CREDIT BUREAU OF SANTA MARIA INC DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit

Transcription

1 CREDIT BUREAU OF SANTA MARIA INC DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit SERVICE AGREEMENT This Service Agreement is made and entered into between Credit Bureau of Santa Maria Inc, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit with corporate office located at 1666 Ramona Ave. Suite D, Grover Beach, Ca ("Agency ) ("Client") with business located at. WHEREAS, AGENCY is a credit reporting agency in the business of providing credit reports for permissible purposes and CLIENT is a company who desires to engage the services of AGENCY subject to the terms and provisions of the Agreement. It is understood and agreed that both, AGENCY, Equifax, Experian, Trans Union, and CLIENT will comply with the provisions of the Fair Credit Reporting Act, Public Law CLIENT warrants that it will request credit reports only when there is permissible purpose, as defined by sections 604(a)(3)(E) and 604(a)(3)(F) of the Fair Credit Reporting Act (FCRA) for obtaining a credit report. CLIENT understands that Section 606(b) of the FCRA provides for civil liability for willful noncompliance with the above referenced sections regarding permissible purposes. Client certifies that it is not engaged in credit repair activities and will not refer consumers to such businesses. THEREFORE, the AGENCY and CLIENT agree as follows: I. SERVICES FROM AGENCY. Upon a request made by CLIENT, AGENCY will provide to CLIENT in accordance with AGENCY'S customary practices, reports, which consist of, credit information with respect to individuals for which CLIENT has a permissible purpose to evaluate. Normal hours of operation are, Monday-Friday, 8:00am to 5:00pm, legal holidays excepted. II. PRICING. Charges to CLIENT for services are as shown on attached pricing schedule. III. OBLIGATIONS OF CLIENT. CLIENT agrees to furnish to AGENCY such pertinent information on any applicant of CLIENT or as requested by AGENCY. CLIENT hereby certifies that each report requested by CLIENT shall be used only for legitimated business transactions involving the consumer. Credit information will not be used for consumer credit counseling or any other purpose not identified and approved in this agreement. Employees are forbidden from obtaining reports on themselves, associates, or any other persons except in the exercise of their official duties. CLIENT further affirms that it is not an investigative or detective agency, law firm, government agency, Law enforcement agency, credit counseling firm or credit repair firm. CLIENT shall hold in strict confidence all information received from AGENCY, whether written, printed or verbal. IV. CLIENT hereby agrees to comply with all policies and procedures instituted by AGENCY S consumer reporting vendor. Credit Bureau of Santa Maria Inc, Service 1 st Information Systems and Statewide Credit will give client as much notice as possible prior to the effective date of any such new policies required in the future but do not guarantee that reasonable notice will be possible. CLIENT may terminate this agreement at any time after notification of a change in policy in the event CLIENT deems such compliance as not within its best interest. V. CLIENT agrees that AGENCY S consumer reporting vendor shall have the right to audit records of CLIENT that are relevant to the provision of services set forth in the Agreement. CLIENT further agrees that it will respond 1

