Sign up   |   Log in

Privacy Policy

Model Privacy and Data Policy

This Privacy and Data Policy is designed for equipment dealership operations in the United States who obtain and use personal information and machine data collected from customers, either directly or through third parties (such as manufacturers), including systems such as John Deere’s JD LinkTM Telematics system.  It includes certain parameters regarding how a customer’s data will be secured and protected, as well as the limitations on any transfers or sharing of such data.  It is designed to serve as a universal privacy and data policy applicable for all facets of a dealership’s operations including information obtained in stores and through dealer or third-party websites, mobile applications or remote access to equipment information. 

The Privacy and Data Policy Overview page is an optional supplement, which can be provided to customers along with the full policy.  It is not required to be included, but it has become fairly standard to provide a summary of your privacy policy.  If used, it is recommended that the Overview be the first section on privacy that a customer would view on your website with the full policy linked or set out below the Overview.

We contemplate that you will post the privacy policy on your website(s) and applications and otherwise make the policy available to your customers.  If you provide, facilitate, or otherwise assist any customer in obtaining financing for purchases made for personal, family, or household use, then you must comply with the Gramm-Leach-Bliley Act (the “GLB Act”) related to the privacy of personal information collected during the financing process.  The Federal Trade Commission website contains guidance to auto dealerships on compliance with the GLB Act.  This guidance would also be generally applicable to equipment dealerships so we encourage you to visit this website through the following link: (http://business.ftc.gov/documents/bus64-ftcs-privacy-rule-and-auto-dealers-faqs).  This policy and its opt-out provisions are designed to comply with the GLB Act (See “Financial Data” on page 2) but each dealer must ensure that it delivers an initial physical copy of the policy to its customers when required by the GLB Act.  Generally, consumer purchasers using financing must be provided a physical copy of the policy when the customer signs the contract for purchase or lease of the goods or services and a copy of the policy on an annual basis thereafter as long as the customer relationship continues.  In the typical situation where a dealer assigns a retail installment contract to a third-party finance company, then the dealer is not required to provide the annual notices; however, the dealer must continue to comply with its policy related to personal information collected from the customer prior to assignment.  Providing only an electronic copy of the policy on your website is sufficient only if the goods or services financed are purchased electronically.  In addition, the GLB Act requires that you have, and regularly update, a written information security plan that is appropriate to the size of the company and the sensitivity of the information collected.  The written information security plan must (1) designate an employee to coordinate information security; (2) identify and evaluate the risks to customer information; (3) implement appropriate safeguards to protect customer information; (4) require other service providers to implement security policies; and (5) evaluate and revise the information security plan in light of any changes or new threats.

If you send marketing related emails to a mailing list then you are obligated under the CAN-SPAM Act to honor any unsubscribe requests for a particular email address within ten business days for marketing messages.  Please note that even if you receive an unsubscribe request, you may still use the customer’s email address to send transactional or relationship messages that are not marketing messages. 

This document has not been reviewed for compliance with either the European Union or Canadian privacy requirements and is not designed for use outside of the United States.  If you provide or exchange any customer information with entities that do not operate in the United States then you should contact an attorney to ensure your compliance with all applicable laws. 

Please note that this summary and model Privacy and Data Policy is only a guide and is not intended to constitute legal advice.  You should review this policy thoroughly and ensure that its provisions are appropriate for your dealership’s specific business practices and you should consult an attorney if you have any questions or concerns.  Please note that this policy is only intended as a guide.  We cannot guarantee that this policy complies with every law and it is possible that you will also need to update this policy to take into account changes in the law after the date listed below. 

Privacy policies are flexible and can generally be modified to meet your specific needs and intended uses of data that you collect.  Policies can also be changed and the changed terms will apply to data collected after the changes go into effect.  Please remember that the most important component of an effective privacy and data policy is that the dealer actually complies with its own rules.  

