W.H. Cornerstone views protecting its customers’ private information as a top priority and, pursuant to the requirements of the Gramm-Leach-Bliley Act (the “GLBA”), the Massachusetts Uniform Security Act (“950 CMR 12”), and the Standards for the Protection of Personal Information of Residents of the Commonwealth (“201 CMR 17”), W.H. Cornerstone has instituted the following policies and procedures to ensure that customer information is kept private and secure.
This policy serves as formal documentation of W.H. Cornerstone’s ongoing commitment to the privacy of its customers. All employees will be expected to read, understand, and abide by this policy and to follow all related procedures to uphold the standards of privacy and security set forth by W.H. Cornerstone. This Policy, and the related procedures contained herein, is designed to comply with applicable privacy laws, including the GLBA, 950 CMR 12, and 201 CMR 17, and to protect nonpublic personal information of W.H. Cornerstone’s customers.
Scope of Policy
Overview of the Guidelines for Protecting Customer Information
In Regulation S-P and 201 CMR 17, the Securities and Exchange Commission (the “SEC”) and the State of Massachusetts published guidelines which address the steps a financial institution should take in order to protect customer information. The overall security standards that must be upheld are:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
- Each employee has a duty to protect the nonpublic personal information of customers collected by W.H. Cornerstone.
- No employee is authorized to disclose or use the nonpublic information of customers on behalf of W.H. Cornerstone.
- Each employee has a duty to ensure that nonpublic personal information of W.H. Cornerstone’s customers is shared only with employees and others in a way that is consistent with W.H. Cornerstone’s Privacy Notice and the procedures contained in this Policy.
- Each employee has a duty to ensure that access to nonpublic personal information of W.H. Cornerstone’s customers is limited as provided in the Privacy Notice and this Policy.
- No employee is authorized to sell, on behalf of W.H. Cornerstone or otherwise, nonpublic information of W.H. Cornerstone’s customers.
- Employees with questions concerning the collection and sharing of, or access to, nonpublic personal information of W.H. Cornerstone’s customers must look to W.H. Cornerstone’s CCO.
Violations of these policies and procedures will be addressed in a manner consistent with other Company disciplinary guidelines.
Regulation S-P contains several exceptions, which permit W.H. Cornerstone to disclose customer information (the “Exceptions”). However, the Massachusetts Uniform Security Act requires that all disclosures of non-public information be affirmatively consented to prior to such disclosure. Accordingly, the following represents common disclosures that will be made by W.H. Cornerstone if client consent is granted.
- Service Providers. W.H. Cornerstone may from time to time have relationships with nonaffiliated third parties that require it to share customer information in order for the third party to carry out services for W.H. Cornerstone. These nonaffiliated third parties would typically represent situations where W.H. Cornerstone or its employees offer products or services jointly with another financial institution, thereby requiring W.H. Cornerstone to disclose customer information to that third party. Every nonaffiliated third party that falls under this exception is required to enter into an agreement that will include the confidentiality provisions required by Regulation S-P, which ensure that each such nonaffiliated third party uses and re-discloses customer nonpublic personal information only for the purpose(s) for which it was originally disclosed.
- Processing and Servicing Transactions. W.H. Cornerstone may also share information when it is necessary to effect, administer, or enforce a transaction for our customers or pursuant to written customer requests. In this context, “Necessary to effect, administer, or enforce a transaction” means that the disclosure is required, or is a usual, appropriate, or acceptable method.
- To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer’s account in the ordinary course of providing the financial service or financial product.
- To administer or service benefits or claims relating to the transaction or the product or service of which it is a part;
- To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker; or
Sharing as Required by Law
W.H. Cornerstone may disclose information to nonaffiliated third parties as required or allowed by law. This may include, for example, disclosures in connection with a subpoena or similar legal process, a fraud investigation, recording of deeds of trust and mortgages in public records, an audit or examination, or the sale of an account to another financial institution.
W.H. Cornerstone has taken the appropriate steps to ensure that it is sharing customer data only within the above noted Exceptions. W.H. Cornerstone has achieved this by understanding how W.H. Cornerstone shares data with its customers, their agents, service providers, parties related to transactions in the ordinary course or joint marketers.
Safeguarding of Client Records and Information
W.H. Cornerstone has implemented internal controls and procedures designed to maintain accurate records concerning customers’ personal information. W.H. Cornerstone’s customers have the right to contact W.H. Cornerstone if they believe that Company records contain inaccurate, incomplete, or stale information about them. W.H. Cornerstone will respond in a timely manner to requests to correct information. To protect this information, W.H. Cornerstone maintains appropriate security measures for its computer and information systems, including the use of passwords and firewalls.
Additionally, W.H. Cornerstone will use shredding machines, locks and other appropriate physical security measures to safeguard client information stored in paper format. For example, employees are expected to discard documents not required to be kept by placing them in the appropriate bin for shredding.
W.H. Cornerstone protects confidential client information, including but not limited to consumer reports or any compilation of consumer report information derived from a consumer report, by maintaining some information in locked areas and shredding such information when the information is no longer needed by W.H. Cornerstone.
W.H. Cornerstone maintains physical, electronic, and procedural safeguards to protect the integrity and confidentiality of customer information. Internally, W.H. Cornerstone limits access to customers’ nonpublic personal information to those employees who need to know such information in order to provide products and services to customers. All employees are trained to understand and comply with these information principles.
W.H. Cornerstone has developed a Privacy Notice, as required under Regulation S-P, to be delivered to customers initially and on an annual basis. The notice discloses W.H. Cornerstone’s information collection and sharing practices and other required information and has been formatted and drafted to be clear and conspicuous. The notice will be revised as necessary any time information practices change. A copy of W.H. Cornerstone’s Privacy Notice is available on W.H. Cornerstone’s website.
Privacy Notice Delivery
- Initial Privacy Notice – As regulations require, all new customers receive an initial Privacy Notice at the time when the customer relationship is established, for example on execution of the agreement for services.
WH Cornerstone Investments Data Controller
This policy is effective as of June 30, 2020.