Equifax has a duty to protect the confidentiality and security of any consumer report or other nonpublic consumer information ("Consumer Information") it provides to its Clients. In addition, Equifax seeks to protect its proprietary information including subscriber codes, account information, and all other nonpublic business information ("Proprietary Information") (Consumer Information and Proprietary Information being referred to cumulatively as "Equifax Information"). In order to discharge these responsibilities, Equifax must obtain from its Clients appropriate information on systems, applications, processes, and entities involved in the transmission of Equifax Information. Equifax requires a description of the intended use, resale, or transmission of the Consumer Information by a Client. This document sets forth the policies and requirements of Equifax for Clients to access, obtain, repackage, and distribute Equifax Information over the Internet. These requirements are in addition to standard Equifax contractual terms and conditions.

 

Terms of Delivery:
  1. Governs only the access of Equifax information through Equifax's managed portal, ePORT.

  2. Governs only the access of information through the URL https://www.eport.equifax.com.

  3. Covers only access via a browser such as Microsoft's Internet Explorer ™ or Netscape Navigator ™. Access of ePORT by screen-scraping or other automated system is not covered by this agreement. A separate agreement must be executed if access is through other than an Internet browser.

 

Data Security

All Proprietary Information, including Equifax subscriber codes and security digits must be protected from unauthorized use. If Proprietary Information must be communicated by Client to an Intermediary for purposes of the transmission of Consumer Information to an End-User, the Intermediary must safeguard this Information and observe these Internet Security requirements.

  1. All Equifax Information must be encrypted as it is transmitted over the Internet. A minimum of 128-bit key encryption is required.

  2. Equifax Information must also be protected when stored on servers, subject to the following requirements:

    1. Servers storing Equifax Information must be separated from the Internet or other public networks by firewall or other comparable methods;

    2. Equifax Information must not be stored on a server that can be accessed by TCP services directly from the Internet and should not be referenced in domain name services (DNS) tables;

    3. Secure access (both physical and network) to servers storing Equifax Information, must include authentication and passwords that are changed at least every 90 days;

    4. All servers must be kept current with appropriate security-specific system patches, as they are available.

  3. Consumer Information shall not be shared with, or accessed by, any person other than an End-User or permitted Intermediary, and all transmission and/or storage of Consumer Information shall be subject to all of the terms and conditions stated in these Internet Security Requirements. The Client is responsible for ensuring that the Intermediary meets these Internet Security requirements.

  4. All Proprietary Information, including Equifax subscriber codes and security digits must be protected from unauthorized use. If Proprietary Information must be communicated by Client to an Intermediary for purposes of the transmission of Consumer Information to an End-User, the Intermediary must safeguard this Information and observe these Internet Security requirements.

 

End-User Authentication
  1. All Equifax Information, including Proprietary Information and Consumer Information, shall only be shared by Client with an End-User who has been authenticated by strong authentication methodology.

  2. When Consumer Information is accessed by an End-User, the specific individual with access to the Information must be identified, each access shall be logged, and a record of this access shall be maintained for at least three (3) months.

 

Compliance
  1. The Client agrees to comply with these Internet Security Requirements at all times.

  2. A breach of security or other circumstance which causes or may have caused or allowed, access to Equifax Information by unauthorized persons or systems, whether intentional, fraudulent, or accidental, must be reported to Equifax as soon as possible and, in any case, not later than one (1) business day after discovery.

 

Liability

The Client shall assume all liability for the use and/or resale of Consumer Information and its delivery via the Internet, and shall hold Equifax harmless from all such liability.

 

Approval of Exceptions

Equifax must approve, in writing, any variance from these Internet Security Requirements.

 

Modifications

Equifax retains the right to update or modify, from time to time, these Internet Security Requirements. If Equifax updates or modifies these Internet Security Requirements, Equifax will require that the Client conform its systems, applications, processes or procedures to comply with the update or modification within a reasonable time period, having regard to all relevant security and legal concerns, as may be determined in the discretion of the Equifax Group Executive, reasonably exercised.

 

Disclaimer

Compliance by the Client with these Internet Security Requirements shall not relieve the Client of the obligation to observe any other or further contractual, legal, or regulatory requirements, rules or terms, nor shall Equifax's review or approval of any of Client's systems, applications, processes, or procedures constitute or be deemed to constitute the assumption by Equifax of any responsibility or liability for compliance by the Client with any contractual, legal, or regulatory requirements, rules, or terms. Client shall remain solely responsible for the security of its system, the security of all Equifax Information received by it from Equifax, and for any breach of that security. Equifax retains the right, in its sole discretion, to withhold approval of Internet access to Equifax Information for any reason. Equifax may suspend or terminate access to the Equifax Information at any time if Equifax has reason to believe that Client, an Intermediary, or a business End-User has violated any of these Internet Security Requirements or any contractual, legal, or regulatory requirements, rules or terms.

(Rev 01/05/2007)