STATEMENT OF NEED AND PURPOSE
The Columbia Bank board of directors recognizes that in the financial services industry there is a common interest in protecting consumer and customer data. The privacy of nonpublic personal information is a significant concern when assessing the internal controls, procedures, and security programs of Columbia Bank. To minimize privacy breaches, we need to ensure that consumers are aware of Columbia Bank's privacy policies and practices and the general types of procedures used, to provide consumers with choices about the collection of such information, and to allow a "free flow" of information. Senior management and the board of directors have adopted a specific privacy notice to communicate the data sharing policies of the bank and to effectively meet specific regulatory requirements. The notice will assist consumers and customers with long-standing relationships with our bank in understanding the risks of information privacy. The notice will also provide each consumer with insights into our data sharing methods.
Through proper communication and by carefully monitoring all facets of transactions entered into, our customers and our institution will benefit. Our primary goal is to protect the privacy of consumers and our customers and, therefore, the integrity of the institution. The purpose of this policy includes setting the institution's privacy objectives and guidelines to ensure that various banking activities are conducted in a controlled and successful manner to protect consumer data.
Nonpublic personal information is nonpublic information about a customer that we obtain in connection with providing a financial product or service. For example, personal information includes information regarding an account balance, payment history and overdraft history.
We may disclose nonpublic personal information to our corporate affiliates and other nonaffiliated third parties under certain circumstances to provide account services. Any nonpublic personal information shared is shared in strict adherence to applicable law. We do not disclose any nonpublic personal information to anyone, except as permitted under law. In order to provide our customers with products or services that we believe may meet their financial needs, we may exchange limited nonpublic personal information with nonaffiliated firms that conduct marketing services on our behalf, or with other financial institutions in order to offer financial products or services pursuant to a joint agreement.
Such information includes:
- Information we receive from customers on an application or other forms, such as name, address, social security number, assets and income;
- Information about transactions with us, our affiliates or others, such as account balance and payment history; and
- Information we receive from a consumer reporting agency, such as information relating to creditworthiness and credit history.
The general objectives of this policy are to:
- Establish a formal and documented policy of Columbia Bank's data privacy and protection standards. The adopted policy shall serve as a specific guide for management and staff to use in the establishment and maintenance of necessary procedures and controls to ensure the protection of consumer data, and the control over data sharing as required, thereby ensuring awareness of data privacy as a constant priority for all management and staff.
- Establish guidance regarding conditions under which the institution may disclose nonpublic personal information about consumers to affiliated and nonaffiliated parties.
This policy is not designed to act as a substitute for sound risk analysis or judgment; the primary objective of the policy is to serve as a reference and guide to bank management and staff involved in administering Columbia Bank products and services affected by consumer information.
The specific goals of the policy are to:
- Establish privacy practices and procedures by division and by department to protect the privacy of consumer data.
- Establish division and departmental internal controls for proper notice of compilation, storage, retrieval, transmission, and release of consumer information.
- Ensure compliance with appropriate laws and regulations.
- Provide alternative or secondary methods to further ensure that controls and procedures are effective in protecting customer data and privacy. Furthermore, when creating new bank services that may be provided in person, by mail, through voice communications, or electronically (or result in electronic transmissions), Columbia Bank will ensure required procedures, controls, and backup monitoring techniques are in place before introducing new products or services.
- Institute consumer and customer awareness of the bank's commitment to information privacy principles.
- Challenge bank management and staff to personally accept responsibility for consumer information privacy and, therefore, take the utmost care in processing, storing, transmitting, releasing, or destroying consumer and customer data.
Definitions used in this policy are consistent with terms and information used in industry documents and regulatory issuances related to privacy elements in the financial services industry as well as electronic commerce. Significant definitions that may be of assistance in implementing and addressing the requirements of this policy are provided as Attachment A.
STATEMENT OF CONSUMER PRIVACY
To assist each Columbia Bank customer (existing or potential) in understanding general banking and, specifically, electronic banking online security and privacy issues, a privacy disclosure notice will be created. This notice will also provide each consumer with an explanation of the information we collect and the information we disclose. This statement will reflect the bank's consumer privacy principles.
PROVIDING ANNUAL CUSTOMER PRIVACY NOTICE
On an annual basis, Columbia Bank will provide to those customers with a continuing customer relationship a customer privacy notice. This notice must be provided in a clear, conspicuous manner to each customer. However, it is acceptable to provide a single notice for joint accountholders.
The bank will not disclose directly, or through any affiliate, any nonpublic personal information about a consumer to a nonaffiliated third party unless the bank has provided the consumer with an initial notice.
