Freeman takes the privacy of our clients’ personal data very seriously, and we have developed a comprehensive information security program that allows us to protect personally identifiable information in a secure, managed environment that is protected from unauthorized access, use or disclosure. Freeman’s information security team strives to continuously improve this program as technology and threats to data security evolve. The key aspects of this program are described below for your reference.
Freeman conducts routine internal and external assessments to ensure that our systems and processes adequately meet expected thresholds of compliance with our regulatory and contractual obligations. For example, Freeman adheres to PCI-DSS standards and has a third-party PCI assessment performed annually. Freeman also adheres to data privacy protections as required by the EU GDPR and US state privacy laws, such as CCPA. As new privacy laws take effect, Freeman will continue to work with clients and data subjects to stay committed to compliance.
Freeman has published security policies, standards and procedures that cover safe handling and protection of data and refreshes this documentation annually. Freeman employees are required to take annual Security Awareness training, and background screening is performed as part of the hiring process. Freeman limits access to sensitive information and logs access to that data. Systems are in place to monitor and alert staff to potential security incidents. Change management standards are followed to ensure that changes to network and systems are tested, reviewed and approved prior to implementation. Freeman also provides industry-standard contractual protections that are generally sufficient to permit clients to transfer data to Freeman or its permitted third parties under GDPR and CCPA. Disclosure and data subject rights requests are available as well.
Cutting Edge Technology
Where possible, Freeman takes advantage of available technology to maintain critical characteristics of a secure environment. Freeman’s systems reside in a highly secure enterprise-class data center that complies with PCI-DSS and SSAE 16 controls. Freeman’s systems are protected by layers of firewalls, designed for redundancy, and protected by Intrusion Prevention System (IPS) controls, security monitoring and regular patching and vulnerability testing. If personal information (such as a credit card number) is transmitted to any Freeman website, it is done using Transport Layer Security (TLS) encrypted protection. Freeman’s laptops are also encrypted.
The California Consumer Privacy Act (“CCPA”) goes into effect January 1, 2020. It is similar to the GDPR that the EU passed in 2018.
1. Who and What are Governed by CCPA?
The CCPA applies to companies like us, with operations in California and revenue over $25 million.
The CCPA protects California residents and businesses, which the law refers to as “Consumers”.
2. Key Differences from GDPR
Notification to Consumers
We must tell Consumers
• What categories of PII we are collecting from them (e.g., name, banking information, address, etc.)
• Our intended use for their PII (e.g., to bill you, to process your orders, etc.)
Use of PII
We cannot collect PII for one purpose and use it for another later on.
Be sure to only retain PII for as long as you need it.
Selling Personally Identifiable Information (“PII”)
The law requires companies to:
• Explicitly tell Consumers if we are selling their PII
• Give them the opportunity to opt-out of us selling their PII
• Have a “Do Not Sell My Personal Information” link on our website if our website collects PII to sell
• Not ask them for permission to sell their PII for 12 months after they opt-out
*We have not identified areas where we are selling PII, but if you know of any please contact [email protected]
Penalties
$2,500 – $7,500 per violation