Terms and Conditions

Introduction

Initial Statement

This User Service Agreement has been established by Western Reporting Inc., (hereafter referred to as the CRA) as of 06/02/2019. It contains requirements imposed upon all Users of Consumer Reports and/or any ancillary services as may be available for sale by the CRA. It is the responsibility of the User to fully understand and comply with all of its legal obligations as a User of Consumer Reports under the Federal Fair Credit Reporting Act, Gramm-Leach-Bliley Act Financial Privacy and Safeguarding Rules, FTC Disposal Rule and any other federal, state or local laws that may apply to the services the CRA provides.

Definitions

Consumer Information refers to Consumer Reports and other non-public, personally identifiable consumer information obtained from the CRA.

Consumer Report shall have the meaning set forth in the Fair Credit Reporting Act (“FCRA”), 15 USC 1681(a)(d), as may be amended from time to time. For purposes of this Policy, the term Consumer Reports refers to those consumer reports or any information derived therefrom including, but not limited to scores, obtained from the CRA.

End User/User refers to prospective and current customers of the CRA, to whom the CRA will furnish consumer information.

FCRA refers to the Federal Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time.

Compliance Agreement

I have read and understand the “FCRA Requirements”  as listed in “Exhibit A” or “Exhibit B” and “Exhibit C- Notice to Users of  Consumer Reports: Obligations of Users under the FCRA” and the CRA’s “Access Security Requirements” and will take all reasonable measures to enforce them within my facility. I certify that we will use the CRA’s consumer report information solely for the purpose outlined in the “Permissible Purpose/Appropriate Use” section of this application, and for the type of business listed on this application. I will not sell the report to any consumer directly or indirectly. I understand that if this information is used improperly by company personnel, or if company access codes are made available to any unauthorized personnel due to carelessness on the part of any employee of the company, I may be held responsible for financial losses, fees, or monetary charges that may be incurred and that my access privilege may be terminated.

I agree to comply with all policies and procedures instituted by the CRA and required by the CRA’s consumer reporting Vendors. I understand that by not complying with any policies or procedures instituted by the FCRA, the CRA, CRA’s Vendors, any Federal, State or Local Laws that are applicable to consumer reports, my account may be subject to termination.  I agree that the CRA or any of the CRA’s consumer reporting vendors shall have the right to audit my records that are relevant to the provision of services set forth in this Agreement. I further agree that I will respond within the requested time frame for the information requested. In accordance with the Agreement, I understand that the CRA may immediately suspend and/or terminate the Agreement in the event I fail to comply with any of the above.

Policies and Procedures

Onsite Inspection Policy

I am aware that in order to receive a Full Credit Product, I must successfully pass an onsite inspection of my principal place of business. The onsite inspection will be arranged through the CRA or a CRA Vendor.  I understand that the onsite inspection fee has been incorporated into the setup fee and is non-refundable and there is no guarantee of being accepted for an account with the CRA. I recognize that the Owner or Authorized Officer or Manager must be present and available during the onsite inspection. I understand that if the onsite inspection results in a “Failed” status, additional measures and additional costs will be required in order to continue the application process with the CRA.  Furthermore, in the event that my principal place of business changes, I will contact the CRA to arrange and pay for a new onsite inspection of the new location.

Fees & Payment

I am aware that the Business or Owner/Authorized Officer as listed on the New Client Application of this Agreement will be charged for all requests entered online and that a setup fee will be charged upon account origination and an annual renewal fee will be required to keep the account active.  Please be aware that all fees charged are non-refundable.  Unless other payment arrangements are accepted by the CRA, credit cards will be billed upon order for owners of 50 units or less and once per month for owners of over 50 units. Late fees in the amount of $20 or 18% of the balance (whichever is greater) will be assessed to balances over 30 days old.  Online accounts will also be subject to deactivation. 

Turn-Around Policy

All applications received after 3:00 PM MST will be considered the next business day’s work. Most reports not requiring Verifications or County Searches are returned in 1 to 2 hours after receipt.

Verification Policy

Three (3) attempts will be made to verify all references provided.  A completed report will be sent within 3 business days after a 3rd attempt has been made on all pending verifications.  Refunds will not be given if we are unable to obtain the verification – verification results depend on the reference responding to our request.

Criminal Searches

Criminal searches are pulled by name and verified by DOB.  The CRA advises that you use government-issued ID to verify your applicant’s name, DOB and SSN prior to ordering your report.  MultiState database searches, while expansive and cost-effective, are subject to limitations in coverage and of information related to offense descriptions and applicant identifiers.  For the most thorough screening, direct-court county criminal searches should accompany any database search for all counties in which an applicant has lived, worked or been educated.  These criminal searches should also be run for all AKA’s. 

County Searches

At the client’s cost a county search will be automatically ordered to verify each database hit pursuant to Federal Statute 15 U.S. Code §613.  When a researcher for a Consumer Reporting Agency conducts a search of a potential applicant, and criminal history is found, the CRA must validate that particular criminal “hit” by confirming the information is accurate at the source.  If this information is not validated at the county level, the CRA is not allowed to provide the information to the client.

Customer Service

Our Customer Service personnel are available from 9:00am to 5:00pm MST Monday – Friday to respond to your inquiries and process reports.

Indemnification

Client understands that the CRA obtains the information products from various third party sources “AS IS,” and therefore is providing the information to Client “AS IS.”  The CRA makes no representation or warranty whatsoever, express or implied, including, but not limited to, implied warranties of merchantability or fitness for purpose, and implied warranties arising from the course of dealing or a course of performance with respect to the accuracy, validity, or completeness of any information products and/or consumer reports.  The CRA expressly disclaims all such representations and warranties.

Client shall indemnify and hold harmless the CRA, and each of its affiliated persons and entities, from and against any and all liability, losses, claims, damages, and expenses, including, but not limited to, attorneys’ fees and court costs, arising from or in any way connected with any breach or claimed breach of the terms of this Agreement by Client or any third person acting on behalf of Client, including any breach or claimed breach of any representation, warranty, covenant, or agreement herein including, without limitation, any violation of the FCRA or any applicable federal, state or local law, or any improper publication, disclosure or other misuse of the Information Products by Client or any third person or entity acting on behalf of Client.  The CRA shall indemnify and hold harmless Client, and each of its affiliated persons and entities, from and against any and all liability, losses, claims, damages, and expenses, including, but not limited to, attorneys’ fees and court costs, arising from or in any way connected with any breach or claimed breach of the terms of this Agreement by the CRA or any third person acting on behalf of the CRA, including any breach or claimed breach of any representation, warranty, covenant, or agreement herein including, without limitation, any violation of the FCRA or any applicable federal, state or local law, or any improper publication, disclosure or other misuse of the Information Products by the CRA or any third person or entity acting on behalf of the CRA.

Access Security Requirements

We must work together to protect the privacy of consumers.  The following measures are designed to reduce unauthorized access of consumer credit reports.  In signing the Consumer Reporting Agency Membership Agreement, you agree to follow these measures.

  1. Make all employees aware that your company can access credit information only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.  You and/or your employees may not access your/their own report or the report of a family member or friend if your company does not have permissible purpose for doing so.
  2. Please be aware that there are laws governing the release of a credit report to an individual. In cases of Tenant Screening: if you wish to deny the applicant on the basis of credit, give him/her a denial letter. They can submit that to us along with their Driver License/State ID Card within 60 days of the report date and we will provide them a copy of their credit report. If you wish, you may provide a “Consumer Copy” of the report to your applicant within 30 days of the application date. Copies of the denial letter and Consumer Copy forms are available through our website or by calling Customer Service. For Employment, special provisions under the FCRA apply. Please call our office to obtain form examples.

Record Retention

It is important that you keep credit applications with a signed release on file for a period of 5 years. This will help to facilitate the investigative process if a consumer claims that your company inappropriately accessed their credit report. However, you may keep the actual copy of the credit report on file for only 6 months (the credit report may be used only once). After 6 months you are obligated to shred the report. “Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $2,500 per violation.”


Access Security Requirements for Reseller End-Users for FCRA and GLB 5A Data

The following information security controls are required to reduce unauthorized access to consumer information. It is the responsibility of your company (a company provided access to Experian systems or data through the CRA, referred to here as the “Company”) to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you. The CRA reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security.

In accessing the CRA’s services, Company agrees to follow these Experian security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Experian data.

  1. Implement Strong Access Control Measures

1.1     All credentials such as User names/identifiers/account numbers (user IDs) and user passwords must be kept confidential and must not be disclosed to an unauthorized party.    No one from the CRA will ever contact you and request your credentials.

1.2     If using a third party or proprietary system to access the CRA’s systems, ensure that access is preceded by authenticating users to the application and/or system (e.g. application-based authentication, Active Directory, etc.) utilized for accessing the CRA’s data/systems.

1.3     If the third party or third party software or proprietary system or software, used to access the CRA’s data/systems, is replaced or no longer in use, the passwords should be changed immediately.

1.4     Create a unique user ID for each user to enable individual authentication and accountability for access to the CRA’s infrastructure.  Each user of the system access software must also have a unique logon password.

1.5     User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job responsibilities.

1.6     User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.

1.7     Develop strong passwords that are:

  • Not easily guessable (i.e. not your name or company name, repeating numbers and letters, or consecutive numbers and letters)
  • A minimum of eight (8) alphabetic and numeric characters for standard user accounts
  • For interactive sessions (i.e. non system-to-system), changed periodically (every 90 days is recommended)

1.8     Passwords (e.g. user/account password) must be changed immediately when:

  • Any system access software is replaced by another system access software or is no longer used
  • The hardware on which the software resides is upgraded, changed or disposed
  • Any suspicion of password being disclosed to an unauthorized party (see section 4.3 for reporting requirements)

1.9     Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm, also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).
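Sections 1.7 and 1.9 together describe what a Company’s own access software must do with passwords: reject weak ones and never keep them in clear text. The following Python is an added example of one way to implement both, written for this page; it is not code from the CRA or Experian. The user name, company name, PBKDF2 iteration count and the three-character threshold used to detect repeated or consecutive characters are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample identities: section 1.7 says a password must not be built
# from the user's own name or the company name.
USER_NAME = "jane.doe"           # assumed user ID of the person setting a password
COMPANY_NAME = "Example Realty"  # assumed company name

MIN_LENGTH = 8               # section 1.7: at least eight alphanumeric characters
MAX_PASSWORD_AGE_DAYS = 90   # section 1.7: 90-day change interval for interactive sessions
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the one-way hash


def _has_run(pw: str, length: int = 3) -> bool:
    """True if pw contains `length` identical characters in a row ('aaa', '111')."""
    return any(len(set(pw[i:i + length])) == 1 for i in range(len(pw) - length + 1))


def _has_sequence(pw: str, length: int = 3) -> bool:
    """True if pw contains `length` consecutive ascending or descending characters ('abc', '321')."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password_policy(password: str, user_name: str, company_name: str) -> list[str]:
    """Return the list of section 1.7 rules the password breaks (empty list = acceptable)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("must contain both letters and digits")
    lowered = password.lower()
    # Any word of three or more characters taken from the user or company name is rejected.
    for label, name in (("user name", user_name), ("company name", company_name)):
        for part in name.lower().replace(".", " ").split():
            if len(part) >= 3 and part in lowered:
                problems.append(f"contains part of the {label} ({part!r})")
    if _has_run(password):
        problems.append("contains repeated characters")
    if _has_sequence(password):
        problems.append("contains consecutive characters")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the 90-day interval in section 1.7."""
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Produce the salted one-way hash that is stored instead of the password (section 1.9)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("janedoe1", "password", "abc12345", "Tr0ub4dor&3"):
        print(candidate, "->", check_password_policy(candidate, USER_NAME, COMPANY_NAME) or "ok")
    record = hash_password("Tr0ub4dor&3")
    print("stored record:", record)
    print("verify correct:", verify_password("Tr0ub4dor&3", record))
    print("verify wrong:", verify_password("wrong", record))
```

The stored record carries the algorithm, iteration count and salt alongside the digest, so the iteration count can be raised later without invalidating existing records, and `hmac.compare_digest` avoids leaking how many bytes matched.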

1.10   Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.

1.11    Active logins to credit information systems must be configured with a 30 minute inactive session timeout.

1.12    Ensure that personnel who are authorized to access credit information have a business need to access such information, and understand that under these requirements such access is only for the permissible purposes listed in the Permissible Purpose Information section of the membership application.

1.13    Company must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store Experian data.

1.14    Ensure that Company employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.

1.15    Implement a process to terminate access rights immediately for users who access Experian credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.

1.16    Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.

1.17    Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.
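Sections 1.15 to 1.17 require terminating access when users leave or change jobs, periodically reviewing whether each account and its privileges are still needed, and checking that activity matches job responsibility. As an added example, not code from the CRA or Experian, the Python below runs such a review over a constructed HR roster and account list and returns one finding per problem. The roster layout, the role-to-privilege map, the 45-day inactivity threshold and the review date are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed HR roster (assumed shape): employee ID -> status and job role.
ROSTER = {
    "e100": {"name": "Jane Doe", "status": "active", "role": "leasing_agent"},
    "e101": {"name": "Ravi Kumar", "status": "terminated", "role": "leasing_agent"},
    "e102": {"name": "Ana Silva", "status": "active", "role": "accounting"},
}

# Assumed least-privilege map (section 1.5): the privileges each job role actually needs.
ROLE_PRIVILEGES = {
    "leasing_agent": {"order_report", "view_report"},
    "accounting": {"view_invoices"},
    "admin": {"order_report", "view_report", "view_invoices", "manage_users"},
}

STALE_AFTER_DAYS = 45  # assumed threshold for "no recent activity"


@dataclass
class Account:
    user_id: str
    employee_id: str
    privileges: set[str]
    last_login: date | None


# Constructed account export from the credit-access application.
ACCOUNTS = [
    Account("jdoe", "e100", {"order_report", "view_report"}, date(2019, 5, 30)),
    Account("rkumar", "e101", {"order_report", "view_report"}, date(2019, 4, 15)),   # owner terminated
    Account("asilva", "e102", {"view_invoices", "order_report"}, date(2019, 5, 28)),  # privilege beyond role
    Account("svc_import", "e999", {"view_report"}, None),                             # no employee record
]


def review_accounts(accounts: list[Account], roster: dict, role_privileges: dict,
                    today: date) -> list[tuple[str, str]]:
    """Return (user_id, finding) pairs for accounts that need action under sections 1.15-1.17."""
    findings: list[tuple[str, str]] = []
    for acct in accounts:
        emp = roster.get(acct.employee_id)
        if emp is None:
            findings.append((acct.user_id, "no matching employee record; disable until an owner is confirmed"))
            continue
        if emp["status"] != "active":
            findings.append((acct.user_id, "owner is no longer active; terminate access immediately (1.15)"))
            continue
        # Privileges the role does not need indicate a job change or over-provisioning (1.16).
        extra = acct.privileges - role_privileges.get(emp["role"], set())
        if extra:
            findings.append((acct.user_id, f"privileges beyond job role: {sorted(extra)} (1.16)"))
        # An account nobody uses is a standing risk with no business need behind it (1.17).
        if acct.last_login is None or (today - acct.last_login).days > STALE_AFTER_DAYS:
            findings.append((acct.user_id, f"no login in {STALE_AFTER_DAYS} days; confirm access is still needed (1.17)"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_accounts(ACCOUNTS, ROSTER, ROLE_PRIVILEGES, date(2019, 6, 2)):
        print(f"{user_id}: {finding}")
```

Running the review against the constructed data flags the terminated owner, the over-privileged accounting account and the orphaned service account, while the leasing agent with matching privileges and recent activity produces no finding. In practice the roster and account list would come from the HR system and the application’s user export, and the review output would be kept as evidence for the audits described in section 8.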

1.18    Implement physical security controls to prevent unauthorized entry to Company’s facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.

  2. Maintain a Vulnerability Management Program

2.1     Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all other systems current with appropriate system patches and updates.

2.2     Configure infrastructure such as firewalls, routers, servers, tablets,  smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.

2.3     Implement and follow current best security practices for computer virus detection scanning services and procedures:

  • Use, implement and maintain current, commercially available anti-virus software on all systems for which applicable anti-virus technology exists. The anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software, such as viruses, worms, spyware, adware, Trojans, and root-kits.
  • Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
  • If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.

  3. Protect Data

3.1     Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).

3.2     Experian data is classified Confidential and must be secured in accordance with the requirements mentioned in this document at a minimum.

3.3     Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.

3.4     Encrypt all Experian data and information when stored electronically on any system, including but not limited to laptops, tablets, personal computers, servers and databases, using strong encryption such as AES 256 or above.

3.5     Experian data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.

3.6     When using smart tablets or smart phones to access Experian data, ensure that such devices are protected via device pass-code.

3.7     Applications utilized to access Experian data via smart tablets or smart phones must protect data while in transmission, for example through SSL protection and/or use of a VPN.

3.8     Only open email attachments and links from trusted sources and after verifying legitimacy.

3.9     When no longer in use, ensure that hard-copy materials containing Experian data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.

3.10    When no longer in use, ensure that electronic media containing Experian data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by otherwise physically destroying the media (for example, degaussing).

  4. Maintain an Information Security Policy

4.1     Develop and follow a security plan to protect the confidentiality and integrity of personal consumer information as required under the GLB Safeguards Rule.

4.2     Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.

4.3     Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe Experian data may have been compromised, immediately notify the CRA within twenty-four (24) hours or per agreed contractual notification timeline (See also Section 8).

4.4     The FACTA Disposal Rule requires that Company implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.

4.5     Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the organization.

4.6     When using third party service providers (e.g. application service providers) to access, transmit, store or process Experian data, ensure that service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program, and registered in Experian’s list of compliant service providers. If the service provider is in the process of becoming compliant, it is Company’s responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.

  5. Build and Maintain a Secure Network

5.1     Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.

5.2     Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet.  Network address translation (NAT) technology should be used.

5.3     Administrative access to firewalls and servers must be performed through a secure internal wired connection only.

5.4     Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.

5.5     Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.

5.6     For wireless networks connected to or used for accessing or transmission of Experian data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.

5.7     When using service providers (e.g. software providers) to access the CRA’s systems, access to third party tools/services must require multi-factor authentication.

  6. Regularly Monitor and Test Networks

6.1     Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.).

6.2     Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Experian data; establish a process for linking all access to such systems and applications.  Ensure that security policies and procedures are in place to review security logs on daily or weekly basis and that follow-up to exceptions is required.

6.3     Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access the CRA’s systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:

  • protecting against intrusions;
  • securing the computer systems and network devices;
  • and protecting against intrusions of operating systems or software.

  7. Mobile and Cloud Technology

7.1       Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply.

7.2       Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.

7.3     Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.

7.4     Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.

7.5     Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device.

7.6     In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 

7.7       When using cloud providers to access, transmit, store, or process Experian data ensure that:

  • Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations
  • Cloud providers have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian:
    ◦ ISO 27001
    ◦ PCI DSS
    ◦ EI3PA
    ◦ SSAE 16 – SOC 2 or SOC 3
    ◦ FISMA
    ◦ CAI / CCM assessment

  8. General

8.1   The CRA may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices.

8.2   In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to the CRA upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users.

8.3   Company shall be responsible for and ensure that third party software, which accesses the CRA’s information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use.

8.4   Company shall conduct software development (for software which accesses the CRA’s information systems; this applies to both in-house or outsourced software development) based on the following requirements:

8.4.1         Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks.

8.4.2         Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.

8.4.3         Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.

8.5   Reasonable access to audit trail reports of systems utilized to access the CRA’s systems shall be made available to the CRA upon request, for example during a breach investigation or while performing audits.

8.6   Data requests from Company to the CRA must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable.

8.7   Company shall report actual security violations or incidents that impact Experian to the CRA within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to the CRA of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred, at 800-466-1996; email notification goes to customerservice@westernreporting.com.

8.8   Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to the CRA’s services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data.

8.9   Company understands that its use of the CRA’s networking and computing resources may be monitored and audited by the CRA without further notice.

8.10           Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access the CRA’s services or data are secure and in compliance with its membership agreement.

8.11           When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by the CRA.

Record Retention:  The Federal Equal Credit Opportunity Act states that a creditor must preserve all written or recorded information connected with an application for 25 months.  In keeping with the ECOA, Experian requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months.  When conducting an investigation, particularly following a consumer complaint that your company impermissibly accessed their credit report, Experian will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract.

“Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.”

Internet Delivery Security Requirements

In addition to the above, the following requirements apply where Company and its employees, or an authorized agent(s) acting on behalf of the Company, are provided access to the CRA-provided services via the Internet (“Internet Access”).

General requirements:

  1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with the CRA on systems access related matters. The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to the CRA provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.
  2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each CRA product based upon the legitimate business needs of each employee. The CRA shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
  3. Unless automated means become available, the Company shall request employee’s (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by the CRA. Those employees approved by the Head Security Designate or Security Designate for Internet access (“Authorized Users”) will be individually assigned unique access identification accounts (“User ID”) and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). The CRA’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. The CRA may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.
  4. An officer of the Company agrees to notify the CRA in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.

Roles and Responsibilities

  1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with the CRA on systems access related matters. This individual shall be identified as the “Head Security Designate.” The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with the CRA on information and product access, in accordance with these Experian Access Security Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to the CRA systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to the CRA immediately.
  2. As a Client to the CRA’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company.
  3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to the CRA product access control (e.g. request to add/change/remove access). The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with the CRA’s Security Administration group on information and product access matters.
  4. The Head Designate shall be responsible for notifying their corresponding CRA representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to applications and data) that are required to be terminated due to a suspected (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.

Designate

  1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users.
  2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).
  3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User’s job responsibilities.
  4. Is responsible for ensuring that Company’s Authorized Users are authorized to access the CRA products and services.
  5. Must disable Authorized User ID if it becomes compromised or if the Authorized User’s employment is terminated by Company.
  6. Must immediately report any suspicious or questionable activity to the CRA regarding access to the CRA’s products and services.
  7. Shall immediately report changes in their Head Security Designate’s status (e.g. transfer or termination) to the CRA.
  8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.
  9. Shall be available to interact with the CRA when needed on any system or user related matters.

Glossary

Computer Virus: A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying.

Confidential: Very sensitive information. Disclosure could adversely impact your company.

Encryption: Encryption is the process of obscuring information to make it unreadable without special knowledge.

Firewall: In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

Information Lifecycle: (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained.

IP Address: A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). All participating network devices, including routers, computers, time-servers, printers, Internet fax machines, and some telephones, must have their own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices.

Peer-to-Peer: A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission.

Router: A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks, transferring data packets.

Spyware: Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer’s operation without the consent of that machine’s owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet.

Experian Independent Third Party Assessment Program

The Experian Independent 3rd Party Assessment is an annual assessment of an Experian Reseller’s ability to protect the information they purchase from Experian.

EI3PA℠ requires an evaluation of a Reseller’s information security by an independent assessor, based on requirements provided by Experian.

EI3PA℠ also establishes quarterly scans of networks for vulnerabilities.

ISO 27001 /27002

ISO 27001 is the specification for an ISMS, an Information Security Management System (it replaced the old BS7799-2 standard).

The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

SSAE 16, SOC 2, SOC 3

Statement on Standards for Attestation Engagements (SSAE) No. 1

SOC 2 Report on Controls Related to Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The SOC 3 Report is based upon the same controls as SOC 2; the difference is that a SOC 3 Report does not detail the testing performed (it is meant to be used as marketing material).

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
CAI / CCM

Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.


Database Products Disclosure

National/MultiState and Single State Database Searches pull records from various databases available nationwide, but not every jurisdiction provides complete information. Coverage is not exhaustive and can change without notice. For the most thorough screening, direct-court county criminal searches should accompany any database search for all counties in which an applicant has lived, worked or been educated. Contact us to obtain a current coverage document.

Important Notice – Death Master File

Access to the Death Master File as issued by the Social Security Administration requires an entity to have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1).

The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the Death Master File (“DMF”). Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As many Experian services contain information from the DMF, Experian would like to remind you of your continued obligation to restrict your use of deceased flags or other indicia within the Experian services to legitimate fraud prevention or business purposes in compliance with applicable laws, rules and regulations and consistent with your applicable Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use. Your continued use of Experian services affirms your commitment to comply with these terms and all applicable laws.

You acknowledge you will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within the Experian services.