Data Classification Policy - Monstrous Media Group - The World's Best Marketing Agency, Probably.

Published: March, 2010
Revised: March, 2023

I. Introduction

As indicated in the MMG Information Security Charter (the “Charter”) https://www.monstrousmediagroup.com/isc, any person who uses, stores or transmits Data (as defined in the Charter) has a responsibility to maintain and safeguard such Data. The first step in establishing the safeguards that are required for a particular type of Data is to determine the level of sensitivity applicable to such Data. Data classification is a method of assigning such Data.

The first step in establishing the safeguards that are required for a particular type of Data is to determine the level of sensitivity applicable to such Data. Data classification is a method of assigning such levels and thereby determining the extent to which the Data need to be controlled and secured.

Capitalized terms used in this Policy without definition are defined in the Charter.

II. Policy History

The effective date of this Policy is March 30, 2011.
Reviewed and/or revised March 14, 2023.

III. Policy Text

Data security measures must be implemented commensurate with the sensitivity of the Data and the risk to MMG if Data is compromised. It is the responsibility of the applicable Data Owner to evaluate and classify Data for which he/she is responsible according to the classification system adopted by the MMG and described below. If Data of more than one level of sensitivity exists in the same System or Endpoint, such Data shall be classified at the highest level of sensitivity.

A. Data Classification

MMG has adopted the following four classifications of Data:

1. Sensitive Data: any information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, the Nebraska State Information Security Breach and Notification Act, similar state laws and PCI-DSS.

For purposes of this Policy and the other Information Security Policies, Sensitive Data include, but are not limited to Personally Identifiable Information, Protected Health Information and Research Health Information, as defined below:

Personally Identifiable Information or PII: any information about an individual that (1) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (2) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual and (3) is protected by federal, state or local laws and regulations or industry standards.

Protected Health Information or PHI: Individually Identifiable Health Information that is transmitted or maintained by the MMG Software Service Health Care Component in electronic or any other form or medium, except (1) as provided in the definition of Protected Health Information in Section 160.103 of the Privacy Rule and (2) Research Health Information.

Research Health Information or RHI: Individually Identifiable Health Information that (1) is created or received in connection with research that does not involve a Covered Transaction or (2) although previously considered Protected Health Information, has been received in connection with research pursuant to a valid HIPAA authorization or IRB waiver of HIPAA authorization.

MMG’s Office of the General Counsel is responsible for determining whether particular information created, received, maintained, processed or transmitted by MMG constitutes PHI. Examples of Sensitive Data can be found in Appendix A hereto.

2. Confidential Data: any information that is contractually protected as confidential by law or by contract and any other information that is considered by MMG appropriate for confidential treatment.

For purposes of this Policy and the other Information Security Policies, Confidential Data include, but are not limited to:

Client records that are directly related to prior, current and prospective MMG clients and maintained by MMG or an entity acting on MMG’s behalf, but not including (a) “directory information”, such as a client’s name, address, and other information subject to certain requirements or (b) such records disclosed to MMG officials with legitimate business interests or to organizations conducting certain studies on MMG’s behalf.

Human resources information, such as salary and employee benefits information

Non-public personal and financial data about donors
Information received under grants and contracts subject to confidentiality requirements
Law enforcement or court records and confidential investigation records
Citizen or immigrations status
Unpublished research data
Unpublished MMG financial information, strategic plans and real estate or facility
development plans
Information on MMG facility security systems
Nonpublic intellectual property, including invention disclosures and patent applications
Applicant financial information

3. Internal Data: any information that is proprietary or produced only for use by members of the MMG community who have a legitimate purpose to access such data.

For purposes of this Policy and the other Information Security Policies, Internal Data include, but are not limited to:

Internal operating procedures and operational manuals
Internal memoranda, emails, reports and other documents
Technical documents such as system configurations and floor plans

4. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use.

For purposes of this Policy and other Information Security Policies, Public Data include, but are not limited to:

General access data on www.monstrousmediagroup.com
MMG financial statements and other reports filed with federal or state governments and generally available to the public
Copyrighted materials that are publicly available

B. Protection of Data

The protection requirements applicable to each classification of Data can be found in the MMG Registration and Protection of Systems Policy or the MMG Registration and Protection of Endpoints Policy. https://www.monstrousmediagroup.com/isc

IV. Cross References to Related Policies

The Information Security Policies referred to in this Policy are listed in Appendix B hereto.

Appendix A

Examples of Sensitive Data

Examples of PII include, but are not limited to, any information concerning a natural person that can be used to identify such natural person, such as name, number, personal mark or other identifier, in combination with any one or more of the following:

Social security number
Driver’s license number or non-driver identification card number
Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
Email address with password (in certain narrow instances)

Examples of PHI include, but are not limited to, any health information, including demographic information about an individual, that includes any one or more of the following identifiers:

Name
Geographic subdivision smaller than a state
Any element of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date or date of death
Telephone number
Fax number
Electronic mail address
Social security number
Medical record number
Health plan beneficiary number
Account number
Certificate/License number
Vehicle identifier and serial number, including license plate number
Device identifier and serial number
Web Universal Resource Locator (URL)
Internet Protocol (IP) address number
Biometric identifier, including finger and voice print
Full face photographic image and any comparable image
Any other unique identifying number, characteristic, code or combination that allows identification of an individual.

Appendix A

Related Policies

Policies: https://www.monstrousmediagroup.com/isc