Risk Solutions Supplemental Terms & Conditions



The terms and conditions listed below govern use of the LexisNexis Risk Solutions Group services (the “LN Services”) and materials available therein (“Materials”), provided by LexisNexis Risk Solutions FL Inc. and its affiliated companies (collectively, “LN”). The terms “Client”, “Customer”, “you”, and “your” in uppercase or lowercase shall mean the entity (e.g., company, corporation, partnership, sole proprietor, etc.) or government agency entering into an agreement for the LN Services.

You agree to comply with the following terms and conditions:


  1. American Board of Medical Specialties (“ABMS”) Data.

    If Customer is permitted to access ABMS Data from LN, Customer shall not use, nor permit others to use, ABMS Data for purposes of determining, monitoring, tracking, profiling or evaluating in any manner the patterns or frequency of physicians’ prescriptions or medications, pharmaceuticals, controlled substances, or medical devices for use by their patients.

  2. BuildeRadius d/b/a BuildFax (Construction Records and Building Permit Information)

    With respect to the construction records and building permit information in the LN Services, Client acknowledges and agrees that it is solely responsible for complying with, and agrees that its use of the LN Services, provided product, and any derivatives thereof, and any data provided to it by BuildFax or related to construction records and building permit information will comply with all applicable foreign, federal, state and local laws, regulations and ordinances, including, without limitation, the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), the United States Freedom of Information, Open Record, Sunshine and other similar laws and regulations (collectively, the “applicable laws”). Client further acknowledges and agrees that in no event shall BuildFax be liable or responsible for Client’s failure to comply with any applicable law, even if such non-compliance results from Client’s use or reliance on the LN Services, provided product, any derivatives thereof, or any data provided by BuildFax. Without limiting the foregoing, Client acknowledges and understands that certain restrictions apply to the use of data obtained from federal, state and local governments and agencies, and Client agrees to comply with such restrictions, including, without limitation, restrictions on a person’s right to use such data for marketing purposes. Client acknowledges and agrees that BuildFax data relates solely to real property, and does not relate to any individual consumer, and that Client cannot identify a consumer based on a search of BuildFax’s information.

  3. California Secretary of State


  4. DPPA Regulated Information:

    It is unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of the Driver’s Privacy Protection Act; and it shall be unlawful for any person to make false representation to obtain any personal information from an individual's motor vehicle record.

  5. Dun & Bradstreet

    Access to and use of the D&B database is subject to the Terms of Agreement between you, LN and Dun & Bradstreet, Inc. (D&B). By accessing the D&B Data (or the “Information”), you agree that you have authority to enter into the Terms of Agreement on behalf of your Company and that you have read the Terms of Agreement, understand them, and agree on behalf of yourself and your Company to be bound by them.

    Terms of Agreement
    1. All information which D&B furnished to you will be used by you solely as one factor in your business decisions and will not be used to determine an individual’s eligibility for credit or insurance to be used primarily for personal, family or household purposes or to determine an individual’s eligibility for employment. You also agree that the Information will not be used to engage in unfair or deceptive practices.

    2. You agree that the information will not be reproduced, revealed or made available to anyone else, it being understood that the Information is licensed for your internal use only. You agree to indemnify, defend and hold harmless D&B from any claim or cause of action against D&B arising out of, or relating to, the use of the Information by individuals or entities which have not been authorized to have access to and/or use the Information.

    3. You understand that you are the beneficiary of a contract between D&B and LN and that, under that contract, both D&B and LN have reserved certain rights which may result in the termination of your right to receive Information from D&B. In addition, D&B may terminate your receipt of the D&B data at any time if you breach any of its terms and conditions.



    6. You acknowledge and agree that the copyright to the Information is and shall remain with D&B. You acknowledge that the Information, regardless of form or format, is proprietary to D&B and comprises: (a) works of original authorship, including compiled information containing D&B’s selection, arrangement and coordination and expression of such information or pre-existing material it has created, gathered or assembled; (b) confidential or trade secret information; and (c) information that has been created, developed and maintained by D&B at great expense of time and money such that misappropriation or unauthorized use by others for commercial gain would unfairly and irreparably harm D&B. You shall not commit or permit any act or omission by your agents, employees or any third party that would impair D&B’s proprietary and intellectual property rights in the Information. You agree to notify D&B immediately upon obtaining any information regarding a threatened or actual infringement of D&B’s rights.

    7. These terms are in addition to those found in any LN service agreement. If there is a conflict between these terms and those found in any such service agreement, then these terms will apply. The agreement regarding your receipt and use of the D&B data shall be governed by the laws of the State of New Jersey, United States of America without giving effect to its conflicts of laws provisions. Any disputes arising hereunder must be filed and shall be venued in the United States District Court for the District of New Jersey or in the courts of the State of New Jersey and the parties hereby submit to the jurisdiction of such courts.

