Effective Date: May 17, 2025

Purpose and Scope

This Data Security Plan outlines the procedures and controls used by Summit Judgement Recovery to protect sensitive personally identifiable information (PII) accessed through skip tracing tools, judgement enforcement documents, and court filings. The goal is to comply with:

  • The Fair Credit Reporting Act (FCRA)
  • State consumer protection and data privacy laws
  • Data provider agreements (e.g., TLOxp, IDI, LexisNexis)
  • Industry best practices for information security

Types of Data Handled

Summit Judgement Recovery may collect or access the following types of data:

  • Full names and aliases
  • Social Security numbers (SSNs)
  • Dates of birth (DOB)
  • Addresses (current and historical)
  • Employment information
  • Court records and judgements
  • Contact numbers and emails
  • Financial institution or wage data (if garnishment is sought)

Access Control

All data systems are password-protected and accessible only to authorized personnel

  • User accounts are role-based, ensuring least-privilege access.
  • Passwords follow strong protocols (12+ characters, multi-factor authentication).
  • No third parties may access or use data unless part of a written vendor agreement.

Physical Security

Office is located in a commercial suite with locked entry and secure filing cabinets.

  • Computers and physical files are not accessible to the public or visitors.
  • All paper documents containing PII are stored in locked cabinets when not in use.
  • Disposal of physical documents is done by cross-cut shredding.

Electronic Security

All devices are protected with:

  • Passwords or biometric authentication
  • Up-to-date antivirus and anti-malware software
  • Disk encryption on laptops and desktops
  • Cloud-based tools (if any) are FCRA-compliant and encrypted end-to-end.
  • Sensitive data is never transmitted via unsecured email or messaging platforms.
  • Regular system backups are performed and stored securely offsite.

Data Retention & Disposal

Judgement-related data is retained for a minimum of 7 years or until the debt is resolved, whichever is longer.
Once retention requirements expire, data is securely destroyed:

  • Digital files are permanently deleted and wiped
  • Physical files are shredded using a secure method

Incident Response

  • If a suspected or confirmed data breach occurs:
  • Internal incident response is initiated within 24 hours
  • Affected data subjects and any regulatory bodies are notified if required
  • The source of the breach is identified, contained, and remediated
  • Incident is logged and documented for audit purposes

Employee Training & Awareness

  • All personnel with access to sensitive data are:
  • Trained on FCRA and data privacy at onboarding
  • Required to sign a confidentiality and compliance agreement
  • Refreshed annually on security and ethical use of data

Vendor Management

Summit Judgement Recovery only works with vendors (e.g., skip tracing platforms, file storage services) that meet equivalent data security standards.
Written contracts include:

  • Confidentiality terms
  • Data handling limitations
  • Breach notification obligations

Audits and Compliance Reviews

  • Security practices are reviewed annually or upon material change in operations.
  • Internal audits may include:
  • Reviewing access logs
  • Verifying proper document storage
  • Random spot checks on secure data handling