It is the policy of the ACPE that sensitive data, specifically credit card information and social security numbers, are to be stored and handled securely to avoid improper use or access of this information by unauthorized individuals.
All software systems (purchased and developed in-house) are required to encrypt sensitive data. If it is not possible to encrypt the data, access to electronic files must be restricted through secure log-in procedures.
Printed reports that contain credit card or social security information shall display only truncated numbers. Some reports may require the display of all information for analysis purposes, and electronic access to these reports must be obtained through secure log-in procedures. These reports must be stored in locked cabinets or a locked storage area. When the reports are no longer required, they must be shredded.
Sensitive data is not to be requested or provided in email form. If a member or customer provides this information in an email, the message shall be deleted as soon as possible. The preferred methods for obtaining information are via telephone, in person, through the postal system, or the secure online system.
Faxed information is to be kept in a secure location and, when no longer needed, shredded.
ACPE management is responsible for the proper storage, use, and protection of sensitive information. It is not acceptable to leave sensitive information unattended. At the end of the day, all sensitive information must be secured in a locked location.
When ACPE management is working offsite, they must keep sensitive data in a locked box and keep it shielded from exposure to non-ACPE management. This information shall be sent back to the office via overnight mail or secured appropriately.
Staff with electronic access to sensitive data must use screen savers that require a password to unlock. Passwords are not to be shared with any individual other than the Communications/IT Director.
In the event that sensitive data may have been compromised or lost, ACPE management must contact the Treasurer and the Board Chair within 24 hours of the suspected compromise or loss.
ACPE management and the accounting staff shall determine and recommend the appropriate course of action to the Treasurer, if he/she is available. Legal opinion or action may be requested.