  6. Experian

    VIN Gateway Services Direct Auto Market Restrictions

    In no event may Client or any permitted Client distributor (as agreed upon in Client’s written agreement with LN) sell, license or otherwise provide any VIN Gateway Services or LN products or services using the VIN Gateway Data to any entity that is engaged in any of the following business activities: (i) vehicle dealers; (ii) vehicle original equipment manufacturers; (iii) vehicle auction companies; (iv) automotive portals, or (vii) automotive aftermarket suppliers, including the sales and marketing functions of such companies (“Direct Auto Market”), except to the following departments of such entities: (i) the legal, collections, human resources or other corporate support departments/functions of such Direct Auto Market companies, (ii) financial institutions, or (iii) automobile finance companies.

    Additionally, use of the VIN Gateway Data for any of the following purposes is prohibited:

    1. Recall/Advisory Activities: Using VIN Gateway Data to identify specific vehicle owners’ names and addresses (typically all owners linked to a range of VIN numbers) for the purpose of notifying them of a product recall or safety advisory issued by an auto manufacturer, supplier or agent.

    2. Warranty Activities: Using VIN Gateway Data to identify specific records, (e.g. odometer readings, transfer of ownership) associated with a VIN number to identify whether or not a vehicle is still under warranty and providing this determination to, or in connection with, motor vehicle manufacturers, independent warranty or service contract providers.

    3. Customer Surveys: Using VIN Gateway Data to identify owners of a specific make, model and/or category of vehicles for the purpose of conducting primary consumer research (e.g. telephone interviews, mail surveys) to determine consumer automobile preferences and/or vehicle purchasing trends.

    4. Vehicle Statistics: Using VIN Gateway Data to compile periodic new and/or used vehicle statistics (e.g. recent sales, vehicles in operation) by geography, vehicle classification, dealer, lender, and/or make/model for the purpose of automobile market share reporting for manufacturers and dealer, indirect lending market share reporting for automotive lenders, retail site planning, promoting automotive brands or dealerships to consumers, and/or dispute resolution between retailers and manufacturers.

    5. Share of Garage Analysis: Using VIN Gateway Data to determine the current vehicles owned by an individual, household or group for the purposes of market research or direct marketing, or determining vehicle purchasing patterns over time (e.g. frequency of purchases, loyalty to specific brands).

    6. Vehicle Ownership Profiles/Modeling: Using VIN Gateway Data to build direct marketing models for the purpose of promoting vehicles and auto financing products to consumers.

    7. Vehicle History Reports: Augmenting VIN Gateway Data with accident data, odometer readings, emission readings or state issued vehicle brand data for the purpose of developing a ‘Vehicle History Report’ competing against AutoCheck and CARFAX by providing vehicle valuations to potential buyers, seller, dealers, Original Equipment Manufacturers, auction houses or financers of automobiles. This in no way limits use of the VIN Gateway Data to verify the vehicles owned by a consumer or business or to assess the value of vehicles during the process of underwriting, policy auditing, adjusting, examining or settling of a property claim. Furthermore, client shall not provide, sell or license the branded title indicator or lease/lienholder information to any End User/Distributor outside of the insurance industry.

    8. Fleet Marketing: Using VIN Gateway Data for the purpose of direct marketing to identify and target businesses who own vehicle fleets.

    9. Direct Marketing: Using the Licensed Data for direct marketing activities such as direct mail or telemarketing.

    10. OEM/AOT: Using VIN Gateway Data for removal of nonowner records of original equipment manufacturers or in connection with providing services to motor vehicle manufacturers.

    11. Dealer Audit: Using VIN Gateway Data in connection with original equipment manufacturer performance monitoring of auto vehicles or dealers.

    12. Modeling: VIN Gateway Data shall not be resold or sublicensed for modeling purposes. Resale of any result derived from a model is not prohibited.

    Access Security Requirements for LexisNexis End-Users For FCRA and GLB 5A Data

    The following information security controls are required to reduce unauthorized access to consumer information. It is your (company provided access to Experian systems or data through LexisNexis, referred to as the “Customer”) responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you. LexisNexis reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security.

    In accessing LexisNexis services, Customer agrees to follow these Experian security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Experian data.

    1. Implement Strong Access Control Measures

      1. If using third party or proprietary system to access Lexis systems, ensure that the access must be preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory, etc.) utilized for accessing LexisNexis data/systems.

      2. If the third party or third party software or proprietary system or software, used to access LexisNexis data/systems, is replaced or no longer in use, the passwords should be changed immediately.

