1. Overview
Consumer and client information is the core of our business, and protecting it is a board-level responsibility. Our program is built to satisfy the safeguarding requirements of the Gramm-Leach-Bliley Act (GLBA), FTC guidance, and the information security expectations reflected in Regulation F and state law.
2. Governance
An officer of the company is designated as responsible for the information security program. Written policies are reviewed on a periodic basis, at least annually, and following any material change in operations. Program activity is reported to leadership on a regular cadence.
3. Regulatory framework
The program is designed to comply with, and align to, the following where applicable:
- Gramm-Leach-Bliley Act (GLBA), including the FTC's Safeguards Rule.
- Fair Credit Reporting Act (FCRA) safeguarding requirements for furnishers.
- Payment Card Industry Data Security Standard (PCI DSS) for card handling in coordination with our processor.
- State information-security and data-breach notification laws.
- Regulatory expectations articulated by the CFPB and by state regulators.
4. Administrative safeguards
- Written information security policies and procedures.
- Background checks for personnel who handle consumer information, to the extent permitted by law.
- Confidentiality and acceptable-use agreements for all staff.
- Role-based access provisioning and periodic access reviews.
- Mandatory annual privacy and information-security training for all personnel, with additional targeted training for roles that handle payment or health-related information.
- Documented change management for material system changes.
5. Technical safeguards
- Encryption of consumer information in transit using industry-standard protocols.
- Encryption of consumer information at rest on systems that store it.
- Multi-factor authentication for administrative access to systems containing consumer information.
- Centralized logging and monitoring of production systems, with alerting on anomalous activity.
- Network segmentation between production, corporate, and payment environments.
- Timely application of security patches under a documented patch management process.
- Endpoint protection and hard-drive encryption on managed devices.
- Regular vulnerability scanning and periodic third-party security assessments.
- Documented data backup and tested restoration procedures.
6. Physical safeguards
- Access-controlled office space with visitor logging and escort requirements.
- Locked storage for physical records containing consumer information.
- Secure shredding of paper records at end of retention.
- Sanitized decommissioning of hardware that has stored consumer information.
7. Payment card handling
Card and bank information provided to make a payment is captured directly by our PCI DSS-compliant payment processor. SERG does not store full card numbers on its own systems. Where a payment authorization is taken by telephone, we follow procedures designed to prevent card data from being recorded or written down.
8. Vendor oversight
Third-party providers that handle consumer information are subject to a documented vendor management program that includes:
- Due diligence review before engagement.
- Written contracts with confidentiality, data-use, and security obligations.
- Periodic reassessment based on the risk and criticality of the service.
9. Incident response
We maintain a written incident response plan that covers detection, containment, investigation, notification, and post-incident review. When a security incident is suspected, personnel escalate promptly through defined channels. If applicable law requires notification to consumers, regulators, or credit reporting agencies, we provide notice within the timelines the law prescribes.
10. Consumer safeguards
We recommend that consumers help protect their own information by:
- Never providing full Social Security numbers or card numbers to a caller you did not verify.
- Calling us back at the number posted on this website — [PHONE] — to confirm any suspicious communication.
- Reporting any communication that threatens arrest, garnishment, or seizure — see our Company Disclosure.
- Not sharing account details on unsecured messaging platforms.
11. Report a security concern
To report a suspected security incident, vulnerability, or a communication you believe is impersonating SERG:
State Entity Recovery Group LLCAttn: Information Security
[MAILING ADDRESS]
Email: [SECURITY EMAIL]
Telephone: [PHONE]
We investigate every report we receive and coordinate with law enforcement where appropriate.