Privacy and Data Policy Overview

Effective Date: 01-01-2014

This is only a summary of our Privacy and Data Policy.  For more information you can review a complete version of our Privacy and Data Policy located on our website at www.haugimp.com or by requesting a copy at 320-235-8115 / PO BOX 1055, Willmar, MN 56201 / [email protected]

This Privacy and Data Policy Overview provides a description of the privacy and data use practices of Haug Implement Co. (“us”, “we” or “our”) in connection with our receipt, collection and use of data and information from you as our customer, visitor, or user, as applicable.  The policy may be changed or updated from time to time.  If there is any conflict between this Overview and our full Privacy and Data Policy, the terms of our full Privacy and Data Policy will control.

Collection of Data:

The types of information we collect and share depend on the products or services you purchase, license or access from us or third parties through which you have authorized us to receive information (such as through John Deere’s JD LinkTM Telematics system Ag Leader Ag Infinity or Trimble’s “Connected Farm” system).  We generally receive, collect, use and share both Customer Data (including social security numbers, names, addresses, phone numbers, and other personal information) and Machine Data (information related to the performance, use, and location of equipment or computers with various information collection devices) as described in this Policy (collectively “Data”).  You agree to notify all personnel that use any tracked equipment that their use and location is remotely monitored.  If you need to update or change any information which you previously provided to us then you may contact us at [email protected] or by phone at 320-235-8115.

Protection of Data:

We strive to protect your Data using commercially reasonable standards.  We use a variety of commercially reasonable security technologies to help protect your Data from unauthorized access, use, or disclosure.  However, the use of such standards and security technologies is not, and should not be considered to be, any type of guarantee or warranty by us that your Data will not be accessed by third parties.

Sharing and Use of Data:

We use your Data to provide products, services and information to you.  Some of the services are designed to allow faster communications and responsiveness between you and us to ensure that we provide services to you as efficiently as possible.  We may also review equipment diagnostic information remotely to diagnose and recommend equipment maintenance and repairs.  We share your information with certain third parties in order to better serve you or upon your request or approval.  These third parties may include equipment suppliers, financing institutions or other third party service providers who assist us in providing the products and services you request or their respective subsidiaries or affiliates.  We also may share your information with our marketing, technical, accounting, legal or other professionals to assist us in our business operations.  If you purchase products for personal, family, or household use through financing that is provided by us or facilitated by us, you may request that we not share your personal information derived from that transaction with unaffiliated third parties by returning the opt-out form at the bottom of our Privacy and Data Policy.  This is only an overview of our Privacy and Data Policy. If would like a copy of our full Privacy and Data Policy, please contact us at PO BOX 1055, Willmar, MN 56201. 320-235-8115, [email protected]

Privacy and Data Policy

Effective Date: 01-01-2014

The following Privacy and Data Policy (“Policy”) discloses the Privacy and data use practices of Haug Implement co. (“us,” “we,” or “our”) for ALL DATA OR INFORMATION WHICH WE receive From you, either DIRECTLY OR THROUGH A THIRD PARTY, including, without limitation, in person or by phone at our retail locations or through WEBSITEs, APPLICATIONS, EQUIPMENT, devices or the provision of PRODUCTS OR services to you.  We created this Policy to communicate OUR privacy and data policies to each of our CUSTOMERs (collectively a “Customer,” “you” OR “your”) WITH RESPECT TO YOUR INFORMATION. 

1.What and How Information is Collected

We collect and share both your Customer Data and Machine Data (collectively “Data”) as described in this Policy.

a.Customer Data.  To purchase, access, receive, download, upload or use goods or services from us, you may be required to create an account with us, John Deere or another equipment supplier and/or provide various information, which may include personally identifying information (collectively, “Customer Data”).  Personally identifying information is information that can be used to identify, locate or contact you.  If you have a user account with us then you are responsible for maintaining the confidentiality of your user name and password and all uses of your account and password.  You agree to immediately notify us of any unauthorized use of your account.  If a Customer directly or indirectly communicates with us by e-mail, posts or uploads content or information to a website or application to which we are provided access or otherwise completes online forms, any information provided in such communication will also be collected by us as Customer Data (or Machine Data, as applicable).  Data may be collected by us directly from you or your equipment or it may be delivered to us by third parties if you authorize such access be provided by the third party (such as through the JD LinkTM Telematics system for John Deere Equipment).  By providing Customer Data directly to us or granting us access to Customer Data from a third party, you grant us a royalty-free, non-exclusive, perpetual license to use such Customer Data in accordance with this Policy.

