Privacy Policy

Updated May 18th, 2020
PACLOCK's privacy policy describes how PACLOCK collects, uses, and shares your personal data.

What Personal Data We Collect And When And Why We Use It

When we collect information

We collect information about you if you place an order with us (directly or through Amazon).

We will collect your personal data via the following methods:

  • By recording details you provide to us – e.g. your communications with us through emails or calls, and/or
  • Your Amazon account and order.

Personal data we collect and use if you place an order with us

Category of Personal Data: Contact information
Further information about the category: Names, addresses (including address history)

The legal basis for using your personal data

We will only collect and use your personal data where we are satisfied that we have an appropriate legal basis to do this. This may be because:

  • you have consented to us using the personal data, for example by placing an order with us;
  • our use of your personal data is necessary to perform fulfillment of an order with you; and/or
  • our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have, for example fulfillment of a court order.

If you would like to find out more about the legal basis on which we process personal data, please contact us at data-protection@paclock.com.

Personal Data Processed: Names, addresses (including address history)
Reason for Processing: To ship your order to you
Legal Justification: Consent, or necessity for performance of a contract

Sharing Your Personal Data

We share your information in the manner and for the purposes described below:

  1. within Pacific Lock Company, where such disclosure is necessary to provide you with our services or to manage our business;
  2. with third parties who help manage our business and deliver services. These third parties have agreed to confidentiality restrictions and use any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. These include shipping services, such as FedEx, USPS, etc;
  3. with our regulators, to comply with all applicable laws, regulations and rules, and with requests of law enforcement, regulatory and other governmental agencies.

Transferring Personal Data Globally

We do not share your data globally.

How We Protect And Store Your Information

Security

We have implemented and maintain appropriate technical and organizational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss of, or unauthorized disclosure of or access to, such information, appropriate to the nature of the information concerned.

Storing your personal data

We will store your personal data for as long as is reasonably necessary for the purpose, as explained in this notice, for which it was collected. In some circumstances we may store your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.

Phase I – Preparation Details

The Preparation phase is easily the most important and most often overlooked phase. Without proper preparation, incident response activities may be disorganized and expensive, and could cause irreparable harm to Pacific Lock Company. Tasks included in the Preparation phase include but are not limited to the following:

  • Establishing a Cyber Security Incident Response Team (CSIRT).
  • Ensuring appropriate parties are aware of incident reporting processes.
  • Validating logging, alerting and monitoring policy compliance.
  • Ensuring the CSIRT receives appropriate training based on skill gap analysis, career development efforts, and skill retention needs.
  • Defining and documenting standard operating procedures and workflows for the CSIRT.
  • Reviewing reports and logs and validating remediation efforts.
  • Establishing disposable, disabled administrative credentials to be enabled and used for investigations.

The Preparation phase is a continuous process.

Reporting Incidents

Incident reporting is available to both internal and external parties. Each of these is equally critical, as users of Pacific Lock Company’s systems and information may sometimes be the first to observe a problem.

Incident Type: Many
Reporting Method: Email Contact
Available To: Customers & Employees
Anonymous?: No
Response Time: Up to 4 hours during office hours. Otherwise, within 2 hours of open.

Incident Type: Physical Access
Reporting Method: Alert Office Manager
Available To: Employees
Anonymous?: No
Response Time: Immediate

Incident Type: Many
Reporting Method: CSIRT Phone Contact
Available To: Employees
Anonymous?: No
Response Time: Immediate during office hours. Otherwise, within 1 hour of open.

To report incidents, please send an email to data-protection@paclock.com.

Reporting Information to Amazon

If Amazon information was compromised in the incident, then Amazon must be made aware within 24 hours of detection of the incident. CSIRT must report the incident to Amazon via email to 3p-security@amazon.com. In the case of compromised Amazon information, no report is to be made to an authority or customer on behalf of Amazon unless Amazon specifically requests in writing that the CSIRT do so.

Phase II – Identification and Assessment

Identification

When a Pacific Lock employee or external party notices a suspicious anomaly in data, a system, or the network, or a system alert generates an event, the CSIRT must perform an initial investigation and verification of the event.

Events vs Incidents

As defined above, Events are observed changes in the normal behavior of a system, environment, process, workflow or personnel. Incidents are events that indicate a possible compromise of security or non-compliance with policy that negatively impacts (or may negatively impact) the organization. To facilitate identification of an incident, the following is a list of typical symptoms of security incidents; an incident may exhibit any or all of them:

  • Email notification from an intrusion detection tool.
  • Suspicious entries in system or network accounting or logs.
  • Discrepancies between logs.
  • Repetitive unsuccessful logon attempts within a short time interval.
  • Unexplained new user accounts.
  • Unexplained new files or unfamiliar file names.
  • Unexplained modifications to file lengths and/or dates, especially in system files.
  • Unexplained attempts to write to system files or changes in system files.
  • Unexplained modification or deletion of data.
  • Denial/disruption of service or inability of one or more users to login to an account.
  • System crashes.
  • Poor system performance of dedicated servers.
  • Operation of a program or sniffer devices used to capture network traffic.
  • Unusual time of usage (e.g. users logging in at unusual times).
  • Unusual system resource consumption (high CPU usage).
  • Last logon (or usage) for a user account does not correspond to actual last time the user used the account.
  • Unusual usage patterns.
  • Unauthorized changes to user permission or access.
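Several of the symptoms listed above are detectable directly from authentication logs. The following is an added example written for this page, not code from Pacific Lock Company's plan: it runs over a handful of constructed log lines (the line format, host names, user names and IP addresses are all made up for the example) and flags three of the listed symptoms: repetitive unsuccessful logon attempts within a short interval, a successful logon that follows such a burst from the same source, and logons at unusual hours. The threshold (5 failures in 60 seconds) and the office-hours window (08:00 to 18:00) are assumptions for illustration; a real deployment would tune them to observed baselines.

```python
"""Detect incident symptoms from authentication log lines.

Added example for the symptom list above.  The log format below is
constructed for this example and is not any real system's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2020-05-18T09:12:01 srv1 auth: FAILED login user=alice src=10.0.0.5
2020-05-18T09:12:04 srv1 auth: FAILED login user=alice src=10.0.0.5
2020-05-18T09:12:06 srv1 auth: FAILED login user=alice src=10.0.0.5
2020-05-18T09:12:09 srv1 auth: FAILED login user=alice src=10.0.0.5
2020-05-18T09:12:11 srv1 auth: FAILED login user=alice src=10.0.0.5
2020-05-18T09:12:13 srv1 auth: ACCEPTED login user=alice src=10.0.0.5
2020-05-18T10:01:00 srv1 auth: FAILED login user=bob src=10.0.0.9
2020-05-18T14:30:00 srv1 auth: FAILED login user=bob src=10.0.0.9
2020-05-18T15:45:22 srv1 auth: ACCEPTED login user=carol src=10.0.0.7
2020-05-19T02:17:45 srv1 auth: ACCEPTED login user=dave src=203.0.113.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=5, window_seconds=60):
    """Return (user, src, count) for each (user, src) pair with `threshold` or
    more FAILED logons inside any `window_seconds` span.  A sliding window per
    pair means a slow trickle of failures over hours (bob above) is not flagged."""
    windows = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAILED":
            continue
        key = (ev["user"], ev["src"])
        q = windows[key]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the window.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return [(u, s, c) for (u, s), c in flagged.items()]


def success_after_burst(events, bursts):
    """Return users whose ACCEPTED logon comes from the same source as a flagged
    burst: the pattern that most warrants CSIRT attention."""
    burst_keys = {(u, s) for u, s, _ in bursts}
    return sorted({ev["user"] for ev in events
                   if ev["result"] == "ACCEPTED"
                   and (ev["user"], ev["src"]) in burst_keys})


def off_hours_logons(events, start_hour=8, end_hour=18):
    """Return (user, src, timestamp) for ACCEPTED logons outside office hours.
    The 08:00-18:00 window is an assumption for the example."""
    return [
        (ev["user"], ev["src"], ev["ts"].isoformat())
        for ev in events
        if ev["result"] == "ACCEPTED" and not (start_hour <= ev["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = failed_logon_bursts(evs)
    print("failed-logon bursts:", bursts)
    print("success after burst:", success_after_burst(evs, bursts))
    print("off-hours logons:", off_hours_logons(evs))
```

On the sample input, alice's five failures within twelve seconds are flagged as a burst and her immediately following success is surfaced as the highest-priority finding; bob's two failures hours apart fall outside the window and are ignored, and dave's 02:17 logon is reported as off-hours. Each function returns its findings rather than only printing them so the same logic can feed an alerting pipeline.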

Assessment

Once a potential incident has been identified, the CSIRT will be activated to investigate the situation. The assessment will determine the category, scope, and potential impact of the incident.

Phase III – Containment and Intelligence

The objective of the containment phase of the incident response is to regain control of the situation and limit the extent of the damage. To achieve this objective, Pacific Lock has defined a number of containment strategies relevant to a variety of incident types. Reference the procedures related to one or more of the Containment Strategies listed below:

Containment Strategies

Use the list of strategies below to choose the procedure(s) most appropriate for the situation.

  • Stolen Credentials: Disable account credentials, reset all active connections, review user activity, reverse changes, increase alerting, harden against future attacks.
  • DOS/DDOS: Control WAN/ISP.
  • Virus Outbreak: Contain LAN/system.
  • Data Loss: Review user activity, implement data breach response procedures.
  • Compromised API: Review changes made, repair API, harden from future attacks.

Investigation

As the CSIRT works to contain, eradicate, and recover from the incident, the investigation will be ongoing. As the investigation proceeds, it may be found that the incident is not fully contained, eradicated, or recovered. If that is the situation, it may be necessary to revisit earlier phases.

The investigation attempts to fully identify all systems, services, and data impacted by the incident, including root cause analysis, which helps to determine the entry point of an attacker or weakness in the system that allowed the event to escalate into an incident.

Initial Cause Investigation

Investigation should be conducted with consideration given to the ongoing impact to critical business operations. Ideally, the Initial Cause Investigation should be concluded before leaving the Eradication phase. At times, however, it may be necessary or appropriate to continue investigation during or after eradication and recovery. Delaying the Investigation should only be considered when the CSIRT is confident that the incident has been fully contained and the full scope of the impact is known. Delays or modifications to the scope of investigation activities must be approved by the Incident Response Commander.

The investigation techniques utilized will vary by the type of incident. The investigation may rely on some (or all) of the following:

  • Interviewing witnesses and/or affected persons.
  • Capturing images, snapshots, or memory dumps of affected systems.
  • Obtaining relevant documents.
  • Conducting observations.
  • Analyzing the logs of the various devices, technologies, and hosts involved.
  • Comparing the compromised system to a known good copy.

Phase IV – Eradication Details

The Eradication phase consists of the full elimination of all components of the incident. Steps to eradicate components of the incident may include:

  • Disable breached user accounts.
  • Reset any active sessions for breached accounts.
  • Identify and mitigate vulnerabilities leveraged by the attacker.
  • Close unnecessary open ports.
  • Increase authentication security measures (implement MFA, add geolocation restrictions).
  • Increase security logging, alerting, and monitoring.
  • Clean installation of affected operating systems and applications.

All re-installed operating systems and applications must be installed according to Pacific Lock system build standards, including but not limited to:

  • Applying all the latest security patches.
  • Disabling all unnecessary services.
  • Installing anti-virus software.
  • Changing all account passwords (including domain, user, and service accounts).

Key Decisions for Exiting Eradication Phase

  • Has the root cause been identified, and have the identified vulnerabilities been remediated?
  • Have all the impacted accounts, including CSIRT burner credentials, been reset?
  • Is the CSIRT confident that the network and systems are configured to eliminate a repeat occurrence?
  • Is there no evidence of repeat events or incidents?

Phase V – Recovery Details

Prior to restoring systems to normal operation, it is critical that the CSIRT validate the system(s) to determine that eradication was successful, and the network is secure. Once the organization has been attacked successfully, the same attackers will often attack again using the same tools and techniques leveraged in the initial attack. Having gained access to the compromised system(s) or network once, the attacker has more information at their disposal to leverage in future attacks.

If feasible, the system should be installed in a test environment to determine functionality prior to re-introduction into a production environment.

Furthermore, network monitoring should be implemented for as long as necessary to detect any unauthorized access attempts.

Recovery steps may include:

  • Restoring systems from a clean backup.
  • Replacing corrupted data from a clean backup.
  • Restoring network connections and access rules.
  • Communicating with interested parties about changes related to increased security.
  • Increasing network and system monitoring activities (short or long-term).
  • Increasing internal communication/reporting related to monitoring.
  • Engaging a third party for support in detecting or preventing future attacks.

Key Decisions for Exiting Recovery Phase

  • Have business operations been restored?

Phase VI – Lessons Learned

The follow-up phase includes reporting and post-incident analysis on the system(s) that were the target of the incident and other potentially vulnerable systems. The objective of this phase is continued improvement to applicable security operations, response capabilities, and procedures.

Documentation

All details related to the incident response process must be formally documented and filed for easy reference. The following items must be maintained whenever possible:

  • All system events (audit records, logs).
  • All actions taken (including the date and time that an action is performed).
  • All external conversations.
  • Investigator notes compiled.
  • Any deviations from SOP and justifications.

Lessons Learned and Remediation

The CSIRT will meet with relevant parties (technical staff, management, vendors, security team, etc.) to discuss and incorporate lessons learned from the incident to mitigate the risk of future incidents. Based on understanding of the root cause, steps will be taken to strengthen and improve Pacific Lock’s information systems, policies, procedures, safeguards, and/or training as necessary. Where mitigations or proposed changes are rejected, a Risk Acceptance Process must be followed. Incidents should be analyzed to look for trends, and corrective action should be considered where appropriate.

It’s easy being a PACLOCK customer. We have one simple guiding principle:

“PACLOCK wants to do good business with good customers.” When we get asked what we mean by “good business with good customers,” here are some of the answers that we offer:

Depend on Us: PACLOCK is constantly finding ways to decrease lead times by increasing our ability to push product out the door. We generally ship all orders, even highly custom orders, within 3 to 5 business days.

Minimum Orders: We are happy to ship small orders, so long as you are willing to pay small invoices. Generally, we prefer to ship a 6-piece minimum per lock style.

Express Order Fulfillment: Orders for any product can be put at the front of our production line. We charge an additional 15% of the total order to process and ship within your requested amount of time (minimum charge of $15). We’ll work with you to give you an anticipated lead time for this custom service.

Pay on Time: We are proud to be one of the last family owned lock manufacturers in the world and we depend on your timely payments to help continue growing our business.

Free Shipping: We will pay freight charges on all orders over $1,000.00 USD (based on net prices) to a single destination within the continental United States and Canada.

Domestic Shipping: We ship via FEDEX & USPS for our orders. We are willing to ship via UPS, DHL, or other carriers but will add a service charge to do so. Please call for details.

International Shipments: Please call and talk to us about shipping internationally. We have arrangements set up with forwarders but are willing to work with your forwarders as well.

Changing or Canceling an Order: Either of these situations drains value from a company. We will be as flexible as possible, but we will likely expect some value from you in return to accommodate your request.

This privacy policy has been compiled to better serve those who are concerned with how their ‘Personally Identifiable Information’ (PII) is being used online. PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information on our website.

What personal information do we collect from the people that visit our website?

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, phone number or other details to help you with your experience.

When do we collect information?

We collect information from you when you register on our site, place an order, subscribe to a newsletter, fill out a form or enter information on our site.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

  • To allow us to better service you in responding to your customer service requests.
  • To quickly process your transactions.
  • To send periodic emails regarding your order or other products and services.
  • To follow up with you after correspondence (live chat, email or phone inquiries).

How do we protect your information?

Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. We use regular malware scanning. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Sockets Layer (SSL) technology. We implement a variety of security measures when a user places an order or enters, submits, or accesses their information, to maintain the safety of your personal information. All transactions are processed through a gateway provider and are not stored or processed on our servers.

Do we use ‘cookies’?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enable the site’s or service provider’s systems to recognize your browser and capture and remember certain information. For instance, we use cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We use cookies to:

  • Help remember and process the items in the shopping cart.
  • Understand and save user’s preferences for future visits.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser’s Help menu to learn the correct way to modify your cookies.

If users disable cookies in their browser:

If you turn cookies off, some of the features that make your site experience more efficient may not function properly.

Third-party disclosure

We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information.

Third-party links

We do not include or offer third-party products or services on our website.

Google

Google’s advertising requirements can be summed up by Google’s Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolicy/answer/1316548?hl=en

We use Google AdSense Advertising on our website.

Google, as a third-party vendor, uses cookies to serve ads on our site. Google’s use of the DART cookie enables it to serve ads to our users based on previous visits to our site and other sites on the Internet. Users may opt out of the use of the DART cookie by visiting the Google Ad and Content Network privacy policy. We have implemented the following:

  • Google Display Network Impression Reporting
  • Demographics and Interests Reporting

We, along with third-party vendors such as Google, use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions and other ad service functions as they relate to our website.

Opting out:
You can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt Out Browser add-on.

California Online Privacy Protection Act

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require any person or company in the United States (and conceivably the world) that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared. See more at: http://consumercal.org/california-online-privacy-protection-act-caloppa/

According to CalOPPA, we agree to the following:

Users can visit our site anonymously.

You will be notified of any Privacy Policy changes:

  • On our Privacy Policy Page

Users can change their personal information:

  • By logging in to your account

How does our site handle Do Not Track signals?

We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

Does our site allow third-party behavioral tracking?

It’s also important to note that we allow third-party behavioral tracking.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:

  • Within 7 business days.
  • We will notify the users via in-site notification within 7 business days.

We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.