      3. Create a unique user ID for each user to enable individual authentication and accountability for access to LexisNexis’ infrastructure. Each user of the system access software must also have a unique logon password.

      4. Develop strong passwords that are:

        1. Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)

        2. Contain a minimum of eight (8) alphabetic and numeric characters for standard user accounts

        3. For interactive sessions (i.e. non system-to-system) ensure that passwords/passphrases are changed periodically or that enhancements such as multi-factor authentication are implemented (every 90 days is recommended)

      5. Passwords (e.g. user/account password) must be changed immediately when:

        1. Any system access software is replaced by another system access software or is no longer used

        2. The hardware on which the software resides is upgraded, changed or disposed without being purged of sensitive information

        3. Any suspicion of password being disclosed to an unauthorized party (unauthorized use notification requirements may apply)

        4. It is understood that the practice of encryption of sensitive data at rest will be implemented in the year 2017 for Customer, it being understood that in the meantime Customer shall implement other compensating controls when the data is at rest, including physical security, access controls, or vulnerability assessments

      6. Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).

      7. Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.

      8. Active logins to credit information systems must be configured with a 30 minute inactive session timeout.

      9. Customer must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store Experian data

      10. Ensure that Customer employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose

      11. Implement physical security controls to prevent unauthorized entry to Customer’s facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.

    2. Maintain a Vulnerability Management Program

      1. Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all other systems current with appropriate system patches and updates.

      2. Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry standard security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.

      3. Implement and follow current best security practices for computer virus detection scanning services and procedures:

        1. Use, implement and maintain a current, commercially available anti-virus software on all systems, if applicable anti-virus technology exists. Anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.

        2. Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.

        3. If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.

    3. Protect Data

      1. Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).

      2. Experian data is classified Confidential and must be secured in accordance with the requirements mentioned in this document at a minimum.

      3. Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.

      4. Encrypt all Experian data and information when stored electronically on any system including but not limited to laptops, tablets, personal computers, servers, databases using strong encryption such as AES 256 or above. An alternative to encryption at rest is compensating controls designed to mitigate the risk of data exposure.

      5. Experian data must not be stored locally and permanently on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.

      6. When using smart tablets or smart phones to access Experian data, ensure that such devices are protected via device pass-code

      7. Applications utilized to access Experian data via smart tablets or smart phones must protect data while in transmission using an industry-recognized, strong, encryption method.

      8. Only open email attachments and links from trusted sources and after verifying legitimacy.

      9. When no longer in use, ensure that hard-copy materials containing Experian data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.

      10. When no longer in use, electronic media containing Experian data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).

    4. Maintain an Information Security Policy

      1. Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.

      2. The FACTA Disposal Rules require that Customer implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.

      3. Implement and maintain ongoing mandatory security training for those who have access to Experian information and awareness sessions for all staff to underscore the importance of security in the organization.

      4. When using third party service providers (e.g. application service providers) to access, transmit, store or process Experian data, ensure that service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program, and registered in Experian’s list of compliant service providers. If the service provider is in the process of becoming compliant, it is Customer’s responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.

    5. Build and Maintain a Secure Network

      1. Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.

      2. Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.

      3. Administrative access to firewalls and servers must be performed through a secure internal wired connection or over a secured private network only.

      4. Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.

      5. Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.

      6. For wireless networks connected to or used for accessing or transmission of Experian data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.

      7. When using service providers (e.g. software providers) to access LexisNexis systems, access to third party tools/services must require multi-factor authentication.

    6. Regularly Monitor and Test Networks

      1. Perform regular tests on information systems that serve Experian data and are exposed to the Internet (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.)

      2. Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Experian data; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on a periodic (daily or weekly) basis and that follow-up to exceptions is required.

      3. Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access LexisNexis systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:

        1. protecting against intrusions;

        2. securing the computer systems and network devices;

        3. and protecting against intrusions of operating systems or software

    7. Mobile and Cloud Technology

      1. Storing Experian data permanently on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply.

      2. Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.

      3. Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.

      4. Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.

      5. Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device.

      6. In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application.

      7. When using cloud providers to access, transmit, store, or process Experian data ensure that:

        1. Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations

        2. Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian:

          • ISO 27001

          • PCI DSS

          • EI3PA

          • SSAE 16 – SOC 2 or SOC3

          • FISMA

          • CAI / CCM assessment

    8. General

      1. As allowed under Customer’s agreement with LexisNexis, no more than once per year, at Experian’s expense, Experian will have the right to audit the security mechanisms Customer maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices. Audits shall be reasonable in scope and duration.