Customer Data may consist of the following types of information:

Personal Data.  Personal Data includes your name, user name, mailing address, e-mail address, phone number, zip code, social security number and similar personal information.  We use Personal Data to send Customers e-mail, written or other forms of communications regarding:

i.Goods or services requested or purchased by Customers;

ii.Promotional or informational materials about our company, affiliates and/or third parties with whom we conduct business and the related goods and services provided by such businesses;

iii.Machine-specific information to participating Customers; and

iv.Updates, advertisements, offers and announcements relating to the goods and services of our company, affiliates and/or third parties with whom we conduct business. 

You consent to receive communications from us electronically, but have the ability to opt-out of receiving future e-mails of the type described in (ii)-(iv) by contacting us at the following email address [email protected] or changing your account preferences, if applicable.  Notwithstanding anything to the contrary in this Policy, we may communicate with each Customer by e-mail if such e-mail communication is sent for the purpose of protecting the interests of Customer, including any Customer Data, property or other data, or to provide Customer with any notification or disclosure that may be required under applicable law or our Policy.  Accordingly, as a Customer, you agree that all communications, disclosures, and notices sent to you by e-mail satisfy any requirement that notice be provided in writing.

Transaction and Demographic Data.  We collect transaction information about your purchases, inquiries and customer accounts to fulfill orders or for our general business needs, including maintenance and warranty services.  We also may collect general demographic or preference data regarding your interests, goals or needs to understand who you are and what products and services may interest you or meet your needs. 

Financial Data.  We may collect financial information from you to complete purchases of goods or services, such as credit card information or your billing address.  If you purchase products for personal, family, or household use through financing that is provided by us or facilitated by us, then you have the right to request that we not share any of your personal information derived from that transaction with unaffiliated third parties outside of the requirements to complete your requested transaction by submitting the opt-out form attached to the bottom of this Privacy and Data Use Policy.  We may also assist you in applying for financing with certain third parties or engage in direct financing with you.  We may report information about your account to credit bureaus.  Late payments, missed payments, or other defaults on your account may be reflected in your credit report. 

b.Machine Data.  Machine Data includes information that is generated by, collected by or stored on your equipment or any hardware or device interfacing with your equipment, and may be provided directly through such equipment, hardware or device or indirectly when reported to us through you or a third party (collectively, “Machine Data”).  Machine Data includes, without limitation, the following data, which we may track, collect, receive and use in accordance with this Policy:

i.Technical information including IP addresses, persistent identifiers, statistical utilization, transmission and access methods and sources, and preference information that is collected by cookies, web beacons, or other similar device based collection technologies.  This may include any search that led you to our website, your connection speed or type, and your browser or device information.  You may block all cookies by following the instructions applicable to your browser at http://www.aboutcookies.org/page-1;

ii.Equipment use history including fuel usage, number of engine hours, diagnostic data, software and hardware version numbers, geolocation data, and other equipment data; and

iii.Agronomic information including plant, chemical and fertilizer application rates, recorded yields, soil types and moisture levels, and similar crop or field based information. 

Machine Data may be collected by us directly from you or your equipment or it may be delivered to us by third parties if you authorize or allow such delivery or access from the third party (such as through the JD LinkTM Telematics system for John Deere Equipment).  By providing Customer Data directly to us or granting us access to Machine Data from a third party, you grant us a royalty-free, non-exclusive, perpetual license to use such Machine Data in accordance with this Policy.  We are not liable for any errors, omissions, interception, loss of data, lack of capacity, lack of coverage or lack of availability, or other errors related to the transmission of any Machine Data by any third party.

