General Policy Statement:
The Credit Union recognizes its responsibility to protect the privacy of member nonpublic personal information. The purpose of this policy is to set forth the guidelines under which such information may be shared with third parties. It is the intent of the Credit Union and any of its affiliates to abide by all applicable laws and regulations governing the privacy of nonpublic personal information including NCUA Privacy of Consumer Financial Information rule (Part 716) and the FTC Privacy rule (Part 313) for affiliates, issued to implement the provisions of the Gramm-Leach-Bliley Act and the Right to Financial Privacy Act.
(A) Affiliate. To be considered an affiliate, the Credit Union must have the ownership, control or power to vote 25% of the shares; control election of a majority of the directors, trustees and partners; the power to exercise a controlling influence over the company’s management or policies, or have any ownership interest in a company that is 67% owned by credit unions.
(B) Consumer. A consumer is an individual, or such individual’s legal representative or personal representative (§716.2; §3401), who has obtained a financial product or service from the Credit Union for personal, family or household purposes or for whom the Credit Union is acting as fiduciary (§3401). A consumer is not necessarily a member of the Credit Union.
(C) Member. A member is a consumer with whom the Credit Union has, or has had in the past, a continuing relationship where the Credit Union has provided one or more financial products or services for personal, family or household purposes. Examples:
(i) Members as defined in the Credit Union’s bylaws;
(ii) A nonmember joint accountholder held with a member;
(iii) A former member;
(iv) A nonmember who has a loan that the Credit Union services;
(v) A nonmember who has an account with the low-income designated Credit Union; and
(vi) A nonmember who has an account in a federally-insured state-chartered Credit Union pursuant to state law.
(D) Nonpublic Personal Information. Personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information, other than publicly available information. Nonpublic personal information does not include publicly available information (§6809).
(E) Personally Identifiable Financial Information. Any information provided to the Credit Union by a consumer to obtain a financial product or service, or as a result of a transaction with the consumer. Examples:
(i) Information a consumer provides to the Credit Union on an application to obtain membership, a loan, credit card or other financial product or service;
(ii) Account balance information, payment history, overdraft history, and credit or debit card purchase information;
(iii) The fact that an individual is or has been one of the Credit Union’s members or has obtained a financial product or service from the Credit Union;
(iv) Any information about a consumer if it is disclosed in a manner that indicates that the individual is or has been a member of the Credit Union;
(v) Any information that a consumer provides to the Credit Union or that the Credit Union or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
(vi) Any information the Credit Union collects through an Internet "cookie" (an information collecting device from a web server); and
(vii) Information from a consumer report.
(2) COLLECTION OF INFORMATION. In the course of delivering products and services, the Credit Union obtains nonpublic personal information, either directly from the member or from outside sources. This nonpublic personal information is used to comply with federal and state laws and regulations, to provide effective member service and to inform members of products and services which may be of interest to the member.
(3) MAINTENANCE OF ACCURATE INFORMATION. The Credit Union will exercise reasonable caution in the gathering and maintenance of information to ensure its accuracy. When inaccurate information is discovered, it will be corrected as promptly as possible.
(4) DISCLOSING INFORMATION TO THIRD PARTIES. The Credit Union will not disclose personal nonpublic information to third parties without first providing the consumer a clear and conspicuous notice that accurately reflects the Credit Union’s privacy policies and practices and providing the consumer a reasonable opportunity to opt out of such disclosure (§716.14). The Credit Union may share personal nonpublic information with its affiliate, if applicable. The Credit Union also may share its experience information about the member with credit bureaus. The Credit Union’s reporting to credit bureaus is governed by the Fair Credit Reporting Act, which affords the member the right to make sure that its credit bureau reports are accurate. The requirement for the Credit Union to provide notice and a reasonable opportunity to opt out does not apply if the Credit Union’s disclosure of nonpublic personal information is necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following (§716.14):
(A) Servicing or processing a financial product or service that a consumer requests or authorizes (§716.14).
(B) Maintaining or servicing the consumer’s account with the Credit Union, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity (§716.14).
(C) A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transactions related to a transaction of the consumer (§716.14).
(D) With the written consent or direction of the consumer (§6802).
(E) To protect the confidentiality or security of the Credit Union’s records pertaining to the consumer, the service or product, or the transaction; to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; for required institutional risk control, or for resolving customer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or, to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety (§6802(e)).
(F) To provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the Credit Union, persons assessing the Credit Union’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors (§6802(e)).
