
Privacy Policy

Morton and William

Last Updated: June 2025

1. Introduction

This policy is based on the Data Privacy Act (NIST Privacy Framework) and applies only to information maintained in a "system of records," which the Act defines as a set of records controlled by the agency from which information is retrieved by a unique identifier, such as an individual's name and/or date of birth, Social Security number, or employee identification number.

2. Purpose

This Privacy Policy outlines how Morton and William LLC collects, uses, shares, and protects personal information in compliance with applicable federal privacy regulations and consistent with the NIST Privacy Framework and FAR/DFARS requirements for government contractors.

3. Scope

This policy applies to all personal information collected, processed, or stored by Morton and William LLC during the performance of government contracts, including data of employees, clients, subcontractors, and government personnel.

4. Policy

Data Collection

We collect personal information that is:

  • Required to fulfill government contract obligations

  • Needed for hiring and HR management

  • Necessary for verifying identity, security clearances, and access control

This may include:

- Full name, address, contact details.

- Social Security Number (for background checks or clearance verification).

- Employment and education history.

- Government-issued identification.

- System and network activity logs (for auditing purposes).

Use of Information

Collected information is used strictly for:

  • Executing contractual obligations.

  • Security clearance processes.

  • Employee management.

  • System and facility access control.

  • Compliance with federal requirements (e.g., FISMA, CUI handling).

Data Sharing and Disclosure

We do not sell or lease personal data. Data may be shared only with:

  • Authorized government agencies.

  • Approved subcontractors under NDA.

  • Legal entities as required by law.

All data sharing is governed by data minimization and need-to-know principles.

Data Retention and Disposal

Data is retained only as long as required by:

  • Federal contract terms (FAR/DFARS)

  • Applicable laws and regulations (e.g., NARA schedules)

Secure disposal methods are employed, such as shredding, degaussing, and digital sanitization (in line with NIST SP 800-88).

Data Protection

Morton and William LLC applies administrative, technical, and physical safeguards including:

  • Role-based access controls

  • Multi-factor authentication

  • Encryption at rest and in transit

  • Endpoint protection and patch management

  • Employee privacy and security training

These controls are aligned with NIST SP 800-171 and 800-53 Rev. 5.

Data Subject Rights

Individuals may request:

  • Access to their personal data

  • Correction of inaccuracies

  • Deletion (where legally permissible)

  • Restriction of processing

Requests may be made via: contact@mortonandwilliam.com

Third-Party Processors

All third-party service providers must:

  • Sign a data processing agreement (DPA)

  • Adhere to our privacy and security standards

  • Be regularly assessed for compliance

Compliance & Incident Response

Morton and William LLC has an Incident Response Plan (Link - TBD) aligned with NIST SP 800-61. Privacy breaches are reported per federal and contractual requirements, including to:

  • Contracting Officer

  • DHS (if required)

  • Impacted individuals (when legally mandated).