You agree that you WILL clearly and conspicuously notify any affected personnel that the Machine Data is continuously monitored and delivered, including potentially personal and location data, and that you will obtain all necessary consents and approvals from your personnel as required by applicable law to collect and provide such data to us. 

2.Confidentiality, Security and Storage of Data

Except as otherwise provided in this Policy, we will keep all of your Data that personally identifies you (e.g., your name and address) as private and will not share it with third parties, unless such disclosure is necessary to:

i.Comply with a law (or based upon our good-faith belief that disclosure is necessary to comply with a law);

ii.Protect our rights or property; or

iii.Enforce this Policy or any of our other policies and guidelines.

We may also share your Data as provided below, when required by a third party through whom you authorized or allowed Data to be transmitted to us or when otherwise authorized or requested by you. 

We will not sell your Data to third parties except in the case of a sale of substantially all of our business or assets or the business or assets of one or more of our locations or business divisions or as otherwise permitted below with respect to aggregate Data.  We may permanently delete or destroy any and all Data at any time as determined by us.  We use a variety of commercially reasonable security technologies to help protect your Data from unauthorized access, use, or disclosure.  However, the use of such security technologies is not, and should not be considered to be, any type of guarantee or warranty by us that your Data will not be accessed by third parties, or that we will use all available security technologies to prevent unauthorized access to, use, or disclosure of your personally identifying information. 

3.Sharing and Use of Information

We share your Data with our affiliates, suppliers, vendors, and/or their agents and employees as we deem necessary for the provision of goods and services to you.  Specifically, we may share your Data: (i) with third parties assisting us in the provision, administration, and management of goods and services generally; (ii) with third parties that assist us in providing goods and services that you request; (iii) with third parties that support our business operations or provide marketing or advertising services on our behalf, including marketing, technical, accounting, legal or other professionals; and (iv) as otherwise permitted by law or approved by you.  We may use your Data for our general business operations and goods and services provided by us if it is in a form that is not capable of being personally identified with you or if it is combined with Data from one or more other customers in aggregate form that does not personally identify any particular customer.  We may also sell, license or otherwise provide such de-identified or aggregated data to third parties. 

While we use commercially reasonable efforts to safeguard your Data when transmitted to third parties, we do not warrant that your Data will be transmitted without unauthorized interception or modification or that your Data will not be accessed or compromised by unauthorized third parties. 

4.Collection of Your Information by Third-Party websites

Our website may contain links to other websites.  We are not responsible for the privacy practices or the content of such websites.  We may allow third-party advertisers to place ads on our website.  These third-party advertisers may use cookies or similar technologies to help present the advertisements to you or to help measure the effectiveness of their advertisements.  Some advertisers may use cookies to serve ads to our users or Customers based on their visits to our website and other websites on the Internet.  The use of such technologies is subject to the privacy policies of the third-party advertisers and is not covered by this Policy.  As a result, if you respond to any such third-party advertisers by clicking on the advertisements and/or visiting their websites or the websites of any other third party, be sure you evaluate their privacy policies before providing them any of your information.  To opt-out of a third party’s use of cookies, you must visit such third party’s website and follow its specified opt-out procedures.  You may opt-out of Google’s use of the DoubleClick cookie by visiting the Google Advertising Policies and Principles page at http://www.google.com/policies/privacy/ads/.  You can opt out of some, but not all, of third-party advertiser cookies in one location at the Network Advertising Initiative opt-out website, located at www.networkadvertising.org/managing/opt_out.asp.  You may block all cookies by following the instructions applicable to your browser at http://www.aboutcookies.org/page-1.

5.Updates and Changes to Policy

We reserve the right, at any time and without notice, to add to, change, update, or modify this Policy by posting such addition, change, update, or modification on our website.  Any such addition, change, update, or modification will be effective immediately upon posting on our website. 

