Internal Privacy Policy

Updated November, 2024

Jeffer Mangels Butler & Mitchell LLP (“JMBM”, the "Firm", or “we”) is committed to protecting and respecting the privacy of its current and past employees, partners, independent contractors, and job applicants. Please read this Internal Privacy Policy (the “Policy”) carefully to understand the Firm's views and practices regarding the Personal Information of Covered Persons (as defined in Section 1) and how the Firm will treat it.

The Firm only collects the Personal Information it needs to perform the functions described in this Policy. Accordingly, the Firm does not necessarily collect all of the categories and types of Personal Information identified in this Policy from all categories of Covered Persons. For example, the Firm only collects a subset of the Personal Information specifically discussed in this Policy from prospective employees and job applicants. Please contact [Keilani Afalava] if you have any questions about whether certain information in this Policy applies to you.

All Covered Persons at JMBM are covered by and must comply with this Policy. Any Covered Person who fails to comply with this Policy may be subject to disciplinary action, up to and including dismissal. You should immediately contact [Keilani Afalava] if you become aware of a breach or potential breach of this Policy.

The Firm is also committed to respecting both your Personal Information and the Personal Information it receives from customers, vendors, website users, mobile app users and other external sources. Covered Persons should therefore also familiarize themselves with and be aware of the commitments we make in relation to such Personal Information. For a copy of JMBM’s current Public Privacy Policy, please visit https://www.jmbm.com/privacy-policy.html. You can also contact the Firm’s director of human resources for a copy of any JMBM Privacy Policy.

Definitions
Purpose and Scope of This Policy
What Personal Data Does the Firm Collect and How Does the Firm Use Personal Information?
The Firm's Responsibility for Your Personal Information
Sensitive Personal Information
Disclosure and Transfer of Personal Data
Restrictions on Access to Personal Data
Retention of Personal Information
California Privacy Rights
Enforcement of This Policy
Changes to this Policy

1. Definitions

The following definitions apply to this Policy:

“CCPA” means the California Consumer Privacy Act, as amended.

“Consumer” means a living individual about whom the Firm holds Personal Information.

“Contractor” means a natural person who provides any service to a business pursuant to a written contract.

“Covered Person” refers to:

Current and former employees (including permanent, temporary, and part-time employees);
job applicants and other prospective employees;
Contractors or Partners of the Firm about whom the Firm collects and processes Personal Information; and
Dependents and beneficiaries of current and former employees, and Partners about whom the Firm collects and processes Personal Information.

“Electronic” or “Electronically” means relating to technology having electric, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

“Encrypted“ means the transformation of data through an algorithmic process or an alternative method that is at least as secure, so that the data can only be accessed with confidential key or password.

“Partner” means a natural person who holders a partnership interest in the Firm or is designated as an “partner” (whether directly or as the owner of a business entity that holds a partnership interest in the Firm).

“Personal Information” means information (whether stored Electronically or in physical filing systems) relating to a living individual who can be identified from that data (or from that data and other information in JMBM’s possession). Personal Information can be factual (such as a name, address, date of birth, Social Security number or driver’s license number), Sensitive Personal Information as described below, or it can be an opinion (such as a performance appraisal). It can even include a simple e-mail address. The categories of Personal Information as defined by the CCPA that pertain to this Policy include:

Identifiers	Name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
Other Data	Financial information, medical information, health insurance information, signature, physical characteristics or description, telephone number, geolocation
Protected Classes	Race, color, sex, age (40 and older), religion, national origin, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, disability, marital status, familial status, military or veteran status, political affiliations or activities, status as a victim of domestic violence, assault, stalking, or any other classification protected under California or federal law
Biometric Information	Fingerprints, retina scans, face prints, DNA
Internet Activity	Browsing history, search history, website interactions
Geolocation Data	Data which allows for determining, with reasonable precision, the location of any person or object
Sensory Data	Audio, electronic, visual, thermal, olfactory, or similar data
Professional Data	CV, resume, employment history, licenses, certificates
Education Data	Educational background, grades, scores
Inferences	Profiles about a consumer reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities drawn from other Personal Information

“Processing”, “Process”, or “Processed” is any activity that involves use of the Personal Information. It includes obtaining, recording, or holding the Personal Information, or organizing, amending, retrieving, using, disclosing, erasing, or destroying it including by automated means. Processing also includes transferring Personal Information to third parties.

