Eagle Ridge Investment Management, LLC
Regulation S-P (“Reg S-P”) requires registered investment advisers to adopt and implement policies and procedures that are reasonably designed to protect the confidentiality of nonpublic personal records. Reg S-P applies to “consumer” records, meaning records regarding individuals, families, or households. Although Reg S-P does not explicitly apply to the records of companies, investors in private funds, or individuals acting in a business capacity, the Firm is committed to protecting the confidentiality of all information of all clients, investors, and prospective investors (“Nonpublic Personal Information”).
Reg S-P requires the Firm to provide its customers with notices describing its privacy policies and procedures. These privacy notices must be delivered to all new clients upon inception of an arrangement, and at least annually thereafter. Although Reg S-P does not require the distribution of privacy notices to companies, investors in Private Funds, or individuals acting in a business capacity, the Firm provides initial and annual privacy notices to all clients and investors as a best practice.
In addition to Reg S-P, certain states have adopted additional consumer privacy laws that may be applicable to investment advisers with clients or investors who are residents of those states.
The Firm will seek to limit its collection of Nonpublic Personal Information to that which is reasonably necessary for legitimate business purposes. The Firm will not disclose Nonpublic Personal Information except in accordance with these policies and procedures, as permitted or required by law, or as authorized in writing by the client. The Firm will never sell Nonpublic Personal Information.
With respect to Nonpublic Personal Information, the Firm will strive to: (a) ensure the security and confidentiality of such information; (b) protect against anticipated threats and hazards to the security and integrity of such information; and (c) protect against unauthorized access to, or improper use of, such information. The Chief Compliance Officer is responsible for administering these policies and procedures. Notify the Chief Compliance Officer promptly of any threats to, or improper disclosure of, Nonpublic Personal Information.
Although these procedures apply specifically to Nonpublic Personal Information, employees must be careful to protect all of the Firm’s proprietary information.
Protecting Confidential Information
Employees will maintain the confidentiality of information acquired in connection with their employment, with particular care being taken regarding Nonpublic Personal Information. Improper use of the Firm’s proprietary information, including Nonpublic Personal Information, is cause for disciplinary action, up to and including termination of employment for cause and referral to appropriate civil and criminal legal authorities.
Nonpublic Personal Information will be restricted to employees who have a need to know such information.
Disclosure of Nonpublic Personal Information
Nonpublic Personal Information may only be provided to third parties under the following circumstances:
- To broker/dealers opening brokerage accounts;
- To accountants, lawyers, and others as directed by clients;
- To specified family members as directed by clients, or as authorized by law;
- To third party service providers, as necessary to service client accounts; and
- To regulators and others, as required by law.
Employees should take reasonable precautions to confirm the identity of individuals requesting Nonpublic Personal Information. Employees must be careful to avoid disclosures to identity thieves, who may use certain Nonpublic Personal Information, such as a social security number, to convince an employee to divulge additional information. Any contacts with suspected identity thieves must be reported promptly to the CCO.
To the extent practicable, Employees will seek to remove nonessential Nonpublic Personal Information from information disclosed to third parties. Social security numbers must never be included in widely distributed lists or reports.
Nonpublic Personal Information may be reviewed by the Firm’s outside service providers, such as accountants, lawyers, consultants, and administrators. The Firm will review such service providers’ privacy policies to ensure that Nonpublic Personal Information is not used or distributed inappropriately.
Access to The Firm’s Premises
The Firm’s premises will be locked outside of normal business hours; meetings with clients should be held in conference rooms or other locations where Nonpublic Personal Information is not available or audible to others; and visitors will not be left in the Firm’s offices unattended.
