Information Security
5 INFORMATION SECURITY GUIDELINES
5.1 RELATED STANDARDS, LAWS, PRACTICES AND POLICIES
As a publicly-traded company listed on the New York Stock Exchange (“NYSE”), Teradata Corporation is subject to the regulations of, disclosure duties of, and oversight by the U.S. Securities and Exchange Commission (“SEC”), as well as the listing standards and requirements of the NYSE. It is also subject to the Sarbanes-Oxley Act of 2002, Section 404 (“SOX”). Collectively, these requirements include controls, validation of compliance and disclosure of material non-compliance with respect to certain procedures, policies and controls. Accordingly, when we process PII that is subject to PDP laws, we implement policies, practices and procedures intended to comply with those requirements, and we implement controls, testing and validation procedures, such as reviews and audits, to help assure they are complied with. PII categories and PDP laws, including related litigation and regulatory rulings, that we monitor and strive to comply with, include, as applicable:
- Health/Medical (e.g., the Health Insurance Portability and Accountability Act of 1996, Security Rule (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act in the U.S., and related Omnibus Rules);
- Financial Accounts/Transactions (e.g., the Gramm-Leach-Bliley Act (“GLBA”), Privacy and Safeguards Rules in the U.S.);
- Consumer Credit and Credit Cards (e.g., the Fair and Accurate Credit Transactions Act (“FACTA”), Disposal Rule and Safeguard provisions);
- Electronic records and electronic signatures (e.g., Title 21 CFR Part 11 of the U.S. Code of Federal Regulations, the Food and Drug Administration (“FDA”) guidelines on electronic records and electronic signatures);
- Deceptive acts/practices with respect to information (e.g., U.S. Federal Trade Commission (“FTC”) regulations, guidelines and rulings);
- Commercial e-mail spam (e.g., Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act of 2003 in the U.S.; the Canadian Anti-Spam Law (“CASL”));
- PII and electronic documents (e.g., the Federal Trade Commission (“FTC”) Act in the United States; the Personal Information Protection & Electronic Documents Act (“PIPEDA”) in Canada; the Federal Data Protection Act in Germany; the PII Act in Sweden; the Data Protection Act in the United Kingdom (“UK”); the Privacy Act in Australia; the Personal Information Protection Act in Japan; CNIL regulations in France; and other privacy protection laws and regulations in China, India and many other countries, provinces and states throughout the world, including the California Online Privacy Protection Act and the Massachusetts Data Security Regulation);
- PII possessed and/or processed by government bodies (e.g., the U.S. Privacy Act and, in Canada, the Freedom of Information and Protection of Privacy Act (“FIPPA”));
- Government-issued identification numbers and related information (e.g., various laws pertaining to individually identifiable data and identification numbers pertaining to social benefits, public service, social security, driver licenses, etc.);
- Safeguards and notices/remedies for breached data (e.g., various laws requiring proper storage, handling and protection of PII when disclosed to vendors and service providers, and providing for notices and remedies for certain data breaches);
- California’s ‘Shine the Light’ Law (e.g., under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of certain PII to third parties for their direct marketing purposes; to request such information from us, please send us an e-mail at the California-specific e-mail address under the “Contact Us” heading of this document, specifying in that request that you are a California resident and that you are making a "Request for California Privacy Information"; you may make such a request up to once per calendar year (or more frequently to the extent provided for by applicable law); if applicable, we will provide you by e-mail with a list of the categories of PII disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, along with the third parties' names and addresses; not all PII sharing is covered by this law);
- Children and students (e.g., the Children’s Online Privacy Protection Act of the United States (“COPPA”) and the California Student Online Personal Information Protection Act (“SOPIPA”)). No one who has not reached the age of majority in his or her country may use our Sites unless supervised by an adult. Whether or not the preceding sentence applies to you, if you are under 13 years of age, do not register on any of our Sites, do not make any purchases through any of our Sites, and do not send any information about yourself to us, including your name, address, telephone number or e-mail address. In the event we learn we have collected PII from a child without verification of parental consent, we will delete that information. We do not knowingly collect information from children under the age of 13 (or the age of majority in applicable countries) and do not knowingly target our websites, social media, offerings, business activities or other Sites to children. We encourage parents and guardians to take an active role in their children’s online, mobile and social media activities and interests. Our goal is to comply with all applicable laws and regulations relating to the collection and use of information from children, including COPPA. If you believe we have received information from a child or other person protected under such laws, please notify us immediately by e-mail. We will take reasonable steps not to use or disclose that information further, and to remove that information from our databases;
- Disabled users (e.g., as a matter of practice, we strive to comply with the sixteen standards for Web Accessibility written by the Access Board for Section 508 of the U.S. Workforce Investment Act of 1998 (see http://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-section-508-standards for more information), as they may be updated from time to time, or comparable accessibility standards. We also strive to comply with other accessibility laws, requirements and standards that may apply to our Sites, depending on location and local laws (for example, see the “Teradata Accessibility” link posted at https://www.teradata.com/corporate-social-responsibility/ regarding our accessibility Privacy Statement for Ontario, Canada, which is intended to align with the requirements of Ontario, Canada, laws)).