2 within a requested time frame for information requested by AGENCY S consumer reporting vendor regarding information provided by such vendor. CLIENT understands that such vendor may suspend or terminate access to the vendor s information in the event CLIENT does not cooperate with such an investigation. VI. CLIENT understands and agrees that, notwithstanding the fact that under federal law CLIENT may have several permissible purposes to obtain consumer reports, CLIENT shall only obtain such reports in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of the consumer. The Federal Fair Credit Reporting Act provides that Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under title 18, United States Code, imprisoned for not more than 2 years, or both. VII. CERTIFICATION. Client certifies that they will not resell the report to any third party. VIII. ACCESS SECURITY POLICIES. A. During the term of this Agreement, CLIENT agrees to comply with all federal, state local statutes, regulations and rules applicable to it, including, without limitation the FCRA, with any changes enacted to FCRA during the term of this Agreement, the Gramm Leach Bliley Act and its implementing regulations, any state or local laws governing the disclosure of consumer credit information, and any regulations or limitations promulgated by AGENCY S consumer reporting vendor. Without limiting the foregoing, AGENCY S may from time to time notify CLIENT of additional, upgraded or new requirements relating to such laws, compliance with which will be a condition of AGENCY S continued provision of the credit information to CLIENT, and CLIENT shall utilize training materials to train and educate its employees in proper security procedures consistent with industry standards. In addition, such new requirements might require price increases. CLIENT agrees to comply with any such new requirements no later than thirty (30) days after it actually receives notice from AGENCY and such requirements shall be incorporated into this Agreement by this reference. CLIENT understands and agrees that AGENCY may require evidence, including a certification that CLIENT understands and will comply with applicable laws. B. CLIENT will implement strict procedures designed to ensure that CLIENT S employees and customers use the services and the credit information in accordance with this Agreement and for no purposes other than as permitted by the Agreement. CLIENT will treat and hold the services and the credit information in strict confidence and will restrict access to the services and the credit information to CLIENT S employees and customers who agree to act in accordance with the terms of this Agreement and applicable law. CLIENT will inform CLIENT S employees and customers to whom any credit information is disclosed of the provisions of this Agreement. CLIENT agrees to indemnify AGENCY for any claims or losses incurred by AGENCY as a result of the misuse of the services or the credit information by CLIENT or CLIENT S affiliates, employees, agents, subcontractors or customers in violation of this Agreement. IX. DATA BREACH. A. CLIENT shall notify AGENCY of any breach of the security of consumer reporting data if the personal information of consumers was, or is reasonably believed to have been, acquired by an unauthorized person within 24 hours following discovery thereof. B. In the event of such a breach, CLIENT agrees to cooperate with AGENCY and with AGENCY S consumer reporting vendor in any investigation relating thereto. The nature and timing of any notifications required herein shall be under the control of AGENCY S consumer reporting vendor, unless otherwise required by law. C. For purposes of the Agreement, breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. D. For purposes of the Agreement, personal information means an Individual s first name of first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver s license number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual s financial account. 2

3 E. For purposes of this Agreement, personal information does not included publicly available information that is lawfully made available to the general public from federal, state, or local government records. F. For purposes of the Agreement, notice may be provided by one of the following methods: (1) Written notice (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code. (3) notice when the CLIENT has an address for the subject persons. (4) Conspicuous posting of the notice on the web site of the CLIENT. G. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. H. The notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation. I. In the event the breach is determined by AGENCY S consumer reporting vendor to be within the control of CLIENT, (1) CLIENT shall provide to each affected or potentially affected consumer, credit history monitoring services for a minimum of one year in which the consumer s credit history is monitored and the consumer receives daily notification of changes that may indicate fraud or ID theft from at least one of the national consumer credit reporting bureaus, and (2) AGENCY S consumer reporting vendor and AGENCY may assess CLIENT an expense recovery fee. X. END-USER NOTIFICATION. If approved by AGENCY and AGENCY S consumer reporting vendor, CLIENT may deliver the consumer credit information to a third party, secondary user with which CLIENT has an ongoing business relationship for the permissible use of such information. AGENCY S consumer reporting vendor may charge a fee for the subsequent delivery to secondary users. Client agrees that AGENCY may verify, through audit or otherwise, that CLIENT is in fact the end user of the credit information with no intention to resell or otherwise provide or transfer the credit information in whole or in part to any other person or entity. CLIENT agrees to notify AGENCY of any change of ownership or control fifteen days prior to any such change. AGENCY will require the new ownership to re-apply for the services provided for herein and will require to new physical inspection in the event the office location is changed. Client hereby authorizes AGENCY to provide copies of any information regarding CLIENT to AGENCY S consumer reporting vendor. XI. MONITORING. CLIENT agrees that AGENCY may monitor CLIENT on an ongoing basis to determine CLIENT S compliance with applicable law and the provisions of this Agreement. In the event AGENCY determines that CLIENT is not in compliance with applicable law or this Agreement, CLIENT may immediately discontinue services under this agreement. CLIENT shall remain responsible for the payment for any services provided to CLIENT by AGENCY prior to any such discontinuance. XII. TRAINING MATERIALS. AGENCY will provide, and CLIENT will utilize, training and training materials to CLIENT in order for CLIENT to comply with the Federal Fair Credit Reporting Act and with the policies and procedures required by AGENCY S consumer reporting vendor. XIII. GENERAL DISCLAIMER. CLIENT shall indemnify and hold AGENCY, Equifax, Experian, and Trans Union, harmless from and against any and all claims, demands, suits, cause of action, judgments, liabilities, damages, losses and expenses resulting and due to the acts of omissions of CLIENT in performing pursuant to this Agreement. In WITNESS WHEREOF, the parties hereto enter into this Service Agreement as of the day of, 2. IX. BILLING/ PAYMENT TERMS. Account invoices/statements will be issued monthly under net 30 day billing terms. Any balance unpaid after 30 days of invoice is subject to interest charges equal to one-and-one-half percent (1.5%) per month, or eighteen percent (18%) per annum. If Client is delinquent in any payment provided for herein or is in violation of any term of the Agreement forthwith. Client agrees to this term of severance without notice and waives any claim for any resulting damages. Accounts 30 days delinquent or those exceeding established credit limits are automatically placed on credit hold. In the event of non-payment, the Client agrees to pay 3