      2. In cases where the Customer is accessing Experian information and systems via third party software, the Customer agrees to make available to LexisNexis upon request, audit trail information and management reports generated by the vendor software, regarding Customer individual authorized users.

      3. Customer shall be responsible for and ensure that third party software, which accesses LexisNexis information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use.

      4. Customer shall conduct software development (for software which accesses LexisNexis information systems; this applies to both in-house or outsourced software development) based on the following requirements:

        1. Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks.

        2. Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.

        3. Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other

      5. Under Section H.1 above, reasonable access to audit trail reports of systems utilized to access LexisNexis systems shall be made available to LexisNexis upon request, for example during breach investigation or while performing audits.

      6. Data requests from Customer to LexisNexis must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable.

      7. Customer shall report actual security violations or incidents that impact Experian to LexisNexis within twenty-four (24) hours or per agreed contractual notification timeline. Customer agrees to provide notice to LexisNexis of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at 888-872-5375. Email notification will be sent to Security.investigations@lexisnexis.com.

      8. Customer acknowledges and agrees that the Customer (a) has received a copy of these requirements, (b) has read and understands Customer’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to LexisNexis services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data.

      9. Customer understands that its use of LexisNexis networking and computing resources may be monitored and audited by LexisNexis, without further notice.

      10. Customer acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access LexisNexis services or data are secure and in compliance with its LexisNexis agreement.

      11. When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by LexisNexis.

      Record Retention: The Federal Equal Credit Opportunity Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, Experian requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a consumer complaint that your company impermissibly accessed their credit report, Experian will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. “Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.”

      Internet Delivery Security Requirements

      In addition to the above, the following requirements apply where Customer and their employees or an authorized agent/s acting on behalf of the Customer are provided access to LexisNexis provided services via Internet (“Internet Access”).

      General requirements:

      1. The Customer shall designate an employee to be its Head Security Designate, to act as the primary interface with LexisNexis on systems access related matters. The Customer’s Head Security Designate will be responsible for establishing, administering and monitoring all Customer employees’ access to LexisNexis provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.

      2. The Customer’s Head Security Designate or other Security Designates shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each LexisNexis product based upon the legitimate business needs of each employee. R shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.

      3. Unless automated means become available, the Customer shall request employee's (Internet) user access via the Head Security Designate/Security Designate. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). LexisNexis’ approval of requests for (Internet) access may be granted or withheld in its sole discretion. LexisNexis may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Customer), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.

      4. An officer of the Customer agrees to notify LexisNexis in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.

      Roles and Responsibilities

      1. Customer agrees to identify an employee it has designated to act on its behalf as a primary interface with LexisNexis on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Customer and shall be available to interact with LexisNexis on information and product access, in accordance with these Experian Access Security Requirements for LexisNexis End-Users. Customer’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Customer’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to LexisNexis’ systems and information. Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to LexisNexis immediately or the Head Security Designate’s access terminated.

      2. As a Client to LexisNexis’ products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Customer.

      3. The Security Designate may be appointed by the Head Security Designate as the individual that the Customer authorizes to act on behalf of the business in regards to LexisNexis product access control (e.g. request to add/change/remove access). The Customer can opt to appoint more than one Security Designate (e.g. for backup purposes). The Customer understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with LexisNexis’ Security Administration group on information and product access matters.

      4. The Head Designate shall be responsible for notifying their corresponding LexisNexis representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.


      1. Must be an employee and duly appointed representative of Customer, identified as an approval point for Customer’s Authorized Users.

      2. Is responsible for the initial and on-going authentication and validation of Customer’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).

      3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities.

      4. Is responsible for ensuring that Customer’s Authorized Users are authorized to access LexisNexis products and services.

      5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Customer.

      6. Must immediately report any suspicious or questionable activity to LexisNexis regarding access to LexisNexis’ products and services.

      7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to LexisNexis.

      8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.

      9. Shall be available to interact with LexisNexis when needed on any system or user related matters.




      Computer Virus

      A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying.


      Very sensitive information. Disclosure could adversely impact your company.


      Encryption is the process of obscuring information to make it unreadable without special knowledge.


      In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

      Information Lifecycle

      (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained.

      IP Address

      A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). All participating network devices - including routers, computers, time-servers, printers, Internet fax machines, and some telephones - must have their own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices.


      A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission.


      A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets.


      Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet.

      Experian Independent Third Party Assessment Program

      The Experian Independent 3rd Party Assessment is an annual assessment of an Experian LexisNexis’ ability to protect the information they purchase from Experian. EI3PA℠ requires an evaluation of a LexisNexis’ information security by an independent assessor, based on requirements provided by Experian. EI3PA℠ also establishes quarterly scans of networks for vulnerabilities.

