1. Describing how the business will implement and maintain reasonable security procedures and practices to protect PII;
T Cole Realty LLC
DATA PROTECTION POLICY
Data Protection Policy prepared for T Cole Realty LLC 2
© 2019 Frascona, Joiner, Goodman and Greenstein, P.C., 4750 Table Mesa Drive Boulder, CO 80305 (303) 494-3000 Initials_______
2. Providing for the destruction or proper disposal of paper and electronic documents containing PII when they are no longer needed; and
3. Planning for investigation and notification when the business becomes aware that a security breach has or may have occurred.
IV. Definition of “Personal Identifying Information”
As of the adoption of this Policy, “Personal identifying information” (“PII”) is defined by Colorado state law as:
• A social security number;
• An official state or government-issued driver's license or ID card number;
• A government passport number;
• An employer, student, or military identification number;
• A personal identification number (aka a “PIN” number);
• A password or pass code;
• Biometric data
  o “Biometric data” means “unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account” (for example, fingerprints)
• A financial transaction device;
  o “Financial transaction device” means “any instrument or device whether known as a credit card, banking card, debit card, electronic fund transfer card, or guaranteed check card, or account number representing a financial account or affecting the financial interest, standing, or obligation of or to the account holder, that can be used to obtain cash, goods, property, or services or to make financial payments, but shall not include a check”
If you are ever unsure about whether something you are using contains PII, please refer to this policy first and then reach out to the Data Protection Coordinator if you have further questions.
This Policy applies to all PII collected, maintained, transmitted, stored, retained or otherwise used by the Company regardless of the media on which that information is stored (for example, on computers, servers, laptops, smart phones, or in paper files, correspondence, etc.) and regardless of whether it relates to employees, customers, or any other person.
The list below is not exhaustive, but some examples of PII that the Company has that may arise in the regular course of business include:
• Social Security Numbers (or Employer Identification Numbers for brokers who have established an entity such as an LLC or S-Corp) and/or bank account information of employees or independent contractors, contained on applications and/or for tax and wage administration purposes.
• Bank account information and/or Social Security numbers contained in mortgage documents and closing statements.
• A photocopy of a client’s driver’s license, either as a safety precaution when agents leave the office with a new client for the first time or in connection with a notary’s records.
• Credit card numbers if a client asks for a broker to coordinate a payment for an inspection, appraisal, etc.
V. Guiding Principles
When interpreting the policies and procedures described in this Policy, please keep the following principles in mind:
• Be aware of what personal information you have in your files and on your computer or other devices.
• PII should be acquired and used to the extent it is strictly necessary for a legitimate business purpose of the Company. Keep only what is needed.
• PII should not be used for unauthorized purposes.
• PII should be stored securely.
• PII should not be kept for longer than necessary. Properly dispose of what you no longer need.
To summarize:
If the Company does not have a legitimate business need for the PII — then do not collect it. If there is a legitimate business need for the information, then keep it only as long as it’s necessary, and keep it reasonably protected. Once that business need is over, then properly dispose of the PII.
VI. General Responsibilities for Everyone in the Company
A copy of this Policy shall be distributed to each employee[1] of the Company who shall, upon receipt of the Policy, acknowledge in writing that he/she has received and read a copy of the Policy. Any new employees hired after the effective date of this Policy shall be provided with a copy and shall acknowledge, in writing, receipt of the Policy.
[1] The term “employee” is used throughout this Policy for purposes of convenience only. This Policy should be distributed to and signed by any individuals working for the Company who have access to PII held by the Company, even if such individuals are classified as “independent contractors” or some other designation under applicable law. The delivery of this Policy to any individual working for the Company does not affect and is not intended to affect any individual’s classification status as an employee or otherwise.
The amount of PII collected by the Company shall be limited to that amount reasonably necessary to accomplish our legitimate business purposes, or necessary to comply with other state or federal regulations. As a result, if there is a way you can complete a task without acquiring PII, do not ask for it in the first place. If you are given PII and do not need it to complete a task (for example, if you receive a copy of a document for a certain purpose that happens to contain PII such as a client’s social security number, but you do not need the PII contained in that document for that purpose) please permanently redact the PII from that document if possible.
Everyone within the Company should strive to support the security measures in place by the Company to safeguard PII. Such measures include access controls (such as individual passwords on computers and smart phones that have access to any PII the Company has), training on the proper handling of PII, and storing records containing PII in secure locations.
You may not handle PII inconsistently with the guidelines in this Policy. Anyone violating this Policy may be subject to disciplinary action, up to and including dismissal. When in doubt about anything related to this Policy, please reach out to the Data Protection Coordinator.
Access to records containing PII should be limited to those persons who are reasonably required to know such information in order to accomplish a legitimate business purpose or to enable the Company to comply with applicable laws or regulations.