“Sensitive Personal Information” is Personal Information that reveals about a Covered Person one or more of the following types of information, including: Social Security, driver’s license, state identification card or passport number; account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information; health information; information about sex life or sexual orientation. This Sensitive Personal Information will be handled with extra care as further described in this Policy. Sensitive Personal Information includes financial account information, protected health or medical details, physical or mental health or condition information.

2. Purpose and Scope of this Policy

This Policy sets out the basis on which Personal Information the Firm collects from you, or you provide to the Firm, will be processed by the Firm. This Policy supports the Firm’s efforts to safeguard Personal Information in any format to, in particular:

Ensure the security and confidentiality of Personal Information in a manner consistent with industry and legal standards;
protect against threats or hazards to the security or integrity of Personal Information; and
protect against unauthorized access to or use of Personal Information that creates a substantial risk of identity theft or fraud.

This Policy applies to all Personal Information relating to Covered Persons that exists in any of the Firm’s Processing environments, on any media, at all times.

As an employer, the Firm needs to collect, store and Process Personal Information about its Covered Persons. Personal Information may be provided to the Firm by a variety of means, including through the Internet, the Firm’s intranet, by email, by telephone, by fax or in person. Personal Information, which may be held on physical or Electronic media, is subject to certain legal safeguards that impose restrictions on how the Firm may Process Personal Information. The Firm strives to uphold these key principles when Processing Personal Information:

Openness: Provide information to Covered Persons about how we Process their Personal Information, including not doing anything with their Personal Information that they would not expect or that we would be embarrassed for them to know about.
Purpose Limitation: Only collect Personal Information for a specific business need of the Firm, and only use the Personal Information for that specific purpose for as long as necessary.
Accuracy: Keep Personal Information accurate, complete, and up-to-date. Anyone whose Personal Information we Process has the right to obtain a copy of that Personal Information and to correct any inaccuracies.
Security: Protect Personal Information with appropriate security measures from being lost or stolen, and to prevent to the extent possible accidental or unauthorized access, damage, loss, or disclosure.

3. What Personal Data Does the Firm Collect and How Does the Firm Use Personal Information?

The Firm may collect and Process, and/or has, in the 12-month period immediately preceding the effective date of this Policy, collected and Processed, the following Personal Information about its Covered Persons (excluding children under 16 years of age) for the following purposes:

Human Resources, Payroll Processing, Employment Eligibility Verification: Covered Person’s name, current and prior addresses, date of birth, Social Security number(s), driver’s license number(s), passport number(s), Visa status (where lawful and required), employment eligibility verification, and, where necessary, motor vehicle records, criminal records, state identification card numbers, bank account information, where a Covered Person elects auto-depositing of paychecks, education and employment history, resume/CV, and garnishments.
Security Requirements and Video Surveillance: Covered Person’s fingerprints or other biometric data, or video recordings as necessary for managing physical security of workplace locations and assets, or for maintaining security of confidential materials. Video surveillance data may also be recorded in order to monitor employee work performance or to assist in conducting workplace investigations. Biometric information, geolocation, and video surveillance data shall be recorded and maintained as set forth in the Employee Handbook.
Hiring, Promoting and Evaluating Capacity to Perform Essential Job Duties: For the purpose of determining whether a Covered Person can carry out the essential job duties of his or her position and/or determining whether to hire an applicant or promote a Covered Person, the Firm may collect information from and about the Covered Person’s former employer(s) relating to a Covered Person’s job performance; background details relating to a Covered Person’s record checks or credit checks (when permitted by law and related to the Covered Person’s position); confirmation of degrees, professional licenses, and/or certifications; information about civil court records, criminal court records, bankruptcy court records, tax lien records, judgment records, and Sensitive Personal Information, in accordance with applicable local, state or national laws and regulations; insurance confirmation (as required for the performance of the position’s essential job duties); medical information related to physical restrictions (as required for the performance of the position’s essential job duties); medical information related to requested leaves of absence; medical information related to alleged and actual on the job injuries.
Benefits: For the purpose of providing a Covered Person and their spouses, domestic partners, and/or dependents health plans, pension benefits, and/or any other type of Firm-sponsored benefits, the Firm may collect the Covered Person’s current medical insurance information, a Covered Person’s spouse’s or registered domestic partner’s medical insurance information, medical records and information relating to the Covered Person’s primary physicians or medical providers.
Drug and Alcohol Policy: For the purpose of administering the Firm’s Drug and Alcohol Policy, the Firm may collect a Covered Person’s drug test results (where permitted by law), including, without limitation, pre-employment but post-conditional offer drug tests, post-accident drug tests, and reasonable suspicion drug tests and/or drug tests required by customer contract and permitted under the law.
Retirement Plans: For the purpose of enrolling, maintaining, or assisting with the administration of a 401k plan, or any other type of Firm-sponsored savings, spending, deferred compensation, or retirement plan or account, the Firm may collect a Covered Person’s banking information, beneficiary information, retirement information, or family details (including but not limited to a dependent’s Personal Information, marriage status, and marriage history).
Access to Firm IT Resources: For the purpose of ensuring compliance with all of the Firm’s employment-related policies and applicable law and regulations, as well as other security and confidentiality requirements, and as consistent with applicable federal and state law, the Firm may collect information about each Covered Person’s use of the Firm’s computer systems and network, including without limitation browser history (regarding both internal network and external network [i.e., Internet] information access), search history, file access and transfer records, and website interactions. Video surveillance data may also be recorded in order to assist in conducting workplace investigations.
Compliance with Laws: The Firm may collect any of the Personal Information described above as needed to comply with applicable laws and regulations. Although the Firm is permitted under relevant laws to undertake a range of human resources-related Processing, by submitting Personal Information to the Firm you confirm your consent to your Personal Information being Processed as set forth in this Policy.
Employment Contracts: The Firm may collect any of the Personal Information described above to carry out its obligations arising from contracts of employment entered into between a Covered Person and the Firm, including but not limited to payroll functions, reporting to the Internal Revenue Service or state or local or other applicable equivalent, enrolling Covered Persons in benefit programs, or dealing with disciplinary complaints about or actions against Covered Persons.
Research, Analysis, and Improvement: The Firm may collect any of the Personal Information described above to analyze and improve the Firm’s business processes, including to assist Firm with improving its application and recruitment processes and other human resources-related objectives.
COVID-19 Pandemic-Specific Requirements: As needed to address workplace safety concerns related to the COVID-19 pandemic and any related health crisis, the Firm has collected and may in the future collect medical and other private information that was and is intended and used solely to evaluate the risk of COVID-19 transmission by any Covered Person (whether or not the Covered Person had been diagnosed with the virus) to others in the workplace, to permit contact tracing of any infected Covered Person to prevent further transmissions as possible, to notify “close contacts” of potential exposure as required by law, and to comply with recordkeeping requirements pursuant to applicable law (the “COVID-19 Information”). The COVID-19 Information will be Processed and retained pursuant to this Policy.

The Firm is permitted under relevant laws to undertake a range of human resources-related Processing. The Firm will notify you about how your Personal Information being Processed as set forth in this Policy at the time any Personal Information is collected, or after such collection if new types of Processing are to be carried out.

If a Covered Person engages with the Firm outside of the context as a Covered Person, information collected in that relationship will be subject to either the Firm’s Public Privacy Policy available at https://www.jmbm.com/privacy-policy.html or from the Firm’s director of human resources.

4. The Firm's Responsibility for Your Personal Information

Security Procedures. The Firm will strive to protect your Personal Information through the following methods:

The Firm has security procedures in place that are designed to keep any Personal Information the Firm holds secure and in accordance with this Policy. This includes conducting periodic testing and monitoring of the Firm's systems and security measures and processes, maintaining an audit plan, training and testing Covered Persons on the Firm’s data security protocols, and monitoring compliance with this Policy;
The Firm maintains security measures and technology to prevent Personal Information from being inadvertently disclosed to any unauthorized third party either orally, in writing, via the internet, or by any other means, accidentally or otherwise. This includes, without limitation, monitoring the Firm’s systems for unauthorized access; employing firewall protection and system security patches; and employing virus and malware protection;
The Firm has adopted policies that require laptops, backup tapes and drives, smartphones, tablets, and other portable devices containing Personal Information to be password protected and all Personal Information to be encrypted as appropriate;
The Firm uses physical, administrative, and technical procedures to limit access to Personal Information as described in this Policy;
The Firm has the ability to remotely destroy Personal Information on Firm laptops and/or certain mobile devices that are lost or stolen.

Security Incidents. Any Covered Person who becomes aware of circumstances that may indicate an intrusion or compromise in the Firm's security is obliged to immediately report the incident to the CIO or the IT Help Desk, a member of the Firm's Management Committee (Stan Gibson or, if Mr. Gibson is not available, Neil Erickson), the Firm's Cybersecurity Counsel (Michael Gold or Robert Braun), and the Executive Director (Doug Walton). The circumstances requiring notice include evidence of unauthorized access to Personal Information in any format, loss or theft of equipment or records containing Personal Information, evidence of an intrusion into the Firm’s system, or Personal Information transmitted or disclosed in error. The Firm maintains appropriate logs of all monitoring and security activity. The Firm has established a response plan to address breaches in its security that is reviewed and updated periodically. If there is a breach of security, the affected individuals will be notified as required by law. The Firm reviews all security events and all responsive actions in order to improve its protection of Personal Information.

