Site Compliance

COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM (“WISP”)

SECTION 1. PURPOSE AND OBJECTIVE:

BBAOR’s objective, in the development and implementation of this WISP, is to create effective administrative, technical and physical safe guards for the protection of personal Information of residents of the State of California, and to comply with obligations under California Data Protection Act – Civil Code 1798.80 – 1798.84

This WISP sets out BBAOR’s procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Personal Information of residents of the State. For purposes of this WISP, “Personal Information” as defined by Civil Code 1798.80 – 1798.84 means a California resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a)Social Security number; (b) driver’s license number or state-issue indication card number; or (c) an account number, or credit or debit card number, with or without any required security code, access code, Personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from area, state, or local government records lawfully made available to the general public. The purpose of the WISP is, consistent with Civil Code 1798.80 – 1798.84, to (a) Ensure the security and confidentiality of Personal Information;(b) Protect against any anticipated threats or hazards to the security or integrity of such information; (c) Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

SECTION 2. SCOPE OF WISP:

This WISP specifically seeks to protect Personal Information by:

Identifying any foreseeable internal and external risk to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Personal Information; Assessing the likelihood and potential damage of these threats, turning into consideration the sensitivity of the Personal Information; Evaluating the sufficiency of existing policies, procedures, customer information systems, and other safe guards in place to control risk;. Designing and implementing a WISP that puts safe-guards in place to minimize those risks, consistent with the requirements of Civil Code 1798.80 – 1798.84; and, Regularly monitoring the effectiveness of those safe guards.

SECTION 3. DATA SECURITY COORDINATOR:

We have designated the Association Executive and Association Treasurer to implement, supervise, and maintain BBAOR’s WISP. That designated employee (the “Data Security Coordinator”) will be responsible for: 

a. Initial implementation of the WISP;

b.  Training employees;

c.  Regular testing of the WISP’s safe guards;

d.  Evaluating the ability of each of BBAOR’s third-party service providers, to implement and maintain appropriate security measures for the Personal Informationto which we have permitted them access, consistent with Civil Code 1798.80 – 1798.84; and requiring such third-party service providers by contract to implement and maintain appropriate security measures.

e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in BBAOR’s business practices that may implicate the security or integrity of records containing Personal Information.

f. Conducting ongoing training for all employees who have access to Personal Information on the elements of the WISP. 

SECTION 4. INTERNAL RISKS:

As part of its regular business actions and in providing services to its members, BBOAR needs to collect Personal Information as defined by Civil Code 1798.80 – 1798.84. BBOAR recognizes the sensitivity of this information and the need to protect this information, and as such, seeks to limit the amount of Personal Information that is collected. In all cases, Personal Information will be collected only in those instances where it is deemed necessary to carry on the business, services, and functions of BBOAR. BBOAR recognizes that Personal Information, as defined in Civil Code 1798.80 – 1798.84, is regularly collected in the areas identified below. BBOAR shall take consistent steps to ensure that such information is adequately protected.

Employee Records 

1. Records containing Personal Information of employees of BBOAR shall be maintained by the Association Executive. Files shall be restricted and maintained in a locked file cabinet at all times.

Educational Courses

2. Conferences, and Programs

BBOAR regularly hosts professional education and conferences for members. Payment for such programs is typically made via credit card or debit card. Information received via the BBOAR website or in person shall never be stored on the website. Any electronic records of said Personal Information shall be deleted upon printing. Any hard copy records shall be destroyed by shredding. 

Product sales

3. BBOAR regularly sells goods to members and non-members of the Association, including, for example, books, apparel, REALTOR® paraphernalia, real estate forms, brochures, etc. When items are purchased with a Personal check containing a bank account number, a credit card or debit card, Personal Information will be collected. Information received via the BBOAR website or via email shall be processed on a daily basis and immediately be deleted from the BBOAR website. Any electronic record of all Personal Information shall be deleted upon printing. All paper copies of records (including Personal check, credit card, or debit card shall be maintained in locked filing cabinets with limited access for a period determined by the Data Security Coordinator.

REALTOR® Political Action Committee 

4. BBOAR collects contributions from members and affiliates for its Political Action Committee (RPAC). BBOAR also engages in joint fundraising for RPAC and the NATIONAL ASSOCIATION OF REALTORS® Political Action Committee (NAR PAC) and  Advocacy Fund (NAR PAF). When a Personal contribution is collected by BBOAR, Personal Information is, in most cases, collected. Personal Information is collected when contributions are collected via Personal check, credit card or debit card. Contributions made by Personal check shall be deposited into BBAOR’s bank account on a weekly basis. Checks shall be kept in a locked drawer of the appropriate staff person upon receipt of such contributions. This drawer shall remain locked at all times when not in use and access shall only be provided to employees depositing and recording such contributions. Personal Information regarding contributions shall not be kept in an electronic manner. Contributions received via the BBOAR website shall be processed as detailed above, and any electronic record of shall be deleted.

