Personally Identifiable Information (PII) is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers. We restrict access to personal information to our employees, our affiliates' employees, or others who need to know that information to service the account or in the course of conducting our normal business operations. The identification, service, notice and training associated with information of this nature are identified below in accordance with the California Consumer Privacy and Protection Act effective January 1, 2020. The policy herein as identified will be broadly applied to all jurisdictions.
The identification of PII begins at or before the time of data collection. When materials are identified, we make every effort to secure them by restricting access to only those individuals approved to handle the PII. All documentation where PII has been identified AND is needed in the regular course of business shall be identified and subject to the terms and conditions of this policy. MFH, LLC and Affiliates do not sell personally identifiable information (PII).
At or before the time of data collection, consumers and stakeholders are directed to our website for notifications of rights. Specific notices are sent out departmentally as required.
Where records are being subpoenaed, documents containing PII should not be disclosed unless one of the following conditions applies:
Verification of the legality of the request and requesting parties has been confirmed as an approved third party.
Records have been reviewed and authorized by counsel.
PII is most often contained in documents that are considered to be Confidential Work Product and these would not be discoverable. Counsel should be consulted for creating that layer of protection (insulation) in response to the subpoena and in supporting the Work-Product Doctrine.
The CCPA shall not apply where compliance by the business would violate evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by evidentiary privilege under California law as part of a privileged communication. In accordance with CCPA sections 1798.110 to 1798.135 the CCPA shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law.
Companywide PII training is completed annually by all staff.
All Midwest service providers are required to provide immediate notification in the event of a breach. If a breach is identified, we require the vendor to complete a prompt and thorough investigation. We require that the service providers effectively exercise good faith practices involving PII, CCPA, Gramm-Leach-Bliley, HHCPA and NAIC.
All Midwest service providers shall defend and indemnify Midwest and hold its officers, directors, employees and agents harmless from any and all damages resulting from or arising out of the negligent acts, errors, omissions, or willful misconduct of the service provider or their partners. Service providers shall promptly notify Midwest of any damages or threatened damages.
All Midwest service providers, at their sole cost and expense, will maintain general and professional liability insurance, cyber insurance covering data loss and data breach response, and other insurance as necessary or required by law to insure them and their employees against any claims for damages arising out of or resulting from services provided by said provider under agreement, with limits of not less than $1 million per occurrence unless otherwise specifically requested at a higher limit. All service providers shall provide Midwest with a Certificate of Insurance verifying existence of this coverage upon execution of an agreement and every subsequent anniversary, including the one-year period following the agreement's termination.
In accordance with CCPA 1798.130(a)(5), this policy is reviewed annually for efficacy and updating to evolving standards.
Any data breach is handled in accordance with our existing Information Systems Security and Enterprise Risk Policy.