GLOBAL TECHNOLOGY, PRIVACY, INTELLECTUAL PROPERTY & SURVEILLANCE GOVERNANCE POLICY SUITE
0. GENERAL PREAMBLE & APPLICATION
0.1 Purpose of the Suite
This suite of policies establishes a comprehensive governance framework to protect the technology assets, personal data, intellectual property, trademarks, confidential information, and operational integrity of the Company (the “Company”), and to prevent and detect cybercrime, spyware, unauthorized surveillance, and corrupt practices in technology procurement and operations.
0.2 Global Application & Hierarchy
a. These policies apply globally to all Company operations, subject to mandatory local law.
b. Where local law imposes stricter requirements than these policies, the stricter requirements prevail.
c. In the event of conflict between these policies and any local procedures, these policies control unless local law requires otherwise.
d. These policies are intended to meet or exceed obligations under, without limitation:
• EU: General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679); ePrivacy Directive 2002/58/EC; EU Trade Mark Regulation; EU dual-use regulations (e.g. Regulation (EU) 2021/821).
• US: California Consumer Privacy Act (CCPA) as amended by CPRA; Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030); Wiretap Act (18 U.S.C. § 2511); Electronic Communications Privacy Act (ECPA, 18 U.S.C. §§ 2510–2523, 2701–2712); Stored Communications Act (SCA, 18 U.S.C. § 2701 et seq.); Lanham Act (15 U.S.C. § 1051 et seq.); CAN-SPAM Act (15 U.S.C. § 7701 et seq.); state spyware and privacy laws; Anti-Kickback Act (41 U.S.C. § 8702 et seq.); Foreign Corrupt Practices Act (FCPA, 15 U.S.C. § 78dd-1 et seq.).
• UK: UK GDPR; Data Protection Act 2018; Computer Misuse Act 1990; Regulation of Investigatory Powers Act 2000 (RIPA); Investigatory Powers Act 2016; Bribery Act 2010; Trade Marks Act 1994.
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5); Criminal Code (including s. 342.1 – unauthorized use of computer, s. 184 – interception of private communications); Trademarks Act; applicable provincial privacy statutes.
• Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs); Criminal Code Act 1995 (Cth); Telecommunications (Interception and Access) Act 1979 (Cth); state Surveillance Devices and Workplace Surveillance legislation; Trade Marks Act 1995 (Cth).
• International: Council of Europe Convention on Cybercrime (Budapest Convention); OECD Anti-Bribery Convention; various WIPO treaties (including Berne Convention, Paris Convention, Madrid Protocol, WIPO Copyright Treaty); TRIPS Agreement; ISO/IEC 27001 and ISO/IEC 27701 standards.
0.3 Definitions (General)
For purposes of all policies, unless otherwise defined:
a. Personal Data / Personal Information has the meaning under GDPR, CCPA/CPRA, PIPEDA, Privacy Act 1988 (Cth), and equivalent laws.
b. Processing means any operation performed on data, as defined in GDPR Art. 4(2).
c. Company Systems means all IT systems, devices, networks, applications, and cloud services owned, leased, or otherwise controlled by the Company.
d. Malicious Code includes spyware, keyloggers, Trojans, backdoors, rootkits, ransomware, and any similar software used to compromise systems or privacy.
e. Surveillance includes any monitoring of communications, systems, documents, locations, or individuals (audio, video, screen, keystroke, or metadata) whether automated or manual.
0.4 Non-Waiver
No manager or employee may waive or authorize deviation from these policies without prior written approval of the Company’s General Counsel or designated legal authority.
⸻
POLICY 1 – GLOBAL PRIVACY AND DATA PROTECTION POLICY
1.1 Purpose
To ensure lawful, fair, secure, and transparent processing of Personal Data, in accordance with GDPR, CCPA/CPRA, PIPEDA, Privacy Act 1988 (Cth), UK GDPR, and analogous laws.
1.2 Scope
Applies to all Personal Data processed by the Company worldwide, including customer, employee, contractor, vendor, and visitor data, regardless of medium or location.
1.3 Key Definitions
a. Controller / Business and Processor / Service Provider are used in the sense of GDPR and CCPA/CPRA.
b. Special Categories / Sensitive Data includes health, biometric, financial, and other protected attributes under applicable law.
