
COMPANY, INC.

Privacy and IT Security Policy

Definitions
“Company” means [INSERT].

“Employee” means any Company employee and/or independent consultant, as appropriate.

“Personal Data” means an individual’s personal (private) information. Examples of personal
information include: name, telephone, e-mail account, address, date of birth, and social security
number.

“Protected Information” means a client’s proprietary, private and confidential information.
“Protected Information” also includes Personal Data of a client’s employees, prospective
employees, and customers.

Security of Protected Information

Employees shall keep all Protected Information confidential and secure. Employees shall not
copy, give or otherwise disclose Protected Information to any other person except as required in
furtherance of the services being provided. Any such disclosures shall be subject to appropriate
confidentiality obligations.

Employees shall shred (rather than bulk recycle) all work notes, client-provided files and printed
copies of documents that contain Protected Information.

Intentional disclosures of Protected Information in violation of this Policy may be the basis for civil
or criminal penalties. For an Employee’s intentional or negligent disclosure of Protected
Information, Company may impose disciplinary action up to and including termination with cause
of the responsible Employee’s employment or consultant’s contract with Company.

Upon any unauthorized disclosure or inappropriate access of Protected Information, Company
shall promptly advise affected clients of the occurrence and extent of the disclosure or access.
Unless required for Company’s ongoing provision of services, Employees shall physically and/or
electronically return or destroy any Protected Information related to a completed project.

Rev. 5/6/2016 Page 1


Information Technology Requirements

Employees are responsible for the security of computers and devices that they use or manage.
Employees shall take appropriate steps to secure Protected Data that they possess, manage, or
have access to in connection with their provision of services. Security can be provided by means
such as, but not limited to, encryption, access controls, physically securing the storage media, or
any combination thereof as deemed appropriate.

To prevent unauthorized access, Employees shall password protect all computers and electronic
devices under their control. Before leaving them unattended, Employees shall physically secure all
desktop and portable electronic devices in which Protected Data is stored.

Employees shall password protect any database, spreadsheet, or word processing files that
contain Personal Data.

Employees shall keep all operating systems up to date with the latest software security updates
and patches.

Employees shall keep virus protection and anti-malware software on all computers and
electronic devices under their control and keep such software up-to-date.

Employees shall keep all potentially vulnerable software (Flash, Java, etc.) up to date with the
latest security updates and patches.

To protect against intrusion, Employees shall maintain all browsers at the latest version.
However, where an upgrade affects only functionality and not security, Employees may delay it
in order to coordinate functionality upgrades with the software upgrades necessary for the
ongoing performance of Company’s operating systems or of the applications used to deliver
Company’s products or services.

Services or applications running on systems manipulating Protected Data should implement
secure communications as appropriate.

When transmitting data that includes Protected Information, Employees shall employ
encryption technology, as appropriate based upon the information being transmitted.

Employees shall promptly report all cyber security incidents of which they become aware.