4 reasonable attorney s fees and cost of suit and all fees incurred in the cost of collection. Clients not meeting credit standards for a line of credit may be required to provide a security deposit before services are provided. XV. This Agreement shall continue in force without any fixed date of termination, subject to cancellation by either party upon ten (10) days prior written notice mailed or delivered to the office of the other party; further subject to the right of AGENCY at any time and without prior notice, to terminate this Agreement in event of any federal or state law or decision which affects the economic operation of AGENCY or any violation by Client of any provision of the Agreement. OWNERSHIP INFORMATION (EXCLUDES PUBLICLY TRADED CORPS, BANKS, SAVINGS & LOANS AND CREDIT UNIONS) As Owner, Partner, Principal or Officer of Client, I hereby give my consent to Credit Bureau of Santa Maria, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit to obtain any and all information concerning my business, personal history and financial credit report, which Credit Bureau of Santa Maria Inc, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit may require in connection with this Agreement. Such Information maybe gathered through the use of any investigative or credit agencies of its choice. Date: Date: Credit Bureau of Santa Maria Inc DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1st Information Systems Statewide Credit CLIENT SIGNATURE 4

5 Credit Bureau of Santa Maria Inc DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit CLIENT SERVICE APPLICATION / INFORMATION Legal Company Name: Other Names (DBAs): Street Address: City/State/Zip: Office Phone: Type of Business: Federal Tax I.D. #: (of SSN if Sole Proprietorship with no Fed Tax I.D.) Date Company Established: Website address (if applicable): Address: Professional License: Name on License: Address: City: Telephone: License Number: Expiration Date: BANK INFORMATION: 1) Bank Name Account # Phone Verified with Date Date opened Account History/comments 5

6 PRINCIPALS/MANAGING OFFICERS and SHAREHOLDERS who own 25% or more of company shares Full Name: SSN: D.O.B.: Title: Percentage of Ownership: Home Address: Apartment/Unit #: City: State: Zip: Address: Full Name: SSN: D.O.B.: Title: Percentage of Ownership: Home Address: Apartment/Unit #: City: State: Zip: Address: Business/Trade References Company Name: City/State: Account Number: Contact: Telephone: Company Name: City/State: Account Number: Contact: Telephone: Company Name: City/State: Account Number: Contact: Telephone: Billing Information Street Address: City/State/Zip: Office Phone: Office fax: Contact: Title: 6