6.Eligibility; Compliance with Children Privacy Issues

We do not knowingly collect or maintain personally identifiable information from children under the age of 13.  If you know of someone using our website that is under the age of 13, please notify us immediately.  If we are informed that anyone under the age of 13 is using the website, his or her account will be cancelled and all of his or her information will be deleted from the website as soon as practical.

7.How to Contact Us

If you have any questions or concerns about this Policy, or need to request corrections or deletions to the information you have provided to us, then please contact [email protected] or 320-235-8115. 

Model Information Security Program (ISP)
Model Identity Theft Prevention Program (ITPP)

The information security program (ISP) and the identity theft prevention program (ITPP), are designed for equipment dealership operations in the United States who obtain, store, or use personal data collected from customers or other parties, either directly or through third parties (such as manufacturers), including through systems such as John Deere’s JD LinkTM Telematics system. 

The ISP and ITPP are not designed for dissemination to the general public or your customers.  Rather, they are designed as internal compliance programs that document the dealership’s overall data security plan and policies for compliance with federal and state laws and regulations applicable to data security, integrity, and breach notifications.  The programs must be reviewed initially to determine if they reflect your dealership’s actual practices and then reviewed at least annually thereafter.  They should be adopted by the board of directors or owners of the dealership and copies should be provided to all current and future employees.  It is not required, but would be prudent to have each employee sign an acknowledgment of their receipt of such programs in a form similar to the attached “Employee Acknowledgment.”

It is considered a best practice for every business that handles sensitive information to maintain an ISP and it is required by certain data security and privacy laws.  The principal data security laws and standards relevant to the ISP include the Gramm-Leach-Bliley Act and the FTC’s related “Safeguards” rule; the Payment Card Industry (PCI) Data Security Standard (required by most major credit card companies if you store a customer’s credit/debit card number or account); state data security laws; and the state laws that require notification whenever certain personal information is improperly disclosed or breached (46 states have such laws - for more information on the state notification laws that impact you visit http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx).  Many of these state breach notification laws ostensibly apply to every business, including out of state businesses, which collect information about residents of the applicable state, often making multiple state laws apply whenever there is a breach of sensitive information.  The ISP is designed to comply with the most stringent standards required by any state for data security; however, it only includes a general statement regarding compliance with data breach notification laws as the form, content and timing of these notifications varies by state.  Accordingly, to comply with your policy, you must consult and apply the applicable laws to determine your notification obligations as soon as you suspect or know there has been a breach of a customer’s information. 

In addition to applicable laws, you should also review your agreements with third parties such as manufacturers or finance companies to determine whether such agreements impose any legal or contractual security obligations on the dealership when collecting, storing or transmitting the data relating to those agreements. 

The ISP applies to the receipt of any personal information regardless of whether it is received orally, in writing, or electronically (including text messages, e-mails and instant messages stored on company or personal devices).  The definition of personal information varies under each applicable law but it generally includes a customer’s first initial/name and last name, any financial or transactional information, any personal identifier (such as a social security or customer number), or any contact/address information. 

With respect to the ISP, some of the legal requirements involved are flexible and vary with the size and scope of your business; however, you should consult an attorney if you wish to make material changes to these programs to ensure that your dealership’s practices are compliant with all applicable laws.  In particular, the requirement that data be encrypted at all times, including while stored or transmitted, varies from state to state.  It is recommended that you encrypt all personal data when it is stored and when it is transmitted wirelessly to comply with the most stringent standards and recommended data practices; however, it is currently legally permissible to not encrypt data unless you store data related to a Massachusetts resident.  Successful implementation of an encryption program can significantly reduce any required mitigation or notification steps (and related costs), following any breach or loss of data.  One study estimates that the average cost for a breach of unencrypted personal data is $214.00 per individual whose information was breached or lost, which translates to a total cost of over $100,000.00 if the personal data of only five hundred customers is breached or lost. 