      ISO 27001 /27002

      ISO 27001 is the specification for an ISMS, an Information Security Management System (it replaced the old BS7799-2 standard). The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.

      PCI DSS

      The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

      SSAE 16 SOC 2, SOC3

      Statement on Standards for Attestation Engagements (SSAE) No. 1 SOC 2 Report on Controls Related to Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 3 Report, just like SOC 2, is based upon the same controls as SOC 2, the difference being that a SOC 3 Report does not detail the testing performed (it is meant to be used as marketing material).


      The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.

      CAI /CCM

      Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

  7. Georgia DPPA-regulated data, additional terms for use of the data for the Government Purpose (DPPA 1)

    Georgia stipulates that if you are using data for notice for towed, impounded, red light, or parking violations, it is only permissible if the violation/incident occurred outside of the state of Georgia. Use of the data to send traffic notices to consumers for violations that occurred in Georgia is prohibited.

  8. Georgia Secretary of State


  9. IHS Global Inc.
    Important: Your ordering and use of IHS Products, Inc. (“IHS”) products is subject to the following Terms of Use

    1. The products are licensed to you for your internal use only. You may create reports, presentations or any other discussion document (collectively “work”) using the information from IHS or any portion of it for your internal use only. You undertake that such work shall be insubstantial and de minimis in nature; shall not be primarily copy(s) of the materials and shall never be used to create or produce a commercial product.

    2. You may not copy, distribute, republish, transfer, sell, license, lease, give, permanently retain, decompile, reverse engineer, disseminate, publish, assign (whether directly or indirectly, by operation of law or otherwise), transmit, scan, publish, or otherwise reproduce, disclose or make available to others or create derivative works from, the Product or any portion thereof, except as specifically authorised herein.

    3. You may retain IHS materials accessed through LexisNexis for up to 12 months, after which you shall immediately delete, destroy or return all originals and copies of such IHS materials, except such materials as you may be required, by applicable law or government regulation for backup purposes - materials retained for such backup purposes shall not be used for any other purpose and shall be destroyed promptly after the retention period required by such law or regulation expires.

    4. IHS and its third party information providers make no representations or warranties of any kind with respect to the products, including but not limited to, the accuracy, completeness, timeliness, merchantability or fitness for a particular purpose of the products or of the media on which the product is provided and you agree that IHS and its third party information providers shall not be liable to you for any loss or injury arising out of or caused, in whole or in part, by negligent acts or omissions in procuring, compiling, collecting, interpreting, reporting, communicating or delivering the products.

    5. You acknowledge and agree that the products are proprietary to IHS and comprise: (a) works of original authorship, including compiled information containing IHS's selection, arrangement and coordination and expression of such information or pre-existing material it has created, gathered or assembled; (b) confidential and trade secret information; and (c) information that has been created, developed and maintained by IHS at great expense of time and money, such that misappropriation or unauthorized use by others for commercial gain would unfairly or irreparably harm IHS. You agree that you will not commit or permit any act or omission by your agents, employees, or any third party that would impair IHS's copyright or other proprietary and intellectual rights in the products.

  10. Illinois DPPA-regulated data, additional terms for use of the data for the Government Purpose (DPPA 1)

    Data may not in any event be used for traffic violation notifications (toll, red light, parking, speeding, etc.). Use of the data for sending traffic notices to consumers is prohibited.

  11. Indiana Supplemental Terms and Conditions

    The data or information provided is based on information obtained from Indiana Courts on a date that may be obtained by contacting your LN sales representative or as provided in the product. The Division of State Court Administration and the Indiana Courts and Clerks of Court: 1) Do not warrant that the information is accurate or complete; 2) Make no representations regarding the identity of any persons whose names appear in the information; and 3) Disclaim any liability for any damages resulting from the release or use of the information. The user should verify the information by personally consulting the official records maintained by the court in question.

  12. Michigan Corporations

    Provider, in producing the aforementioned CORPINFO, disclaims any liability for the accuracy of any of the information. The CORPINFO is produced and sold for general information purposes only. Said CORPINFO is not to be construed as having the legal effect of a certified copy of any of the information appearing in the data file or an official certification of filing by Provider. When information contained within the CORPINFO is displayed on a video terminal, the following or a similarly worded statement will appear on either the menu screen or the beginning of each corporation record: "THIS DATA IS FOR INFORMATION PURPOSES ONLY. CERTIFICATION CAN ONLY BE OBTAINED THROUGH THE MICHIGAN DEPARTMENT OF LICENSING AND REGULATORY AFFAIRS, CSCLB, CORPORATIONS DIVISION."