1.4 Principles
The Company shall adhere to:
a. Lawfulness, Fairness, Transparency (GDPR Art. 5(1)(a)).
b. Purpose Limitation – collected for specified, explicit, legitimate purposes only.
c. Data Minimization – limited to what is necessary.
d. Accuracy – kept accurate and up to date.
e. Storage Limitation – retained no longer than necessary.
f. Integrity & Confidentiality – protected by appropriate security.
g. Accountability – documented compliance (GDPR Art. 5(2)).
1.5 Legal Bases & Consent
a. Processing must rely on a valid legal basis (e.g., consent, contract performance, legal obligation, legitimate interests) under GDPR Art. 6 and analogous laws.
b. Where required (e.g., certain marketing or tracking), consent must be:
• Freely given, specific, informed, and unambiguous (GDPR Art. 4(11));
• Documented and revocable at any time.
1.6 Data Subject / Consumer Rights
The Company shall implement procedures to honor rights including:
• Access, rectification, erasure, restriction, portability, objection (GDPR Arts. 15–21);
• CCPA/CPRA rights to know, delete, correct, and opt-out of sale/sharing;
• PIPEDA’s access and correction rights;
• Privacy Act 1988 and UK GDPR equivalent rights.
1.7 Cross-Border Transfers
a. Transfers from EU/UK to third countries must comply with GDPR/UK GDPR (e.g., adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules).
b. Transfers from Canada, Australia, and other jurisdictions must comply with local transfer restrictions and contractual safeguards.
1.8 Security & Breach Notification
a. The Company shall implement “appropriate technical and organizational measures” (GDPR Art. 32; ISO 27001/27701).
b. Personal Data breaches shall be assessed and, where required:
• Notified to the competent supervisory authority within 72 hours under GDPR Art. 33;
• Notified to affected individuals where required (e.g., GDPR Art. 34; state breach notification laws in the US; PIPEDA breach provisions; Australian Notifiable Data Breaches scheme).
1.9 Enforcement & Sanctions
a. Violations may result in disciplinary measures up to and including termination, civil liability, and referral to regulators and law enforcement.
b. Regulatory penalties may include administrative fines up to the highest levels permitted (e.g., GDPR up to 4% of global annual turnover; CCPA/CPRA statutory penalties; Privacy Act 1988 increased penalties).
1.10 Review
Reviewed at least annually and upon significant legal or operational changes.
⸻
POLICY 2 – TRADEMARK PROTECTION AND USAGE POLICY
2.1 Purpose
To safeguard the Company’s trademarks globally and ensure lawful use of third-party marks in accordance with the Lanham Act, Madrid Protocol, EU Trade Mark Regulation, UK Trade Marks Act 1994, Canadian Trademarks Act, and Australian Trade Marks Act 1995.
2.2 Scope
Covers all use, registration, enforcement, and licensing of Company and third-party trademarks.
2.3 Key Provisions
a. All trademarks must be cleared, registered, and maintained with support from legal counsel and, where appropriate, under the Madrid System (Madrid Protocol).
b. Unauthorized or misleading use of third-party marks that could cause confusion, dilution, or unfair competition is strictly prohibited.
c. Use of Company marks by employees or partners must follow brand guidelines and be subject to written license or authorization.
d. Suspected infringement by third parties shall be reported to Legal for potential enforcement, including cease-and-desist, opposition, cancellation, or litigation.
2.4 Enforcement & Consequences
a. Misuse of Company marks may result in disciplinary action.
b. Unauthorized use of third-party marks may expose the Company and individuals to civil liability (e.g., damages, injunctive relief, profits disgorgement) under relevant trademark statutes.
⸻
POLICY 3 – INTELLECTUAL PROPERTY (IP) PROTECTION & ANTI-THEFT POLICY
3.1 Purpose
To prevent theft, misappropriation, or unauthorized use of Company IP, including patents, copyrights, trade secrets, software, designs, and proprietary know-how.
3.2 Scope
Applies to all employees, officers, contractors, vendors, and other third parties handling Company IP.
3.3 Legal Framework
a. National patent laws (e.g., US Patent Act, EU/UK patent regimes).
b. Copyright statutes (e.g., US Copyright Act, EU/UK copyright laws).
c. Trade secret laws (e.g., US Defend Trade Secrets Act; EU Trade Secrets Directive; national trade secrets laws).
d. WIPO treaties and TRIPS.