(G) To a credit reporting agency in accordance with FCRA (§6802(e)).
(H) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit (§6802(e)).
(I) To comply with Federal, State, or local laws, rules, and other applicable legal requirements, to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State or local authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law (§6802(e)).
(J) Such financial records are disclosed (i) in response to an administrative subpoena; (ii) in response to a search warrant; (iii) in response to a judicial subpoena; or (iv) in response to a formal written request by a proper governmental authority (§3402).
(5) RESPONSIBILITY OF SERVICE PROVIDERS. The Credit Union will only approve service providers with established policies of privacy similar to those of the Credit Union. The Credit Union will require contractual agreements from nonaffiliated third parties that will include confidentiality of member information disclosed by the Credit Union and prohibit the service provider from disclosure and reuse of nonpublic personal information for any reason other than the intended purpose. All contracts entered into after July 1, 2006 must be in compliance with the provisions of NCUA §716.13 (§716.18(c)).
(6) CONFIDENTIALITY AND SECURITY SAFEGUARDS. The Credit Union maintains strict policies and security controls to assure that nonpublic personal information in the Credit Union’s computer systems and files is protected.
(A) Credit Union employees and certain contractors are permitted access to nonpublic personal information that they may need to perform their jobs and to provide service to the members.
(B) Credit Union employees and contractors will have access to such nonpublic personal information only as necessary to conduct a transaction or respond to a member’s inquiries.
(C) All Credit Union employees and contractors will be required to respect member privacy through confidentiality and information security provisions included in the Credit Union’s employee policy manual and service agreements with the contractors.
(D) No one except Credit Union employees and authorized contractors will have regular access to the Credit Union computer system and records storage. The Credit Union has established internal security controls, including physical, electronic and procedural safeguards to protect the member nonpublic personal information provided to the Credit Union and the information the Credit Union collects about the member. The Credit Union will continue to review its internal security controls to safeguard member nonpublic personal information as the Credit Union employs new technology in the future.
(7) PRIVACY OF ELECTRONIC TRANSACTIONS.
(A) Encryption. Electronic interfaces with members (such as Internet transactions) will be encrypted using Secure Sockets Layer (SSL) 128-bit encryption.
(B) Account Access. Member account information and transactions will be protected by a password that must be used in conjunction with a username or account number. Members must apply for this capability and be registered with the Credit Union for authentication purposes.
(C) "Cookies". The Credit Union may not use "cookies" as part of its web site interface. A "cookie" is a small file that is placed on the user’s computer. While it contains no member information, it identifies the member’s computer and allows the Credit Union to measure usage of the web site and customize the web site experience.
(D) Links. The Credit Union will frequently link to other sites as a convenience to our members. The Credit Union will seek to link with other sites that adhere to similar privacy standards. However, the Credit Union is not responsible for the content of linked sites, or for their policies on the collection of member information.
(E) Online Privacy of Children’s Information. The Credit Union will not collect, use or disclose online information received from children under age 13 without prior parental notification and consent, which will include an opportunity for the parent to prevent use of information and participation in the activity. Online information will only be used to respond directly to the child’s request and will not be used for other purposes without prior parental consent.
(i) The Credit Union will not distribute to third parties, other than its affiliate, personally identifiable information without prior parental consent.
(ii) The Credit Union will not post or otherwise distribute personally identifiable information without prior parental consent.
(iii) The Credit Union will not entice a child, by the prospect of a special game, prize or other activity, to divulge more information than is needed to participate in the activity.
(iv) Personally identifiable information collected online from their children may be reviewed by a parent or guardian upon written request. The parent or guardian has the right to have information deleted and instruct the Credit Union to cease collecting further information from their child.
(C) Content. As required by law, the initial and annual privacy notices will contain the following information:
1. The categories of nonpublic personal information that the Credit Union collects;
2. The categories of nonpublic personal information that the Credit Union discloses;
3. The categories of affiliates and nonaffiliated third parties to whom the Credit Union discloses nonpublic personal information (other than such disclosures allowed by law);
4. The categories of nonpublic personal information about the Credit Union’s former members that is disclosed and the categories of affiliated and nonaffiliated third parties to whom such information is disclosed (other than such disclosures allowed by law);
5. If the Credit Union discloses nonpublic personal information to a nonaffiliated third party (and no exception applies to that disclosure), a separate statement of the categories of information the Credit Union discloses, and the categories of third parties with whom the Credit Union has contracted;
6. If applicable, an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
7. Any disclosures made by the Credit Union under the Fair Credit Reporting Act (i.e., notices regarding the ability to opt out of disclosures of information among affiliates);