Charitable Foundation

5. BBOAR collects contributions from members and associates for its Cantree Foundation. Contributions made by Personal check shall be deposited into BBAOR’s account on a weekly basis. 

Records 

6.  To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Personal Information, and evaluating and improving, the effectiveness of the current safeguards for limiting such risks, the following measures shall be implemented by BBOAR:

a. A copy of this WISP shall be distributed to each employee, upon receipt of the WISP, acknowledge in writing that he/she has receive and read a copy of the WISP. 

b. There shall be immediate retraining of employees on changes to the appropriate provisions of the WISP. 

c. Any new employees shall be notified of BBAOR’s WISP, provided with a copy, and shall be trained on the details of this WISP. And such employees shall acknowledge, in writing, receipt of the WISP. Any amount or Personal Information collected by BBOAR shall be limited to that amount reasonably necessary to accomplish our legitimate business purposes, or necessary to comply with other state or federal regulations’

d. Access to records containing Personal Information shall be limited to those persons who are reasonably required to know such information in order to accomplish your legitimate business purpose or to enable us to comply with other state or federal regulations.

e. Security measures shall be reviewed at east annually, or whenever there is a material change in BBAOR’s business practices that may reasonably implicate the security or integrity of records containing Personal Information. The Data Security Coordinator shall be responsible for this review and fully apprise BBOAR’s Board of Directors of the results of that review and any recommendations for improved security arising out of that review.

f. Terminated employees must return all records containing Personal Information, in any form, that may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).. terminated employees’ physical and electronic access to   Information shall be immediately blocked. Such terminated employee shall be required to surrender all keys to BBAOR’s building and storage. Moreover, such terminate employee’s remote electronic access to Personal Information shall be disabled; including/voicemail access, email access, internet access, and passwords and shall notify the Data Security Coordinator of such.  g.Information Tecnology shall maintain a secured master list of passwords and system log ins. Employees must report any suspicious or unauthorized use of customer information to the Data Security Coordinator. Whenever there is an incident that requires notification under Civil Code 1798.80 – 1798.84, shall be immediate mandatory post-incident review of event(s) and actions taken, if any, with a view to determining what, if any, changes in our security practices are required to improve the security of Personal Information for which BBOAR is responsible.

h. Employees are prohibited from keeping open files containing Personal Information on their desks when they are not at their desks.

i. At the end of the workday, any files and or other records containing Personal Information must be secured in a manner that is consistent with the WISP’s rules for protecting the security of Personal Information.

j. Access to electronically stored Personal Information shall be electronically limited to those employees having a unique login ID.

k. Paper or electronic records (including records stored on hard drives or other electronic media) containing Personal Information shall be disposed of only in a manner that complies with California Code. BBAOR shall maintain a paper shredder (or contract for the services of a professional third-party shredding service) on the premises to destroy all paper records containing Personal Information that are no longer needed.

l. Current employees’ user IDs and passwords must be changed periodically. 

m. Access to Personal Information shall be restricted to active users and active user accounts only.

SECTION 5. EXTERNAL RISKS:

To combat external risk to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing Personal Information, and evaluating and improving, where necessary, the effectiveness of the current safe guards for limiting such risk, the following measures shall be completed:

1. BBOAR shall, at all times, maintain an up-to-date firewall protection and operating system security designed to maintain the integrity of the Personal Information, installed on all systems processing Personal Information.

2. BBOAR shall, at all times, maintain an up-to-date version of system security agent software, which must include malware protection and reasonably up-to-date patches and virus editions, installed on all systems processing Personal Information.

3. Certain BBOAR staff maintain portable electronics. BBOAR phones and laptops owned by BBOAR and provided to staff for official employment duties. To the extent technically feasible, any Personal Information stored on laptops or other portable devices shall be encrypted, as well as all records  files transmitted across public networks or wirelessly, to the extent technically feasible.

4. Computer systems must be monitored for unauthorized use of or access to Personal Information.

5. There shall be secure user authentication protocols in place, including: (a) protocols for control of user ID and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies; 

(c) control of data security passwords to ensure that such passwords are kept in a secure location.