3.4 Key Provisions
a. All IP created by employees or contractors within the scope of employment/engagement is owned by the Company, subject to written contracts.
b. Confidential information and trade secrets must be protected via NDAs, access controls, and need-to-know limitations.
c. Unauthorized copying, transfer, or disclosure of source code, algorithms, datasets, designs, or documents is strictly prohibited and may constitute trade secret theft or copyright infringement.
d. Use of open-source software must comply with approved license management procedures to prevent license contamination and IP risk.
3.5 Enforcement
a. Violations may result in civil actions (injunctions, damages, delivery up, account of profits) and criminal referral where applicable.
b. The Company reserves all rights under trade secret and IP statutes to pursue civil and, where applicable, criminal remedies.
⸻
POLICY 4 – TECHNOLOGY ASSET TRANSFER & OWNERSHIP POLICY
4.1 Purpose
To regulate ownership, transfer, export, and disposition of technology assets, including hardware, software, source code, and technical data, in compliance with export controls and technology transfer laws.
4.2 Legal Framework
a. US International Traffic in Arms Regulations (ITAR, 22 C.F.R. Parts 120–130).
b. US Export Administration Regulations (EAR, 15 C.F.R. Parts 730–774).
c. EU dual-use regulation (e.g., Regulation (EU) 2021/821).
d. National export control and sanctions regimes in relevant jurisdictions.
4.3 Key Provisions
a. All transfers of controlled technology, software, or technical data must be pre-cleared by the Company’s Export/Trade Compliance function.
b. “Deemed exports” (e.g., providing controlled technology to foreign-national employees in certain jurisdictions) must be assessed and licensed where required.
c. Ownership of technology assets must be documented via asset registers, assignment agreements, and license terms.
d. Disposition or transfer of assets (including mergers, acquisitions, divestitures) must ensure continuity of IP ownership and compliance with privacy and export laws.
4.4 Enforcement & Review
Non-compliance may result in internal sanctions and exposure to government penalties, including substantial fines, debarment, and criminal charges.
⸻
POLICY 5 – COMPUTER FRAUD, CYBERCRIME & TECHNOLOGY THEFT PREVENTION POLICY
5.1 Purpose
To prevent, detect, and respond to computer fraud and cybercrime against or through Company Systems.
5.2 Legal Framework
Includes, without limitation:
• US Computer Fraud and Abuse Act (18 U.S.C. § 1030);
• UK Computer Misuse Act 1990;
• Canada Criminal Code s. 342.1;
• Australia Criminal Code Act 1995 (computer offences);
• Council of Europe Budapest Convention on Cybercrime.
5.3 Prohibited Conduct
a. Unauthorized access to any system or account (including “hacking,” password sharing, or privilege escalation).
b. Unauthorized alteration, deletion, or exfiltration of data.
c. Deployment of malware, ransomware, or backdoors on Company or third-party systems.
d. Use of Company Systems to commit fraud, theft, or other crimes.
5.4 Penalties under Law (Illustrative)
a. Many jurisdictions impose substantial fines and multi-year imprisonment for unauthorized access, data theft, or system interference.
b. Offenders may face civil lawsuits for damages and injunctive relief, including under CFAA and analogous statutes.
5.5 Company Response
a. Suspected cybercrime shall be promptly investigated by Security and Legal.
b. Where appropriate, matters will be reported to law enforcement and regulators.
c. The Company will seek full legal remedies, including recovery of losses and litigation against internal or external perpetrators.
⸻
POLICY 6 – DIGITAL SECURITY & ACCESS CONTROL POLICY
6.1 Purpose
To establish robust security and access control measures across all Company Systems, aligned with ISO/IEC 27001 and ISO/IEC 27701.
6.2 Key Provisions
a. Least Privilege & Need-to-Know: Access rights must be limited to what is strictly necessary for job performance.
b. Strong Authentication: Multi-factor authentication (MFA) shall be implemented for sensitive systems and remote access.
c. Logging & Monitoring: Security-relevant events, including logins, privilege changes, and data exfiltration attempts, must be logged and monitored.
d. Endpoint Protection: All endpoints must run approved anti-malware, EDR (endpoint detection and response), host firewalls, and hardening baselines.
e. Encryption: Sensitive data must be encrypted at rest and in transit using strong, industry-standard cryptography.
f. Change Management: Software and configuration changes must follow a formal change control process with appropriate approvals and rollback plans.
g. Secure Development: Software development must adhere to secure coding practices and undergo security testing.