8. The Credit Union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
9. A statement that the Credit Union makes disclosures to nonaffiliated third parties as required by law.
(9) MEMBERS’ RIGHT TO "OPT OUT". Privacy regulations allow members to "opt out" of having their information disclosed to third parties in certain situations. Before the Credit Union discloses any member information to a nonaffiliated third party that is not otherwise covered by a disclosure exception under Part 716, the Credit Union must properly inform members of their right to "opt out" and must record and honor "opt out" requests. The notice shall include the address and toll-free phone number of the appropriate notification system used for processing opt out notices and will be presented in a format acceptable to the National Credit Union Administration/Federal Trade Commission.
(A) Content. As required by law, the opt out notice will state the following information:
(i) That the Credit Union discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party (including the categories of information and the categories of nonaffiliated third parties to whom it is disclosed);
(ii) That the consumer has a right to opt out of that disclosure; and
(iii) A reasonable means by which the consumer may exercise that opt out right. Examples:
a) Designating check-off boxes in a prominent position on the relevant forms with the opt out notice;
b) Including a reply form together with the opt out notice;
c) Providing an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the Credit Union’s web site, if the consumer agrees to the electronic delivery of information; or
d) Providing a toll-free telephone number that consumers may call to opt out.
(B) Exceptions to Providing an Opt Out Notice. Under the following scenarios, an opt out notice need not be provided to members when nonpublic personal information is disclosed to nonaffiliated third parties:
(i) Sharing nonpublic personal information with a nonaffiliated third party in order to carry out a service on the Credit Union’s behalf, and with whom the Credit Union has a written agreement (i.e., joint marketing agreement) that prohibits further disclosure by the third party;
(ii) Disclosure that is necessary to effect, administer or enforce a transaction that a consumer requests or authorizes;
(iii) Disclosure with the consent of the consumer (provided it has not been revoked);
(iv) Disclosure in order to protect the confidentiality or security of the Credit Union’s records pertaining to the consumer, service, product or transaction;
(a) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;
(b) For required institutional risk control or for resolving consumer disputes or inquiries;
(c) Disclosure to persons acting in a fiduciary or representative capacity on behalf of a consumer;
(v) Disclosure in order to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the Credit Union, persons that are assessing the Credit Union’s compliance with industry standards, and the Credit Union’s attorneys, accountants and auditors;
(vi) Disclosure to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act, to law enforcement agencies, a state insurance authority, self-regulatory organizations, or for an investigation on a matter related to public safety;
(vii) Disclosure to a consumer reporting agency in accordance with the Fair Credit Reporting Act;
(viii) Disclosure in connection with an actual sale, merger, transfer or exchange of all or a portion of business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
(ix) To comply with federal, state or local laws, rules and other applicable legal requirements.
(10) DELIVERY. The Credit Union may reasonably expect that a consumer will receive actual notice of the privacy notice and opt-out right (if applicable) if the Credit Union uses one of the following methods of delivery:
(A) Hand-delivery or mailing a printed copy of the notice to the consumer’s last known address;
(B) For a consumer who conducts transactions electronically, posting the notice on the electronic site and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or
(C) For an isolated transaction with a consumer (such as an ATM transaction), posting the notice on the ATM screen and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.
(11) PRIVACY COMPLIANCE. The Credit Union and all of its affiliates will comply with all applicable laws and regulations governing the privacy, confidentiality, security, and integrity of nonpublic personal information including the NCUA privacy rule (Part 716), the FTC privacy rule (Part 313) for affiliates, and all other applicable state and federal privacy laws and regulations as amended.
(12) ADMINISTRATION AND AMENDMENTS.
(A) Protecting member privacy is an ongoing process and the Credit Union will continue to evaluate and review the measures taken to safeguard member information.
(B) The Credit Union will provide training to employees on how to recognize and control risk to nonpublic personal information, how to handle nonpublic personal information, and how to report unauthorized or fraudulent attempts to gain access to nonpublic personal information.
(C) The Credit Union will create controls and procedures whereby any new product, service, or delivery method shall be reviewed and modified to ensure that it conforms to existing Credit Union privacy policies with regard to nonpublic personal information.
(D) If nonpublic personal information is shared with vendors for a business purpose, all contracts and agreements between the vendors and the Credit Union will include a guarantee that the vendor will safeguard such information.
Approved: August 26, 2008
By: Board of Directors
710 W. Miller St. • Alpena, MI 49707