Anyone who has knowledge of unauthorized access, use or disclosure of PII, or any action or inaction with the Company violating the terms of this Policy, should reach out immediately to the Data Protection Coordinator.
When an individual is no longer employed by the Company, access to computer systems should be immediately and permanently blocked; his/her voicemail access, email access, internet access, and passwords shall be invalidated; his/her keys to any buildings, file cabinets, and/or storage areas shall be immediately returned to the Company. The terminated individual must return all records containing PII, in any form, which may at the time of such termination be in the individual’s possession or control (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
Other Guidelines and Rules:
• You may not use PII for any reason unrelated to your job duties.
• Employees should keep all PII secure, by taking sensible precautions and by following the data storage and other guidelines below.
• PII should be stored in as few places as necessary.
• Strong passwords should be used for any and all computers or other devices that have the ability to access PII the Company has, and passwords should not be shared.
• Paper documents containing any PII should be stored in secure locations when not in use.
• PII should not be accessed by or disclosed to unauthorized people.
• If records containing PII are no longer required, they should be deleted and disposed of in accordance with the Company’s record retention and destruction policies.
  o If you have any questions about the Company’s record retention and destruction policies, please contact the Data Protection Coordinator.
• Employees should ensure the screens of their computers are locked when left unattended for any significant amount of time.
• When traveling away from the office, employees should not leave laptops or other devices with access to PII the Company has unattended in unsecure locations.
• People should request help from their supervisor or the Data Protection Coordinator if they are unsure about anything related to this Policy.
• If you know or suspect that an incident has occurred that could compromise the security of PII held by the Company, members of the Company should immediately report any information they have regarding that knowledge or suspicion to the Data Protection Coordinator.
  o Prompt reporting of any such incident to appropriate persons within the Company is important because it maximizes the potential for the Company to be able to: 1) prevent, end, and/or mitigate the effects of any security breach, and 2) rapidly and appropriately evaluate any legal requirements the Company may have in the event of an actual breach, including whether the Company must notify individuals or regulatory authorities.
VII. Data Protection Coordinator and Others with Specific Responsibilities
These people within the Company have key areas of responsibility:
• The Data Protection Coordinator, Tanner Cole, is responsible for:
  o Handling data protection questions from employees.
  o Keeping the owners of the Company updated about data protection responsibilities, risks and issues.
  o Periodically reviewing and, when appropriate, proposing changes to this Policy, as well as any other related policies, to be discussed with the owners of the Company.
  o Arranging for reasonable data protection training and advice for individuals within the Company who have access to PII.
• The IT Manager, Tanner Cole, is responsible for:
  o Evaluating any third-party services the Company is considering using to store or process data or store files that could contain PII, for example cloud computing services, and discussing the same with the owners of the Company.
  o Ensuring the Company maintains up-to-date firewall protection, reasonably designed to maintain the integrity of any PII, installed on all computer network systems electronically storing PII.
  o Ensuring the Company maintains up-to-date computer software, including a program or programs with anti-virus, anti-spyware, and anti-malware functions, installed on all computer network systems electronically storing PII.
  o Ensuring that access to any files that could include electronically stored PII shall be limited to employees using a unique log-in ID and password; and ensuring that re-log-in shall be required when a computer has been inactive for more than a set period of time.
• The HR Manager, Tanner Cole, is responsible for:
  o Safeguarding PII in accordance with the terms of this Policy for employees, independent contractors, or other staff in connection with employment applications and personnel records.
  o Evaluating any third-party services the Company is using or considering using for things like insurance or other benefits, whenever any such services might include the potential sharing of PII from the Company or its employees, and discussing the same with the owners of the Company.
• The Bookkeeper, Tanner Cole, is responsible for:
  o Safeguarding PII in accordance with the terms of this Policy for employees, independent contractors, or other staff in connection with tax and wage administration purposes.
  o Evaluating any third-party services the Company is using or considering using for things like billing, payroll, or credit card processing, whenever any such services might include the potential sharing of PII from the Company or its employees or clients, and discussing the same with the owners of the Company.
VIII. Data Storage
Any specific questions about storing data safely can be directed to the Data Protection Coordinator.
When data is stored on paper (these guidelines also apply to data that is usually stored electronically but has been printed out for any reason):
• Employees should make sure paper and printouts containing PII are not left unattended where unauthorized people could see them.
• Paper documents containing PII should be shredded or otherwise disposed of securely when no longer required in accordance with the Company’s record retention and destruction policies.
• When not being used, the paper or files containing PII should be kept in a locked filing cabinet or locked room when possible. Any paper files containing PII that are not stored in a locked filing cabinet or locked room should be kept in a building or portion of a building that is always locked when the Company is not open for business.
• Access to paper files containing PII should be limited to individuals with a legitimate business need.
