Company Privacy Policy - EquiTrust Title Company

495 Grand Blvd.,,
Suite 206
Miramar Beach,, FL 32550

EquiTrust Title Company

Privacy Policy Notice
PURPOSE OF THIS NOTICE

Title V of the Gramm-Leach-Bailey Act (GLBA) generally prohibits any financial institution, directly or through its affiliates, from sharing nonpublic personal information (NPI) about you with a nonaffiliated third party unless the institution provides you with a notice of its privacy policies and practices, such as the type of information that it collects about you and the categories of persons or entities to whom it may be disclosed. In compliance with the GLBA, we are providing you with this document, which notifies you of the privacy policies and practices of EquiTrust Title Company.

We may collect NPI about you from the following sources:
-Information we receive from you such as on applications or other forms.
-Information about your transactions we secure from our files, or from your lenders, and others.
-Information we receive from a consumer reporting agency.
-Information that we receive from others involved in your transaction, such as the real estate agent or
lender.

Unless it is specifically stated otherwise in an amended Privacy Policy Notice, no additional NPI will be collected about you.

We may disclose any of the above information that we collect about our clients/customers or former clients/customers to our affiliates or to nonaffiliated third parties as permitted by law.

We may also disclose this information about our clients/customers or former clients/customers to the following types of nonaffiliated companies that perform services on our behalf or which whom we have joint marketing agreements:
-Financial service providers such as companies engaged in banking, consumer finance, securities and
insurance.
-Non-financial companies such as envelope stuffers and other fulfillment service providers.

WE DO NOT DISCLOSE ANY NPI ABOUT YOU TO ANYONE FOR ANY PURPOSE THAT IS NOT SPECIFICALLY PERMITTED BY LAW (EMPHASIS ADDED).

We restrict access to NPI about you to those employees who need to know that information in order to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your NPI.

COMPANY POLICIES & PROCEDURES
Security Information & Records

GENERAL
Scope and Purpose

This policy applies to all regional, branch and subsidiary locations and corporate departments. Its purpose is to provide general guidelines for the security and safeguarding of Company information.

Background

Information flow is vital to the operation and success of the Company. Without timely and relevant information, managers and employees cannot perform efficiently and effectively. However, information contained in the Company's records is Company property. Therefore, this information, particularly information related to the Company and other confidential data, must be accessible only to authorized individuals.

POLICY

Company information classified as confidential or having considerable value to the Company, whether maintained in manual or automated files, must be adequately secured to prevent unauthorized disclosure, manipulation or destruction. Information security procedures should be periodically reviewed by the appropriate manager for adequacy, recoverability and continued compliance with established information security objectives.
Company employees are expected to respect the confidentiality of information and not discuss or disclose to outside parties any confidential or proprietary information obtained. In addition, such information should not be discussed with other employees, except when required in the performance of designated tasks relating to areas of responsibility.

This includes, but is not limited to, the following types of information:
1. Financial information projections, reports and records such as earnings statements, cash securities, investments, budgets, receivables or claims.
2. Human Resources, payroll information and records.
3. Operations related information: e.g., title plants, agency contracts, agency performance reports, commissions, orders and other records.
4. Marketing information, customer listings and National Accounts reports and records.
5. Information that may impact the value of the Company such as mergers and acquisitions, major new lines of business or coverage, major personnel changes, rates, fees or prices, any unusual gains or losses in major operations and major marketing changes.
6. Customer transactions, especially escrows, trusts and collections.
7. Starter files, tract and general indices information.
8. Other information or records vital to Company interests.

GUIDELINES

Access Security

Access security may be provided by physical or selective access methods. Physical methods may include locking files, placement of information in secluded or restricted areas or in the custody of an information librarian. For example, checks or drafts and check signing machines are to be kept under lock and key when not in use.

Selective access is most common in automated systems and incorporates such security features as passwords, security badges or keys. The method and cost of providing security must be appropriate considering the value of the information to the Company.

Amount Security

Security must be tailored to local requirements, needs and operating procedures as determined by local management. The amount of security required is a function of confidentiality, recoverability and value of the information to the Company. At a minimum, access to offices should be restricted to Company personnel and adequately secured at night or on weekends and holidays.

Backup and Recovery

A satisfactory backup and recovery plan should be developed for significant information. The frequency of backup and length of recovery time depends on the information type, usage and statutory requirements. Periodic testing of backup and recovery plans should be performed and documented for management's review to ensure the plans are reliable and workable.

Employee Considerations

To enhance information security, management should assign information maintenance (the responsibility of updating key files and the ability to alter data) to responsible employees and ensure adequate segregation of duties. In the event of an employee transfer or termination, care must be exercised to ensure information is not altered, removed or destroyed and that the employee's ability to access the information is eliminated.

Reports Distribution

Management and supervisors must ensure that reports are delivered promptly and reliably to only those persons authorized to receive them. It is the responsibility of the end user department to establish report distribution. Data processing departments should distribute all report copies to a single primary user that is responsible for further distribution. As much as possible, destroy sensitive printouts before discarding.

Service Bureaus

Operations processing data through service bureaus are subject to periodic review, similar to that of an internal center, recognizing the constraints which apply in reviewing an external service.

It should be stressed that the appropriate time for reviews and discussions of security and backup with a service bureau is prior to entering into an agreement. Items such as rights to backup data and other security and confidentiality concerns should be clearly outlined in the contract. Documentation of, or independent account reports on the internal controls of the service bureau should be obtained before entering into any processing agreement. Of particular concern is the accessibility of Company data in the service bureau environment where multiple title companies may be processed by the same service company.

Physical Security

In the typical office environment, it is difficult to ensure the physical security of computer related equipment. Computer terminals and personal computer equipment is often required to be placed in open, accessible areas. Certain steps may be taken to enhance physical security, including:

1. Keyboard and/or device locking, where applicable, should be used at night and over weekends.

2. Items such as computer tapes, diskettes and original vendor supplied copies of software should be kept under lock and key when not actually in use.
3. Access to actual computer facilities is limited to authorized Company employees. Local management should specifically approve access to other than Company personnel.
4. Computer devices in commonly accessible areas should be powered down at night and over weekends (most applicable to personal computers).

Sale of Services

The sale of computer time and/or processing services is not permitted without specific approval by the Company.

Software

All software developed or purchased by the Company is Company property. Company software is not to be copied except for backup purposes.

Company software may not be given to any outside party except with specific approval by the Systems Committee.

Unauthorized Access

Locations utilizing data communications equipment including dial-up phone lines, may experience unauthorized access by outside parties. Any such unauthorized access, successful or not, is to be considered a security violation until otherwise determined. Incidents of this kind must be documented in writing and brought to the attention of local management and the Chief Information Officer.

Use of Resources

Use of the Company's computer resources is restricted to approved business purposes. The use of computer resources by an employee, including those with approved access to said resources, for personal or non-business related purposes is prohibited.

Security Violations

If security violations are identified, management should take the appropriate action relative to the circumstances, including terminations or prosecution, if deemed appropriate. The General Counsel should be contacted for advice and counsel.

Passwords

All passwords and sign-ons should be kept in utmost privacy. If you feel security has been compromised in any fashion, immediately notify the IT department.

RESPONSIBILITY

All levels of management, including Regional Vice Presidents, Branch managers and Corporate department heads, are responsible for implementing this policy. Although in certain instances an internal data processing center or outside service bureau may act as custodian for information and provide a certain amount of security, the ultimate responsibility for information security rests with management.