(Last updated 02/06/2025)
This Policy applies to all employees of Crash Champions (the “Company”) who, in the course of performing their regular job responsibilities, are involved in the collection, use, handling, safeguarding, storage, retention, or destruction of Biometric Identifiers or Biometric Data (collectively, “Biometric Information”).
The Company recognizes the need to maintain the confidentiality of Biometric Information and understands that such information is unique to each individual. This Policy describes the Company’s requirements for the collection, use, disclosure, security, storage and destruction of Biometric Information throughout the Company, both on and off work premises.
For purposes of this Policy, the following definitions shall apply:
A. “Biometric Identifier” means data generated by the technological processing, measurement, or analysis of an employee’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. "Biometric Identifier" includes, for example:
1. A fingerprint;
2. A scan of hand geometry;
3. A voiceprint;
4. A scan or record of an eye retina or iris;
5. A facial map, facial geometry, or facial template; or
6. Other unique biological, physical, or behavioral patterns or characteristics.
Biometric Identifiers do not include, for example, photographs, demographic data, tattoo descriptions, or physical descriptions, such as height, weight, hair color, or eye color.
B. “Biometric Data” means (a) one or more Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other personal information, for identification purposes, and (b) information based on one or more Biometric Identifiers used to identify an individual.
C. “Encrypted” means the transformation of information through the use of an algorithm or other means to render information unreadable in accordance with standards established by the National Institute of Standards and Technology or other industry standard-setting body.
D. “Security Breach” means a Security Incident for which notification to affected individuals and/or government agencies is required under applicable law.
E. For purposes of this Policy, “Security Incident” means (a) the loss or theft of, or attempted or successful unauthorized access to, or use, disclosure, acquisition, modification or destruction of, Biometric Information that is not Encrypted; or (b) interference with system operations in an information system containing Biometric Information that is not Encrypted, which interference materially compromises the confidentiality, integrity or availability of Biometric Information.
F. “SIRT” means the Security Incident Response Team, responsible for responding to Security Incidents. The members of the SIRT are designated in the Company’s Incident Response Plan.
A. Collection Of Biometric Information By The Company: Before collecting Biometric Information from an employee, the Company will: (a) provide the employee with a notice which explains the specific purpose for the collection of Biometric Information and the retention period for the Biometric Information as well as any other information required by applicable law; and (b) obtain the employee’s written consent to the collection, storage, use, and disclosure of the Biometric Information.
B. Prohibited Conduct: The Company will not sell, lease, trade, or otherwise profit from an employee’s Biometric Information.
C. Restrictions On The Company’s Disclosure Of Biometric Information: The Company will not disclose or otherwise disseminate Biometric Information unless:
1. The employee consents to the disclosure; or
2. The disclosure is required by state or federal law.
D. Security For Biometric Information Collected By The Company: The Company will implement administrative, technical and physical safeguards for Biometric Information in its possession that are at least as stringent as the safeguards that the Company has implemented for its other confidential information. In addition, Biometric Information in electronic form will be encrypted when in storage and in transmission. Paper documents containing Biometric Information, when unattended, will be stored in a locked filing cabinet, storage area, or office. Only employees with a legitimate business need may access Biometric Information. Authorized employees should avoid creating paper documents containing Biometric Information whenever possible. No employee may disclose Biometric Information to any non-agent third party without the prior authorization of the VP, InfoSec or CIO.
E. Retention Of Biometric Information Collected By The Company: All Biometric Information will be permanently destroyed promptly after the initial purpose for collecting or obtaining the Biometric Information has been satisfied or within one year after the employee’s employment with the Company terminates, whichever occurs first.
To the extent permitted by applicable law or court order, the Company will suspend the destruction of Biometric Information when, and to the limited extent, necessary to satisfy the Company’s duty to preserve information that would be discoverable in litigation.
F. Destruction Of Biometric Information: Paper documents containing Biometric Information will be shredded or burned. Biometric Information in electronic form will be destroyed in a manner that renders the information irretrievable. The Company’s Human Resources Department shall be responsible for directing the destruction of such information upon expiration of the retention period described in paragraph E, above.
This incident response protocol is specific to Biometric Information and supplements the Company’s separate Incident Response Plan.
A. Security Incident Reporting:
1. Reporting By Employees: Each employee is required to report any Security Incident to the Company’s IT Department.
2. Reporting By Vendors: Each vendor will be directed to notify the Cyber Security team or a designee of any Security Incident.
B. Upon receipt of a report of a Security Incident, the VP, InfoSec will assign roles and responsibilities to the members of the SIRT or their designees. The SIRT’s investigation into the Security Incident should seek, at a minimum, the following information:
1. The date the Security Incident occurred;
2. The date the employee or service provider who reported the Security Incident became aware of it;
3. The root cause, nature and scope of the Security Incident;
4. The identity of, and last known contact information for, the individuals affected, or potentially affected, by the Security Incident;
5. The affected types of Biometric Information for each affected or potentially affected individual;
6. Any other categories of affected, or potentially affected, Biometric Information; and
7. Whether the Security Incident has been reported to law enforcement, and, if so, to whom and when.
C. Notice Of Security Breach To Affected Individuals: Upon completion of the investigation, the SIRT in conjunction with the Legal Department will determine whether the Security Incident constitutes a Security Breach based on the law of the jurisdiction(s) where affected individuals reside. If the SIRT determines that the Security Incident is a Security Breach, the Company, with the advice of the Legal Department and/or outside counsel, shall notify affected individuals consistent with the requirements of applicable law. Any notices will be delivered in the time and manner required by applicable law.
D. Other Notices Related To A Security Breach: The SIRT in conjunction with the Legal Department and/or outside counsel will determine whether the Security Breach must be disclosed to any government agency, the media, or any other person or entity, such as the nationwide credit bureaus. If the Company has a legal obligation to provide notice to any government agency, the media, or any other person or entity, the SIRT, with the advice of the Legal Department and/or outside counsel, will ensure the Company’s compliance with all applicable legal obligations.
Violations of this Policy may result in disciplinary action, up to and including termination of employment.