encryption. Should any records and files containing personal information be transmitted across public networks or wirelessly, such records or files shall be encrypted. Personal information stored on laptops and other portable devices shall also be encrypted.
Monitoring. ASAS shall take all steps necessary to reasonably monitor its computer network for unauthorized use of or access to personal information.
Firewalls. All files containing personal information on a system that is connected to the Internet shall be protected by reasonably up-to-date firewall protection and operating system security patches designed to maintain the integrity of the personal information.
Virus protection. All computers containing personal information shall be protected by reasonably up-to-date versions of system security agent software, including malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
ASAS routinely shares personal and financial information with its payroll service, its CPA firm, legal counsel, and credit card vendors. ASAS requires each of these organizations to send written evidence, signed by an authorized person, confirming that they follow a security plan that fully complies with 201 CMR 17.
The Data Security Coordinator shall ensure that all employees, whether full-time, part-time, seasonal or temporary, and independent contractors, consultants and volunteers who have access to personal information are trained on the data security requirements provided in this CISP.
VI. PERSONS SEPARATING FROM ASAS
All employees, whether full-time, part-time, seasonal or temporary, and independent contractors, consultants and volunteers upon termination or resignation shall immediately be denied access to physical and electronic records containing personal information and will be required to return or destroy all records and files containing personal information in any form that may at the time of such termination or resignation be in their possession or control, including all such information stored on laptops, portable devices, or other media, or in files, records, notes, or papers.
VI. SECURITY BREACH AND NOTIFICATION
All employees, whether full-time, part-time, seasonal or temporary, and independent contractors, consultants and volunteers, shall as soon as practicable and without unreasonable delay notify the Data Security Coordinator when such person knows or has reason to know of a security breach or when the person knows or has reason to know that personal information was acquired or used by an unauthorized person or used for an unauthorized purpose.
A “security breach” is any unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information and creates a substantial risk of identity theft or fraud. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for lawful purposes, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
When the Data Security Coordinator is informed of a security breach, he/she will (1) notify the individual whose information was compromised, and (2) notify the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation.
The notice to the individual will be in writing, possibly by electronic mail, and will include the following information:
- A general description of the incident;
- Identification of the personal information that may be at risk;
- A description of ASAS’s security program;
- A phone number to call within ASAS for further information;
- Suggestion of extra caution, to review account statements, and to obtain a credit report; and
- Phone numbers and addresses of the Federal Trade Commission, state agencies that may be of assistance, and major consumer reporting agencies.
The notice will not be provided if law enforcement personnel advise against it.
The notice to the Office of Consumer Affairs and Business Regulation and to the Attorney General will include the following:
- A detailed description of the nature and circumstances of the breach of security;
- The number of people affected as of the time of notification;
- The steps already taken relative to the incident;
- Any steps intended to be taken relative to the incident subsequent to notification; and
- Information regarding whether law enforcement is engaged in investigating the incident.
Non-Retaliation. ASAS will not retaliate against anyone who reports a security breach or non-compliance with CISP, or who cooperates in an investigation regarding such breach or non-compliance. Any such retaliation will result in disciplinary action by ASAS up to and including suspension or termination.
Documentation. ASAS shall document all responsive actions taken in connection with any incident involving a security breach.