AssureCo Risk Management & Regulatory Compliance LLC, doing business as MunicipalH2O.com, ("MHC", "we", "us" or "our") is committed to protecting and maintaining the confidentiality and security of the information that you provide to us. This statement discloses the privacy practices for www.MunicipalH2O.com (the "MHC Site"), including:
- What personally identifiable information is collected;
- The organization collecting the information;
- How the information is used;
- With whom the information may be shared;
- What choices are available to you regarding collection, use and distribution of the information;
- The kind of security procedures that are in place to protect against the loss, misuse or alteration of information under MunicipalH2O.com's control; and
- How you can correct any inaccuracies in the information.
If you have questions or concerns regarding this statement or feel that we are not abiding by our privacy policies, you should contact MHC by sending an e-mail to service@MunicipalH2O.com.
This privacy statement describes the information we collect about you and what may happen to that information. Although this statement may seem long, we have prepared a detailed statement because we believe you should know as much as possible about MHC's practices so you can make an informed decision about submitting information required to use our services. Please review this privacy statement posted on the MHC Site from time to time, as it may be amended without notice for some changes (for example, minor changes not affecting personal information). If, however, we are going to use users' personally identifiable information in a manner different from that stated at the time of collection, we will notify users via email. Users will have a choice as to whether or not we use their information in this different manner. We will always post our most current privacy statement on the MHC Site. Minor changes to our privacy statement will be effective upon such posting. By using the MHC Site, you consent to the use of your information as expressed in this privacy statement. Notwithstanding the above provisions, MHC agrees to not resell, trade or rent any of your information to any third party. This privacy statement is effective January 1, 2005.
AssureCo Risk Management & Regulatory Compliance LLC is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices. This privacy statement covers the site www.MunicipalH2O.com. Because this web site wants to demonstrate its commitment to your privacy, it has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.
If you have questions or concerns regarding this statement, you should first contact Chris Eley at Service@MunicipalH2O.com, 501-537-4566, 900 S. Shackleford Rd., Ste. 401, Little Rock, AR 72211. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you should then contact TRUSTe at http://www.truste.org/consumers/watchdog_complaint.php. TRUSTe will then serve as a liaison with the Web site to resolve your concerns.
YOUR INFORMATION AND HOW WE MAKE USE OF IT
Visiting the MHC Site:
The MHC Site collects two kinds of information: (i) information that identifies you, your company or your municipality, (collectively, "Identifiable Information"); and (ii) information that does not identify any person, company or municipality (such as your Internet Protocol (IP) address, browser type, operating system type, access time and page views) (collectively, "Non-Identifiable Information"). As a general policy, only Non-Identifiable Information is automatically collected from your visit to the MHC Site.
Information Collected During the Subscription and Set-Up Process:
If you choose to subscribe to MHC's Compliance Alert service, which is required to access other MHC services, you will be asked to provide us with certain specific information about yourself, your company and/or your municipality, including: (i) contact information such as your name, phone number, fax number, mailing/e-mail address, and your company's or municipality's name, phone number, fax number, mailing/e-mail address and primary contact person, and your consultant firm's name, phone number, fax number, mailing/e-mail address and primary contact person, if any (collectively, "Contact Information"); and (ii) information about your company's or municipality's facilities, policies, procedures, operations, processes, and staff as they pertain to compliance with state and/or federal regulatory requirements that are addressed by MHC services (collectively, "Business Information"). During the subscription process and initial set-up process, we will only share your Contact Information and Business Information with the MHC staff and service providers that are involved in assisting MHC in delivering the services that you request. All of these individuals will have executed a non-disclosure confidentiality agreement with respect to information provided to them by MHC.
The Internet service provider that hosts our Web site will have a site administrator (our Webmaster) with the ability to access all such information as part of website maintenance, but this company and the Webmaster have signed a non-disclosure agreement with us. We will maintain your Contact Information and Business Information in our secure and protected information databases as long as you remain a client of MHC. If you or we terminate our service agreement for any reason, we will deactivate this information unless you submit a written request that we retain this information pending further action or transfer this information to you or a third party, which retention or transfer will be subject to a written agreement to be executed by you and MHC.
We do not resell, trade or rent any of your information to anyone.
We may aggregate Non-Identifiable Information to create statistical data, which will be used to help analyze site traffic and improve our services. We may also use such aggregated information to describe MHC's website services to potential partners or other third parties. At no point, however, will the aggregated information identify you, your business or your clients.
