Data Security & Privacy Policy
******************************

The Data Security & Privacy Policy defines how Maryland Productions (MP) and Event Revolution (RV) protect company, client, and personal data. Because MP/RV handle sensitive business information, client details, financial records, and operational data, strict data security practices are required at all times.

Protecting data is a shared responsibility.

Purpose
=======

- Protect company and client data from unauthorized access, loss, or misuse.
- Establish standards for handling, storing, and transmitting data securely.
- Reduce cybersecurity risks and legal exposure.
- Ensure compliance with applicable privacy and data protection laws.
- Define responsibilities for reporting and responding to security incidents.

Who This Policy Applies To
==========================

This policy applies to:

- Employees (full-time and part-time)
- Freelancers and independent contractors
- Temporary staff and interns
- Project Managers and Crew Leads
- Anyone with access to MP/RV data or systems

Compliance with this policy is a condition of employment or engagement.

Types of Data Covered
=====================

This policy applies to all forms of data, including:

- Client information and contact details
- Contracts, proposals, and pricing
- Financial and billing records
- Inventory and asset data
- Employee and contractor information
- Login credentials and authentication data
- Internal communications and documentation
- Photos, drawings, plots, and show files

Data Classification
===================

Data should be treated according to sensitivity:

Public
    Information approved for public release.

Internal
    Non-public business information intended for internal use only.

Confidential
    Sensitive business or personal data requiring restricted access.

Confidential data must be protected with the highest level of care.

Access Control
==============

- Access is granted on a **need-to-know** basis.
- Users may access only data required for their role.
- Sharing access or credentials is prohibited.
- Access must be revoked immediately when no longer required.
- Elevated or admin access is limited and audited.

Unauthorized access is a serious violation.

Password & Authentication Standards
===================================

- Use strong, unique passwords for all systems.
- Do not reuse passwords across systems.
- Enable multi-factor authentication where available.
- Do not store passwords in plain text.
- Do not share credentials with anyone.

Compromised credentials must be reported immediately.

Data Storage
============

- Store data only in approved company systems.
- Do not store confidential data on personal devices unless approved.
- Do not use personal cloud storage for company data.
- Keep local copies to a minimum.
- Follow retention and deletion requirements.

Improper storage increases the risk of data loss or breach.

Data Transmission
=================

- Use secure methods when transmitting data.
- Verify recipients before sending sensitive information.
- Do not send confidential data via unsecured channels.
- Use password protection or encryption when required.

Always assume email can be misdirected.

Device & Physical Security
==========================

- Lock devices when unattended.
- Do not leave devices in unsecured locations.
- Protect devices from theft, loss, or damage.
- Report lost or stolen devices immediately.
- Do not connect unknown or unauthorized devices to company systems.

Physical security is part of data security.

Third-Party Access
==================

- Vendors or partners may access data only with approval.
- Access must be limited to what is required.
- Third-party tools must be approved before use.
- NDAs may be required where appropriate.

Unapproved data sharing is prohibited.

Data Breach & Incident Reporting
================================

A data security incident includes:

- Lost or stolen devices
- Unauthorized system access
- Suspected phishing or malware
- Accidental data exposure
- Mis-sent confidential information

If an incident occurs:

1. Report it immediately to management or the system owner.
2. Do not attempt to conceal or fix the issue independently.
3. Follow instructions for containment and mitigation.

Prompt reporting reduces harm.

Privacy Expectations
====================

- Personal and client data must be used only for legitimate business purposes.
- Do not collect unnecessary personal information.
- Respect privacy in all communications and documentation.
- Do not access personal data out of curiosity.

Privacy violations are taken seriously.

Monitoring & Auditing
=====================

- Systems may be monitored to ensure security and compliance.
- Access logs may be reviewed.
- Audits may be conducted periodically.

Users should have no expectation of privacy on company systems.

Enforcement
===========

Violations of this policy may result in:

- Loss of system access
- Disciplinary action
- Removal from jobs
- Termination of employment or contract
- Legal action where appropriate

Severity depends on the nature and impact of the violation.

Acknowledgement
===============

All personnel may be required to acknowledge this policy in writing.

Failure to read or acknowledge this policy does not exempt individuals from compliance.

Related Policies
================

- :doc:`it_acceptable_use`
- :doc:`client_confidentiality`
- :doc:`code_of_conduct`
- :doc:`equipment_responsibility`