6.3 Non-Compliance
Failure to comply may result in removal of access rights, disciplinary measures, and, where appropriate, legal action.
⸻
POLICY 7 – ANTI-SPYWARE & MALICIOUS CODE POLICY
7.1 Purpose
To prohibit, detect, and eradicate spyware and other malicious code on Company Systems and to clearly define legal and disciplinary consequences.
7.2 Legal Framework
a. US CAN-SPAM Act (15 U.S.C. § 7701 et seq.) and state spyware laws (e.g., California Consumer Protection Against Computer Spyware Act; Washington Computer Spyware Act).
b. Relevant provisions of CFAA, Computer Misuse Act, Criminal Code, and similar statutes that criminalize unauthorized installation of software and unauthorized access.
c. Data protection and privacy laws (GDPR, CCPA/CPRA, PIPEDA, Privacy Act 1988, UK GDPR) governing unlawful tracking and surveillance.
7.3 Definitions
a. Spyware: Any software, code, or tool designed or used to covertly monitor, intercept, copy, or transmit user activity, credentials, communications, or data without transparent authorization consistent with law and Company policy.
b. Keylogger: Software or hardware that records keystrokes.
c. Screen Capture Tool: Software that records or streams screen content covertly.
7.4 Prohibited Activities
The following are strictly prohibited, unless expressly authorized in writing by the Chief Information Security Officer (CISO) and General Counsel for legitimate security reasons and in full compliance with applicable law:
a. Deployment or use of:
• Keyloggers on Company or third-party systems;
• Covert screen capture or session-recording tools;
• Covert audio or camera monitoring software;
• Hidden tracking mechanisms that monitor document access or user behavior beyond disclosed security logging;
• Any spyware or similar code obtained from unapproved sources.
b. Unauthorized manipulation of existing security tools to repurpose them as covert surveillance mechanisms.
c. Installation of remote access tools (RATs, remote desktop tools) outside of approved IT mechanisms and without proper logging and consent.
7.5 Criminal Penalties (Illustrative)
a. Under many laws (CFAA, Computer Misuse Act, national criminal codes), unauthorized installation of spyware or covert monitoring software can result in criminal prosecution, including imprisonment and substantial fines.
b. Under US state spyware laws, violators may face civil penalties and statutory damages per incident.
c. Under privacy laws like GDPR and national privacy statutes, unlawful monitoring may incur regulatory fines, civil damages, and in some jurisdictions, criminal liability.
7.6 Civil Remedies for the Company
a. The Company may pursue:
• Injunctive relief to prevent ongoing misuse;
• Compensatory and, where available, punitive damages;
• Recovery of investigation and remediation costs;
• Attorney’s fees and costs where allowed by law.
7.7 Technical Countermeasures
The Company shall implement:
a. Anti-malware and EDR tools configured to detect spyware patterns, keyloggers, and suspicious remote control tools.
b. Application allowlists/denylists to prevent unapproved software installation.
c. Network intrusion detection and anomaly detection.
d. Regular security scans, penetration testing, and forensic capabilities.
7.8 Procedures When Spyware is Suspected or Detected
a. Any employee suspecting spyware or malicious software must immediately report it to IT Security or via designated incident channels.
b. The device or system may be isolated for forensic investigation.
c. Legal must determine reporting obligations (e.g., regulators, law enforcement, affected individuals).
d. Evidence shall be preserved in accordance with digital forensics best practices for potential litigation or prosecution.
7.9 Enforcement & Sanctions
a. Any employee, contractor, or vendor involved in unauthorized deployment or use of spyware or malicious code will be subject to:
• Immediate suspension of access;
• Disciplinary action up to and including termination;
• Civil action by the Company;
• Referral to law enforcement and regulators.
⸻
POLICY 8 – PROHIBITION OF UNAUTHORIZED SURVEILLANCE & MONITORING POLICY
8.1 Purpose
To strictly regulate and, by default, prohibit unauthorized surveillance and monitoring of individuals, communications, and documents, ensuring compliance with wiretap, interception, and privacy laws worldwide.
8.2 Legal Framework
Includes, without limitation:
• US Wiretap Act (18 U.S.C. § 2511) and ECPA;
• US Stored Communications Act (18 U.S.C. § 2701 et seq.);
• State audio recording laws, including those of all-party consent jurisdictions (e.g., California, Pennsylvania, Massachusetts) where the consent of every party to a conversation is required;
• UK RIPA 2000 and Investigatory Powers Act 2016;
• Canada Criminal Code s. 184 (interception of private communication);
• Australia Telecommunications (Interception and Access) Act 1979 (Cth) and state/territory Surveillance Devices and Workplace Surveillance statutes;
• EU GDPR and ePrivacy Directive.