DATA SECURITY FOCUS POINTS
Management and staff have been assigned passwords and identification codes that provide for levels of information access. Employees of Columbia Bank have a need to work with information, but are not granted free access to all types of personal information outside the "need to know to do their job" requirements. Employees should refer any unusual requests for information about customers to their supervisors.
CUSTOMER COMPLAINTS AND RESOLUTIONS
Formal procedures will be developed by departments to document receipt of any customer privacy complaint, privacy exception or privacy security violation for follow-up. Departments will retain documents on file following resolution of complaints, exceptions or security violations on privacy.
VENDORS AND OTHER THIRD PARTIES
Vendors and other independent third parties that provide support or services in conjunction with Columbia Bank's banking activities will be required to have confidentiality clauses in their service contracts. These clauses will bind the parties to the same standards and level of data confidentiality and controls as those instituted by Columbia Bank. Each vendor or third party that provides support services will be asked to provide proof of bonding or insurance.
OTHER COMPLIANCE CONSIDERATIONS
No part of the privacy regulations should be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act.
State laws that are not consistent with the provisions of this policy and which provide greater protection to consumers will take precedence.
AUDIT AND INTERNAL COMPLIANCE
Columbia Bank's internal audit department is charged with responsibility for an annual in-depth review of all consumer privacy matters.
Audit reports will be issued to Columbia Bank's impacted departments, and the audit committee of Columbia Bank's board of directors.
Attachment A: Glossary
Affiliate
Any company that controls, is controlled by, or is under common control with another company.
Authentication
The process of proving the claimed identity of an individual user, machine, software component, or any other entity.
Authorization
The process of determining what types of activities are permitted. As a general practice, authorization is used in conjunction with authentication; once authenticated as a user, there may be authorized levels of access or types of activity.
Clear and Conspicuous
A notice of information that is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. For example, information contained in the notice would be in clear, concise sentences, paragraphs, and sections. Short explanatory sentences and bullet lists would be used where possible. Other specific insights and guidelines are provided as part of the regulation.
Collect
The process of obtaining information that is organized or retrievable on a personally identifiable basis, regardless of the source of the underlying information.
Company
Any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.
Consumer
An individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. The regulation provides insight into the methods by which a financial institution may obtain nonpublic personal information.
Consumer Reporting Agency
Same as the definition in the Fair Credit Reporting Act (15 USC 1681a(f)), which defines it as anyone who might render a consumer report as defined by the act. Consumer reports are usually defined as reports, written or oral, that provide insights into a consumer's credit standing, character, credit capacity, general reputation, personal characteristics, or mode of living.
Control
- Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
- Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or
- The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company.
Cryptography
Principles, techniques, and methods for rendering information unrecognizable and then for restoring encrypted information to intelligible form.
Customer
A consumer who has a customer relationship with a financial institution, per regulatory guidelines.
Customer Relationship
A continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. Specific examples are provided in the regulation, which sets out what would be a continuing customer relationship vs. a relationship that no longer exists.
Encryption
The process of scrambling data by a device or encoding principle (mathematical algorithms) so that the data cannot be read without the proper codes for unscrambling the data.
Financial Institution
Any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as detailed in section 4(k) of the Bank Holding Company Act of 1956 (12 USC 1843(k)).
Financial Product or Service
Any product or service that a financial institution could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 USC 1843(k)).
Financial Service
Includes a bank's evaluation, brokerage, or distribution of information that the bank collects in connection with a request or an application from a consumer for a financial product or service.
One of the eight federal regulatory agencies responsible for enforcing the act, as well as state insurance authorities.
Nonpublic Personal Information
Personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information that is derived using any personally identifiable financial information). Nonpublic personal information would not include any list, description, or other group of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.
Password
A unique word or string of characters that a programmer, computer operator, or user must supply to satisfy security requirements before gaining access to a system or data.
Personally Identifiable Information
Any information that is provided by a consumer to a financial institution with regard to a financial product or service from the institution; results from any transaction involving a financial product or service between the institution and the consumer; or that is otherwise obtained about a consumer in connection with providing a financial product or service to that consumer.
A reasonable basis to believe that information is lawfully made available to the general public exists if the bank has taken steps to determine that the information is of the type available to the general public and whether an individual can direct that the information not be made available, and, if so, that the consumer has not done so.
Personal Identification Number
A sequence of digits used to verify the identity of a device holder.
Privacy
With respect to a payment system, the principle that no information that might permit determination of transactions may be collected without the consent of the counterparties involved.
Publicly Available Information
Any information that is lawfully made available to the general public from federal, state, or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state, or local law.
Real Time Monitoring
Monitoring of activity as it occurs rather than storing the data for later review.
Web Site
The collection of an entity's home page and other proprietary pages located on the World Wide Web.