5. Sensitive Personal Information

It is sometimes necessary for the Firm to Process Sensitive Personal Information as described in Section 3 above. The Firm may collect or Process Sensitive Personal Information for the purpose of inferring characteristics about Covered Persons, consistent with applicable law.

While the Firm has the right to Process Sensitive personal Information in certain circumstances under applicable law, Covered Persons have certain rights with respect to the Firm’s Processing of Sensitive Personal Information as addressed in Section 9 below.

6. Disclosure and Transfer of Personal Information

Security of Personal Information During Transfer.

Where Personal Information is transferred within the Firm's course of performing its duties, the level of security appropriate to the type of Personal Information and anticipated risks will be applied. For example, if transferred by e-mail, Personal Information may be encrypted with the password supplied separately where it is appropriate and necessary. The Firm also employs recognized technology and/or private networks to protect Personal Information transferred over the Internet where it is appropriate and necessary.

Disclosures to Third Parties.

By providing Personal Information to the Firm, you agree that the Firm may share certain information with third parties and, by submitting Personal Information to the Firm, you agree to this transfer and Processing.

Personal Information will only be transferred to a third party if the third party agrees to comply with procedures and policies that comply with this Policy and the Firm's data protection procedures, or if that third party puts in place adequate measures which are compliant with all applicable laws and regulations.

Personal Information will only be shared with third parties in limited circumstances, including:

As necessary to any affiliated Firm following procedures and policies that comply with this Policy.
When the Firm is under a duty to disclose or share a Covered Person’s Personal Information in order to comply with any legal obligation.
To service providers that need the Personal Information to provide Covered Persons or the Firm with certain services related to the Covered Person’s employment or contractual relationship with the Firm.
With third party companies that conduct background checks, including, but not limited to, credit history, criminal conviction history, civil court case history, and prior employment. The third parties with whom this information is shared will use it only for the purposes of conducting the background check as specified by the Firm.
If the Firm is required by a client agreement or contract to share background check results, including any information identified in the “Essential Job Duties” paragraph of Section 3, you will be provided with that information prior to the disclosure and required to sign a waiver.

If the Firm is required by a client agreement to disclose identification information to grant access to the client’s worksite, you will be provided with that information prior to the disclosure and required to sign a waiver.

7. Restrictions on Access to Personal Information

The Firm employs physical, administrative, and technological means to restrict access to Personal Information including:

Only those who have appropriate authority or are reasonably required to know or use Personal Information will have access to Personal Information, and only to the extent necessary for legitimate business purposes. This authority may be revoked at any time and for any reason or no reason.
Access to Personal Information requires a password and user ID or other identifiers that the Firm provides for authorized users.
Physical records containing Personal Information (e.g., paper records and storage media) are required to be kept in restricted and secure areas. Access to these records is limited to authorized personnel only to the extent necessary for legitimate business purposes.
Physical or Electronic access is terminated for Covered Persons whose employment is terminated or whose authorization is revoked. Terminated and unauthorized Covered Persons are not permitted to maintain any copies or reproductions of Personal Information, are required to return all equipment and must certify that they have not maintained any copies or reproductions of Personal Information.
The Firm endeavors to disclose Personal Information only to the extent reasonably necessary. The Firm masks Sensitive Personal Information and other details such as Social Security numbers and financial account numbers, as applicable.
The Firm does not permit direct public access between external networks and any system component that stores Personal Information. The Firm uses a firewall and other technologies to filter and screen inbound and outbound Internet traffic.
Personal Information may also be anonymized where possible (e.g., where only statistical information is needed).

8. Retention of Personal Information

The Firm will only retain your Personal Information or portions of your Personal Information for as long as is necessary to perform its obligations to you or as is required by law. The Firm has a legal duty to retain employment records that may include Covered Persons’ Personal Information after the termination of employment. There are varying requirements as to how long an employer must maintain employment records depending on the type of record being maintained. Accordingly, different categories of Personal Information may be kept for different periods of time in compliance with the law.