When data is stored electronically:
• Data with PII should only be stored on designated drives and servers, and should not be saved directly to laptops or other devices like tablets or smart phones.
• All servers and computers containing data should be protected by approved security software and a firewall.
  o The Company should run up-to-date anti-virus/anti-spyware/anti-malware programs on individual computers and on servers on the Company’s network.
• Strong passwords should be used for any and all computers or other devices that have the ability to access PII the Company has, and passwords should not be shared.
IX. Third Parties
Whenever the Company needs to share PII with third parties such as an outside accountant, a payroll company, a credit card processor, etc., the Company will choose such service providers carefully. The Company should engage reputable contractors in good standing with applicable regulatory requirements, if any, and undertake appropriate due diligence. The Company’s contracts with such third parties should require them to implement and maintain appropriate security measures to ensure any PII is kept reasonably secure and is used in accordance with the Company’s instructions or as otherwise provided by law.
X. Breach Investigations and Notification
Under Colorado state law, the Company is required to promptly conduct an investigation when it becomes aware that a “security breach” of certain electronic data may have occurred.
As of the adoption of this Policy, a “Security Breach” is defined by Colorado state law as:
• “Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.”
  o As of the adoption of this Policy, “encrypted” is defined by Colorado state law as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
For example, a Security Breach can occur by:
• A hacker electronically accessing and acquiring computerized data;
• Unauthorized access of a computer network through weak passwords;
• Theft of unencrypted data sent through a payment system; or
• A briefcase, smartphone, laptop computer, or data storage device containing client files that is stolen or misplaced.
The definition of “personal information” for purposes of Colorado’s Notification of Security Breach statute is very similar to, but not identical to, the definition of PII discussed above. For purposes of this Policy, “personal information” under Colorado’s Notification of Security Breach statute will be referred to as “Breach PI”. As of the adoption of this Policy, Breach PI is defined as:
• A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account;
• A Colorado resident’s account number or credit or debit card number in combination with any required security codes, access code, or password that would permit access to that account; and
• A Colorado resident’s first name or first initial and last name in combination with any one of the following:
  o Social Security number
  o Driver’s License number or Identification Card number
  o Student, military, or passport identification number
  o Medical information
  o Health insurance identification number
  o Biometric data
Personal information does not include information that is lawfully made available to the general public from government records or widely distributed media.
When it becomes aware that a Security Breach may have occurred, the Company will conduct a good faith and prompt investigation to determine the likelihood that Breach PI has been or will be misused. The Data Protection Coordinator will work with the owners of the Company, along with the IT Manager, HR Manager, Bookkeeper, and any other individuals connected with the Security Breach, to first isolate all affected systems to limit the potential further data loss. After all affected systems have been isolated, the Company will investigate the incident and prepare a report containing the following information:
• Date, time, duration, and other basic details related to the Security Breach
• How the Security Breach was discovered, including who discovered the Security Breach, what led that person (or persons) to suspect a Security Breach, and how quickly this information was communicated to the Data Protection Coordinator
• Details about the compromised data that does or may include Breach PI, including:
  o What types of Breach PI have been or may be compromised
  o Number of records affected
  o A list of affected individuals
  o Whether any compromised data was encrypted (if so, which fields)
• Other known details regarding the Security Breach, for example:
  o Method of breach
  o Compromised systems
  o Whether data was deleted, modified, copied and/or viewed
• A determination of whether special consultants or other professionals are necessary to perform forensic analysis or otherwise further investigate
After the Company conducts its investigation, unless this investigation determines that the misuse of Breach PI has not occurred and is not reasonably likely to occur, the Company will give notice to the affected Colorado residents as soon as reasonably possible, but in any case not later than thirty (30) days after the date at which there is sufficient evidence to conclude that a Security Breach has taken place (unless a law enforcement agency has directed the Company not to send notice, or if longer than 30 days is necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system).
The Company will provide notice to any affected Colorado residents in accordance with the notification procedures set forth in C.R.S. § 6-1-716.
XI. Destruction and Disposal Policies
PII that is no longer needed after the expiration of applicable legal or business process-related retention periods should be deleted, destroyed, or otherwise properly disposed of. The Company has implemented specific retention and disposal protocols set forth in its File Retention Policy, a copy of which has been attached here as Exhibit A. All members of the Company should review and comply with the requirements included in that File Retention Policy document.
XII. Effective Date of this Policy; Future Modifications
This Policy may be revised from time to time, and the Company has the maximum discretion permitted by law to interpret, administer, change or modify this Policy. This policy was last revised on May 11, 2023, the “Effective Date”.
All of the rules, guidelines, and procedures set forth above shall be implemented as of the Effective Date. This version of the Policy supersedes and replaces any previous version(s) of the Policy that may have been in place prior to the Effective Date. The terms of this Policy cannot be modified by any statements, written or oral, by anyone within the Company absent a formal amendment of this Policy.