B. The DSC or designated authorized representative will immediately train all existing employees on the
detailed provisions of the Plan. All employees will be subject to periodic reviews by the DSC to ensure
compliance.
C. All employees are responsible for maintaining the privacy and integrity of the Firm’s retained PII. Any
paper records containing PII are to be secured appropriately when not in use. Employees may not keep
files containing PII open on their desks when they are not at their desks. Any computer file stored on the
company network containing PII will be password-protected and/or encrypted. Computers must be locked
from access when employees are not at their desks. At the end of the workday, all files and other
records containing PII will be secured by employees in a manner that is consistent with the Plan’s rules for
protecting the security of PII.
D. Any employee who willfully discloses PII or fails to comply with these policies will face immediate
disciplinary action that includes a verbal or written warning plus other actions up to and including
termination of employment.
E. Terminated employees’ computer access logins and passwords will be disabled at the time of termination.
Physical access to any documents or resources containing PII will be immediately discontinued.
Terminated employees will be required to surrender all keys, IDs or access codes or badges, and
business cards that permit access to the Firm’s premises or information. Terminated employees’ remote
electronic access to personal information will be disabled; voicemail access, e-mail access, Internet
access, Tax Software download/update access, accounts and passwords will be inactivated. The DSC
or designee shall maintain a highly secured master list of all lock combinations, passwords, and keys,
and will determine the need for changes to be made relevant to the terminated employee’s access rights.
PII Disclosure Policy
A. No PII will be disclosed without authenticating the receiving party and without securing written
authorization from the individual whose PII is contained in such disclosure. Access is restricted for areas
in which personal information is stored, including file rooms, filing cabinets, desks, and computers with
access to retained PII. An escort will accompany all visitors while within any restricted area of stored PII data.
B. The Firm will take all possible measures to ensure that employees are trained to keep all paper and
electronic records containing PII securely on premises at all times. When there is a need to bring records
containing PII offsite, only the minimum information necessary will be checked out. Records taken offsite
will be returned to the secure storage location as soon as possible. Under no circumstances will
documents, electronic devices, or digital media containing PII be left unattended in an employee’s car,
home, or in any other potentially insecure location.
C. All security measures included in this WISP shall be reviewed annually, beginning [annual calendar
review date] to ensure that the policies contained in the WISP are adequate and meet all applicable
federal and state regulations. Changes may be made to the WISP at any time they are warranted. When
the WISP is amended, employees will be informed in writing. The DSC and principal owners of the Firm
will be responsible for the review and modification of the WISP, including any security improvement
recommendations from employees, security consultants, IT contractors, and regulatory sources.
D. [The Firm] shares Employee PII in the form of employment records, pension and insurance information,
and other information required of any employer. The Firm may share the PII of our clients with the state
and federal tax authorities, Tax Software Vendor, a bookkeeping service, a payroll service, a CPA firm,