Companies shall establish data and information security protection controls for the information they have or obtain, and they shall:
1.
record, maintain, reconcile, collect, process and classify credit information in a proper and suitable manner to facilitate reference to such information;
2.
protect information from loss, which includes the adoption of backup systems and the development of contingency recovery plans as well as business continuity plans;
3.
protect credit information from unauthorized access, usage, modification, or disclosure in violation of the Law and its Implementing Regulations;
4.
establish controls and procedures to be applied upon members' request to check credit records;
5.
review the company’s staff confidentiality controls regularly;
6.
review usage patterns of information systems regularly to detect and investigate any unusual usage patterns;
7.
maintain records for all access, modification and audit cases of credit information database, including previous enquiry records as well as all incident records that imply confirmed or suspected violations; and
8.
provide sufficient knowledge to the authorized member representatives concerning the international best security practices relating to the working rules.