  13. Michigan Department of Consumer and Industry Services, Corporation and Land Development Bureau


  14. Michigan Department of Energy, Labor and Economic Growth


  15. National Change of Address Database.

    LN is a licensee of the United States Postal Service’s NCOALINK database (“NCOA Database”). The information contained in the NCOA Database is regulated by the Privacy Act of 1974 and may be used only to provide a mailing list correction service for lists that will be used for preparation of mailings. If Customer receives all or a portion of the NCOA Database through the LN Services, Customer hereby certifies to LN that it will not use such information for any other purpose. Prior to obtaining or using information from the NCOA Database, Customer agrees to complete, execute and submit to LN the NCOA Processing Acknowledgement Form.

  16. New York State Department of State, Division of Corporations

    The information provided by the Department of State, Division of Corporations is not an official record of the Department of State or the State of New York. LN is not an employee or agent of the Department of State or the State of New York. The Department of State disclaims all warranties, express or implied, regarding the corporation’s data.

  17. New York State Unified Court System

    The New York State Unified Court System (“UCS”) does not warrant the comprehensiveness, completeness, accuracy or adequacy for any particular use or purpose of the information contained in its databases and expressly disclaims all other warranties, express or implied, as to any matter whatsoever. Neither the UCS, its courts, court-related agencies or its officers or employees shall be responsible for any loss or damage caused by the use of the information contained in any of its databases.

  18. North Carolina Department of the Secretary of State
    State Of North Carolina - County Of Wake
    (Corporations Data Files)


  19. Pennsylvania Department of State, Corporation Bureau


  20. Phone Numbers in General

    All phone numbers in the LN database must be used for legitimate and lawful purposes. It is customer’s responsibility to comply with all rules and regulations related to the use and distribution of phone numbers, including landlines, and mobile phone numbers. All use of phone numbers from LN must be done in accordance with applicable law, including Do Not Call where appropriate.

  21. Private Investigator Use of the LN Services

    Investigators shall maintain up to date and current licenses so long as the Private Investigator is accessing the LN Services.

  22. Property Records (Source A)

    You may not use any portion of these Materials to create, replace, supplement or enhance any title, legal, vesting, ownership or encumbrance report. You are prohibited from using the Materials to develop any models, scores, or analytics including any methodology that would seek to value, trend, appraise, insure, encumber, un-encumber or otherwise evaluate real property assets in any manner. You may not comingle, mix or combine Materials with real estate information that you obtain from other sources. You may not disclose or share with any third-party counts, layouts or statistical metrics relating to the Materials. The Materials shall not be used in connection with alternative insurance underwriting approaches or products without first obtaining written permission. Further, the methodology that would seek to value, trend, appraise, insure, encumber, un-encumber or otherwise evaluate real property assets in any manner.

  23. South Dakota DPPA-regulated data, additional terms for use of the data for the Government Purpose (DPPA 1)

    Motor vehicle data may not be used in connection with red light or speed camera violation notifications. Use of this data for sending red light or speed camera notices to consumers is prohibited.

  24. State of Washington Administrative Offices of the Courts

    Not all information provided by Washington Administrative Offices of the Courts is being made available in the report.

  25. Wisconsin Circuit Court Data Subscription

    1. If Subscriber publishes or releases WCCA Information relating to any criminal case to any other person in whole or in part, directly or as part of a compilation, Subscriber shall restate prominently the following advisory that appears on the WCCA website:

    2. Notice to employers: It may be a violation of state law to discriminate against a job applicant because of an arrest or conviction record. Generally speaking, an employer may refuse to hire an applicant on the basis of a conviction only if the circumstances of the conviction substantially relate to the particular job. For more information, see Wisconsin Statute 111.335 and the Department of Workforce Development's Arrest and Conviction Records under the Law publication.

  26. Zumingo, Inc.

      For Phone Finder, One Time Password (OTP), Authentication by Weblink, and customers accessing phone ownership data from mobile network operators in Canada or about Canadians, such customers must obtain consumer consent prior to accessing these offerings and such consent must include at least the following terms verbatim:

      You authorize your wireless carrier to disclose to [Your Company Name] and its third-party service providers your mobile number, network status, customer type, customers role, billing type, mobile device identifiers (IMSI and IMEI) and other subscriber status and device details, if available, solely to verify your identity and prevent fraud for the duration of the relationship. See our Privacy Policy to see how we treat your data.

  27. Online public record data may not be used for direct marketing.

    This data may contain information that may be restricted from marketing use, like phone numbers that have been included on the Do Not Call registry or equivalents. Furthermore, this online public record data may contain public record data from government entities in states that have laws prohibiting using public records for soliciting or contacting consumers to purchase goods or services. Marketing specific products are available.