7 Acknowledgment & Authorization The undersigned person(s) hereby acknowledge and certify that the information contained herein is true and correct and may be disclosed by Credit Bureau of Santa Maria Inc, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit to lenders or third parties with Broker's and/or Subject Company's officers and principal's prior written permission. The undersigned person(s) authorize Credit Bureau of Santa Maria Inc, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit to verify the information and to conduct business credit and public information source inquires regarding this company and to obtain personal credit reports. The undersigned person(s) waive any indemnify, defend and hold Credit Bureau of Santa Maria, Inc, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit, Equifax, Experian, Trans Union, harmless for any injuries, claims or damages against the undersigned and caused by disclosure of information by Credit Bureau of Santa Maria Inc, DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit to others. Broker of Record: Company Officer or Principal: Signature Date Signature Date Name: Title: Name: Title: 7

8 Credit Bureau of Santa Maria Inc. DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit CLIENT ACKNOWLEGEMENT Access to our services requires acknowledgement and acceptance of the below: You may not transfer use of our services to another person or entity. That you are not operating an unauthorized business as listed on page 9. If you utilize our services via software, you are required to secure the program and at all times protect against access from unauthorized persons You are required to keep all passwords confidential. In the event an employee with access to our services is no longer employed your organization, you are required to notify us immediately. You may not resell information obtained from Credit Bureau of Santa Maria Inc., DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit You are accessing personal credit only for the permissible purpose as stated on your Letter of Intent. Company Date Authorized Representative (print name) Authorized Representative Signature 8

9 BUSINESSES THAT CANNOT BE PROVIDED CREDIT BUREAU INFORMATION Adult entertainment service of any kind Asset Location Services Business that operates out of an apartment or unrestricted location within a residence Attorneys or Law Offices (except collection attorneys or for employment purposes and bankruptcy attorneys) Bail bondsman Check cashing Company that handles third party repossession Company that locates missing children Company or individual involved in spiritual counseling Company or individual who is known to have been involved in credit fraud or other unethical business practices Company or individual listed on repository alert report notifications Company seeking information in connection with timeshares Credit counseling Credit repair clinic or any type of company involved in credit repair activity Dating Service Financial Counseling Foreign company or agency of a foreign government Genealogical or heir research firm Individual seeking information for their private use Insurance Claims Internet Locator Services Judgment Recovery Entities (other than bona fide third party collection agencies) Law Enforcement Agencies (except for employment purposes) Massage service News agencies (journalists) Pawnshop Private detectives, detective agencies or investigative companies Repossession company Security services Subscriptions (magazines, book clubs, record clubs, etc.) Tattoo service Weapons dealer, seller or distributor Other reseller Initial 9

10 Credit Bureau of Santa Maria Inc. DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit FCRA REQUIREMENTS Federal Fair Credit Reporting Act (as amended by the Consumer Credit Reporting Reform Act of 1996) Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects you as a user of information. The FCRA can be found on the web at AGENCY suggests you and your employees become familiar with the following sections in particular: 604. Permissible Purpose of Reports 607. Compliance Procedures 615. Requirements on Users of Consumer Reports 616. Civil Liability for Willful Noncompliance 617. Civil Liability for Negligent Noncompliance 618. Obtaining Information Under False Pretenses 621. Administrative Enforcement 622. Responsibilities of Furnishers of Information to Consumer Reporting Agencies Each of these sections is of direct consequences to users who obtain reports on consumers. As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such an investment, partnership, etc. It is imperative that you identify each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact your usage of report for employment purposes. Credit Bureau of Santa Maria, Inc., DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit, Trans Union, Experian and Equifax all strongly endorse the letter and spirit of the Federal Fair Credit Reporting Act. We believe that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce. In addition to the Federal Fair Credit Reporting Act other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted. As a prospective user of consumer reports, we expect that you and your staff will comply with all relevant federal statutes and the statutes and regulations of the states in which you operate. We support consumer-reporting legislation that will assure fair and equitable treatment for all consumers and users of credit information. Company Date Authorized Representative (print name) Authorized Representative (signature) 10

