PRIVACY DISCLOSURE NOTICE

At Union State Bank, we know how important personal privacy is to you. We recognize that you expect privacy and security for your personal and financial affairs. We understand the need to safeguard the sensitive information about you that you have entrusted to us within our institution. We maintain standards and procedures designed to prevent misuse of this information.

We collect nonpublic personal information about you from the following sources:

– Information we receive from you on applications or other forms;
– Information about your transactions with us, our affiliates, or nonaffiliated third parties; and
– Information we receive from a consumer reporting agency.

We do not disclose any nonpublic personal information about our customers or former customers to anyone, including nonaffiliated third parties, except as permitted by law.

“Nonpublic personal information” is nonpublic information about you that we may obtain in connection with providing a financial product or service to you. This could include information such as account balances, payment history, or overdraft history. If you decide to close your account(s) or become an inactive customer, we will adhere to the privacy policies and practices as described in this notice.

We restrict access to nonpublic personal information about you to those employees who need to know that information to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.

If you have any questions regarding this policy, please contact Union State Bank at 701-748-2233 or toll free at 877-684-2233.

Information Security Policy                                                                       

The Gramm-Leach-Bliley Act (Financial Privacy Legislation) of 2001 applies to consumer information/transactions and does not apply to business, commercial or agricultural information/transactions. The federal law establishes appropriate standards for financial institutions relating to the administrative, technical and physical safeguards of customer records and information.

The standards' objectives are to:

– Ensure the security and confidentiality of customer information;
– Protect against any anticipated threats or hazards to the security or integrity of such information; and
– Protect against unauthorized access to or use of customer information that could either result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the institution.

Financial institutions are required to:

– Identify and assess the risks that may threaten customer information;
– Develop a written plan containing policies and procedures to manage and control these risks;
– Develop a written privacy policy notice that must be mailed to customers initially and annually thereafter and is provided to any new customer;
– Implement and test the plan; and
– Adjust the plan on a continuing basis to account for changes in technology, sensitivity of customer information and internal or external threats to information security.

Compliance was mandatory starting July 1, 2001, or by the date the bank opens for business if later.
As in all regulations, the involvement of the Board of Directors enhances compliance and the Board will review reports and comments on a regular basis.

In response to this regulation, Union State Bank will adhere to the following, which includes, but is not limited to:

Union State Bank is to assess the risks involving the security of customer information:
– Identify reasonable, foreseeable, internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems.
– Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
– Assess the sufficiency of policies, procedures, customer information systems and other arrangements in place to control risks.

USB is to establish a program with procedures to manage and control risk involving the security of customer information:
– Design an information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the institution’s activities. The institution must consider whether the following security measures are appropriate and adopt those measures it concludes are appropriate:

    • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
    • Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals.
    • Encryption of electronic customer information while in transit or in storage on networks or systems to which unauthorized individuals may have access.
    • Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program.
    • Dual control procedures, segregation of duties and employee background checks for employees with responsibilities for or access to customer information.
    • Monitoring systems and procedures to detect attempted attacks on or intrusions into customer information systems.
    • Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
    • Measures to protect against destruction, loss or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

– Train staff to implement the institution’s information security program.
– Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests are to be determined by the institution’s risk assessment results.
– Tests are to be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

– Oversee service provider arrangements:
    • Exercise appropriate due diligence in selecting the institution’s service providers.
    • Require the service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines.
    • Where indicated by the institution’s risk assessment results, monitor the service providers to confirm that they have satisfied their obligations as required earlier. As part of the monitoring, USB should review audits, summaries of test results or other equivalent evaluations of its service providers.

– Adjust the program:
    • The institution shall monitor, evaluate and adjust as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information and the institution’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.

Breach of Security                                                                       

Recognizing that even the most carefully designed and implemented information security program may sometimes fail in its purpose of preventing unauthorized access to customer information, Union State Bank has established the following Security Breach Policies. 

Management is instructed to develop and maintain an appropriate Security Breach Response Program for Union State Bank. 

COMPONENTS of RESPONSE PROGRAM                                                                       

At a minimum, the response program should contain procedures for the following:

  • Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
  • Notifying the bank’s primary Federal regulator as soon as possible when the bank becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;
  • Consistent with the Agencies’ Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
  • Notifying customers when warranted.

Where an incident of unauthorized access to customer information involves customer information systems maintained by the bank’s service providers, the bank shall notify the customers and its regulator. However, the bank may authorize or contract with its service provider to notify its customers or regulator on its behalf.

Standard for Providing Notice                                                                       

When the Bank becomes aware of an incident of unauthorized access to sensitive customer information, the Bank will conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the Bank determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.

Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the Bank with a written request for the delay. However, the Bank should notify its customers as soon as notification will no longer interfere with the investigation.

Sensitive Customer Information                                                                       

Under the Guidelines, a bank must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft.

For purposes of this Guidance, sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.

Affected Customers                                                                       

If the bank, based upon its investigation, can determine from its logs or other data precisely which customers’ information has been improperly accessed, it may limit notification to those customers with regard to whom the bank determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the bank determines that a group of files has been accessed improperly, but is unable to identify which specific customers’ information has been accessed. If the circumstances of the unauthorized access lead the bank to determine that misuse of the information is reasonably possible, it should notify all customers in the group.

Content of Customer Notice                                                                       

Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the bank has done to protect the customers’ information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance. The notice also should remind customers of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the institution.

The notice should include the following additional items, when appropriate:

  • A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
  • A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
  • A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
  • An explanation of how the customer may obtain a credit report free of charge; and
  • Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC’s Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.

The bank will notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

Delivery of Customer Notice                                                                       

Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it. For example, the bank may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.



Reporting
USB shall report to its Board of Directors or a Board designated committee at least annually. This report should describe the overall status of the information security program and the institution’s compliance with these guidelines. The report, which can vary depending on the complexity of the institution’s program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations (and management’s responses); and recommendations for changes in the information security program.

The Risk Assessment Report to the Board of Directors shall include the following topics:
– Controls
– Facilities Restrictions
– Encryption
– Procedures
– Dual Control Procedures
– Monitoring
– Response Programs
– Protection From Destruction, Loss or Damage
– Staff Training
– Testing
– Service Provider Oversight
– Service Provider Audit

 

Copyright © 2004, Union State Bank Hazen