Please note that data security insurance or cyber insurance policies may be available to assist with the expenses of responding to data breaches that cover your dealership’s data, claims by third parties due to a breach, and related costs.  Up to $50,000 of coverage is available for this type of insurance through Federated Insurance and the current annual premium is $161.  Federated informed us that supplemental coverage with significantly higher limits ($1,000,000 is the most commonly quoted limit) is also available through other insurers at correspondingly higher premium levels.  It is advisable to discuss these issues with your insurance broker to determine what claims and losses are currently covered by your policies and what additional insurance is available to your dealership. 

The ITPP is designed to meet the minimum requirements of the FTC’s “Red Flags” rule on identity theft prevention that applies to equipment dealerships if you allow any delayed or deferred payment for any customer accounts used primarily for personal, family or household purposes.  If that does not apply to your dealership, then the ITPP does not need to be adopted. 

These programs have not been reviewed for compliance with European Union or Canadian data security requirements and are not designed for use outside of the United States or as part of the EU-US Safe Harbor Program.  If you provide or exchange any information with entities that do not operate in the United States, then you should contact an attorney to ensure your compliance with all applicable laws.  

Please note that this summary and model Information Security Program and model Identity Theft Prevention Program is only a guide and is not intended to constitute legal advice.  You should review these programs thoroughly and ensure that their provisions are appropriate for your dealership’s specific business practices and you should consult an attorney if you have any questions or concerns.  Please remember that the most important component of an effective program is that the dealer actually complies with its own rules.  Failure to follow a dealer’s own rules may be a factor in determining whether you violated a law or duty to such party.  We cannot guarantee that these programs comply with every law and it is possible that you will also need to update them to take into account changes in the law after the date listed below.  

Information Security Program

Program Scope

This program is designed to implement physical, administrative, and technical safeguards of the Personal Data we collect from our customers. “Personal Data” includes an individual customer’s last name and first name or first initial, a customer’s social security or other identification number, financial or transactional information, any private access code or PIN, contact or address information, or any other personally identifying information.  Personal Data also includes any additional information required by applicable law to be protected but does not include any publicly available information.

Program Coordinator

Kody Aasen is designated as the Program Coordinator of our Dealership’s Information Security Program until such Coordinator is replaced by the Dealership.  The Program Coordinator reports directly to Paal Haug, the general manager of the Dealership.  In the event the Program Coordinator ceases to be employed by the Dealership or is unable to perform his/her responsibilities then a new Program Coordinator will be appointed, and in the interim period, Cal Knudsen shall serve as the interim Program Coordinator.

It is the Program Coordinator’s responsibility to design, implement and maintain the Dealership’s privacy policy(ies) and information security program as he/she determines to be necessary from time to time based upon the size of the business and scope of the business activities.  The Program Coordinator’s specific responsibilities include:

Identifying and assessing the risks to Personal Data in each relevant area of the Dealership’s operation, and evaluating the effectiveness of current safeguards that have been implemented to control these risks.  These risks include but are not limited to:
Intentional or unintentional breaches of Personal Data by our employees or agents.
Hacking, spoofing, phishing, malware, or other malicious programs, schemes, or devices to gain access to Personal Data by unauthorized individuals.
Failure of a third party vendor to properly secure and encrypt the transmission or storage of Personal Data.
Inadvertent disclosure of a customer’s Personal Data to another customer.
Natural disasters or similar events disrupting our security measures.
Designing and implementing privacy policies, information security programs, and identity theft prevention programs that are appropriate for the size and complexity of our Dealership and its operations, the nature and scope of our activities and the sensitivity of the Personal Data we collect, store and share with others and any other data security related programs or policies required by law.
Evaluating and adjusting the Dealership’s privacy policies, information security programs, and identity theft prevention programs in light of relevant circumstances, including changes to the Dealership’s operations, business relationships, technological developments and/or other matters that may impact the security or integrity of the Dealership’s Personal Data.
Coordinating the Dealership’s response to any breach of the Dealership’s privacy policies, information security programs, identity theft prevention programs or other policies or applicable laws.
Assisting with the selection of appropriate service providers.
Employee Management and Training

During employee orientation, each new employee will receive a copy of all current privacy policies, policies regarding non-disclosure of confidential information and trade secrets, information security programs and identity theft prevention programs and be trained regarding the importance of confidentiality of Personal Data.  Training will include: (i) all policies and programs and the obligation to comply with such policies and programs, (ii) proper use of computers and passwords, (iii) controls and procedures to ensure that employees only access appropriate information, (iv) controls to prevent employees from providing confidential information to unauthorized parties, and (v) proper disposal of Personal Data.  Employees should receive any amendments to such policies and programs and re-training as appropriate.    