Service Related Announcements:
Occasionally, you may receive service-related announcements such as compliance alert notices, confirmation emails, critical service updates, etc. Generally, you may not opt-out of these communications, which are not promotional in nature.
If you do not wish to receive them, you have the option to deactivate your account by sending an email to Service@MunicipalH2O.com with the subject of “Cancel Services” along with your MHC number or by calling 501-537-4566.
We use other third parties to provide credit card processing on our site. Our current provider is VeriSign. If you choose to pay for services using a credit card, we will share your billing name, address and email along with your credit card number as necessary for the third party to provide that service. These third parties are prohibited from retaining or using your personally identifiable information for any other purpose.
We reserve the right to disclose any Identifiable or Non-Identifiable Information if required to do so by law or if we believe that such action is necessary in order to (i) conform with the requirements of the law or to comply with legal process served on MHC; (ii) to protect or defend the legal rights or property of MHC, the MHC Site, or its users; or (iii) in an emergency to protect the health and safety of MHC's website users or the general public.
We have security measures in place to protect against the loss, misuse and alteration of the information under our control, both online and offline.
The MHC Site operates secure data networks protected by industry standard firewall and password protection systems. We use a VeriSign Secure Server ID for 128-bit encryption of data being sent via the Internet between the browser and our servers. The servers on which we store your personal information are kept in a secure environment using industry-standard back-up and security procedures and protections.
All of your Contact and Business Information is restricted in our offices. Only employees who need the information to provide the Services are granted access to personally identifiable information. All employees have been verified as U.S. citizens having a history of honesty and trustworthiness and have signed a non-disclosure agreement prohibiting the unauthorized disclosure, use or distribution of any of your Contact or Business Information. Furthermore, all employees are kept up-to-date on our security and privacy policies and practices and on the importance of maintaining and working with all client information in a secure and confidential manner.
Access to MHC's offices is restricted after normal business hours with security cards required for entry into the building and keys required for office access. The building is also equipped with security cameras and a burglar alarm system and has a security guard on the premises after normal business hours and on weekends.
Although we use industry-standard equipment and procedures to protect our users' personal information and privacy, please be advised that we cannot guarantee that the security precautions we take will prevent third parties from illegally obtaining your information. However, our procedures have qualified www.MunicipalH2O.com for the "VeriSign Secure Site" designation indicating that we provide you with authentication, confidentiality, and data integrity that meets established industry standards. Also, be advised that any information which you disclose in a “public forum” is considered “public information” and will be treated as such.
ISP Facility/System Reliability & Security
For security reasons, MHC does not disclose the name or location of its Internet Service Provider (hereinafter referred to as “ISP”) on the public portions of its websites, although IP addresses are publicly identifiable and can be traced. MHC will provide the name and contact information of its ISP to authorized representatives of clients and prospective clients for verification and audit purposes. MHC has verified that the systems and facilities of its ISP are as stated in this document. MHC's ISP hosts B2B Intranets and Extranets for a number of financial institutions, and the security policies and procedures have been audited extensively by several third-party organizations.
ISP utilizes a scalable, redundant "bandwidth-on-demand" solution. Depending on network traffic and nationwide bottleneck status, web server traffic is routed down multiple OC-3 Internet connections to national Internet backbones, AT&T and Qwest. Local connectivity is through BellSouth, KDL and Adelphia via high-speed SONET OC-48 connections.
ISP uses only Cisco routing and switching equipment. Every server is fed into dual Catalyst 3500 high-speed switches that channel all server traffic into redundant Juniper and Foundry routing equipment, using BGP4 routing protocol for complete redundancy. If one router should have an equipment failure, the other one picks up the traffic. This lowers the possibility of network downtime due to an equipment failure.
ISP's internal network is 100% hardware redundant, with dual load-balanced network cards in EVERY ISP server, connected to dual fail-over switches at all multi-connection points within the internal network. The internal network is connected to the outside world via two fail-over F5 BigIP Enterprise Controllers. This redundancy at every level ensures that the internal network has NO single point of failure. Firewalls are implemented at the core router and internal network level.
ISP provides web application hosting on a zero-hop Internet backbone in a redundant network configuration to ensure the guaranteed uptime and connectivity required of high priority business applications.