Information Stored in Hard Copy Formats
The Firm has implemented the following procedures to protect Nonpublic Personal Information stored in hard copy formats:
- To the extent practicable, Nonpublic Personal Information will be kept in lockable filing cabinets;
- All Nonpublic Personal Information, as well as the Firm’s proprietary information, should be locked up at the end of each workday;
- Documents containing Nonpublic Personal Information must never be left unattended in public spaces, such as lobbies or conference rooms;
- Documents being printed, copied, or faxed must not be left unattended;
- Employees will exercise due caution when mailing or faxing documents containing Nonpublic Personal Information to ensure that the documents are sent to the intended recipients; and
- Employees may only remove documents containing Nonpublic Personal Information from the Firm’s premises for legitimate business purposes. Any documents taken off premises must be handled with appropriate care and returned as soon as practicable.
Electronic Information Systems
The Firm has implemented the following procedures to protect Nonpublic Personal Information stored on electronic systems:
- The Firm uses passwords to protect Employee computers, computer networks, and web-based systems administered by third parties. Employees must never share their passwords or store passwords in a place that is accessible to others;
- Employees must shut down or lock their computers when they leave the office for any extended period of time;
- Employees must change passwords periodically. If a password is compromised, the Employee must change his or her password immediately and promptly notify the Chief Compliance Officer of the breach;
- The Chief Compliance Officer must ensure that the Firm’s computer systems require relatively “strong” passwords, such as those that contain combinations of lower case letters, upper case letters, and numbers or symbols;
- Employees will refrain from including Nonpublic Personal Information in unencrypted e-mails sent outside of the Firm’s network, except as requested by a client;
- Any theft or loss of electronic storage media must immediately be reported to the Chief Compliance Officer;
- The Chief Compliance Officer is responsible for ensuring the implementation of appropriate protections for electronic information systems, including:
  - Anti-virus software,
  - Prompt implementation of system patches and updates,
  - Lock-out periods following repeated unsuccessful login attempts,
  - Encryption of all wireless data transmissions,
  - When technically feasible, encryption of files containing Nonpublic Personal Information traveling across public networks, and
  - Monitoring of the Firm’s computer systems for unauthorized use.
- To the extent practicable, Nonpublic Personal Information will be kept on portions of the network that are only available to employees with a legitimate need to access the information;
- The Chief Compliance Officer will ensure the prompt disabling of system access for any terminated employee; and
- Prior to sale or disposal, electronic media containing Nonpublic Personal Information will be permanently erased or destroyed.
Access to Client Accounts
The Firm may access client accounts to debit fees and for limited other purposes. Employees must utilize the utmost care to prevent improper or unauthorized use of such access. Any actual or suspected breach of security involving Client accounts must immediately be reported to the CCO.
Working in Public Places
Employees should avoid discussing Nonpublic Personal Information in public places where they may be overheard, such as in restaurants and elevators. Employees should be cautious when using laptops or reviewing documents that contain Nonpublic Personal Information in public places to prevent unauthorized people from viewing the information.
Employees may only discard or destroy Nonpublic Personal Information in accordance with the Document Destruction policy contained in the Recordkeeping portion of these policies and procedures. Employees are reminded that electronic and hard copy media containing Nonpublic Personal Information must be destroyed or permanently erased before being discarded.
Employees may only process an address change on behalf of a client after confirming the identity of the requestor. Confirmation could be achieved over the phone if an employee has a close relationship with the client, but written authorization should be obtained if there is any question as to the identity of the requestor.
Complaints and Security Breaches
Employees must promptly inform the Chief Compliance Officer of:
- Any complaints from clients regarding the improper disclosure of Nonpublic Personal Information;
- Any suspected or actual identity theft involving clients; or
- Any suspected or actual disclosure of Nonpublic Personal Information in violation of the Firm’s policies and procedures.
The Chief Compliance Officer is responsible for coordinating the Firm’s response to any complaints or security breaches. Among other things, the Chief Compliance Officer will be responsible for documenting the Firm’s response to any incident, and for conducting a retrospective review to determine whether policy or procedure changes are appropriate.
The Firm will provide a Privacy Notice to all clients upon establishment of an advisory relationship. The Firm will also provide a copy of the Privacy Notice to all clients annually.
The Firm will provide clients with prompt notice of any significant changes to the Company’s privacy policies, and will give clients sufficient opportunity to opt out of any new disclosure provisions.