We also have in place physical, technical, procedural and administrative safeguards designed to implement reasonable and appropriate security measures to protect PII from unauthorized access, disclosure and use. Teradata uses security protocols and mechanisms to exchange and transmit sensitive data, such as sensitive financial account data. When sensitive data, such as a credit-card or payment-card account number or security code, is entered on our Sites, we encrypt it in transit using Secure Sockets Layer (“SSL”) technology (or a like replacement technology that is at least as secure as SSL).
5.2 OPERATING PROCEDURES
Teradata also has developed and complies with standard operating procedures designed to meet or exceed various internationally-recognized standards related to PDP to the extent relevant to us and our activities:
- National Institute of Standards and Technology (“NIST”) Cybersecurity Framework with regard to our cyber crisis response planning and procedures, and our cybersecurity incident management process
- ISO 15408 (Common Criteria) security certification has been achieved for various versions of our flagship Teradata Relational Database Management System (“RDBMS”) software
- ISO 27001:2013 certification and compliance has been achieved regarding information security management practices for a Global Consulting Center (“GDC”) location of our professional services organization
- Service Capability and Performance (“SCP”) Support Standard certification has been achieved by us for best practices in the services industry, including with respect to PDP
- ISO 9001 certification for Teradata Research & Development (“R&D”, also referred to as “Teradata Labs” or “Product Engineering”) has been achieved for the quality management system also known as Teradata’s Product Lifecycle (“TPL”). Teradata’s TPL provides products which fulfill customer and regulatory requirements and aim to enhance customer satisfaction, including with respect to features and functions in our products and product development pertaining to the TPL
- Capability Maturity Model Integration (“CMMI”) Level 3, including Integrated Product and Process Development (“IPPD”), has been achieved by us for development of products and services from conception through delivery and maintenance, including with respect to PDP features and functions
- IT Infrastructure Library Framework for high-quality, effective, compliant and proactive managed services
- Payment Card Industry - Data Security Standards (“PCI-DSS”) have been satisfied and verified for credit/payment-card transactions where we are the merchant or are hosting such a solution for a customer who is the merchant
- Other indicators – our commitments to and achievements regarding excellence in corporate governance, responsibility and controls have been validated and recognized by our repeatedly having been included in the World’s Most Ethical Companies listing and the Dow Jones Sustainability Indices.
5.3 OTHER PRIVACY FRAMEWORKS AND PRINCIPLES
Our privacy and information security-related policies reflect many additional major frameworks and principles applied around the world, including:
- ISO 29100:2011 (Privacy Framework)
- ISO 27002:2013 (Information Technology – Security Techniques – Code of Practice for Information Security Controls)
- ISO 27018:2014 (Protection of customer PII/data privacy in public cloud environments)
- Online Privacy Alliance Guidelines
- Organisation for Economic Co-operation and Development (“OECD”) Guidelines on the Protection of Privacy and Trans-border Flows of PII
- OECD Guidelines for Multinational Enterprises (Article VIII regarding Privacy)
- OECD Guidelines for the Security of Information Systems and Networks
- United Nations (“UN”) Guidelines for the Regulation of Computerized PII Files
- International Standards on Privacy and PII Protection (the “Madrid Resolution” on International Privacy Standards)
- European Privacy and Electronic Communications Directive (EU Directive 2002/58/EC)
- Asia Pacific Economic Cooperation (“APEC”) Privacy Framework
- European General Data Protection Regulation (“GDPR”)
- Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of PII, and its Additional Protocol regarding Supervisory Authorities and Trans-border Data Flows
- Cybersecurity in the Golden State, a 2014 guide by the California Attorney General for businesses regarding PDP
- Australian Privacy Guide by the Office of the Australian Information Commissioner, Mar. 2015
- Article 29 Working Party opinions (“WP29”) regarding PDP
- Self-Regulatory Principles for Online Behavioral Advertising (“OBA Principles”)
- Council of Better Business Bureaus (“BBB”) and Direct Marketing Association (“DMA”) PDP principles
- Mobile Marketing Association’s Code of Conduct for Mobile Marketing.