All electrical power supplied by local utilities is fed to the data center via three separate power grids. All electrical connections are backed up using multiple Liebert UPS battery backup systems in an N+1 configuration. In the event of an extended outage, power is supplied to the datacenter using a Caterpillar 750Kva diesel generator supplied with a 30-hour full capacity and a proactive refueling contract with a local supplier.
Internal atmospherics are monitored 24x7x365 to ensure the temperature and humidity of the data center is providing an optimal environment for all servers and network equipment.
ISP's data center is both physically and logically secure. It is protected 24x7x365 by internal and external cameras, which are monitored by the Network Operations Center. The front door is protected by a badge reader system, and badge access is required to enter the building. Before access to the data center is permitted, one must first pass through the "man trap" area, which is a concrete hallway protected with a badge reader for initial access and then a biometric hand scanner, personal security code and a camera to ensure physical and visual confirmation of identity. This entire process is monitored 24x7x365 by the Network Operations Personnel, and ONLY ISP Microsoft Certified Engineers have physical access to the web servers used for all applications.
All of ISP's servers sit behind dedicated ISP Firewalls and F5 BigIP Controllers, which constantly monitor and analyze all network traffic. Multiple security policies are in place to assist in the prevention of a network interruption in the event of a malicious attack.
MHC Facility/System Reliability & Security
MHC facilities include its development headquarters located in Tennessee and its corporate headquarters in Arkansas. Client websites and databases are located on separate and isolated primary production servers at MHC's ISP, which is located in another state. Client websites and databases are located on separate and isolated servers to provide redundancy in the event of a disaster at one location. All servers are backed up offsite each night in an encrypted manner and stored in a secure location. All locations have backup power supplies of adequate capacity.
The security of MHC's system as hosted on MHC servers is three-fold. The first level is the security of information as it moves from the user's computer to the server. This security is provided via a 128-bit Secure Server Certificate provided by VeriSign, Inc. (www.verisign.com). The SSL Certificate provides data encryption as the information flows over the internet, and it also provides corporate authentication.
The second level of security is server specific. This level includes Windows passwords, SQL Server passwords and network firewall/routers. Industry-standard best practices are followed for all internet attached servers.
The third level of security is the encryption and protection of data housed within the database. All personally identifiable information is encrypted prior to insertion to the database. Also, all FDF data created by PDF forms is encrypted using Triple DES encryption algorithms to provide 168-bit protection of the data. Triple DES encryption algorithms also are used by MHC to encrypt all information related to water facilities that has been designated as highly sensitive for homeland security purposes.
Encryption is the process of turning a clear-text message (Plaintext) into a data stream which looks like a meaningless and random sequence of bits (ciphertext). Symmetric encryption is the backbone of any secure communication system. Dozens of symmetric algorithms have been invented and implemented, both in hardware and software. MHC uses the symmetric algorithms provided by Microsoft as described below.
Block Ciphers. Block ciphers are cryptographic algorithms which operate on 64-bit blocks of plaintext. The encryption procedure usually consists of multiple and complex rounds of bit shifts, XORs, permutations and substitutions of plaintext and key bits. Decryption is similar to encryption except that some operations may be performed in the reverse order. Some algorithms use fixed-length keys; for others the key length may vary.
DES. Data Encryption Standard (DES) is a block cipher invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. It has been a worldwide cryptographic standard since 1976. DES is a fixed-key-length algorithm. It uses 56-bit keys. Any 56-bit number can be a key. DES is implemented by the Microsoft Enhanced Cryptographic Provider.
RC2. RC2 was developed for RSA Data Security, Inc. RC2 is a variable-key-length cipher. However, when using the Microsoft Base Cryptographic Provider, the key length is hard-coded to 40 bits. When using the Microsoft Enhanced Cryptographic Provider, the key length is 128 bits by default and can be in the range of 40 to 128 bits in 8-bit increments.
TripleDES. Triple DES improves the security of DES by applying DES encryption three times using three different keys. This way the effective key length becomes 56 x 3 = 168 bits which makes brute-force attacks virtually impossible. Triple DES is implemented by the Microsoft Enhanced Cryptographic Provider.
TRANSFER OF ASSETS
NOTIFICATION OF CHANGES
CHANGES TO INFORMATION AND QUESTIONS
Each participating user can access and update their personal information online. Each participating firm and municipality also has one or more designated account administrators that can add or delete users and access and update the information of the participating firm or municipality and that of all of its users.