ECHDA15-004 Rentgrow, Inc. Addendum to Resident Screening Agreement
February 12, 2015
Via U.S. Mail
Daniel Murray
Eagle County Housing and Development
500 Broadway P.O. Box 8510
Eagle, CO 81631
Important Notice and Amendment RE: Yardi Resident Screening Agreement
Dear Daniel Murray:
Equifax, TransUnion and Experian (collectively, the "Credit Bureaus") require that all end-users of the
consumer data they provide comply with certain terms, conditions and requirements. All screening service
providers are required to include these terms in all of their screening agreements with end-users.
Because the Credit Bureaus will only authorize the dissemination of the consumer data to end-users who accept
the required terms, your screening agreement (the "Agreement") with Yardi Resident Screening (YRS) must be
amended. The required terms have been consolidated into the attached amendment.
The terms in the amendment have not been drafted, nor are they editable, by YRS. If you wish to continue
receiving tenant screening reports from YRS you must accept the amendment. Because the Credit
Bureaus have imposed a short time-frame within which YRS must complete this process, you must return the
executed amendment to YRS at YRSLegal@yardi.com no later than 10 business days after receipt of this
notice. Alternatively, if you prefer you can use the enclosed return-addressed envelope and mail it to:
YRS c/o Yardi Systems, Inc.
Attn: K. Allcr/W. Kosche-Gelinas
430 South Fairview Avenue
Santa Barbara, CA 93117
Upon receipt, YRS will promptly countersign the amendment and return a fully executed copy to you for your
records. For ease of communication, please also include your company's preferred contact phone number and
email address where indicated in the signature block of the amendment. If you should have any questions,
please direct those to YRSLegal@yardi.com and your inquiry will be promptly responded to. Thank you in
advance for your prompt attention to this matter.
Very truly yours,
Corporate Counsel
ADDENDUM TO RESIDENT SCREENING AGREEMENT
BETWEEN
RENTGROW, INC. DBA YARDI RESIDENT SCREENING AND ITS PARENT, YARDI SYSTEMS, INC. ("YARDI") AND
EAGLE COUNTY HOUSING AND DEVELOPMENT ("CLIENT")
(this "Addendum")
Yardi Client PIN Number: 100083915
Client and Yardi amend their agreement for resident background screening service, dated on or about 1625013 (the "Agreement"), as follows:
1. The terms set forth in Exhibit 1 (Required Credit Bureau Terms and Conditions) are incorporated into the Agreement. Client agrees that the terms set forth in Exhibit 1 (Required Credit Bureau Terms and Conditions) will take precedence over any conflicting terms in the Agreement regarding the relationship between Client and the Credit Bureaus.
2. The following text is added as a new section to the Agreement:
The Required Credit Bureau Terms and Conditions may be modified at any time by the Credit Bureau(s), and Yardi has no control over these modifications. Yardi will use reasonable efforts to inform Client of such changes, such as by email and/or through an online link, and Client's use of the resident background screening services provided by Yardi will constitute your acceptance of the then-current terms and conditions required by the Credit Bureaus.
3. The following text is added as a new section to the Agreement:
DAMAGE WAIVER (Client and each Credit Bureau only). SEE EXHIBIT 1 (REQUIRED CREDIT BUREAU TERMS AND CONDITIONS).
For the avoidance of any doubt, this Damage Waiver does not modify any such waiver in the Agreement between Yardi and Client, but rather only limits damages that may arise between the Credit Bureaus and Client. This is required by the Credit Bureaus as a condition of using their resident background screening services.
4. The following text is added as a new section to the Agreement:
LIABILITY LIMIT (Client and each Credit Bureau only). SEE EXHIBIT 1 (REQUIRED CREDIT BUREAU TERMS AND CONDITIONS).
For the avoidance of any doubt, this Liability Limit does not modify any such limit in the Agreement between Yardi and Client, but rather only limits liability that may arise between the Credit Bureaus and Client. This is required by the Credit Bureaus as a condition of using the resident background screening services.
5. All other terms and conditions of the Agreement are UNCHANGED and remain in full force and effect.
6. Acknowledged and agreed as of the date the authorized representative of Client, below, executes this Addendum (the "Addendum Effective Date"):
EAGLE COUNTY HOUSING AND DEVELOPMENT
RENTGROW, INC. DBA YARDI RESIDENT SCREENING ("YRS")
Date: (handwritten, illegible)
Print Name: (handwritten, illegible)
Title: (handwritten, illegible)
Phone Number: (handwritten, illegible)
Email: (handwritten, illegible)
IMPORTANT: Please return this executed Addendum to Yardi via email at YRSLegal@yardi.com.
Page 1 of 12
ConflMnpm!
Pmparsaon Date: 2r1212013RU AM
Exhibit 1
Required Credit Bureau Terms and Conditions:
TransUnion
1. End User is a [landlord/property manager] and has a permissible purpose for obtaining consumer reports in accordance with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) including, without limitation, all amendments thereto ("FCRA"). The End User certifies its permissible purpose as:
In connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or
In connection with the underwriting of insurance involving the consumer or review of existing policy holders for insurance underwriting purposes, or in connection with an insurance claim where written permission of the consumer has been obtained; or
In connection with a tenant screening application involving the consumer; or
In accordance with the written instructions of the consumer; or
For a legitimate business need in connection with a business transaction that is initiated by the consumer; or
As a potential investor, servicer or current insurer in connection with a valuation of, or assessment of, the credit or prepayment risks.
2. End User certifies that End User shall use the consumer reports: (a) solely for the Subscriber's certified use(s); and (b) solely for End User's exclusive one-time use. End User shall not request, obtain or use consumer reports for any other purpose including, but not limited to, for the purpose of selling, leasing, renting or otherwise providing information obtained under this Agreement to any other party, whether alone, in conjunction with End User's own data, or otherwise in any service which is derived from the consumer reports. The consumer reports shall be requested by, and disclosed by End User only to, End User's designated and authorized employees having a need to know and only to the extent necessary to enable End User to use the Consumer Reports in accordance with this Agreement. End User shall ensure that such designated and authorized employees shall not attempt to obtain any Consumer Reports on themselves, associates, or any other person except in the exercise of their official duties.
3. End User will maintain copies of all written authorizations for a minimum of five (5) years from the date of inquiry.
4. THE FCRA PROVIDES THAT ANY PERSON WHO KNOWINGLY AND WILLFULLY OBTAINS INFORMATION ON A CONSUMER FROM A CONSUMER
REPORTING AGENCY UNDER FALSE PRETENSES SHALL BE FINED UNDER TITLE 18 OF THE UNITED STATES CODE OR IMPRISONED NOT MORE THAN
TWO YEARS, OR BOTH.
5. End User shall use each Consumer Report only for a one-time use and shall hold the report in strict confidence, and not disclose it to any third parties; provided, however, that End User may, but is not required to, disclose the report to the subject of the report only in connection with an adverse action based on the report. Moreover, unless otherwise explicitly authorized in an agreement between Reseller and its End User for scores obtained from TransUnion, or as explicitly otherwise authorized in advance and in writing by TransUnion through Reseller, End User shall not disclose to consumers or any third party any or all such scores provided under such agreement, unless clearly required by law.
6. With just cause, such as violation of the terms of the End User's contract or a legal requirement, or a material change in existing legal requirements that adversely affects the End User's agreement, Reseller may, upon its election, discontinue serving the End User and cancel the agreement immediately.
For those End Users that wish to receive TransUnion Scores as part of the consumer credit report being delivered, the agreement between Reseller and End User must also contain the following language:
1. End User will request Scores only for End User's exclusive use. End User may store Scores solely for End User's own use in furtherance of End User's original purpose for obtaining Scores. End User shall not use the Scores for model development or model calibration and shall not reverse engineer the Score. All Scores provided hereunder will be held in strict confidence and may never be sold, licensed, copied, reused, disclosed, reproduced, revealed or made accessible, in whole or in part, to any Person except (i) to those employees of End User with a need to know and in the course of their employment; (ii) to those third party processing agents of End User who have executed an agreement that limits the use of the Scores by the third party to the use permitted to End User and contains the prohibitions set forth herein regarding model development, model calibration and reverse engineering; (iii) when accompanied by the corresponding reason codes, to the consumer who is the subject of the Score; or (iv) as required by law.
Equifax
Equifax Information Services LLC ("Equifax")
Equifax Information Services (as defined below) will be received by Property Manager (aka Qualified Subscriber) through CRA (aka Yardi) subject to the following Conditions (the "Terms and Conditions"):
1. Any information services and data originating from Equifax (the "Equifax Information Services" or "Equifax Information") will be requested only for Subscriber's exclusive use and held in strict confidence except to the extent that disclosure to others is required or permitted under the last sentence of this Paragraph. Only designated representatives of Qualified Subscriber will request Equifax Information Services on Qualified Subscriber's employees, and employees are forbidden to obtain consumer reports on themselves, associates or any other persons except in the exercise of their official duties. Qualified Subscriber will not disclose Equifax Information to the subject of the report except as permitted or required by law, but will refer the subject to Equifax.
2. Qualified Subscriber will hold Equifax and all its agents harmless on account of any expense or damage arising or resulting from the publishing or other disclosure of Equifax Information by Qualified Subscriber, its employees or agents contrary to the conditions of Paragraph 1 or applicable law.
3. Recognizing that information for the Equifax Information Services is secured by and through fallible human sources and that, for the fee charged, Equifax cannot be an insurer of the accuracy of the Equifax Information Services, Qualified Subscriber understands that the accuracy of any Equifax Information Service received by Qualified Subscriber is not guaranteed by Equifax, and Qualified Subscriber releases Equifax and its affiliate companies, agents, employees, and independent contractors from liability, even if caused by negligence, in connection with the Equifax Information Services and from any loss or expense suffered by Qualified Subscriber resulting directly or indirectly from Equifax Information.
4. Qualified Subscriber will be charged for the Equifax Information Services by CRA, which is responsible for paying Equifax for the Equifax Information Services.
5. Written notice by either party to the other will terminate these Terms and Conditions effective ten (10) days after the date of that notice, but the obligations and agreements set forth in Paragraphs 1, 2, 3, 5, 7, and 8 herein will remain in force.
6. Qualified Subscriber certifies that it will order Equifax Information Services that are consumer reports, as defined by the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. ("FCRA"), only when Qualified Subscriber intends to use that consumer report information: (a) in accordance with the FCRA and all state law counterparts; and (b) for one of the following permissible purposes: (i) in connection with a credit transaction involving the consumer on whom the consumer report is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; (ii) in connection with the underwriting of insurance involving the consumer; (iii) as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; (iv) when Qualified Subscriber otherwise has a legitimate business need for the information either in connection with a business transaction that is initiated by the consumer, or to review an account to determine whether the consumer continues to meet the terms of the account; or (v) for employment purposes; provided, however, that QUALIFIED SUBSCRIBER IS NOT AUTHORIZED TO REQUEST OR RECEIVE CONSUMER REPORTS FOR EMPLOYMENT PURPOSES UNLESS QUALIFIED SUBSCRIBER HAS AGREED TO THE TERMS AND CONDITIONS OF THE EQUIFAX PERSONA SERVICE. Qualified Subscriber will comply with the applicable provisions of the FCRA, Federal Equal Credit Opportunity Act, Gramm-Leach-Bliley Act and any amendments to them, all state law counterparts of them, and all applicable regulations promulgated under any of them including, without limitation, any provisions requiring adverse action notification to the consumer. Qualified Subscriber will use each consumer report ordered under these Terms and Conditions for one of the foregoing purposes and for no other purpose.
7. It is recognized and understood that the FCRA provides that anyone "who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under Title 18, United States Code, imprisoned for not more than two (2) years, or both." Equifax may periodically conduct audits of Qualified Subscriber regarding its compliance with these Terms and Conditions, including, without limitation, the FCRA, other certifications and security provisions in these Terms and Conditions. Audits will be conducted by mail whenever possible and will require Qualified Subscriber to provide documentation as to permissible use of particular consumer reports. Qualified Subscriber gives its consent to Equifax to conduct such audits and agrees that any failure to cooperate fully and promptly in the conduct of any audit, or Qualified Subscriber's material breach of these Terms and Conditions, constitute grounds for immediate suspension of service or termination of these Terms and Conditions, notwithstanding Paragraph 5 above. If Equifax terminates these Terms and Conditions due to the conditions in the preceding sentence, Qualified Subscriber (i) unconditionally releases and agrees to hold Equifax harmless and indemnify it from and against any and all liabilities of whatever kind or nature that may arise from or relate to such termination, and (ii) covenants it will not assert any claim or cause of action of any kind or nature against Equifax in connection with such termination.
8. California Law Certification. Qualified Subscriber will refer to Exhibit 1-A in making the following certification, and Qualified Subscriber agrees to comply with all applicable provisions of the California Credit Reporting Agencies Act.
(QUALIFIED SUBSCRIBER'S AUTHORIZED REPRESENTATIVE MUST PLACE HIS/HER INITIALS NEXT TO THE APPLICABLE SPACE BELOW)
1. Do you, Qualified Subscriber, certify you are a "retail seller," as defined in Section 1802.3 of the California Civil Code and referenced in Exhibit 1-A?
yes
X no (initials appear below)
2. Do you, Qualified Subscriber, issue credit to consumers who appear in person on the basis of an application for credit submitted in person?
yes
X no (initials appear below)
9. Vermont Certification. Qualified Subscriber certifies that it will comply with applicable provisions under Vermont law. In particular, Qualified Subscriber certifies that it will order information services relating to Vermont residents that are credit reports as defined by the Vermont Fair Credit Reporting Act ("VFCRA"), only after Qualified Subscriber has received prior consumer consent in accordance with VFCRA Section 2480e and applicable Vermont Rules. Qualified Subscriber further certifies that the attached copy of Section 2480e (Exhibit 1-B) of the Vermont Fair Credit Reporting Statute was received from Equifax.
10. Data Security.
10.1. This Paragraph 10 applies to any means through which Qualified Subscriber orders or accesses the Equifax Information Services including, without limitation, system-to-system, personal computer or the Internet.
For the purposes of this Paragraph 10, the term "Authorized User" means a Qualified Subscriber employee that Qualified Subscriber has authorized to order or access the Equifax Information Services and who is trained on Qualified Subscriber's obligations under these Terms and Conditions with respect to the ordering and use of the Equifax Information Services including Qualified Subscriber's FCRA and other obligations with respect to the access and use of consumer reports.
10.2. Qualified Subscriber will, with respect to handling Equifax Information:
(a) ensure that only Authorized Users can order or have access to the Equifax Credit Information;
(b) ensure that Authorized Users do not order consumer reports for personal reasons or provide them to any third party except as permitted by this Agreement;
(c) inform Authorized Users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment;
(d) ensure that all devices used by Qualified Subscriber to order or access the Equifax Credit Information are placed in a secure location and accessible only by Authorized Users, and that such devices are secured when not in use, through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures;
(e) take all necessary measures to prevent unauthorized ordering of or access to the Equifax Credit Information by any person other than an Authorized User for permissible purposes, including, without limitation, limiting the knowledge of the Qualified Subscriber security codes, member numbers, User IDs, and any passwords Qualified Subscriber may use (collectively, "Security Information"), to those individuals with a need to know. In addition, the User IDs must be unique to each person, and the sharing of User IDs or passwords is prohibited;
(f) change Qualified Subscriber's user passwords at least every ninety (90) days, or sooner if an Authorized User is no longer responsible for accessing the Equifax Credit Information, or if Qualified Subscriber suspects an unauthorized person has learned the password. Additionally, perform at least quarterly entitlement reviews to recertify and validate Authorized Users' access privileges;
(g) adhere to all security features in the software and hardware Qualified Subscriber uses to order or access the Equifax Credit Information, including the use of IP restriction;
(h) implement secure authentication practices when providing User ID and passwords to Authorized Users, including but not limited to using individually assigned email addresses and not shared email accounts;
(i) in no event access the Equifax Credit Information via any hand-held wireless communication device, including, but not limited to, web enabled cell phones, interactive wireless pagers, personal digital assistants (PDAs), mobile data terminals and portable data terminals;
(j) not use non-company owned assets such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs and DVDs) to store the Equifax Credit Information. In addition, Equifax Credit Information must be encrypted when it is not in use and all printed Equifax Credit Information must be stored in a secure, locked container when not in use and must be completely destroyed when no longer needed by cross-cut shredding machines (or other equally effective destruction method) such that the results are not readable or useable for any purpose;
(k) if Qualified Subscriber sends, transfers or ships any Equifax Credit Information, encrypt the Equifax Credit Information using minimum standards of Advanced Encryption Standard (AES), minimum 128-bit key, or Triple Data Encryption Standard (3DES), minimum 168-bit key, encryption algorithms, which standards may be modified from time to time by Equifax;
(l) not ship hardware or software between Qualified Subscriber's locations or to third parties without deleting all Security Information and any consumer information;
(m) monitor compliance with the obligations of this Section 6, and immediately notify Equifax if Qualified Subscriber suspects or knows of any unauthorized access or attempt to access the Equifax Credit Information, including, without limitation, a review of each Equifax invoice for the purpose of detecting any unauthorized activity;
(n) if, subject to Equifax approval, Qualified Subscriber uses a service provider to establish access to the Equifax Credit Information, be responsible for the service provider's use of Security Information, and ensure the service provider safeguards such Security Information through the use of security requirements that are no less stringent than those applicable to Qualified Subscriber under this Section 10;
(o) use commercially reasonable efforts to assure data security when disposing of any consumer report information or record obtained from Equifax. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of Qualified Subscriber's activities (e.g. the Federal Trade Commission, the applicable banking or credit union regulator) applicable to the disposal of consumer report information or records;
(p) use commercially reasonable efforts to secure Equifax Credit Information when stored on servers, subject to the following requirements: (i) servers storing Equifax Credit Information must be separated from the Internet or other public networks by firewalls which are managed and configured to meet industry accepted best practices, (ii) protect Equifax Credit Information through multiple layers of network security, including but not limited to industry-recognized firewalls, routers, and intrusion detection/prevention devices (IDS/IPS), (iii) secure access (both physical and network) to systems storing Equifax Credit Information, which must include authentication and passwords that are changed at least every ninety (90) days, and (iv) all servers must be kept current and patched on a timely basis with appropriate security-specific system patches, as they are available;
(q) not allow Equifax information to be displayed via the Internet unless utilizing, at a minimum, a three-tier architecture configured in accordance with industry best practices;
(r) use commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review;
(s) provide immediate notification to Equifax of any change in address or office location and be subject to an onsite visit of the new location by Equifax or its designated representative; and
(t) in the event Qualified Subscriber has a security incident involving Equifax Credit Information, Qualified Subscriber will fully cooperate with Equifax in a security assessment process and promptly remediate any finding.
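As an added example (not part of the Addendum, nor any tooling of Yardi or the Credit Bureaus), the following Python checker evaluates a constructed set of Authorized User records against the measurable thresholds in Paragraph 10.2 above: unique User IDs (e), 90-day password rotation and quarterly entitlement reviews (f), AES-128 / 3DES-168 minimum for transferred data (k), and a three-month audit trail (r). The record layout, user names and dates are assumptions made for the example.

```python
"""Checker for the measurable Paragraph 10.2 access-control requirements.

Constructed example: the records below are made up. The thresholds come from
the Terms and Conditions text: 90-day password rotation, quarterly entitlement
reviews, AES-128 / 3DES-168 minimum for shipped data, 3-month audit trail.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PASSWORD_MAX_AGE_DAYS = 90         # 10.2(f) and 10.2(p)(iii)
ENTITLEMENT_REVIEW_MAX_DAYS = 92   # 10.2(f): "at least quarterly" (assumed as 92 days)
AUDIT_TRAIL_MIN_DAYS = 90          # 10.2(r): "at least three (3) months"
MIN_KEY_BITS = {"AES": 128, "3DES": 168}  # 10.2(k)
LETTER_DATE = date(2015, 2, 12)    # date of the cover letter, used as "today"


@dataclass
class AuthorizedUser:
    user_id: str
    owner: str                  # natural person the ID is assigned to
    password_changed: date
    active: bool = True         # still responsible for accessing the data?


@dataclass
class SubscriberConfig:
    users: list
    last_entitlement_review: date
    audit_retention_days: int
    transfer_cipher: str        # cipher used when data is sent or shipped
    transfer_key_bits: int


def check_access_controls(cfg: SubscriberConfig, today: date) -> list:
    """Return (clause, detail) findings; an empty list means no gap found."""
    findings = []

    # 10.2(e): one User ID per person; a shared ID is a finding.
    owners_by_id = {}
    for u in cfg.users:
        owners_by_id.setdefault(u.user_id, set()).add(u.owner)
    for uid, owners in owners_by_id.items():
        if len(owners) > 1:
            findings.append(("10.2(e)", f"user ID {uid} shared by {sorted(owners)}"))

    # 10.2(f): rotate within 90 days, or at once when the user no longer needs access.
    for u in cfg.users:
        age = (today - u.password_changed).days
        if not u.active:
            findings.append(("10.2(f)", f"{u.user_id} no longer active; rotate password now"))
        elif age > PASSWORD_MAX_AGE_DAYS:
            findings.append(("10.2(f)", f"{u.user_id} password is {age} days old"))

    # 10.2(f): quarterly entitlement review.
    review_age = (today - cfg.last_entitlement_review).days
    if review_age > ENTITLEMENT_REVIEW_MAX_DAYS:
        findings.append(("10.2(f)", f"entitlement review is {review_age} days old"))

    # 10.2(k): minimum cipher strength for data that is sent, transferred or shipped.
    required = MIN_KEY_BITS.get(cfg.transfer_cipher)
    if required is None:
        findings.append(("10.2(k)", f"cipher {cfg.transfer_cipher} is neither AES nor 3DES"))
    elif cfg.transfer_key_bits < required:
        findings.append(("10.2(k)", f"{cfg.transfer_cipher}-{cfg.transfer_key_bits} is below the {required}-bit minimum"))

    # 10.2(r): audit trail kept for at least three months.
    if cfg.audit_retention_days < AUDIT_TRAIL_MIN_DAYS:
        findings.append(("10.2(r)", f"audit trail kept only {cfg.audit_retention_days} days"))

    return findings


def sample_config() -> SubscriberConfig:
    """Constructed sample: one clean user plus several deliberate gaps."""
    base = LETTER_DATE
    return SubscriberConfig(
        users=[
            AuthorizedUser("ech-jdoe", "J. Doe", base - timedelta(days=30)),
            AuthorizedUser("ech-asmith", "A. Smith", base - timedelta(days=120)),
            AuthorizedUser("ech-shared", "B. Lee", base - timedelta(days=10)),
            AuthorizedUser("ech-shared", "C. Kim", base - timedelta(days=10)),
            AuthorizedUser("ech-former", "D. Ng", base - timedelta(days=5), active=False),
        ],
        last_entitlement_review=base - timedelta(days=200),
        audit_retention_days=60,
        transfer_cipher="3DES",
        transfer_key_bits=112,
    )


def run_sample() -> list:
    """Findings for the constructed sample as of the letter date (six expected)."""
    return check_access_controls(sample_config(), LETTER_DATE)


if __name__ == "__main__":
    for clause, detail in run_sample():
        print(clause, detail)
```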
11. These Terms and Conditions will be governed by and construed in accordance with the laws of the State of Georgia, without giving effect to its conflicts of laws provisions. These Terms and Conditions constitute the entire agreement of the parties with respect to Qualified Subscriber receiving Equifax Information Services and no changes in these Terms and Conditions may be made except in writing by an officer of Equifax.
X Qualified Subscriber has read and understands these Terms and Conditions. (Initials appear below)
Qualified Subscriber has read the attached Exhibit 1-C "Notice to Users of Consumer Reports: Obligations of Users" which explains Qualified Subscriber's obligations under the FCRA as a user of consumer report information. (Initials appear below)
California Retail Seller
Provisions of the California Consumer Credit Reporting Agencies Act, as amended effective July 1, 1998, will impact the provision of consumer reports to Qualified Subscriber under the following circumstances: (a) if Qualified Subscriber is a "retail seller" (defined in part by California law as "a person engaged in the business of selling goods or services to retail buyers") and is selling to a "retail buyer" (defined as "a person who buys goods or obtains services from a retail seller in a retail installment sale and not principally for the purpose of resale") and a consumer about whom Qualified Subscriber is inquiring is applying, (b) in person, and (c) for credit. Under the foregoing circumstances, Equifax, before delivering a consumer report to Qualified Subscriber, must match at least three (3) items of a consumer's identification within the file maintained by Equifax with the information provided to Equifax by Qualified Subscriber in connection with the in-person credit transaction. Compliance with this law further includes Qualified Subscriber's inspection of the photo identification of each consumer who applies for in-person credit, mailing extensions of credit to consumers responding to a mail solicitation at specified addresses, taking special actions regarding a consumer's presentment of a police report regarding fraud, and acknowledging consumer demands for reinvestigations within certain time frames.
If Qualified Subscriber designated in Paragraph 8 of the Terms and Conditions that it is a "retail seller," Qualified Subscriber certifies that it will instruct its employees to inspect a photo identification of the consumer at the time an application is submitted in person. If Qualified Subscriber is not currently, but subsequently becomes, a "retail seller," Qualified Subscriber agrees to provide written notice to Equifax prior to ordering credit reports in connection with an in-person credit transaction, and agrees to comply with the requirements of the California law as outlined in this Exhibit, and with the specific certifications set forth herein.
Qualified Subscriber certifies that, as a "retail seller," it will either (a) acquire a new Qualified Subscriber number for use in processing consumer report inquiries that result from in-person credit applications covered by California law, with the understanding that all inquiries using this new Qualified Subscriber number will require that Qualified Subscriber supply at least three items of identifying information from the applicant; or (b) contact Qualified Subscriber's Equifax sales representative to ensure that Qualified Subscriber's existing number is properly coded for these transactions.
Vermont Fair Credit Reporting Contract Certification
The undersigned ("Qualified Subscriber") acknowledges that it subscribes to receive various information services from Equifax Information Services LLC ("Equifax") in accordance with the Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999), as amended (the "VFCRA") and the Federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as amended (the "FCRA") and its other state law counterparts. In connection with Qualified Subscriber's continued use of Equifax Information Services in relation to Vermont consumers, Qualified Subscriber hereby certifies as follows:
Vermont Certification. Qualified Subscriber certifies that it will comply with applicable provisions under Vermont law. In particular, Qualified Subscriber certifies that it will order information services relating to Vermont residents that are credit reports as defined by the VFCRA, only after Qualified Subscriber has received prior consumer consent in accordance with VFCRA § 2480e and applicable Vermont Rules. Qualified Subscriber further certifies that the attached copy of § 2480e of the Vermont Fair Credit Reporting Statute was received from Equifax. Qualified Subscriber: (please print)
Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999)
§ 2480e. Consumer consent
(a) A person shall not obtain the credit report of a consumer unless:
(1) the report is obtained in response to the order of a court having jurisdiction to issue such an order; or
(2) the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer.
(b) Credit reporting agencies shall adopt reasonable procedures to assure maximum possible compliance with subsection (a) of this section.
(c) Nothing in this section shall be construed to affect:
(1) the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and
(2) the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Federal Trade Commission.
AGENCY 06. OFFICE OF THE ATTORNEY GENERAL
SUB-AGENCY 031. CONSUMER PROTECTION DIVISION
CHAPTER 012. Consumer Fraud—Fair Credit Reporting
RULE CF 112. FAIR CREDIT REPORTING
CVR 06031-012, CF 112.03 (1999)
CF 112.03 CONSUMER CONSENT
(a) A person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction.
(b) Consumer consent required pursuant to 9 V.S.A. §§ 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicates his or her consent by providing his or her signature.
(c) The fact that a clear and adequate written consent form is signed by the consumer after the consumer's credit report has been obtained pursuant to some other form of consent shall not affect the validity of the earlier consent.
Confidential
Exhibit 1
Required Credit Bureau Terms and Conditions: Experian
Access Security Requirements for FCRA and GLB 5A Data
The following information security controls are required to reduce unauthorized access to consumer information. It is your (the company provided access to Experian systems or data, referred to as the "Company") responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you. Experian reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security.
In accessing Experian's services, Company agrees to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Experian data:
1. Implement Strong Access Control Measures
1.1 All credentials such as Subscriber Code number, Subscriber Code passwords, user names/identifiers (user IDs) and user passwords must be kept confidential and must not be disclosed to an unauthorized party. No one from Experian will ever contact you and request your credentials.
1.2 If using a third party or proprietary system to access Experian's systems, ensure that access is preceded by authenticating users to the application and/or system (e.g. application-based authentication, Active Directory, etc.) utilized for accessing Experian data/systems.
1.3 If the third party or third party software or proprietary system or software used to access Experian data/systems is replaced or no longer in use, the passwords should be changed immediately.
1.4 Create a unique user ID for each user to enable individual authentication and accountability for access to Experian's infrastructure. Each user of the system access software must also have a unique logon password.
1.5 User IDs and passwords shall only be assigned to authorized individuals based on the least privilege necessary to perform job responsibilities.
1.6 User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.
1.7 Develop strong passwords that are:
• Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)
• Contain a minimum of seven (7) alphanumeric characters for standard user accounts
• For interactive sessions (i.e. non system-to-system) ensure that passwords/passphrases are changed periodically (every 90 days is recommended)
1.8 Passwords (e.g. subscriber code passwords, user passwords) must be changed immediately when:
• Any system access software is replaced by another system access software or is no longer used
• The hardware on which the software resides is upgraded, changed or disposed
• There is any suspicion of a password being disclosed to an unauthorized party (see section 4.3 for reporting requirements)
1.9 Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm, also known as "one-way" encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).
1.10 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.
1.11 Active logins to credit information systems must be configured with a 30 minute inactive session timeout.
1.12 Ensure that personnel who are authorized access to credit information have a business need to access such information and understand that these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
1.13 Company must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store Experian data.
1.14 Ensure that Company employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
1.15 Implement a process to terminate access rights immediately for users who access Experian credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
1.16 Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.
1.17 Implement a process to periodically review user activities and account usage; ensure the user activities are consistent with the individual's job responsibility and business need, and in line with contractual obligations.
1.18 Implement physical security controls to prevent unauthorized entry to Company's facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.
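Items 1.7 and 1.9 above state the password rules but not how an application would enforce them. The Python below is an added example and is not code from Experian, Yardi Resident Screening or this agreement: it checks a candidate password against the 1.7 rules (at least seven alphanumeric characters; does not contain the user's name or the company name; no repeating or consecutive runs of characters) and then stores it as a salted one-way hash, which 1.9 accepts in place of clear text. The three-character run length used to define "repeating" and "consecutive", the PBKDF2 iteration count, and the sample names and passwords are the example's own assumptions, not values taken from the document.

```python
"""Password controls from Experian items 1.7 and 1.9 (added example, not from the document)."""
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional

MIN_ALNUM = 7                # item 1.7: at least seven alphanumeric characters
RUN_LENGTH = 3               # assumption: three identical or sequential chars count as a run
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def has_repeated_run(s: str, length: int = RUN_LENGTH) -> bool:
    """True if any character appears `length` or more times in a row (e.g. 'aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), s) is not None


def has_sequential_run(s: str, length: int = RUN_LENGTH) -> bool:
    """True if `length` consecutive characters step by +1 or -1 (e.g. 'abc', '123', '321')."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, known_words: Iterable[str] = ()) -> List[str]:
    """Return the 1.7 rules the password violates; an empty list means it passes.

    `known_words` holds strings the password must not contain, such as the
    user's own name and the company name.
    """
    problems = []
    if sum(c.isalnum() for c in password) < MIN_ALNUM:
        problems.append("fewer than %d alphanumeric characters" % MIN_ALNUM)
    lowered = password.lower()
    for word in known_words:
        if word and word.lower() in lowered:
            problems.append("contains guessable word %r" % word)
    if has_repeated_run(password):
        problems.append("contains repeating characters")
    if has_sequential_run(password):
        problems.append("contains consecutive characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted PBKDF2-HMAC-SHA256 digest, never in clear text (item 1.9).

    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample inputs; the names and passwords are hypothetical.
    for candidate in ("Eagle2015", "abc1234", "aaa9xq", "Tr4nq-R9vLm"):
        print(candidate, "->", check_password(candidate, known_words=["Eagle", "Murray"]) or "ok")
    record = hash_password("Tr4nq-R9vLm")
    print(record)
    print(verify_password("Tr4nq-R9vLm", record), verify_password("wrong", record))
```

The check deliberately reports every rule a password breaks rather than stopping at the first, so a user sees the complete reason for a rejection. The verifier compares digests with `hmac.compare_digest` so that a mismatch takes the same time regardless of where the first differing byte falls.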
2. Maintain a Vulnerability Management Plan
2.1 Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for computer virus detection scanning services and procedures:
• Use, implement and maintain current, commercially available anti-virus software on all systems, if applicable anti-virus technology exists. Anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
• Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
• If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
3. Protect Data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).
3.2 Experian data is classified Confidential and must be secured in accordance with the requirements mentioned in this document at a minimum.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
3.4 Encrypt all Experian data and information when stored electronically on any system, including but not limited to laptops, tablets, personal computers, servers and databases, using strong encryption such as AES 256 or above.
3.5 Experian data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.
3.6 When using smart tablets or smart phones to access Experian data, ensure that such devices are protected via device pass-code.
3.7 Applications utilized to access Experian data via smart tablets or smart phones must protect data while in transmission, such as by SSL protection and/or use of VPN, etc.
3.8 Only open email attachments and links from trusted sources and after verifying legitimacy.
3.9 When no longer in use, ensure that hard-copy materials containing Experian data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
3.10 When no longer in use, electronic media containing Experian data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
4. Maintain an Information Security Policy
4.1 Develop and follow a security plan to protect the confidentiality and integrity of personal consumer information as required under the GLB Safeguards Rule.
4.2 Suitable to the complexity and size of the organization, establish and publish information security and acceptable use policies identifying user responsibilities and addressing requirements in line with this document and applicable rules and regulations.
4.3 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe Experian data may have been compromised, immediately notify Experian within twenty-four (24) hours or per agreed contractual notification timeline (see also Section 8).
4.4 The FACTA Disposal Rules require that Company implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
4.5 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the organization.
4.6 When using third party service providers (e.g. application service providers) to access, transmit, store or process Experian data, ensure that the service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program and registered in Experian's list of compliant service providers. If the service provider is in the process of becoming compliant, it is Company's responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.
5. Build and Maintain a Secure Network
5.1 Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to firewalls and servers must be performed through a secure internal wired connection only.
5.4 Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
5.5 Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.
5.6 For wireless networks connected to or used for accessing or transmission of Experian data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.
5.7 When using service providers (e.g. software providers) to access Experian systems, access to third party tools/services must require multi-factor authentication.
6. Regularly Monitor and Test Networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.).
6.2 Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Experian data; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on a daily or weekly basis and that follow-up to exceptions is required.
6.3 Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
• protecting against intrusions;
• securing the computer systems and network devices;
• and protecting against intrusions of operating systems or software.
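Item 6.2 calls for audit trails that link every access to a user ID and for a daily or weekly log review with follow-up on exceptions; items 1.15 and 1.16 require terminated users to lose access immediately and accounts to be reviewed periodically; and item 8.6 requires the originating client IP on requests. The Python below is an added example of such a review and is not code from Experian, Yardi Resident Screening or this agreement. It reads a constructed audit log from a screening application and a constructed user roster of the kind a Security Designate maintains (the user IDs, timestamps and IP addresses are hypothetical) and reports report pulls by unknown or terminated users, pulls logged without a client IP, and active accounts with no activity inside the review window. The log format, the 90-day inactivity window and the review date are assumptions of the example.

```python
"""Audit-trail review for items 1.15, 1.16, 6.2 and 8.6 (added example, not from the document)."""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit log from the screening application; user IDs and IPs are hypothetical.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,event,client_ip
2015-02-02T09:14:05,jdoe,REPORT_PULL,10.20.30.41
2015-02-02T09:20:11,asmith,REPORT_PULL,10.20.30.42
2015-02-03T16:45:30,bgone,REPORT_PULL,10.20.30.43
2015-02-05T11:02:00,jdoe,REPORT_PULL,
2015-02-09T08:30:00,ghost,REPORT_PULL,10.20.30.44
"""

# Constructed roster as the Security Designate would maintain it (hypothetical users).
SAMPLE_ROSTER = {
    "jdoe":   {"status": "active"},
    "asmith": {"status": "active"},
    "bgone":  {"status": "terminated", "terminated_on": "2015-01-31"},
    "rquiet": {"status": "active"},
}


def review_audit_trail(log_text: str, roster: Dict[str, dict], review_date: str,
                       inactivity_days: int = 90) -> Dict[str, List]:
    """Review one audit log against the roster and return findings by category.

    unauthorized: report pulls by a user ID that is not on the roster at all
    terminated:   report pulls by a user whose roster status is 'terminated' (item 1.15)
    missing_ip:   report pulls logged without the originating client IP (item 8.6)
    inactive:     active roster accounts with no logged activity in the window (item 1.16)
    """
    findings = {"unauthorized": [], "terminated": [], "missing_ip": [], "inactive": []}
    last_seen = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        uid = row["user_id"]
        # Any logged event counts as activity for the inactivity check.
        last_seen[uid] = max(last_seen.get(uid, when), when)
        if row["event"] != "REPORT_PULL":
            continue
        entry = roster.get(uid)
        if entry is None:
            findings["unauthorized"].append((row["timestamp"], uid))
        elif entry["status"] == "terminated":
            findings["terminated"].append((row["timestamp"], uid))
        if not row["client_ip"]:
            findings["missing_ip"].append((row["timestamp"], uid))
    cutoff = datetime.fromisoformat(review_date) - timedelta(days=inactivity_days)
    for uid, entry in roster.items():
        if entry["status"] == "active" and last_seen.get(uid, datetime.min) < cutoff:
            findings["inactive"].append(uid)
    return findings


if __name__ == "__main__":
    for category, items in review_audit_trail(SAMPLE_AUDIT_LOG, SAMPLE_ROSTER, "2015-02-12").items():
        print(category, items)
```

Each finding carries the timestamp and user ID so the reviewer can follow up on the exception as 6.2 requires; a pull by a terminated user is the case that shows 1.15 was not carried out, and an account that has gone quiet is a candidate for the Security Designate to disable.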
7. Mobile and Cloud Technology
7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply.
7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and the OWASP Mobile Security Project, adhering to common controls and addressing top risks.
7.3 Mobile applications development processes must follow a secure software assessment methodology which includes appropriate application security testing (for example: static analysis, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
7.4 Mobility solution servers/systems should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIST, NSA, DISA and/or other.
7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device.
7.6 In case of non-consumer access, that is commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to the application.
7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that:
• Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations;
• Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian:
ISO 27001
PCI DSS
EI3PA
SSAE 16 — SOC 2 or SOC 3
FISMA
CAI/CCM assessment
8. General
8.1 Experian may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices.
8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to Experian upon request audit trail information and management reports generated by the vendor software regarding Company's individual Authorized Users.
8.3 Company shall be responsible for and ensure that third party software which accesses Experian information systems is secure, and shall protect this vendor software against unauthorized modification, copying and placement on systems which have not been authorized for its use.
8.4 Company shall conduct software development (for software which accesses Experian information systems this applies to both in-house and outsourced software development) based on the following requirements:
8.4.1 Software development must follow industry known secure software development standard practices such as OWASP, adhering to common controls and addressing top risks.
8.4.2 Software development processes must follow a secure software assessment methodology which includes appropriate application security testing (for example: static analysis, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
8.4.3 Software solution servers/systems should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIST, NSA, DISA and/or other.
8.5 Reasonable access to audit trail reports of systems utilized to access Experian systems shall be made available to Experian upon request, for example during a breach investigation or while performing audits.
8.6 Data requests from Company to Experian must include the IP address of the device from which the request originated (i.e., the requesting client's IP address), where applicable.
8.7 Company shall report actual security violations or incidents that impact Experian to Experian within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to Experian of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at 800-295-4305. Email notification will be sent to rul°t ram ti,c = ox net r c era .
8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company's obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to Experian services, systems, or data, and (d) will abide by the provisions of these requirements when accessing Experian data.
8.9 Company understands that its use of Experian networking and computing resources may be monitored and audited by Experian, without further notice.
8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/Authorized Users, and for assuring that mechanisms to access Experian services or data are secure and in compliance with its membership agreement.
8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by Experian.
Record Retention: The federal Equal Credit Opportunity Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, the credit reporting agency requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a consumer complaint that your company impermissibly accessed their credit report, Experian will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract.
Under Section 621(a)(2)(A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.
Internet Delivery Security Requirements
In addition to the above, the following requirements apply where Company and their employees or an authorized agent(s) acting on behalf of the Company are provided access to Experian provided services via the Internet ("Internet Access").
General Requirements
1. The Company shall designate in writing an employee to be its Head Security Designate, to act as the primary interface with Experian on systems access related matters. The Company's Head Security Designate will be responsible for establishing, administering and monitoring all Company employees' access to Experian provided services which are delivered over the Internet ("Internet access"), or approving and establishing Security Designates to perform such functions.
2. The Company's Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each Experian product based upon the legitimate business needs of each employee. Experian shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by Experian. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). Experian's approval of requests for (Internet) access may be granted or withheld in its sole discretion. Experian may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.
4. An officer in the Company agrees to notify Experian in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.
Roles and Responsibilities
1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with Experian on systems access and related matters. This individual shall be identified as the "Head Security Designate". The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with Experian on information and product access, in accordance with these Experian Access Security Requirements. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company's duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company's Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to Experian's systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to Experian immediately.
2. As a Client to Experian's products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company.
3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to Experian product access control (e.g. requests to add/change/remove access). The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with Experian's Security Administration group on information and product access matters.
4. The Head Security Designate shall be responsible for notifying their corresponding Experian representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.
Security Designate
1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company's Authorized Users.
2. Is responsible for the initial and on-going authentication and validation of Company's Authorized Users and must maintain current information about each (phone number, valid email address, etc.).
3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized Users' job responsibilities.
4. Is responsible for ensuring that Company's Authorized Users are authorized to access Experian products and services.
5. Must disable an Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company.
6. Must immediately report any suspicious or questionable activity to Experian regarding access to Experian's products and services.
7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to Experian.
8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.
9. Shall be available to interact with Experian when needed on any system or user related matters.
Glossary
Computer Virus: A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying.
Confidential: Very sensitive information. Disclosure could adversely impact your company.
Encryption: Encryption is the process of obscuring information to make it unreadable without special knowledge.
Firewall: In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.
Information Lifecycle: (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained.
IP Address: A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). Any participating network device, including routers, computers, time-servers, printers, Internet fax machines, and some telephones, must have its own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices.
Peer-to-Peer: A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission.
Router: A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets.
Spyware: Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the Internet.
Subscriber Code: Your seven digit credit reporting agency account number.
Experian Independent Third Party Assessment Program: The Experian Independent 3rd Party Assessment is an annual assessment of an Experian Reseller's ability to protect the information they purchase from Experian. EI3PA requires an evaluation of a Reseller's information security by an independent assessor, based on requirements provided by Experian. EI3PA also establishes quarterly scans of networks for vulnerabilities.
ISO 27001/27002: ISO 27001 is the specification for an ISMS, an Information Security Management System (it replaced the old BS7799-2 standard). The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
SSAE 16, SOC 2, SOC 3: Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 2 Report on Controls Related to Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 3 Report, just like SOC 2, is based upon the same controls as SOC 2, the difference being that a SOC 3 Report does not detail the testing performed (it is meant to be used as marketing material).
FISMA: The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
CAI/CCM: The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
End User Responsibilities under the FCRA
All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau's website, www.consumerfinance.gov/learnmore.
NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA
The Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Consumer Financial Protection Bureau's (CFPB) website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the Bureau's website. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.
The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of
reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. N you are a furnisher of Information to a
consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA describing your duties as a furnisher.
I. Obligations of All Users of Consumer Reports
A. Users Must Have a Permissible Purpose
Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:
• As ordered by a court or federal grand jury subpoena. Section 604(a)(1)
• As instructed by the consumer in writing. Section 604(a)(2)
• For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account. Section 604(a)(3)(A)
• For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)
• For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
• When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
• To review a consumer's account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
• To determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status. Section 604(a)(3)(D)
• For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
• For use by state or local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5).
In addition, creditors and insurers may obtain certain consumer report information for the purpose of making "prescreened" unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of "prescreened" information are described in Section VII below.
B. Users Must Provide Certifications
Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.
C. Users Must Notify Consumers When Adverse Actions Are Taken
The term "adverse action" is defined very broadly by Section 603. "Adverse actions" include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
1. Adverse Actions Based on Information Obtained From a CRA
If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:
• The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.
• A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.
• A statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the CRA if the consumer makes a request within 60 days.
• A statement setting forth the consumer's right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.
2. Adverse Actions Based on Information Obtained from Third Parties Who Are Not Consumer Reporting Agencies
If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer's written request.
3. Adverse Actions Based on Information Obtained From Affiliates
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.
D. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files
When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer. In the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer's alert.
E. Users Have Obligations When Notified of an Address Discrepancy
Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer's file. When this occurs, users must comply with regulations specifying the procedures to be followed. Federal regulations are available at www.consumerfinance.gov/learnmore.
F. Users Have Obligations When Disposing of Records
Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. Federal regulations have been issued that cover disposal.
II. Creditors Must Make Additional Disclosures
If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the Consumer Financial Protection Bureau. Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one to four units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) ("Notice to the Home Loan Applicant").
III. Obligations of Users When Consumer Reports Are Obtained for Employment Purposes
A. Employment Other Than in the Trucking Industry
If information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:
• Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.
• Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.
• Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer's rights will be provided to the consumer.
• Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of the consumer's rights. (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken. An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2).
The procedures for investigative consumer reports and employee misconduct investigations are set forth below.
B. Employment in the Trucking Industry
Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.
IV. Obligations When Investigative Consumer Reports Are Used
Investigative consumer reports are a special type of consumer report in which information about a consumer's character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subject of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:
• The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)
• The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure below.
• Upon written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed, or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.
V. Special Procedures for Employee Investigations
Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.
VI. Obligations of Users of Medical Information
Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes - or in connection with a credit transaction (except as provided in federal regulations) - the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order).
VII. Obligations of Users of "Prescreened" Lists
The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(l), 604(c), 604(e), and 615(d). This practice is known as "prescreening" and typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:
• Information contained in a consumer's CRA file was used in connection with the transaction.
• The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.
• Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral.
• The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. This statement must include the address and the toll-free telephone number of the appropriate notification system.
In addition, the CFPB has established the format, type size, and manner of the disclosure required by Section 615(d), with which users must comply. The relevant regulation is 12 CFR 1022.54.
VIII. Obligations of Resellers
A. Disclosure and Certification Requirements
Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:
• Disclose the identity of the end-user to the source CRA.
• Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.
• Establish and follow reasonable procedures to ensure that reports are resold only for permissible purposes, including procedures to obtain:
1) the identity of all end-users;
2) certifications from all users of each purpose for which reports will be used; and
3) certifications that reports will not be used for any purpose other than the purpose(s) specified to the reseller. Resellers must make reasonable efforts to verify this information before selling the report.
B. Reinvestigations by Resellers
Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to the consumer.
C. Fraud Alerts and Resellers
Section 605A(f) requires resellers who receive fraud alerts or active duty alerts from another consumer reporting agency to include these in their reports.
IX. Liability for Violations of the FCRA
Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619. The CFPB's website, www.consumerfinance.gov/learnmore, has more information about the FCRA, including publications for businesses and the full text of the FCRA.
Citations for the FCRA sections in the U.S. Code, 15 U.S.C. § 1681 et seq.:
Section 602: 15 U.S.C. 1681
Section 603: 15 U.S.C. 1681a
Section 604: 15 U.S.C. 1681b
Section 605: 15 U.S.C. 1681c
Section 605A: 15 U.S.C. 1681cA
Section 605B: 15 U.S.C. 1681cB
Section 606: 15 U.S.C. 1681d
Section 607: 15 U.S.C. 1681e
Section 608: 15 U.S.C. 1681f
Section 609: 15 U.S.C. 1681g
Section 610: 15 U.S.C. 1681h
Section 611: 15 U.S.C. 1681i
Section 612: 15 U.S.C. 1681j
Section 613: 15 U.S.C. 1681k
Section 614: 15 U.S.C. 1681l
Section 615: 15 U.S.C. 1681m
Section 616: 15 U.S.C. 1681n
Section 617: 15 U.S.C. 1681o
Section 618: 15 U.S.C. 1681p
Section 619: 15 U.S.C. 1681q
Section 620: 15 U.S.C. 1681r
Section 621: 15 U.S.C. 1681s
Section 622: 15 U.S.C. 1681s-1
Section 623: 15 U.S.C. 1681s-2
Section 624: 15 U.S.C. 1681t
Section 625: 15 U.S.C. 1681u
Section 626: 15 U.S.C. 1681v
Section 627: 15 U.S.C. 1681w
Section 628: 15 U.S.C. 1681x
Section 629: 15 U.S.C. 1681y
X. Limited Access and Use of Information Obtained from the Social Security Administration's Database of Deceased Persons
The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the Death Master File ("DMF"). Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As many credit bureau services contain information from the DMF, it is essential to restrict the use of deceased flags or similar indicia to legitimate fraud prevention or business purposes in compliance with applicable laws, rules and regulations and consistent with applicable Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use.
You acknowledge you will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other similar indicia within the services provided by the credit bureaus.