11 Credit Bureau of Santa Maria Inc. DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit PERMISSIBLE PURPOSES ACKNOWLEDGEMENT Pursuant to the Fair Credit Reporting Act (FCRA) Section 604 Permissible Purpose of Consumer Reports (15 USC 1681b), you may access our services if: You intend to use the information as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation. Under your existing agreement with us, you may access personal credit for mortgage related purposes only, such as a loan to purchase property or a loan to refinance an existing loan initiated by the consumer only, or; Otherwise have a legitimate business need for the information and in connection with a business transaction that is initiated by the consumer. In connection with a tenant screen application involving the consumer. In addition to immediate termination of service, section 616 of the FCRA provides for civil liability for willful noncompliance (15 USC 1681n); specifically, Any person who willfully fails to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure to damages of not less than $100 and not more than $1,000. In the instance of obtaining a consumer report under false pretenses or knowingly without a permissible purpose, actual damages sustained by the consumer as a result of the failure or $100, whichever is greater or such amount of punitive damages as the court may allow. Any person obtaining a consumer report under false pretenses or knowingly without a permissible purpose shall be liable to the consumer reporting agency for actual damages sustained by the consumer reporting agency or $1,000, whichever is greater. Additionally, any person who is negligent in failing to comply with any requirement imposed under the above title with respect to any consumer is liable to that consumer in an amount equal to the sum of any actual damages sustained by the consumer as a result of the failure. All persons employed by your organization that will be utilizing our services will be required to certify that they understand and will comply with all requirements under the FCRA as it pertains to permissible purpose before they will be allowed access to our services. Company Date Authorized Representative (print name) Authorized Representative (signature) 11

12 Credit Bureau of Santa Maria Inc. DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties Service 1 st Information Systems Statewide Credit LETTER OF INTENT A letter of Intent must be submitted on your company letterhead and must be signed by an officer, owner or authorized manager of your company. The Letter of Intent must include, at a minimum, the following information: Pursuant to our agreement with your company, we request access to personal credit for the purpose of: (be specific please) The nature of our business is:. Our anticipated monthly volume of reports is:. Access to reports is anticipated to be: Local / Regional / National. All billings for the above should be sent to: Company Name Attention Address City, State, Zip By: Date: 12

13 END USER CERTIFICATION OF COMPLIANCE California Civil Code - Section (a) Section (a), as amended, states that a consumer credit reporting agency does not have reasonable grounds for believing that a consumer credit report will only be used for a permissible purpose unless all of the following requirements are met: Section (a)(1) states: If a prospective user is a retail seller, as defined in Section , and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the consumer credit reporting agency shall, with a reasonable degree of certainty, match at least three categories of identifying information within the file maintained by the consumer credit reporting agency on the consumer with the information provided to the consumer credit reporting agency by the retail seller. The categories of identifying information may include, but are not limited to, first and last name, month and date of birth, driver s license number, place of employment, current residence address, previous residence address, or social security number. The categories of information shall not include mother s maiden name. Section (a)(2) states: If the prospective user is a retail seller, as defined in Section , and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the retail seller must certify, in writing, to the consumer credit reporting agency that it instructs its employees and agents to inspect a photo identification of the consumer at the time the application was submitted in person. This paragraph does not apply to an application for credit submitted by mail. Section (a)(3) states: If the prospective user intends to extend credit by mail pursuant to a solicitation by mail, the extension of credit shall be mailed to the same address as on the solicitation unless the prospective user verifies any address change by, among other methods, contacting the person to whom the extension of credit will be mailed. In compliance with Section (a) of the California Civil Code, ( End User ) hereby certifies to Consumer Reporting Agency as follows: (Please circle) End User (IS) (IS NOT) a retail seller, as defined in Section of the California Civil Code ( Retail Seller ) and issues credit to consumers who appear in person on the basis of applications for credit submitted in person ( Point of Sale ). End User also certifies that if End User is a Retail Seller who conducts Point of Sale transactions, End User will, beginning on or before July 1, 1998 instruct its employees and agents to inspect a photo identification of the consumer at the time an application is submitted in person. End User also certifies that it will only use the appropriate End User code number designated by Consumer Reporting Agency for accessing consumer reports for California Point of Sale transactions conducted by Retail Seller. If End User is not a Retail Seller who issues credit in Point of Sale transactions, End User agrees that if it, at any time hereafter, becomes a Retail Seller who extends credit in Point of Sale transactions, End User shall provide written notice of such to Consumer Reporting Agency prior to using credit reports with Point of Sale transactions as a Retail Seller, and shall comply with the requirements of a Retail Seller conducting Point of Sale transactions, as provided in this certification. Authorized Representative (print name) Authorized Representative (signature) Company Date 13