  28. Online public record data may not be used for direct marketing.

    This data may contain information that may be restricted from marketing use, like phone numbers that have been included on the Do Not Call registry or equivalents.  Furthermore, this online public record data may contain public record data from government entities in states that have laws prohibiting using public records for soliciting or contacting consumers to purchase goods or services.  Marketing specific products are available.

  29. SSA VERIFY GATEWAY TERMS & CONDITIONS (For Customers accessing the SSA Verify offering):
  • 1.1 (a) This section sets forth additional or amended terms and conditions for the use of the SSA Verify LN Service, which are LN Services as defined in your Agreement and which provide a direct gateway access connection (the “Gateway”) to data maintained by the Social Security Administration (“SSA”) (as further described in subsection (b) below). The LN Services provided hereunder are not approved, authorized, or endorsed by any government entity, including without limitation the SSA. (b) On behalf of Customer, LN will submit Customer requests for social security verification data maintained by the SSA (the “SSN Data”) via the Gateway. Customer acknowledges and agrees that all such requests must contain written consent of the subject consumer to be accepted by the SSA for processing.

  • 1.2 For purposes of requesting the SSA Verify LN Service, Customer shall use only the official Form SSA-89 (or its successor) to request consent of the subject consumer, with no additional wording added. Form SSA-89 is available at: https://www.ssa.gov/forms/ssa-89.pdf. Customer shall list the “Agent” on the Form SSA-89 as: LexisNexis Risk Solutions Inc.

  • 1.3 As required by the SSA, Customer acknowledges the following:
  • 1.3.1 Section 1140 of the Social Security Act authorizes SSA to impose civil monetary penalties on any person who uses the words "Social Security" or other program-related words, acronyms, emblems and symbols in connection with an advertisement, solicitation or other communication, "in a manner which such person knows or should know would convey, or in a manner which reasonably could be interpreted or construed as conveying, the false impression that such item is approved, endorsed, or authorized by the Social Security Administration…" 42 U.S.C. 1320b-10(a);
  • 1.3.2 Customer is specifically prohibited from using the words "Social Security" or other program-related words, acronyms, emblems and symbols in connection with an advertisement for "identity verification";
  • 1.3.3 Customer is specifically prohibited from advertising that SSN verification provides or serves as identity verification;
  • 1.3.4 Notwithstanding anything to the contrary in any agreement between Customer and LN, the SSA shall have the right of access to all of LN’s books and records associated with the LN’s participation in the Consent Based Social Security Number Verification program at any time;

  • 1.4 Notwithstanding anything to the contrary in the Agreement, Customer shall establish, maintain and follow policies and procedures to protect the SSN Data, including policies and procedures to report to LN lost or compromised, or potentially lost or compromised, SSN Data, as follows:
  • 1.4.1 Customer shall inform any individual or entity authorized by it to handle the SSN Data (each, an “Authorized User”) of their responsibility to safeguard such information. In addition, Customer shall, within reason, take appropriate and necessary action to (1) educate Authorized Users on the proper procedures designed to protect the SSN Data, and (2) enforce their compliance with the policy and procedures prescribed.
  • 1.4.2 If Customer or any of its Authorized Users becomes aware or suspects that any SSN Data has been lost, compromised, or potentially compromised, Customer, in accordance with its incident reporting process, shall provide immediate notification of the incident to LN in accordance with the security reporting provisions of the Agreement. Customer shall act to ensure that each Authorized User has been given information as to how to contact LN in such circumstances. Customer shall provide LN with updates on the status of the reported SSN Data loss or compromise as they become available but shall not delay the initial report.
  • 1.4.3 Customer shall provide completed and accurate information about the details of the possible SSN Data loss to assist LN, including the following information.
  • Contact information;
  • A description of the loss, compromise, or potential compromise (i.e., nature of loss/compromise/potential compromise, scope, number of files or records, type of equipment or media, etc.) including the approximate time and location of the loss;
  • A description of safeguards used, where applicable (e.g., locked briefcase, redacted personal information, password protection, encryption, etc.);
  • Name of LN employee contacted;
  • Whether Customer or the Authorized User has contacted or been contacted by any external organizations (i.e., other agencies, law enforcement, press, etc.);
  • Whether Customer or the Authorized User has filed any other reports (i.e., Federal Protective Service, local police, and SSA reports); and
  • Any other pertinent information.

