The directors and employees of the Bank of Cave City believe that one of our most valuable assets is the trust and confidence our customers place in us. We take our customers' privacy and the protection of their non-public information very seriously. Reprinted below is the Bank of Cave City's Customer Information Security Policy.
Our primary goal is to protect the security, confidentiality, and privacy of our customer information. We will also protect against any anticipated threats and hazards to the security and integrity of customer information. Lastly, it is our objective to protect against unauthorized access to or use of customer information that might result in harm or inconvenience to any customer.
The Board of Directors of The Bank of Cave City acknowledges its business and consumer customers’ expectations that their financial and personal information is private. The Board also acknowledges the legal restrictions on the disclosure of non-public personal information. It is the bank’s policy not to disclose such information unless disclosure is:
1. Required by Law
2. Specifically allowed by Law.
3. Requested by the Customer, directly or indirectly.
Standard objectives are to:
1. Ensure the security and confidentiality of customer information.
2. Protect against any anticipated threats or hazards to the security or integrity of such information.
3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer
RECOGNITION OF A CUSTOMER’S EXPECTATION OF PRIVACY
We believe the confidentiality and protection of customer information is one of our fundamental responsibilities. And while information is critical to providing quality service, we recognize that one of our most important assets is our customers’ trust. Thus, the safekeeping of customer information is a priority for Bank of Cave City.
We recognize and respect the privacy expectations of our customers and explain principles of financial privacy in an appropriate fashion.
USE, COLLECTION AND RETENTION OF CUSTOMER INFORMATION
We collect, retain, and use information about customers only where we reasonably believe that it will help administer our business or provide products or services. We collect and retain customer information only for specific business purposes and upon request will inform customers why we are collecting and retaining the information. We use information to protect and administer records, accounts, and funds; to comply with certain laws and regulations; to help us design or improve our products and services; and to understand the financial needs of our customers. Customer information is defined as any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.
MAINTENANCE OF ACCURATE INFORMATION
Accuracy of information is a major concern for customers. Data accuracy is important not only for each customer, but also in maintaining our reputation and reducing risks arising from reporting erroneous data about customers. Customers will be allowed to access collected information and review it for potential errors. For each customer request pertaining to potential errors, researching lost data, and/or providing opportunities to review data profiles for a specific product or service, data confidentiality and verification of customer identity must be assured. Bank management and staff must ensure the identity of the individual or customer requesting data information through a variety of questions, etc. (last deposit date, SS#, address, mother’s maiden name, or written request signed by the customer). Information that is inaccurate, incomplete or dated will receive immediate attention and will be updated within 48 hours of receipt of correct data.
LIMITATIONS ON EMPLOYEE ACCESS TO INFORMATION
Each employee is trained and briefed that confidential information obtained through or as a consequence of any connection with the Bank must be limited to the proper conduct of the Bank’s business. Each employee will be required to sign a privacy statement which is included as part of the “Information Systems/Processing Systems Operations Policy.” Because of the importance of this issue, all Bank of Cave City employees are responsible for maintaining the confidentiality of customer information, and employees who violate these Privacy Principles will be subject to disciplinary measures.
PROTECTION OF INFORMATION VIA ESTABLISHED SECURITY PROCEDURES
We will safeguard information according to established security standards and procedures, and we will continue to assess new technology for protecting information. Employees will be trained to understand and comply with these information principles.
In addition, employees will be required to comply with safeguards as instructed in our Bank’s “Information Systems/Processing Systems Operations Policy.”
Please refer to the Incident Response Policy for further procedures.
RESTRICTIONS ON THE DISCLOSURE OF ACCOUNT INFORMATION
We will not reveal specific information about customer accounts or other personally identifiable data to unaffiliated third parties unless: 1) the information is provided to help complete a customer-initiated transaction; 2) the customer requests it; 3) the disclosure is required by or allowed by law (i.e., subpoena, investigation of fraudulent activity, request by regulator, etc.); or 4) the information is provided to third parties for use by the third party to perform services for, or functions on behalf of, the financial institution.
MAINTAINING CUSTOMER PRIVACY IN BUSINESS RELATIONSHIPS WITH VENDORS AND OTHER THIRD PARTIES
Vendors and other independent third parties that provide support or services in conjunction with Bank of Cave City’s banking activities will be required to enter into an agreement that details the vendor’s responsibilities pertaining to data security and privacy. A bank officer will be required to review and sign each agreement. Annual due diligence reviews of vendors and servicers will be conducted and addressed in the IT minutes.