When an employee ceases to be employed by the Dealership, he/she is required to turn in any keys, passwords, computers, hard drives, devices or other access mechanisms in his/her possession.  In addition, any security codes or passwords to which such employee had access will be changed or removed.  Employees will not be permitted to take any Personal Data with them when their employment ceases.

Customer Information Collection

Customer information may be collected through a variety of collection methods including verbally, in writing, or via electronic means including transmission via the internet, e-mail, text message, wirelessly from connected equipment or hardware, or through third party access portals.  Collection of Personal Data through any of these sources is covered by this program.  When Personal Data is collected electronically, we will maintain appropriate security protocols, which may include encrypting information while at rest and/or in wireless transmissions.

Customer Identity Verification

The following procedures will be implemented with respect to customer identity verification from customer information:

Forms used by the Dealership request certain customer information, such as names, addresses, telephone numbers, birth dates, social security numbers, tax identification numbers, and driver’s license and insurance information, to enable the Dealership to verify the identification of its customers.
Employees may request to see the customer’s driver’s license or other form of government-issued identification bearing a photograph to verify the customer’s identity and may make a copy of the same to retain in the customer’s file.  
If a customer requests financing in connection with a transaction, the customer may be required to provide employment information and references and may be required to authorize the Dealership to obtain a credit report, all of which may be used to verify the identity of the customer.
Paper and electronic records containing customer information and relevant to the Dealership’s identity verification process will be retained by the Dealership in accordance with any applicable federal and state laws.
Information Security Safeguards

The following information security standards will be implemented in order to appropriately safeguard Personal Data collected and maintained by our Dealership:

Employees are only authorized to have access to the Personal Data necessary to complete their responsibilities.  Employees shall not access or provide any other unauthorized person access to Personal Data.  Requests for Personal Data that are outside the scope of the Dealership’s ordinary business or the scope of an employee’s authorization must be directed to the Program Coordinator.
Access to electronic Personal Data will be protected by a password or equivalent protection.  Every employee with access to the Dealership’s computer system, electronic devices and electronic records will have a unique password consisting of at least 8 characters and must include both numbers and letters.  Employees will be instructed to not share their password with others or post or save their passwords in locations that are accessible to others in the Dealership or otherwise.  After multiple failed login attempts from a single device or user, additional login attempts may be restricted.
All paper and electronic records will be stored in secure locations to which only authorized employees will have access.  Electronic Personal Data will be stored on a secure server that is located in a locked room and is accessible only with a password or key.  Any remote access to Personal Data shall be conducted in a secure manner using a minimum of 128 bit encryption or other similar technology.  Paper records will be stored in an office, desk, or cabinet that is locked when unattended.  Customers, vendors and service providers shall not be left in areas with access to unsecured Personal Data.
Backups of the computers and/or server will be made at regular intervals as deemed necessary.  Virus protection software will be installed on computers and new virus updates will be checked at regular intervals.  Firewalls and security patches from software vendors will be downloaded on a regular basis.
All Personal Data will be erased from computers, disks, hard drives or any other electronic media that contain Personal Data before disposing of them.  Any paper records will be shredded and disposed of securely.
Employees will be instructed to log off of all internet, e-mail, social media or other accounts when they are not being used.  Employees will be trained to not download any software or applications to Dealership computers or open e-mail attachments from unknown sources.  Employees will be instructed to not download, upload, or save electronic records to external media or an individual’s computer without explicit authorization from the Program Coordinator.  If electronic records will be transmitted or accessed over an external network, including the internet, employees will be instructed to not use unprotected public Wi-Fi networks for such activities.
Service Provider Selection and Review