  • 1.5 If the SSA returns SSN Data on the subject consumer via the Gateway, then LN will format the SSN Data on behalf of Customer and transmit the formatted SSN Data to Customer. LN will retain a copy of the SSN Data so delivered for Customer’s internal auditing functions but LN will not maintain a database of SSN Data from which Customer may access previously submitted searches or other output for other uses. LN is not a “consumer reporting agency” or “reseller” (as those terms are defined in the FCRA) with respect to the SSN Data, and the SSN Data does not constitute “consumer reports,” as that term is defined in the FCRA. Customer agrees to treat the SSN Data as a non-FCRA service. Accordingly, the SSN Data may not be used in whole or in part as a factor in determining eligibility for credit, insurance, employment or another purpose in connection with which a consumer report may be used under the FCRA. SSN Data may be used only for the purpose stated in the written consent form from the subject consumer, and shall make no further use or re-disclosure of the verification. This subsection supplements the non-FCRA acknowledgments and prohibitions pertaining to the LN services under the Agreement.

TO ALL SUBSCRIBERS PURCHASING THE SOCIAL SECURITY ADMINISTRATION'S LIMITED ACCESS DEATH MASTER FILE (LADMF): As a result of a court case under the Freedom of Information Act, SSA is required to release its death information to the public. SSA's Limited Access Death Master File (LADMF) contains the complete and official Social Security Administration (SSA) database extract, as well as updates to the full file of persons reported to SSA as being deceased. SSA authorizes the use of this database as an identity verification tool. However, you, as a subscriber/purchaser of SSA's (LADMF) are advised at the time of initial purchase that the LADMF does have inaccuracies and SSA DOES NOT GUARANTEE THE ACCURACY OF THE LADMF FILE. SSA does not have a death record for all deceased persons. Therefore, the absence of a particular person on this file is not proof that the individual is alive. Further, in rare instances, it is possible for the records of a person who is not deceased to be included erroneously in the LADMF. If an individual seeing your copy of the LADMF has a complaint that they find erroneous data/death information on that LADMF, you should advise them to follow the procedures listed below. In fact, you should be providing the information below in your publication, if any, of the LADMF:

ERRORS - If an individual claims that SSA has incorrectly listed someone as deceased (or has incorrect dates/data on the Limited Access Death Master File (LADMF)), the individual should be told to contact their local social security office (with proof) to have the error corrected. The local social security office will: (1) make the correction to the main NUMIDENT file at SSA and give the individual a verification document of SSA's current records to use to show to any company, recipient/purchaser of the LADMF that had the error, OR, (2) find that SSA already has the correct information on the main NUMIDENT file and LADMF (probably corrected sometime prior), and give the individual a verification document of SSA's records to use to show to any company, subscriber/purchaser of the LADMF that had the error. In the latter case (2 above), the LADMF subscriber (you) probably received the incorrect death data sometime prior to the correction on SSA's main records. (The only way you can now get an updated LADMF with the correction would be to again purchase the entire LADMF file and keep it current with all of the MONTHLY OR WEEKLY UPDATES - See MANDATORY REQUIREMENTS below). You should accept proof from the individual (their own records or the verification s/he received from the local social security office) and correct your copy of the LADMF. You should also notify any organizations to which you sold the LADMF that this correction needs to be made.

MANDATORY REQUIREMENTS: It is mandatory that all subscribers of the LADMF intending to use its data on a continuing basis must, after receiving an updated complete LADMF FULLFILE keep that file updated by continually purchasing all MONTHLY OR WEEKLY UPDATES (NEW DEATHS/CHANGES/DELETIONS), beginning with the same month as the Full File. If you are not meeting SSA's requirements because you are not receiving the MONTHLY OR WEEKLY UPDATES ON A CONTINUING BASIS immediately after receiving the FULL FILE, then you are NOT keeping your LADMF up-to-date with SSA's records. Thus, you are working with a LADMF with an increased number of unnecessary inaccuracies and possibly adversely affecting an increased number of individuals. NO ONE IS TO SELL THE LADMF WITHOUT REQUIRING CONTINUOUS SUBSCRIBERS TO ADHERE TO THIS MANDATORY REQUIREMENT FOR KEEPING THEIR LADMF UP-TO-DATE. YOU, AS A LADMF SUBSCRIBER, ARE REMINDED THAT YOU SHOULD NOT TAKE ANY ADVERSE ACTION AGAINST ANY INDIVIDUAL WITHOUT FURTHER INVESTIGATION TO VERIFY THE DEATH LISTED. If you, as a subscriber to SSA's LADMF, are making available/selling SSA's LADMF information to others, you MUST ALSO PROVIDE THEM WITH A COPY OF THIS NOTICE.

NOTE: DO NOT TELL ANYONE TO CONTACT NTIS OR SSA HEADQUARTERS FOR CORRECTIONS! CORRECTIONS MUST BE MADE AT THE LOCAL SOCIAL SECURITY OFFICE SERVICING THE INDIVIDUAL.

Google Maps are subject to the following terms: