We care about your privacy.

Herrera & Company Privacy Statement

The purpose of this Privacy Statement is to inform Individuals about the types of Personal Information that Herrera & Company (H&C) receives, holds and processes in its capacity as a service provider on behalf of our Clients and the State of California.

We are proud to demonstrate our commitment to protecting the Personal Information we receive from our clients by complying with applicable privacy laws.  Any personally identifiable information that is collected or maintained by H&C will be administered in strict compliance with the Information Practices Act of 1977 (Civil Code Section 1798.17) and the Federal Privacy Act (Public Law 93-579).

In order to fulfill this commitment, we have policies and practices intended to appropriately safeguard our facilities, information systems and data.  This Privacy Statement may be revised periodically to maintain its currency and compliance with evolving law and policy and is current as of the “last revised” date that appears at the bottom of this page.

  1. To whom does this Privacy Statement apply? 
  2. What is Personal Information? 
  3. What are our obligations as a processor of Personal Information? 
  4. How do we train and manage our Associates?
  5. How do we ensure the security of our facilities? 
  6. How do we ensure the security of our information systems? 
  7. What additional safeguards do we have in place to protect Personal Information? 
  8. How long will we retain Personal Information? 
  9. How do we update Personal Information such that it is sufficiently accurate for processing purposes?




1. To whom does this Privacy Statement apply?

This Privacy Statement applies to H&C contracts with Clients to provide them with the opportunity to outsource their ETP funding services. Specifically, we provide our Clients with ETP application development, program implementation, administration, record-keeping, and auditing.  Our “Clients” are various entities such as corporations, government agencies, or other businesses that receive our services.  The Personal Information we receive from our Clients relates to a variety of Individuals. An “Individual” is any full-time, California based person employed by a Client to be covered by the services to which this Privacy Statement applies.

2. What is Personal Information?

“Personal Information” is generally any information about an identifiable Individual. The type of information that a Client may collect from an Individual and transfer to us in order for us to provide the Client with our business process outsourcing services may include an Individual’s name, occupational information, Social Security Number  and general demographic information such as age, gender, ethnicity, and education. Personal Information may not, however, include an employee’s bank account information, credit rating, or other personal financial data.

3. What are our obligations as a processor of Personal Information?

As a service provider, we do not independently use or disclose Personal Information transferred to us by, or on behalf of, a Client or an Individual for any purpose other than to process that information in order to fulfill our contractual business processing functions, except as required or permitted by law.  Furthermore, we take all commercially reasonable steps to safeguard the Personal Information we hold against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the Personal Information is held. The precise nature of the safeguards we employ will vary depending on (i) the sensitivity of the Personal Information at issue, (ii) the format in which it is held, and (iii) the manner in which it is stored.

4. How do we train and manage our associates?

Our managing partner is responsible for associate management and training.  We educate our associates about our information security policies and practices, and use reasonable efforts to help ensure that our associates comply with these policies and practices.  These efforts include: Conducting appropriate background checks of all newly-hired associates; Including information on H&C’s policies in our associate orientation process; Requiring associates to execute appropriate non-disclosure agreements; Including information on our policies and practices on the H&C website; Disseminating information on our policies and procedures to associates at appropriate intervals; Limiting access to Personal Information to associates with a business need for seeing it; Promptly ending associate access to systems and facilities upon termination of associate services; Monitoring associates for compliance with policies; and Imposing appropriate disciplinary measures for breaches of policies and procedures.

5. How do we ensure the security of our facilities?

 

The H&C IT Director is responsible for the security of our facilities.  We utilize reasonable security measures at all of our facilities. Such security measures include:

a)     Using access control devices, such as card keys; visit access control, and/or receptionist verification of all associates;

b)     Utilizing enhanced security measures at our data center, including limiting access to specially authorized associates (controlled by computerized access control) and limiting visitors to pre-cleared individuals who must be escorted at all times;

c)    Maintaining secured areas for storage of materials containing confidential information; and,

d)     Implementing other appropriate security measures including security patrols and security cameras, where such measures are judged to be necessary and reasonably appropriate.

6. How do we ensure the security of our information systems?

 

The IT director is responsible for the overall security of our information systems.  Information systems include network and software design, as well as information processing, storage, transmission, retrieval and disposal. We employ policies and practices to protect Personal Information throughout its life cycle – from data entry to data disposal. These policies and practices include, among other things:

a)     Requiring use of virus protection software on all computer systems attached to H&C client server network;

b)     Limiting all access to H&C resources and networks to approved configurations and utilizing appropriate identification and authentication methods;

c)    Utilizing firewalls (which are configured and maintained in accordance with industry-standard procedures and specifications);

d)     Requiring appropriate disposal of all documents and electronic media containing Personal Information;

e)     Employing appropriate intrusion detection, monitoring, and logging capabilities to enable detecting and responding to potential security breaches;

f)     Maintaining appropriate incident handling procedures for responding to any breaches;

g)    Regularly obtaining and installing patches to address software vulnerabilities;

h)      Developing Client applications utilizing appropriate security methods including multiple-factor authentication, strong passwords, session time-outs, and access controls;

i)      Maintaining adequate disaster recovery and business continuity plans for all core functions.

The IT Director is also responsible for maintaining current documentation of our information systems security procedures. These procedures are disclosed to individuals on a need-to-know basis.

7. What additional safeguards do we have in place to protect Personal Information?

Due to the constantly changing nature of technologies and security concerns, we conduct appropriate, periodic reviews of our security policies and practices. Additionally, periodic assessments are conducted as appropriate. All allegations of system or data misuse (by associates, contractors or any third parties) are thoroughly investigated by H&C in accordance with our policies, and reported to law enforcement authorities where appropriate.

8. How long will we retain Personal Information?

We may keep a record of an Individual’s Personal Information, correspondence or comments in a file specific to the Client, to which access by our associates and by any third parties with whom we contract will be strictly limited on a business need-to-know basis. We will retain an Individual’s Personal Information for as long as necessary to fulfill the purposes for which it was transferred to us, or as required or permitted by law. We have established minimum and maximum retention periods, as well as appropriate procedures for the destruction and disposal of Personal Information.

9.  How do we update Personal Information such that it is sufficiently accurate for processing purposes?

As a service provider of business processing functions, we rely on our Clients to provide us with updated Personal Information on an ongoing basis, as necessary in relation to our provision of the services.  In certain cases, Individuals may not be able to update their Personal Information through the Client. Where this is the case, and where we can adequately authenticate the Individual’s identity we will rely on the Individual to provide us with the necessary updated information.  Upon receipt of updated Personal Information, we will amend the Individual’s Personal Information that we hold where such amendment is reasonably necessary to enable us to continue providing the services to the Client in accordance with our contractual obligations as a service provider.  This updating of Personal Information is rarely performed.

HOW TO CONTACT US

Contact us regarding our privacy policies and practices.  All inquiries or complaints regarding our privacy policies and practices should be forwarded to our Managing Partner as follows:

In writing:
Attn: Managing Partner
Herrera & Company
P.O. Box 7127
Stockton, CA  95267
Via telephone: 209-478-9317
Via email: privacy@herreracompany.com

On request, our Managing Partner will inform you of the relevant procedures for challenging our privacy policies and practices, or for filing a complaint.

Last Revised Date: September 12, 2014