The Company views protecting its customers’ private information as a top priority and, pursuant to the requirements of the Gramm-Leach-Bliley Act (the “GLBA”), the Company has instituted the following policies and procedures to ensure that customer information is kept private and secure.
This policy serves as formal documentation of the Company’s ongoing commitment to the privacy of its customers. All employees will be expected to read, understand and abide by this policy and to follow all related procedures to uphold the standards of privacy and security set forth by the Company. This Policy, and the related procedures contained herein, is designed to comply with applicable privacy laws, including the GLBA, and to protect nonpublic personal information of the Company’s customers.
Scope of Policy
Overview of the Guidelines for Protecting Customer Information
In Regulation S-P, the SEC published guidelines, pursuant to section 501(b) of the GLBA, that address the steps a financial institution should take to protect customer information. The overall security standards that must be upheld are:
Cyber Security Practices
The Company stores its information on a secure server owned, managed, and backed up by Microsoft to safeguard client information and other sensitive data. Microsoft’s Azure cloud storage solution is an industry leading platform with built in security and privacy controls that are updated on a consistent basis. The company’s Microsoft Office365 subscription provides the following tools to assist its cyber security practices:
In addition, each employee of the company maintains a password protected interface to access Company records store on the network. Each employee is a subscriber to Microsoft Office365 which provides real-time security patches that automatically update Company operating systems to mitigate against data breaches.
The Company collects nonpublic personal information about customers from various sources. These sources and examples of types of information collected include:
Disclosure of Information to Nonaffiliated Third Parties – “Do Not Share” Policy
Under no circumstances does the Company share credit-related information, such as income, total wealth and other credit header information with these nonaffiliated third parties.
Types of Permitted Disclosures – The Exceptions
Regulation S-P contains several exceptions which permit SkyOak to disclose customer information (the “Exceptions”). For example, SkyOak is permitted under certain circumstances to provide information to non-affiliated third parties to perform services on the Company’s behalf. In addition, there are several “ordinary course” exceptions which allow SkyOak to disclose information that is necessary to effect, administer or enforce a transaction that a customer has requested or authorized. A more detailed description of these Exceptions is set forth below.
Service Providers. The Company may from time to time have relationships with nonaffiliated third parties that require it to share customer information enabling the third party to carry out services for the Company. These nonaffiliated third parties would typically represent situations where SkyOak or its employees offer products or services jointly with another financial institution, thereby requiring the Company to disclose customer information to that third party. Every nonaffiliated third party that falls under this exception is required to enter into an agreement that will include the confidentiality provisions required byRegulation S-P, which ensure that each such nonaffiliated third party uses and re-discloses customer nonpublic personal information only for the purpose(s) for which it was originally disclosed.
Processing and Servicing Transactions. The Company may also share information when it is necessary to effect, administer or enforce a transaction for our customers or pursuant to written customer requests. In this context, “Necessary to effect, administer, or enforce a transaction” means that the disclosure is required, or is a usual, appropriate or acceptable method:
Sharing as Permitted or Required by Law. The Company may disclose information to nonaffiliated third parties as required or allowed by law. This may include, for example, disclosures relating to a subpoena or similar legal process, a fraud investigation, recording of deeds of trust and mortgages in public records, an audit or examination, or the sale of an account to an other financial institution.
The Company has taken the appropriate steps to ensure that it is sharing customer data only within the Exceptions noted above. The Company has achieved this by understanding how the Company shares data with its customers, their agents, service providers, parties related to transactions in the ordinary course or joint marketers.
Provision of Opt Out
As discussed above, SkyOak currently operates under a “do not share” policy and therefore does not need to provide the right for its customers to opt out of sharing with nonaffiliated third parties. If our information sharing practices change in the future, we will implement opt-out policies and procedures and make appropriate disclosures to our customers.
Safeguarding of Client Records and Information
The Company has implemented internal controls and procedures designed to maintain accurate records concerning customers’ personal information. The Company’s customers have the right to contact the Company if they believe that Company records contain inaccurate, incomplete or stale information about them. The Company will respond in a timely manner to requests to correct information. To protect this information, SkyOak maintains appropriate security measures for its computer and information systems, including the use of passwords and firewalls.
Additionally, the Company will use shredding machines, locks and other appropriate physical security measures to safeguard client information stored in paper format. For example, employees are expected to secure client information in locked cabinets when not in use.
SkyOak maintains procedural safeguards to protect the integrity and confidentiality of customer information. Internally, SkyOak limits access to customers’ nonpublic personal information to those employees who need to know such information to provide products and services to customers. All employees are trained to understand and comply with these information principles.
SkyOak has developed a Privacy Notice, as required under Regulation S-P, to be delivered to customers initially and annually thereafter. The notice discloses the Company’s information collection and sharing practices and other required information and has been formatted and drafted to be clear and conspicuous. The notice will be revised as necessary any time information practices change.
Privacy Notice Delivery
Initial Privacy Notice - As regulations require, all new customers receive an initial Privacy Notice at the time when the customer relationship is established, for example on execution of the agreement for services.
Revised Privacy Notice