COMMUNICATING PRIVACY INFORMATION TO CUSTOMERS
Bank of Cave City must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. The establishment of a customer relationship will occur when the bank and consumer enter into a continuing relationship; at this time, an initial notice must be provided. Bank of Cave City may reasonably expect a consumer has received actual notice of its privacy policies and procedures if the detailed notice is handed in printed format to the customer.
Initial notices are not required to be given to a consumer who approaches the bank for information about pre-qualifying for a product or service, since the bank does not:
1. Disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized per the
2. Have a customer relationship with the consumer
If two or more consumers jointly obtain a financial product or service, the bank may satisfy the regulation requirements by providing one initial notice to those consumers jointly.
Existing customers also represent another disclosure focus consideration and therefore specific control. When an existing customer obtains a new financial product or service from the bank that is to be used for personal, family, or household purposes, the bank satisfies the initial notice requirement if:
1. The bank provided an initial, revised, or annual notice to the customer which was accurate with respect to the new financial product or service (the bank does not need to provide a new privacy notice); or
2. The bank provided a revised policy notice that covers the customer’s new financial product or service
On an annual basis, not less than every 12 months, Bank of Cave City will provide to those customers with a continuing consumer relationship a privacy disclosure.
The bank will provide a notice annually as management has adopted the term of the 12-consecutive-month period as a calendar year. Accordingly, the bank shall provide the annual notice to the customer once in each calendar year following the calendar year in which the bank provided the initial notice. Accordingly, if a customer opens an account on any day of year 1, the bank must provide an annual notice to that customer by December 31 of the following year.
Management has also chosen to provide the annual privacy notice as a statement stuffer each year for each customer that maintains a checking or savings account. Customers who do not maintain such accounts will receive the notice in a separate mailing.
The bank is not required to provide an annual notice to former customers.
In addition, the regulation notes that a bank does not have a customer relationship with a consumer under the special rule of loans, e.g., if the bank subsequently transfers the servicing rights to a loan to a consumer for personal, family, or household purposes, the customer relationship transfers with the servicing rights, then the bank does not have to provide an annual notice to that consumer under this section.
The notice must be provided in a clear, conspicuous manner to each customer.
The privacy notice provided initially, and in subsequent annual issuances, will contain the following information:
1. Categories of nonpublic personal information that the bank collects.
2. Categories of nonpublic personal information that the bank discloses.
3. Details on Bank of Cave City’s policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.
Each employee of Bank of Cave City has a need to work with information, but is not granted free access to all types of personal information outside the “need to know to do their job” requirement.
Any employee of Bank of Cave City who violates information security or online privacy codes will be referred to their supervisor, with a report to the bank President.
Security breaches are not acceptable. Depending on the severity of the security breach and the related issues, an employee may receive an initial warning, be placed on probation, or be terminated immediately. Each situation will be judged on a case-by-case basis.
Please refer to the Incident Response Policy for further procedures.
DISPOSAL OF CUSTOMER INFORMATION AND CONSUMER INFORMATION
The Bank has entered into a contract with a shredding disposal company to shred and dispose of all material containing the Customer and Bank’s information. Locked containers are maintained in a locked storage building to collect shredding material prior to disposal. A locked container is kept inside the Bank for daily collection of shred material.
Management and staff will receive training annually on the entire customer information security program including privacy. This training will be provided annually as a refresher to all management and staff. It is critical that new hires receive this training before having access to any customer information. Training schedules will be established and monitored by the security officer.
AUDIT AND INTERNAL COMPLIANCE
The Bank of Cave City internal auditor is charged with responsibility for an annual review of all banking activities, related controls, training support, supporting operations and related policies and procedures, internal reporting systems, and management’s follow-up on previously cited exceptions. Continued annual testing of the customer information security program will be performed by an independent auditor.
As part of this audit scope, specific procedures will address consumer data protection and privacy. Audit reports will be issued to the Board of Directors and President.
Bank of Cave City’s security officer will maintain an ongoing regulatory compliance monitoring system regarding customer data protection/privacy, which will address compliance with various laws, regulations, and interpretations.
OTHER COMPLIANCE CONSIDERATIONS
Bank of Cave City must not, directly, indirectly, or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account to a nonaffiliated third party that intends to use the information for telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
No part of the privacy regulations should be construed, however, to modify, limit, or supersede the operation of the Fair Credit Reporting Act.
State laws that provide greater protection to consumers than these regulations take precedence.