Opto Investments, Inc. and its affiliates and subsidiaries (“Opto”) seeks to limit its collection of Nonpublic Personal Information to that which is reasonably necessary for legitimate business purposes. Opto will not disclose Nonpublic Personal Information except in accordance with our policies and procedures, as permitted or required by law, or as affirmatively authorized in writing by the applicable Opto SPV or Investor.
With respect to Nonpublic Personal Information, Opto strives to: (a) ensure the security and confidentiality of the information; (b) protect against anticipated threats and hazards to the security and integrity of the information; and (c) protect against unauthorized access to, or improper use of, the information. Currently, the CCO of our affiliated SEC-registered Investment Advisor is responsible for administering these privacy policies and procedures.
Although these principles and procedures apply specifically to Nonpublic Personal Information, Opto representatives must be and will be careful to protect all of Opto’s proprietary information.
Protecting Confidential Information
Opto representatives will maintain the confidentiality of information acquired, with particular care being taken regarding Nonpublic Personal Information.
Nonpublic Personal Information will be restricted to Opto representatives who have a need to know such information.
All requests by third parties to review such compliance-related documents should be forwarded to the CCO at the said New York City office address.
Disclosure of Nonpublic Personal Information
Nonpublic Personal Information may only be provided to third parties under the following circumstances:
- To broker-dealers opening brokerage accounts;
- To accountants, lawyers, and others as directed in writing by Clients or Investors;
- To specified family members as directed in writing by Clients or Investors, or as authorized by law;
- To third-party service providers, as necessary to service Opto SPV or Investor accounts, assess Opto’s compliance with industry standards, protect the confidentiality and security of Opto’s records, and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; and
- To regulators and others, as required by law.
Opto representatives should and will take reasonable precautions to confirm the identity of individuals requesting Nonpublic Personal Information.
Nonpublic Personal Information may be reviewed by Opto’s outside service providers, such as accountants, lawyers, consultants, and administrators. Opto will review such service providers’ privacy policies to ensure that Nonpublic Personal Information is not used or distributed inappropriately.
Access to Opto’s Premises
Opto’s premises will be locked outside of regular business hours.
Information Stored in Hard Copy Formats
Opto has implemented the following procedures to protect Nonpublic Personal Information stored in hard copy formats:
- To the extent practicable, Nonpublic Personal Information will be kept in lockable filing cabinets;
- All Nonpublic Personal Information, as well as Opto’s proprietary information, should and will be locked up at the end of each workday;
- Opto representatives will exercise due caution when mailing or faxing documents containing Nonpublic Personal Information to ensure that the documents are sent to the intended recipients; and
- Opto representatives may only remove documents containing Nonpublic Personal Information from Opto’s premises for legitimate business purposes. Any documents taken off premises must be handled with appropriate care and returned as soon as practicable.
Cybersecurity Practices for All Employees
Opto has implemented the following procedures to protect proprietary and Nonpublic Personal Information stored on electronic systems:
- Opto representatives must never share their account passwords or store their account passwords in a place that is accessible to others;
- Opto representatives should avoid using the same password for different programs;
- Opto representatives should not use the same password for Company accounts as for non-Company accounts;
- Employee passwords should be changed at least every 180 days;
- Opto representatives must shut down or lock their computers when they leave the office for any extended period of time;
- Opto representatives must not include Nonpublic Personal Information in unencrypted emails sent outside of Opto’s network;
- Opto representatives should ensure communications are encrypted and securely authenticated;
- Any computers not issued by the Company that Opto representatives use for business purposes must be configured to comply with Opto’s information security policies;
- Opto representatives, affiliates, and vendors with authorized remote access must ensure that unauthorized users are not allowed remote access to the Company’s networks;
- Any theft or loss of electronic storage media must immediately be reported to the CFO;
- Opto representatives must consult with the CCO before using any removable or mobile media to store sensitive Opto data, including Nonpublic Personal Information;
- Any inquiries or requests for representations about Opto’s cybersecurity controls from third parties, such as Opto SPVs, Investors, vendors, or government officials, must be forwarded to the CCO;
- Any requests from third parties for independent access to Opto’s networks or proprietary data must be forwarded to the CCO; and
- The CISO is responsible for setting Opto representatives’ access permissions on the Company’s computer network.
Opto representatives may only discard or destroy Nonpublic Personal Information in accordance with the Document Destruction policy contained in the Maintenance of Books and Records portion of the Compliance Manual. Opto representatives are reminded that electronic and hard copy media containing Nonpublic Personal Information must be destroyed or permanently erased before being discarded.
Opto will provide a Privacy Notice to all Clients and Investors upon establishment of an advisory relationship or investment in an Opto SPV.
Please note that Clients and Investors acknowledge receipt of the initial Privacy Notice when signing advisory contracts or completing subscription agreements.
Opto provides Clients and Investors with prompt notice of any change to the Company’s privacy policies. To that end, on an annual basis, the CCO reviews the Company’s privacy policies and confirms that the Company (i) only shares Nonpublic Personal Information with nonaffiliated third parties in a manner that does not require an opt-out right be provided to Clients and Investors; and (ii) has not changed its privacy policies with regard to disclosing Nonpublic Personal Information since it last provided a Privacy Notice to the Company’s Clients and Investors. The CCO has a copy of the Privacy Notice sent.
Responding to Privacy Breaches
If any Opto representative becomes aware of an actual or suspected privacy breach, including any improper disclosure of Nonpublic Personal Information, that Opto representative must promptly notify the CCO. Upon becoming aware of an actual or suspected breach, the CCO will investigate the situation and take the following actions, as appropriate:
- To the extent possible, identify the information that was disclosed and the improper recipients;
- Notify the Management;
- Take any actions necessary to prevent further improper disclosures;
- Take any actions necessary to reduce the potential harm from improper disclosures that have already occurred;
- Discuss the issue with legal counsel, and consider discussing the issue with regulatory authorities and/or law enforcement officials;
- Assess notification requirements imposed by applicable state and national regulatory authorities and/or law enforcement officials;
- Evaluate the need to notify affected Clients or Investors, and make any such notifications;
- Collect, prepare, and retain documentation associated with the inadvertent disclosure and Opto’s response(s); and
- Evaluate the need for changes to Opto’s privacy protection policies and procedures in light of the breach.
Privacy Protection Training
The CCO will ensure that all new employees and representatives have received, reviewed, and understand their obligations to protect Nonpublic Personal Information. The CCO also reminds all employees and representatives of their privacy protection obligations during the fourth quarter of each year. If the privacy protection program appears to be functioning well and has not undergone material changes, then this reminder might appropriately take the form of a broadly distributed annual email. The CCO may provide training more frequently and/or in person to individuals or groups if:
- Opto’s policies and procedures, or the threats to Nonpublic Personal Information, change in a material way;
- Opto experiences a privacy breach; and/or
- One or more employees or representatives do not appear to understand their obligations regarding privacy protection.
Oversight of Service Providers
When a service provider is engaged to perform an activity, Opto will take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Opto will make a good-faith effort to require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either to report the Red Flags to Opto or to take appropriate steps to prevent or mitigate identity theft.