In order to protect the Personal Data our Dealership collects, we will take reasonable steps to initially select and then oversee our service providers that routinely access or utilize Personal Data.  The following evaluation criteria may be utilized in selecting service providers:

Compatibility and willingness to comply with the Dealership’s privacy policies, information security program, and identity theft prevention program, as applicable. 
Adequacy of the service provider’s own privacy policies and information security standards.
Experience and ability to provide the necessary services and supporting technology for current and anticipated needs, which may include an evaluation of the service provider’s knowledge and understanding of laws and regulations that are relevant to the services and information being provided.
Financial stability of the service provider and reputation with industry groups, trade associations and other dealerships.
Contractual obligations and requirements, which, among other legal and business term considerations, include requirements to implement and maintain appropriate security safeguards, maintain the confidentiality of Personal Data, only use Personal Data for purposes of providing services under the contract and reporting breaches to the Dealership. 
Response to Breaches and Other System Failures

The Program Coordinator will implement audit and oversight procedures as he/she deems necessary to detect the improper disclosure or theft of customer information and to ensure that employees, independent contractors and service providers are complying with our Dealership’s Privacy and Data Policy and Information Security Program and applicable law.

If the Dealership’s Privacy and Data Policy or Information Security Program is breached, the Program Coordinator will assess the breach and determine whether notification to any parties is advisable or required by applicable law.  To the extent determined to be advisable or required by law by the Program Coordinator, he/she will take appropriate steps to notify counsel, service providers and customers, as applicable, of any breach, damage or loss of information and the risks associated with the same.  Further, as determined to be appropriate by the Program Coordinator based upon the breach and circumstances surrounding such breach, the Program Coordinator will take measures to limit the effect of the breach, identify the reason for the breach and implement procedures to prevent further breaches.  In the event of a breach, or at any other time as the Program Coordinator deems appropriate, the Program Coordinator may modify or supplement our Privacy and Data Policy and Information Security Program, subject to any required Dealership approval. 

General; Review

This Information Security Program was adopted and approved by the management team at Haug Implement Co on 01-01-2014.  This Information Security Program will be reviewed at least annually by the Program Coordinator to assess its level of appropriateness for our Dealership.

Identity Theft Prevention Program

Our Dealership uses the following procedures as part of our Identity Theft Prevention Program (the “ITPP”) to help mitigate the risk of identity theft.

We look for the following factors (“Red Flags”) to indicate that identity theft may be occurring in connection with an account at our Dealership:

1. Notice from a customer, a victim of identity theft, a law enforcement agency, or someone else that an account has been opened or used fraudulently, including a fraud alert in a customer’s credit file.

2. Mismatched or inconsistent information or images between a customer’s provided information, documentation, or appearance and any verification documents, including credit reports that raises suspicions.

3. Indications of forgery, alteration, replication, or assembly of any documentation.

We may detect Red Flags by:

1. Checking a customer’s credit report and verifying that the address used by the customer corresponds to an address in the credit report.

2. Reviewing a customer’s photo identification and requesting their name and address when they open an ongoing payment account.

When detected, we may respond to Red Flags by:

1. Contacting an existing customer by an alternate communications method, if available, to verify whether a particular transaction or account is authorized.

2. Closing, preventing the opening of, or changing the number of an account.

3. Notifying law enforcement.

4. Notifying a credit reporting agency.

5. Not responding if warranted.

This ITPP was adopted and approved by the management team at Haug Implement Co on 01-01-2014. The ITPP will be administered by Kody Aasen.  We train our front-line customer service personnel and management employees to identify the Red Flags set out in the ITPP using materials and programs. We only work with service providers who institute an identity theft program that is appropriate to their function and the information they receive from us.  Generally, we do not work with service providers in connection with detecting or responding to the Red Flags set out in the ITPP.  This ITPP will be reviewed and updated periodically to ensure it remains appropriate for our business.