14 VERMONT FAIR CREDIT REPORTING CONTRACT CERTIFICATION The undersigned ( CLIENT ), acknowledges that is subscribes to receive various information services from the Credit Bureau of Santa Maria, Inc., DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit, Trans Union, Experian, and Equifax in accordance with the Vermont Fair Credit Reporting Statute 9 VSA 2480e (1999), as amended (the VFCRA ) and the Federal Fair Credit Reporting Act, 15, USC 1681 et. seq. as amended (the FCRA ) and its other state law counterparts. In connection with CLIENT S continued use of credit services information in relation to Vermont consumers, CLIENT hereby certifies as follows: VERMONT CERTIFICATION CLIENT certifies that it will comply with applicable provisions under Vermont law. In particular, CLIENT certifies that it will order information services, relating to Vermont residents that are credit reports as defined by the VFCRA, only after CLIENT has received prior consumer consent in accordance with VFCRA 2480e and applicable Vermont Rules. Vermont Fair Credit Reporting Statute, 9 V.S.A. 2480e (1999) 2480e. Consumer Consent (a) A person shall not obtain the credit report of a consumer unless: (1) the report is obtained in response to the order of a court having jurisdiction to issue such an order; or (2) the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer. (b) Credit reporting agencies shall adopt reasonable procedures to assure maximum possible compliance with subsection (a) of this section. (c) Nothing in this section shall be construed to affect; (1) the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and (2) the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Federal Trade Commission Vermont Rules Current Through June 1999 Agency 06 Office of the Attorney General Sub-Agency 031 Consumer Protection Division Chapter 012 Consumer Fraud Fair Credit Reporting Rule CF 112 Fair Credit Reporting CVR , CF (1999) CF Consumer Consent (a) A person required to obtain consumer consent pursuant to 9VSA 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 VSA 2480e and 2480g shall obtain said consent in writing or in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction. (b) Consumer consent required pursuant to 9 VSA 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicated his or her consent by providing his or her signature. (c) The fact that a clear and adequate written consent from is signed by the consumer, after the consumer s credit report has been obtained pursuant to some other form of consent, shall not affect the validity of the earlier consent. Company Authorized Representative (signature) Date Authorized Representative (print name) 14