We also have an Information Security, Privacy and Regulatory Compliance (“InfoSec”) Center of Expertise (“COE”) through which experienced and certified experts and consultants provide information, training, tools, resources, best practices and consultation to our business, our customers and our business alliance partners regarding privacy protection, privacy compliance and information security. Areas of expertise include encryption, intrusion detection and prevention, vulnerability management, risk assessments, operating system hardening, authentication, identity management, control of access rights, virus protection, disk scrubbing, auditing and monitoring, network security, physical security, database security, security policies and procedures, and certification and accreditation.
5.4 INTERNAL POLICIES, GUIDANCE AND PRACTICES
Teradata has numerous internal written global policies (plus local policies in many jurisdictions and supplemental business, organizational, departmental and function/role-specific policies) that pertain to PDP, including:
- Protecting Information within Teradata (CMP 1402)
- Protection of Personal (Employee/Workforce) Data (CMP 204)
- Information Technology Infrastructure Requirements (CMP 1404)
- Record Retention (CFAP 111)
- Publication of Proprietary Technical Information (CMP 911)
- Responding to Governmental Requests for Information (CMP 916)
- Corporate Security (CMP 1700)
We publish an “Information Security” ethics guide for our employees that all relevant employees are required to read, receive training on, and certify to – shortly after they are hired by us and annually thereafter in connection with our Code of Conduct training and certification processes. We also publish a “Social Media Guide” for our employees, reinforcing that our PDP policies and practices also apply to their uses of social media.
We publish a “Rules of the Road” IT Security reference document for all Teradata employees and contractors, as well as “Data Protection Awareness – Frequently Asked Questions (FAQ)”. In addition to PDP being addressed in our Code of Conduct, our employee Code of Conduct training, our Supplier Code of Conduct and our Business Partner Code of Conduct, we also provide our employees with standalone periodic training regarding PDP.
We have internal IT practices and procedures that pertain to PDP. Our internal written IT Information Protection Standards (“IPS”s) include:
- IPS Administration (IPS 101)
- Information Protection Data Center and Operations Requirements (IPS 102)
- Application Development/Deployment Standards (IPS 103)
- Secure Firewall Implementation (IPS 107)
- User ID and Password Management (IPS 109)
- Platform Compliance Monitoring, Administration & Oversight (IPS 115)
- Server Operating System Security Requirements (IPS 119)
- IT Service Production System Access Authorization Requirements (IPS 125)
- Wireless Network Security Requirements (IPS 127)
- Teradata Information at Non-Teradata Sites (IPS 128)
- Information Security for Connecting Outsourced Development & Support (IPS 129)
- Information Security for Teradata Global Consulting Centers (IPS 130)
- Encryption Standard for Teradata (IPS 131)
- Uses of Non-Teradata-Owned Apple Laptops on the Teradata Network (IPS 132)
Other IT practices we employ to help protect privacy and information include: penetration, vulnerability and firewall tests; anti-virus tools on all workstations; deployment of anti-spam and anti-phishing tools; URL and e-mail filtering; deployment of patch management tools; deployment of host-based intrusion detection system (“IDS”) and firewall protection tools; deployment of data loss prevention (“DLP”) tools; deployment of network access control tools; scans and blocks for advanced persistent threats (“APT”); tests, scans, spot-checks, validations and reviews by internal auditing, as well as by third-party subject-matter-expert service providers; deploying full disk encryption on all Teradata laptop computers; encryption on all Teradata servers and selected desktops; deploying Mobile Device Management (“MDM”) security tools and requirements for certain mobile devices used to access the Teradata network; and deploying Multi-Factor Authentication (“MFA”) tools and requirements, such as for remote/mobile access to PII through our internal-use apps and Sites. We maintain and regularly update an internal IT Security online site for our employees where information relevant to information security is aggregated and made accessible to them.
Our main IT infrastructure production systems are operated from highly secure data centers that are designed and implemented to help assure PDP is achieved. Those systems are routinely backed up, the backup data is secured, and redundancy, disaster recovery and business continuity planning are built into our practices and procedures with respect to that data.
We conduct background checks and screening (subject to applicable laws) regarding proposed new-hire employees; these are conducted with the prospective employee’s express permission or otherwise in compliance with applicable laws, and we have arrangements in place with the third-party service providers who assist us with background checks and screening to help assure that the rights of individuals are honored and that their PII is not used or disclosed for any illegal or impermissible purpose. Newly hired employees are also required to sign agreements providing that they will protect, and not make unauthorized use or disclosure of, private and confidential information that they may have access to through Teradata. All employees confirm this each time they log on to our network and systems, at which time they also acknowledge and confirm that they are granting us permission to monitor their use of our network, systems, internal-use apps, internal-use Sites and other IT resources, with no expectation of personal privacy on their part, to the maximum extent permitted by law.