8.3 Definitions
a. Unauthorized Surveillance: Any interception, recording, or monitoring of communications, audio, video, keystrokes, screen, document access, or geolocation that is not:
• Clearly disclosed;
• Lawful in the applicable jurisdiction; and
• Approved under Company procedures and Legal review.
8.4 Prohibited Activities
Except where explicitly permitted by law and authorized in writing by the CISO and General Counsel, the following are prohibited:
a. Electronic Communications
• Intercepting phone calls, VoIP calls, video conferences, messages, or emails beyond necessary and disclosed security logging.
• Accessing stored communications (e.g., private email content, chats) without lawful authorization and proper business justification.
b. Audio & Visual Surveillance
• Recording conversations (in person or remote) without obtaining legally required consent (including in jurisdictions requiring all-party consent).
• Covert video/audio recording of employees, contractors, or visitors unless expressly authorized and legally permitted (e.g., specific investigatory contexts).
c. Document & Screen Monitoring
• Covert tools that capture document views, exports, or screen content beyond standard access logging and DLP controls.
• Unauthorized monitoring of personal devices, even when used for work, beyond lawful and disclosed BYOD policies.
d. Location and Metadata Tracking
• Covert geolocation tracking of individuals or personal devices.
• Unnecessary retention or analysis of communication metadata in violation of privacy laws.
8.5 Permissible Monitoring (Strictly Controlled)
a. Limited, disclosed, and lawful monitoring for security, compliance, and operational purposes (e.g., security logs, email retention, DLP) may occur, provided that:
• It is documented in employee notices and privacy policies;
• It is proportionate and necessary;
• It complies with applicable surveillance consent requirements.
b. Any investigatory surveillance must be:
• Pre-approved by Legal;
• Conducted in compliance with all jurisdiction-specific surveillance laws;
• Documented with clear purpose, scope, and duration.
8.6 Penalties and Legal Consequences (Illustrative)
a. Unlawful interception or recording may constitute a criminal offense, subject to imprisonment and fines under Wiretap/ECPA, RIPA, Telecommunications (Interception and Access) Act, state Surveillance Devices Acts, and other national laws.
b. Civil liability may include statutory damages, compensatory damages, punitive damages, and attorney’s fees.
c. Regulatory enforcement (e.g., data protection authorities) may impose administrative fines and corrective orders.
8.7 Reporting, Investigation, and Escalation
a. Any suspicion of unauthorized surveillance must be reported immediately to Legal and IT Security or via whistleblower channels.
b. The Company will conduct prompt investigations, preserve evidence, and determine legal obligations to report to authorities or individuals.
c. Where violation is confirmed, the Company will consider criminal referral and civil actions.
8.8 Disciplinary Measures
Any person found to have engaged in unauthorized surveillance is subject to immediate disciplinary action up to termination, and potential personal liability.
⸻
POLICY 9 – ANTI-KICKBACK & THIRD-PARTY TECHNOLOGY ETHICS POLICY
9.1 Purpose
To prevent kickbacks, bribes, and corrupt arrangements involving technology vendors, consultants, and service providers, and to ensure transparency and integrity in procurement and vendor management.
9.2 Legal Framework
Includes, without limitation:
• US Foreign Corrupt Practices Act (FCPA, 15 U.S.C. § 78dd-1 et seq.);
• US Anti-Kickback Act (41 U.S.C. § 8702 et seq.);
• UK Bribery Act 2010;
• OECD Anti-Bribery Convention;
• National anti-bribery/kickback laws (e.g., Criminal Codes in Canada, Australia, EU Member States).
9.3 Definitions
a. Kickback: Any thing of value given, offered, received, or requested as a reward for favorable treatment in connection with a contract or business decision.
b. Thing of Value includes cash, gifts, travel, entertainment, discounts, personal services, or other benefits.
9.4 Prohibited Arrangements
The following are strictly prohibited:
a. Accepting or offering any kickback, bribe, or secret commission related to:
• Awarding technology contracts or licenses;
• Selecting vendors, integrators, or consultants;
• Approving invoices, change orders, or extensions.
b. Requiring or accepting off-book payments, rebates, or “side deals” in connection with technology purchases or renewals.
c. Using intermediaries, agents, or shell entities to disguise corrupt payments or benefits.