15 ACCESS SECURITY REQURIEMENTS We must work together to protect the privacy and information of consumers. The following information security measures are designed to reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to employ an outside service provider to assist you. Capitalized terms used herein have the meaning given in the Glossary attached hereto. The credit-reporting agency reserves the right to make changes to Access Security Requirements without notification. The information provided herewith provides minimum baselines for information security. In accessing the credit reporting agency s services, you agree to follow these security requirements: 1. Implement Strong Access Control Measures i. Do not provide your credit reporting agency Subscriber Code(s) or password(s) to anyone. No one from the credit-reporting agency will ever contact you and request your Subscriber Code number or password. ii. Proprietary or third party system access software must have credit reporting agency Subscriber Code(s) and password(s) hidden or embedded. Account numbers and password(s) should be known only by supervisory personnel. iii. You must request your Subscriber Code password be changed immediately when: Any system access software is replaced by another system access software or is no longer used; The hardware on which the software resides is upgraded, changed or disposed of. iv. Protect credit reporting agency Subscriber Code(s) and password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of your Subscriber Code(s) and password(s). v. Create a separate, unique Login for each user to enable individual authentication and accountability for access to the credit reporting agency s infrastructure. Each user of the system access software must also have a unique logon on password. vi. Ensure that User IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users profiles. vii. Keep User password(s) confidential. viii. Develop strong passwords that are: Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters) Contain a minimum of seven (7) alpha/numeric characters for standard user accounts ix. Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. x. Active logins to credit information systems must be configured with a thirty (30) minute inactive session, timeout. xi. Restrict the number of key personnel who have access to credit information. xii. Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application. Ensure that you and your employees do not access your own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose. xiv. Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information. xv. After normal business hours, turn off and lock all devices or systems used to obtain credit information. Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain credit information. xiii. xvi. 15

16 2. Maintain a Vulnerability Management Program i. Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates. ii. Configure infrastructure(s) such as Firewalls, Routers, personal computers, and similar] components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks. iii. Implement and follow current best security practices for Computer Virus detection scanning services and procedures: Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks. If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated. On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files. iv. Implement and follow current best security practices for computer anti-spyware scanning services and procedures: Use, implement and maintain a current, commercially available computer anti-spyware scanning product on all computers, systems and networks. If you suspect actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated. Run a secondary anti-spyware scan upon completion of the first scan to ensure all Spyware has been removed from your computer. Keep anti-spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-spyware definition files weekly, at a minimum. If your company s computers have unfiltered or unblocked access to the Internet (which prevents access to some known problematic sties), then it is recommended that anti-spyware scans be completed more frequently than weekly. 3. Protect Data i. Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e. tape, disk, paper, etc.) ii. All credit reporting agency data is classified as Confidential and must be secured to this requirement at a minimum. iii. Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information. iv. Encrypt all credit reporting agency data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum. v. Only open attachments and links from trusted sources and after verifying legitimacy. 4. Maintain an Information Security Policy i. Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule. ii. Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. 16

17 iii. iv. The FACTA Disposal Rules requires that you implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information. Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within your organization. 5. Build and Maintain a Secure Network i. Protect Internet connections with dedicated, industry-recognized Firewalls that are configured and managed using industry best security practices. ii. Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used. iii. Administrative access to Firewalls and servers must be performed through a secure internal wired connection only. iv. Any stand-alone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services and network traffic. v. Encrypt Wireless access points with a minimum of WEP 128-bit encryption, WPA encryption where available. vi. Disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point. 6. Regularly Monitor and Test Networks i. Perform regular test on information systems (port scanning, virus scanning, vulnerability scanning). ii. Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by: Protecting against intrusions. Securing the computer systems and network devices And protecting against intrusions of operating systems or software Record Retention: Section 618 of the Fair Credit Reporting Act (FCRA) requires that you retain the credit application and if applicable, a purchase agreement for a period of not less than 60 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. Under Section 621 (a) (2) (A) of the FCRA, any person that violates any provisions of the FCRA may be liable for a civil penalty of not more than $2,500 per violation. I agree to implement and adhere to the above controls set forth in this Access Security Agreement. Date Signature Company Name Print Name/Title Account number/subscriber code: 17

