Access Security Requirements

  1. ONLINE ACCESS.
    1. As part of the Services, Agency may make available, on a commercially reasonable basis, access to Agency’s online REPORTING SYSTEM, the features and functions of which may change from time to time as determined solely by Agency.
    2. If a user accessing the REPORTING SYSTEM leaves the employ of Customer, Customer acknowledges that until Customer has disabled the user in the REPORTING SYSTEM or submitted a written request to Agency to disable the user, any previously created Usernames and Passwords remain active and will permit access to the REPORTING SYSTEM. Customer is fully liable for any and all acts and omissions of Customer’s agents and representatives.
    3. Agency shall not be liable for any Customer information being disclosed as a result of an outside third party accessing Agency’s or Customer’s computer systems without either party’s authority (i.e., hackers).
    4. The REPORTING SYSTEM, ideas, methods of operation, processes, know-how, aesthetic aspects, documentation, sub-systems and modules included in or relating to the REPORTING SYSTEM, the graphical user interfaces for the REPORTING SYSTEM, and the look and feel of the REPORTING SYSTEM are proprietary materials which contain valuable trade secrets of Agency and all intellectual property rights to the REPORTING SYSTEM are owned exclusively by Agency. Agency will retain title to all intellectual property and other rights related to the REPORTING SYSTEM. Customer will not disassemble, decompile, decode or reverse engineer the REPORTING SYSTEM.
    5. Customer and Agency agree that all usernames, passwords, and access information will be kept confidential and distribution will be limited to those with a legitimate business need to know. Customer further agrees to prevent, as reasonably practical, unauthorized viewing of consumer information through the REPORTING SYSTEM.
  2. DATA SECURITY.
    2. This Section applies to any means through which Customer orders or accesses the Services including, without limitation, system-to-system, personal computer or the Internet; provided, however, if Customer orders or accesses the Screening Services via the Internet, Customer shall fully comply with Agency’s connectivity security requirements specified in section 2.3 below. For the purposes of this Section, the term “Authorized User” means a Customer employee that Customer has authorized to order or access the Screening Services and who is trained on Customer’s obligations under this Agreement with respect to the ordering and use of the Screening Services, and the information provided through same, including Customer’s FCRA and other obligations with respect to the access and use of consumer reports.
    2. Customer will, with respect to handling consumer reports:
      1. Ensure only Authorized Users can order or have access to the Services,
      2. Ensure the Authorized Users do not order consumer reports for personal reasons or provide them to any third party except as permitted by this Agreement,
      3. Ensure that all devices used by Customer to order or access the Services are placed in a secure location and accessible only by Authorized Users, and that such devices are secured when not in use through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures,
      4. Take all necessary measures to prevent unauthorized ordering of or access to the Screening Services by any person other than an Authorized User for permissible purposes, including, without limitation, limiting the knowledge of the Customer security codes, member numbers, User IDs, and any passwords Customer may use, to those individuals with a need to know, changing Customer’s user passwords at least every ninety (90) days, or sooner if an Authorized User is no longer responsible for accessing the Services, or if Customer suspects an unauthorized person has learned the password, and using all security features in the software and hardware Customer uses to order or access the Services,
      5. In no event access the Services via any wireless communication device, including but not limited to, web enabled cell phones, interactive wireless pagers, personal digital assistants (PDAs), mobile data terminals and portable data terminals,
      6. Not use personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs, DVDs, software, and code) to store the consumer reports. In addition, consumer reports must be encrypted when not in use and all printed consumer reports must be stored in a secure, locked container when not in use, and must be completely destroyed when no longer needed by cross-cut shredding machines (or other equally effective destruction method) such that the results are not readable or useable for any purpose,
      7. If Customer sends, transfers or ships any consumer reports, encrypt the consumer reports using the following minimum standards, which standards may be modified from time to time by Agency: Advanced Encryption Standard (AES), minimum 128-bit key, or Triple Data Encryption Standard (3DES), minimum 168-bit key, encryption algorithms,
      8. Monitor compliance with the obligations of this Section 10, and immediately notify Agency if Customer suspects or knows of any unauthorized access or attempt to access the Screening Services. Such monitoring will include, without limitation, a review of each Agency invoice for the purpose of detecting any unauthorized activity,
      9. Not ship hardware or software between Customer’s locations or to third parties without deleting all Agency Customer number(s), security codes, User IDs, passwords, Customer user passwords, and any consumer information,
      10. Access, use and store the consumer reports only at or from locations within the territorial boundaries of the United States, US territories and Canada (the “Permitted Territory”). Customer may not access, use or store the consumer reports at or from, or send the consumer reports to, any location outside of the Permitted Territory without first obtaining Agency’s written permission,
      11. Inform Authorized Users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment, and
      12. Use commercially reasonable efforts to assure data security when disposing of any consumer report information or record obtained from Agency. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of Customer’s activities (e.g. the FTC, FDIC, NCUA) applicable to the disposal of consumer report information or records.
    3. Customer will, with respect to Customer’s network security:
      1. use commercially reasonable efforts to protect consumer report information when stored on servers, subject to the following requirements:
        1. consumer reports must be protected by multiple layers of network security, including but not limited to, firewalls, routers and intrusion detection devices;
        2. secure access (both physical and network) to systems storing consumer report information must include authentication and passwords that are changed at least every 90 days; and
        3. all servers must be kept current and patched on a timely basis with appropriate security-specific system patches, as they are available,
      2. use commercially reasonable efforts to protect Customer’s connection with dedicated, industry-recognized firewalls that are configured and managed to adhere to industry accepted best practices,
      3. may only hold consumer report information on an application server which can only be accessed by a presentation server, through one of the following:
        1. Dual or multiple firewall method (preferred) – this method consists of a firewall between the Internet and the presentation server(s) and another firewall between the presentation server(s) and the application server holding consumer report information. The network firewall should ensure that only the presentation server(s) is/are allowed to access the application server holding consumer report information,
        2. Single firewall method (acceptable) – when a dual firewall method is not feasible, a single firewall will provide acceptable levels of protection. The firewall should be installed between the Internet and the presentation server(s). Multiple interfaces to separate the presentation server(s) and the application server holding consumer report information are required. The firewall should be configured to allow only the presentation server(s) access to the application server holding Consumer Report information, or
      4. ensure that all administrative and network access to the firewalls and servers is through an internal network or protected extranet using strong authentication and encryption such as VPN and SSH,
      5. use commercially reasonable efforts to route communications from Customer’s internal services to external systems through firewalls configured for network address translation (NAT), and
      6. use commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review by Agency.
      4. If Agency reasonably believes that Customer has violated this Section, Agency may, in addition to any other remedy authorized by this Agreement, with reasonable advance written notice to Customer and at Agency’s sole expense, conduct, or have a third party conduct on its behalf, an audit of Customer’s network security systems, facilities, practices and procedures to the extent Agency reasonably deems necessary, including an on-site inspection, to evaluate Customer’s compliance with the data security requirements of this Section.
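The dual-firewall arrangement described in section 2.3.3 above (a firewall between the presentation server(s) and the application server holding consumer report information, configured so that only the presentation server(s) may reach the application server) can be expressed as a ruleset on that inner firewall. The following is an added illustration and is not part of the agreement nor any Agency-provided configuration; the addresses, service port and table name are assumed values for the example, and the host is assumed to be a Linux firewall forwarding traffic between the two tiers with nftables installed.

```nftables
#!/usr/sbin/nft -f
# Added example: inner firewall between the presentation tier and the
# application tier. Addresses, port and table name are assumptions.
flush ruleset

define PRESENTATION_SERVERS = { 10.10.1.10, 10.10.1.11 }  # assumed presentation server addresses
define APP_SERVER           = 10.10.2.20                  # assumed application server address
define APP_PORT             = 8443                        # assumed application service port

table inet inner_fw {
    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for connections already permitted.
        ct state established,related accept

        # Only the presentation servers may open connections to the
        # application server, and only on its service port.
        ip saddr $PRESENTATION_SERVERS ip daddr $APP_SERVER tcp dport $APP_PORT ct state new accept

        # Any other attempt to reach the application tier is counted and
        # logged (supporting the audit trail in section 2.3.6), then dropped.
        ip daddr $APP_SERVER counter log prefix "inner-fw-deny: " drop
    }
}
```

The ruleset is loaded with `nft -f` and checked with `nft list ruleset`. Because the chain policy is `drop`, adding a new presentation server means adding its address to `PRESENTATION_SERVERS` rather than loosening the rule; the kernel log lines carrying the `inner-fw-deny:` prefix give the per-attempt record that section 2.3.6 asks Customer to retain for at least three months, and the administrative access to the firewall itself should come only over the internal network or VPN/SSH path required by section 2.3.4.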