With respect to consulting, professional services and managed services activities we perform for our customers, we generally control and segregate access to PII that our customers possess or process, and comply with other industry-driven and customer-driven privacy and information security practices. For example, for most of our services engagements for deployments of our solutions at our customer sites or at customer-selected data centers, we either do not have access to the PII in our customers’ data or, where we do, we often do so solely through secure workstations and network connections provided and managed by or for the customer, used only for that purpose, and accessible by log-on credentials and other security measures only to our authorized personnel who are in need-to-know positions with respect to that data. Typically, for our customer onsite solutions, we do not access or take possession of our customers’ PII or other sensitive data, nor remove it from our customers’ sites.
The same applies with respect to our Global Development Centers (“GDC”s), such as those in the Czech Republic, Philippines, India, and Pakistan. For the services performed at those centers, stricter controls, practices and procedures are typically applied to secure and limit access to PII. Where applicable laws or contract provisions prohibit or restrict access to solutions or information from locations or countries other than where the solution or data is located, or by citizens or residents of other countries, we implement procedures to help assure we comply with those requirements.
When we run research, development or technical support tests and benchmarks against data for our customers, we rarely have access to or take possession of actual unmodified individually-identifiable PII. If PII is involved, sensitive individually-identifiable data elements typically are encrypted, obfuscated, truncated or otherwise made anonymous. In the exceptional circumstances where we access or take possession of sensitive individually-identifiable PII for critical testing, support or benchmarking, controls, practices and procedures are applied to secure and limit physical and electronic access to the data and data rooms, data centers and facilities involved.
When we host solutions for our customers, we require that it be done on systems that are separate from the IT infrastructure we use and access to manage and operate our own business. The data of each hosted customer is segregated from the data of other customers. Hosted solutions are operated from secure third-party-owned or third-party-operated data centers designed and implemented to help assure that PDP is achieved. The solutions we host, as set forth in the applicable hosting contracts or in standards incorporated into the contracts with our respective customers, are routinely backed up, the backup data is secured, and redundancy, disaster recovery and business continuity planning are built into our practices and procedures with respect to the hosted data. Typically, with respect to environments where we serve as a data processor for our data-controller customers, the hosted-environment and cloud-environment contracts make it the primary responsibility of our data-controller customers to specify their policy, government and industry regulatory compliance requirements. We work with our hosted customers and cloud customers to help assure their data is stored, processed and managed according to their requirements. Teradata may also, if contracted to do so, function in the role of consultant to our customers and will help identify and bring to the attention of our customers PDP risks or non-compliance issues we notice in the normal course of business while providing services, hosted offerings or cloud offerings.
When we provide education/certification courses, such as via Teradata University/Teradata University for Academics and Teradata Certified Professional Programs, Teradata will Use information collected about you to confirm your eligibility for such courses and to use associated websites. Teradata will Use your registration information to send you messages from time to time. You may opt out of receiving such messages, except such messages as Teradata believes are necessary for the administration of associated websites (for example, changes of policy, violations of the terms of use, or compromises to the registration data). If you opt in to receive specific subscriptions to Teradata publications, Teradata will Use your registration information to electronically deliver those specific publications to you. Teradata does not disclose your registration information to unaffiliated third parties or Use your registration information for any other purposes. Teradata may collect the Internet Protocol address of your computer for data about use of associated websites. Teradata uses cookies to remember your “sign in” information as a convenience to you, maintain a certain user interface state for associated websites, and track your usage of associated websites. Please read our Cookie notice on our public websites, and submit your preferences accordingly. Teradata may collect data about pages visited, courses taken and services used by you. Teradata may match such data to information about you (for example, your user registration). Teradata may provide such data to the executive directors and advisory board members of Teradata University/Teradata University for Academics and to your manager. In the case of students, Teradata may provide such information to the student’s professors and teaching assistants.
Such data may be used in efforts to make associated websites more useful to the Teradata University/Teradata University for Academics community and to enforce the terms of use for associated websites. Teradata may publish aggregates of such data in descriptions promoting associated websites. The content you submit may be viewed by other members of the Teradata University/Teradata University for Academics community accessing associated websites. Associated websites may contain links to third-party websites. The Use of PDP about you in connection with such third-party websites is governed by the privacy policies, if any, of such third-party websites.
END OF POLICY