18 GLOSSARY Computer Virus - A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying. Confidential - Very sensitive information. Disclosure could adversely impact your company. Encryption - Encryption is the process of obscuring information to make it unreadable without special knowledge. Firewall - In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle. Information Lifecycle - (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained. IP Address - A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). Any All-participating network devices - including routers, computers, time-servers, printers, Internet fax machines, and some telephones - must have it's own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices. Peer-to-Peer - A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission. Router - A Router is a computer-networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets. Spyware - Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the Internet. SSID - Part of the Wi-Fi Wireless LAN, a service set identifier (SSID) is a code that identifies each packet as part of that network. Wireless devices that communicate with each other share the same SSID. Subscriber Code - Your credit reporting agency account number. WEP Encryption - (Wired Equivalent Privacy) a part of the wireless networking standard intended to provide secure communication. The longer the key used, the stronger the encryption will be. Older technology reaching its end of life. WPA - (Wi-Fi Protected Access) A part of the wireless networking standard that provides stronger authentication and more secure communications. Replaces WEP. Uses dynamic key encryption verses static as in WEP (key is constantly changing and thus more difficult to break than WEP). 18

19 IP ADDRESS REQUEST Please use the IP Address that can be Employee (User) Name: Address: IP Address: 19

20 Score Addendum Client ( End User ) warrants that it has an agreement for service and an account in good standing with Credit Bureau of Santa Maria Inc., DBA Credit Bureau of San Luis Obispo & Santa Barbara Counties, Service 1st Information Systems and Statewide Credit ( Agency ) for a permissible purpose under the Fair Credit Reporting Act to obtain the information in a Fair Isaac Credit Repository Score(s), (Empirica, FICO, and Beacon) and their reason codes. End User certifies that all scores and reason codes whether oral or written shall be maintained by the applicant in strict confidence and disclosed only to employees whose duties reasonably relate to the legitimate business purpose for which the report is requested and will not sell or otherwise distribute to third parties any information received there under, except as otherwise required by law. Unless explicitly authorized in this Agreement or in a separate agreement, between Client and End User, for scores obtained from credit repository, or as explicitly otherwise authorized in advance and in writing by credit repository through Client, End User shall not disclose to consumers or any third party, any not all such scores provided under this Agreement, unless clearly required by law. Reason codes may be utilized to assist in preparing an adverse action (denial letter) to consumer. End User shall comply with all applicable laws and regulations in using the Scores and reason codes. End User may not use the trademarks, service marks, logos, names, or any other proprietary designations, whether registered or unregistered, of the credit repositories, Fair Isaac and Company, Client, the affiliates of them or of any other party involved in the provision of the Score without such entities written consent. End User agrees not in any manner either directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by Credit Repository/Fair Isaac in performing the Credit Repository Score. Warranty: Credit Repository, Fair Isaac warrants the Credit Repository Score Model is empirically derived and demonstrably and statistically sound and that to the extent the population to which the Credit Repository Score Model is applied is similar to the population sample on which the Credit Repository Score Model was developed, Credit Repository Score Model may be relied upon by Broker and/or End Users to rank consumer s in order of the risk of unsatisfactory payment such consumers might present to End Users. Credit Repository/Fair Isaac further warrants that so long as it provides the Credit Repository Score Model, it will comply with regulations promulgated from time to time pursuant to the Equal Credit Opportunity Act, 15 USC Section 1691 et seq. THE FOREGOING WARRANTIES ARE THE ONLY WARRANTIES CREDIT REPOSITORY/FAIR ISAAC HAVE GIVEN BROKER AND/OR END USERS WITH RESPECT TO THE CREDIT REPOSITORY SCORE MODEL AND SUCH WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED CREDIT REPOSITORY/FAIR ISAAC MIGHT HAVE GIVEN BROKER AND/OR END USERS WITH RESPECT THERETO, INCLUDING,FOR EXAMPLE, WARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Client and each respective End User s rights under the forgoing warranty are expressly conditioned upon each respective applicant s periodic revalidation of the Credit Repository Score Model in compliance with the requirements of regulation B as it may be amended from time to time (12 CFR section 202 et seq.) Signature Print Name/Title Date Company 20