Cash Witthaus complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Cash Witthaus has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Cash Witthaus’ certification, please visit http://www.export.gov/safeharbor/
Cash Witthaus deems the following confidential data: Employee or customer social security numbers or personal information, medical and healthcare information, electronic Protected Health Information (EPHI), customer data, company financial data (if company is closely held), sales forecasts, product and/or service plans, details, and schematics, network diagrams and security configurations, communications about corporate legal matters, passwords, bank account information and routing numbers, payroll information, credit card information, information regarding private networks Cash Witthaus has been granted access to. Please note that this list is not exhaustive but can provide information regarding what type of information Cash Witthaus deems confidential.
Users of the Cash Witthaus network are expected to adhere to the company’s standards involving the treatment of confidential data. The following is a brief explanation of how CW network users must interact with confidential data:
• Users must be advised of any confidential data to which they have been granted access. Such data must be marked or otherwise designated “confidential.”
• Users must only access confidential data to perform their job function.
• Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information.
• Users must protect any confidential information to which they have been granted access and not reveal, release, share, email unencrypted, exhibit, display, distribute, or discuss the information unless necessary to do his or her job or the action is approved by his or her supervisor.
• Users must report any suspected misuse or unauthorized disclosure of confidential information immediately to his or her supervisor.
• If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties’ use of confidential information. Refer to the company’s outsourcing policy for additional guidance.
• If confidential information is shared with a third party, the company must indicate to the third party how the data should be used, secured, and destroyed. Refer to the company’s outsourcing policy for additional guidance.
Data classified as confidential requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:
• Strong Encryption. Strong encryption must be used for confidential data transmitted internally or externally to the company. Confidential data must always be stored in encrypted form, whether such storage occurs on a user machine, server, laptop, or any other device that allows for data storage.
• Network Segmentation. The company must use firewalls, access control lists, or other security controls to separate the confidential data from the rest of the corporate network.
• Authentication. Two-factor authentication must be used for access to confidential data.
• Physical Security. Systems that contain confidential data, as well as confidential data in hardcopy form, should be stored in secured areas. Special thought should be given to the security of the keys and access controls that secure this data.
• Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
• Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Fax machines should be set to print a confirmation page after a fax is sent, and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
• Emailing. Confidential data must not be emailed inside or outside the company without the use of strong encryption.
• Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information. When sent inside the company, confidential data must be transported in sealed security envelopes marked “confidential.”
• Discussion. When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
• Confidential data must be removed from documents unless its inclusion is absolutely necessary.
• Confidential data must never be stored on non-company-provided machines (e.g., home computers).
As Cash Witthaus is a meeting planning company, personal information is obtained from the individuals planning to attend said meeting, or their respective employers. Individuals can choose whether they would like to share their personal information with Cash Witthaus and its vendors. In the event that a person chooses not to share their information, Cash Witthaus will work with its client to figure out the best way to proceed with that particular invitee.
Confidential data must not be A) shared or disclosed in any manner to non-employees of the company or its vendors, B) posted on the Internet or any publicly accessible systems, or C) transferred in any insecure manner. Please note that this is only a brief overview of how to handle confidential information, and that other policies may describe the proper use of this information in more detail.
If a security incident or breach of any security policies is discovered or suspected, the user must immediately notify his or her supervisor and/or follow any applicable guidelines as detailed in the corporate Incident Response Policy. Examples of incidents that require notification include:
• Suspected compromise of login credentials (username, password, etc.).
• Suspected virus/malware/Trojan infection.
• Loss or theft of any device that contains company information.
• Loss or theft of ID badge or keycard.
• Any attempt by any person to obtain a user’s password over the telephone or by email.
• Any other suspicious event that may impact the company’s information security.
Users must treat a suspected security incident as confidential information, and report the incident only to his or her supervisor. Users must not withhold information relating to a security incident or interfere with an investigation.
Cash Witthaus is committed to resolving any question or complaint, and we encourage you to raise any concerns or complaints directly with us by sending us an email at firstname.lastname@example.org. This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities. Cash Witthaus will cooperate and comply with the EU DPAs and the Swiss FDPIC to investigate unresolved complaints involving Cash Witthaus human resources data, and will use a specific private-sector-developed dispute resolution mechanism to investigate unresolved complaints involving other types of data (e.g., client and customer data).
Data is retained only as long as necessary and is backed up frequently to ensure data is not lost. Data to be backed up will include:
• All data determined to be critical to company operation and/or employee job function.
• All information stored on the corporate file server(s) and email server(s). It is the user’s responsibility to ensure any data of importance is moved to the file server.
• All information stored on network servers, which may include web servers, database servers, domain controllers, firewalls, and remote access servers, etc.
Cash Witthaus does not withhold confidential data from the organization, or persons, to which it pertains. Should a corporation or person wish to access the confidential data Cash Witthaus holds about it/them, they can contact email@example.com or call 480-444-1111 to discuss accessing such information.
*Please note that, as stated above, this is not the entirety of the Cash Witthaus data security policy; it is meant only to briefly summarize the guidelines Cash Witthaus and its employees adhere to. Should you wish to see the full policy or inquire further about Cash Witthaus’ adherence to the Safe Harbor principles, please email firstname.lastname@example.org or call 480-444-1111.