All Personal Information you provide will be stored on secure servers or in secure files which may be based in the United States. By submitting your Personal Information, you fully consent to this transfer, storing and Processing. The Firm will take reasonable steps to treat your data securely and in accordance with this Policy.

9. California Privacy Rights

The following disclosures and the rights described below are applicable to Covered Persons who are residents of California.

9.1 Information the Firm Collects

Descriptions of the categories of information the Firm collects, the sources of the information, and the uses of that information are contained in Sections 2 and 3 above.

9.2 Your Rights Under the CCPA

Under the CCPA, Covered Persons located in California have certain rights regarding their Personal Information, including the following:

RIGHT TO ACCESS. You have the right to access Personal Information which we may collect or retain about you. If requested, we will provide you with a copy of your Personal Information which we collect as permitted by the CCPA. You also have the right to receive your Personal Information in a structured and commonly used format so that it can be transferred to another entity (“data portability”).
RIGHT TO KNOW. You have the right to request that we disclose the following about your Personal Information, as defined by the CCPA:
- The specific Personal Information we may collect;
- The categories of Personal Information we may collect;
- The categories of sources from which we may collect your Personal Information;
- The business purpose(s) for collecting or sharing your Personal Information;
- The categories of Personal Information we may disclose for business purposes; and
- The categories of third parties to whom we may share your Personal Information.
RIGHT TO OPT-OUT FROM THE SELLING OR SHARING OF MY PERSONAL INFORMATION. The Firm does not “sell” or “share” Personal Information within the meaning of the CCPA. The CCPA defines “sharing” to mean the “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
RIGHT TO LIMIT USE AND DISCLOSURE OF SENSITIVE PERSONAL INFORMATION. In certain contexts you may have the right to limit how your Sensitive Personal Information is used and disclosed
RIGHT TO DELETION. In certain circumstances, you have the right to request the deletion of your Personal Information. Upon verifying the validity of a deletion request and when required by law, we will delete your Personal Information from our records, and instruct any service providers or third parties to delete your Personal Information.
RIGHT TO CORRECT/RIGHT TO RECTIFICATION. In certain circumstances, you have the right to request correction of any inaccurate Personal Information. Upon verifying the validity of a verifiable correction request, we will use commercially reasonable efforts to correct your Personal Information as directed, taking into account the nature of the Personal Information and the purposes of maintaining your Personal Information.

Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.

Discrimination and retaliation against any Covered Person for exercising their CCPA data rights under this policy and applicable law is strictly prohibited.

9.3 Exercising Your Rights

You may submit an individual rights request by calling us at 888-810-0411, completing our online form located at https://www.jmbm.com/privacy-policy-form.html or emailing the Firm at human@jmbm.com. The Firm shall maintain records of requests for at least 24 months.

Before the Firm can process a request to delete, a request to correct, or a request to provide a copy of a Covered Person’s Personal Information, the Firm will verify the identity of the individual making such request. To verify your identity, the Firm will rely upon information we have previously collected about you, such as known phone number or email address.

You may designate an authorized agent to exercise these rights on your behalf. If a Covered Person utilizes an authorized agent to exercise these rights, the following proof that the agent has been authorized to act on the individual’s behalf must be provided:

Proof of written permission by the Covered Person for the authorized agent to act on his or her behalf and separate verification of the Covered Person; or
Proof that the authorized agent holds a power of attorney to act on the Covered Person’s behalf pursuant to Cal. Probate Code §§ 4000-4465.

The Firm will acknowledge a request within 10 days of receipt of a request. A verified request will generally be fulfilled within 45 days of receipt of any such request. If necessary, the Firm may take an additional 45 days to respond to the request, for a maximum total of 90 days, provided that the Firm provides the requester with notice and an explanation of the reason the Firm will take more than 45 days to respond. The Firm shall inform the requestor whether it has complied, in whole or part, with the request or the basis for denial. Prior to deleting or releasing any information, the Firm will need to verify the requestor is authorized to have the information deleted or to receive the information through the authentication method described above.

10. Enforcement of This Policy

You should direct any questions or concerns about the interpretation or operation of this Policy, or about what may or may not be done with regard to Personal Information, to our director of human resources.

Any Covered Person found to have violated this Policy is subject to disciplinary action, up to and including termination of employment for employees.

11. Changes to this Policy

This Policy is updated and effective as of the date shown on the title page. The Firm shall review this Policy and the particular security measures whenever there is a material change in business practices that may reasonably have an impact on the security or integrity of records containing Personal Information or as required by applicable law. Any changes the Firm may make to this Policy in the future will be posted on the Firm's Intranet.