9.5 Disclosure Requirements
a. All financial relationships, referral arrangements, or potential conflicts of interest involving vendors must be fully disclosed in accordance with the Company’s conflict-of-interest policies.
b. Gifts, hospitality, and entertainment from technology vendors must be pre-approved when exceeding prescribed thresholds.
9.6 Due Diligence & Vendor Selection
a. The Company shall conduct risk-based due diligence on technology vendors, including screening for corruption, sanctions, cybersecurity posture, and data protection practices.
b. Contracts must include clauses on:
• Anti-bribery and anti-kickback compliance;
• Audit rights and access to books and records;
• Termination for compliance breaches.
9.7 Penalties under Law (Illustrative)
a. FCPA and UK Bribery Act violations may result in:
• Significant corporate fines;
• Individual imprisonment;
• Debarment from public contracts;
• Reputational damage and civil suits.
b. Anti-Kickback Act violations may carry criminal penalties and civil damages, including treble damages and penalties for false claims in government-related contracts.
9.8 Whistleblower Protections
a. Individuals reporting suspected kickbacks or corruption in good faith are protected against retaliation.
b. The Company will investigate all good-faith reports and may utilize internal or external investigators as needed.
⸻
POLICY 10 – LEGAL RAMIFICATIONS & ENFORCEMENT OF SURVEILLANCE & CYBER VIOLATIONS POLICY
10.1 Purpose
To consolidate and clarify the legal consequences, internal sanctions, and enforcement mechanisms for violations involving spyware, unauthorized surveillance, cybercrime, and related misconduct.
10.2 Scope
Covers all violations of Policies 5, 6, 7, 8, and 9, and any other policy relating to technology misuse.
10.3 Criminal Exposure
Individuals involved in:
• Installing or using spyware;
• Unauthorized system intrusion;
• Electronic eavesdropping;
• Fraudulent technology procurement or kickback schemes;
may be subject to criminal prosecution under:
• CFAA and analogous laws (imprisonment, fines);
• Wiretap/ECPA, RIPA, and Telecommunications (Interception and Access) Act (criminal penalties for unlawful interception);
• National anti-bribery and anti-corruption statutes (custodial sentences and fines);
• State/provincial surveillance and privacy laws.
10.4 Civil Liability
Violations may expose:
a. The Company to claims for damages, class actions, regulatory enforcement, and injunctions.
b. Individuals to personal civil liability where laws allow (e.g., private rights of action for unlawful interception, privacy invasion, or spyware).
10.5 Company Remedies against Individuals & Vendors
The Company reserves the right to:
a. Terminate employment, contracts, or vendor relationships for cause.
b. Seek recovery of all losses, including:
• Direct financial losses;
• Regulatory fines (where recoverable);
• Investigation and remediation costs;
• Attorneys’ fees and litigation costs.
c. Pursue indemnification under contractual provisions.
d. Seek injunctive relief to prevent ongoing or future harm.
10.6 Reporting Obligations
Depending on the nature and severity of the violation, the Company may be required or choose to:
a. Report incidents to law enforcement (cybercrime units, anti-corruption authorities).
b. Notify data protection authorities of reportable data breaches (e.g., GDPR Art. 33, UK ICO, OAIC in Australia, provincial or federal regulators in Canada).
c. Notify affected individuals where mandated by data breach or surveillance laws.
d. Report improper vendor conduct to relevant regulatory or industry bodies.
10.7 Governance, Oversight & Escalation
a. The Board or designated Board Committee shall have oversight of major technology-related legal and security risks.
b. The CISO and General Counsel shall jointly own this policy, coordinate incident response, and report material violations to executive leadership and, where required, the Board.
c. Periodic audits and assessments shall be conducted to evaluate compliance with this entire policy suite.
10.8 Training & Awareness
a. All employees must complete mandatory training on privacy, cybersecurity, surveillance restrictions, and anti-corruption at onboarding and at regular intervals.
b. High-risk roles (e.g., IT admins, procurement, executives) shall receive enhanced training focused on spyware risks, surveillance laws, and anti-kickback obligations.
10.9 Review & Continuous Improvement
This policy, and the entire suite, shall be reviewed at least annually and after any major legal change, regulatory action, or significant incident. Updates shall be communicated and incorporated into training.