California Consumer Privacy Act Disclosure

Last updated March 21, 2023

Applicability

This privacy disclosure (“Notice”) explains how First Interstate Bancsystem, Inc. and First Interstate Bank (individually and collectively “First Interstate,” “us,” “our,” or “we”) collect, use, and disclose personal information relating to California residents covered by the California Consumer Privacy Act of 2018 (“CCPA”). This notice is provided pursuant to the CCPA. If you are not a California resident, then our Consumer Privacy Notice will apply.

Introduction

Under the CCPA, “Personal Information” is information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident. The CCPA, however, does not apply to certain information, such as information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing regulations (“GLBA”).

The specific Personal Information we collect, use, and disclose relating to California residents covered by the CCPA will vary based on our relationship or interaction with that individual. For example, this Notice does not apply with respect to information we collect about California residents who seek or receive one of our financial products and services for personal, family, or household purposes. For more information about how we collect, disclose, and secure information relating to these customers, please refer to our Consumer Privacy Notice.

Your privacy is important to First Interstate. We believe that protecting your privacy is an integral part of the customer service we provide to you. Consistent with our obligations under applicable laws and regulations, we maintain physical, technical, electronic, procedural, and organizational safeguards and security measures that are designed to protect personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access, whether it is processed by us or elsewhere.

Personal Information We Collect

In the past 12 months, we have collected and disclosed to third parties for our business purposes, the following categories of Personal Information:

Identifiers, such as name and government-issued identifier (e.g., social security number);
Personal information as defined by the California safeguards law, such as contact information and financial information;
Characteristics of protected classifications under California or federal law, such as sex and marital status;
Financial details such as bank account numbers, debit/credit card numbers; cardholder or accountholder name and details; transaction details;
Commercial information, such as transaction information and purchase history;
Biometric information such as fingerprints, faceprints, voiceprints, and behavioral patterns;
Commercial information such as records of personal property, products and service purchased, obtained or considered; purchasing or consuming histories or tendencies;
Internet or network activity information such as browsing history and interactions with our website;
Geolocation data such as device location and Internet Protocol location;
Audio, electronic, visual and similar information such as call and video recordings;
Professional or employment-related information such as work history and prior employer;
Education information such as student records and directory information; and
Inferences drawn from any of the Personal Information listed above.

How Personal Information is Collected

We collect most of this Personal Information directly from you—in person, by telephone, text, email, or via our website and apps. However, we may also collect Personal Information directly from a third party such as from our service providers; from public record sources; from an affiliate; from client directed third parties or institutions representing a client/prospect; or from corporate clients about individuals associated with the clients (e.g., an employee or board member).

Personal Information Disclosed for our Business Purpose

The categories of third parties to whom we disclosed Personal Information for our business are:

Affiliates of First Interstate;
Vendors and service providers who provide services such as website hosting, data analysis, payment processing, information technology and related infrastructure, customer service, email delivery, auditing, marketing and marketing research activities;
Partners and third parties who provide services such as payment, banking and communication infrastructure, storage, legal expertise, tax expertise, notaries and auditors, who promote the bank and its financial services and products to customers and other prospective buyers;
Third parties who enable customers to conduct transactions online and via mobile devices;
Other third parties to comply with legal requirements such as demands of applicable subpoenas and court orders; to respond to an emergency; or otherwise to protect the rights, property or security of our customers or third parties; and
Government agencies as required by laws and regulations.

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you.

Retention

We store personal information for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.

Why First Interstate Collects Personal Information

In the past 12 months, we may have used Personal Information relating to California residents to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives, including the following:

Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services.
Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
Undertaking activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance the service controlled by the business.
Debugging to identify and repair errors that impair existing intended functionality.
Undertaking internal research for technological development and demonstration.
Complying with laws and regulations and to comply with our legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes, or opinions).

Personal Information We Sold or Disclosed

First Interstate does not offer an opt-out from the sale of Personal Information because First Interstate does not engage in the sale of Personal Information as contemplated by the CCPA. As noted elsewhere in this disclosure, we disclose Personal Information to other businesses for a variety of reasons. While we often benefit from such disclosure, we do not disclose Personal Information for the sole purpose of receiving compensation for that information.

Your Rights Under the CCPA

If you are a California resident, you have the right, subject to certain exceptions defined in the CPRA and other applicable laws and regulations, to:

Request we disclose to you, free of charge, the following information covering the 12 months preceding your request:
- the categories of Personal Information about you that we collected;
- the categories of sources from which the Personal Information was collected;
- the purpose for collecting Personal Information about you;
- the categories of third parties to whom we disclosed Personal Information about you and the categories of Personal Information that was disclosed (if applicable) and the purpose for disclosing the Personal Information about you; and
- the specific pieces of Personal Information we collected about you;
Request, in certain circumstances, to correct inaccurate Personal Information we collect about you;
Request we delete Personal Information we collected from you, unless the CCPA recognizes an exception; and
Be free from unlawful discrimination for exercising your rights under the CCPA.

We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. Requests for specific pieces of Personal Information will require additional information to verify your identity.

If you submit a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom you are submitting a request.

In some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another consumer or where the Personal Information that we maintain about you is not subject to the CCPA’s access or deletion rights.

We will advise you in our response if we are not able to honor your request. We will not provide social security numbers, driver’s license numbers, or government issued identification numbers, financial account numbers, account passwords or security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft, fraud, or unreasonable risk to data or systems and network security.

We will work to process all verified requests within 45 days, pursuant to the CCPA. If we need an extension for up to an additional 45 days in order to process your request, we will provide you with an explanation for the delay.

How to Exercise Your Rights

If you would like to exercise any of your rights as described in this Notice, please provide the following information to us by sending an email to Privacy@fib.com or calling us toll-free at 855-342-3400:

Identify which privacy right you would like to exercise.
Provide sufficient information so we can verify your identity including:
- Whether you are a current or former client
- Your legal first and last name
- Your date of birth
- Your preferred phone number
- Your email address
- Your physical address

Please note: you may only make a CCPA request twice within a 12-month period.

Verifying Requests

To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your Personal Information or complying with your request. If you request access to or deletion of your Personal Information, we may require you to provide any of the following information: name, date of birth, email address, telephone number, or postal address. In addition, if you ask us to provide you with specific pieces of Personal Information, we will require you to sign a declaration under penalty of perjury that you are the consumer whose Personal Information is the subject of the request. If you designate an authorized agent to make an access or deletion request on your behalf, (a) we may require you to provide the authorized agent written permission to do so, and (b) for access and deletion requests, we may require you to verify your own identity directly with us (as described above).

Any Personal Information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.

Changes to This Privacy Notice

This Notice was published on March 21, 2023. Please review this Notice periodically, as we may change it from time to time. If we make changes to this Notice, we will revise the “Last Updated” date at the top of this document.

Print Disclosure