1. Purpose
This policy establishes how R&L Carriers Shared Services, LLC (“R&L Carriers”) collects, uses, stores, and protects employee data when employees voluntarily enroll a personal mobile device to receive SMS-based or similar authentication codes for Multi-Factor Authentication (MFA). The purpose of this policy is to ensure transparency, protect employee privacy, and comply with applicable data protection and telecommunications regulations.
2. Scope
This policy applies to all R&L Carriers employees, contractors, and authorized users who voluntarily opt in to using a personal mobile device for MFA when accessing R&L Carriers systems, applications, or services.
3. Voluntary Participation
Enrollment of a personal mobile device for MFA is voluntary. Employees may choose alternative authentication methods where available. By enrolling a personal device, the employee explicitly consents to the collection and use of limited personal data as described in this policy.
4. Data Collected
R&L Carriers collects only the minimum data necessary to provide MFA services, which may include:
- Mobile phone number
- Device association with the employee’s account (non-hardware identifying)
- Date and time of MFA enrollment and authentication events
R&L Carriers does not collect:
- Device location data
- Personal contacts, messages, photos, or content
- Call logs or usage data unrelated to MFA
5. Purpose of Data Use
Collected data is used solely for the following purposes:
- Delivering one-time passcodes (OTPs) for login authentication
- Verifying user identity during account recovery
- Protecting R&L Carriers systems and employee accounts from unauthorized access
Personal device data is not used for marketing, monitoring employee behavior, or tracking device activity beyond MFA functionality.
6. Consent and Opt-In
Employees provide explicit consent during MFA enrollment by:
- Entering their mobile phone number, and
- Acknowledging disclosure language stating that SMS authentication messages will be sent to their personal device, and
- Completing the enrollment process through an affirmative action (e.g., checkbox or confirmation step).
By enrolling in SMS-based MFA, employees acknowledge that:
- SMS authentication messages will be sent to their personal mobile device
- Message and data rates may apply based on their mobile carrier and plan
- Employees may opt out of SMS-based MFA at any time by replying STOP to an authentication message, removing their mobile number from the MFA enrollment system, or contacting IT support
Section 6A – SMS Messaging Disclosure
Employees enrolled in SMS-based MFA may receive text messages only when initiating authentication or account recovery actions. Message frequency varies based on login activity. Message and data rates may apply. Employees may opt out of SMS messages from R&L Carriers any time by replying STOP or by removing their mobile number from the MFA enrollment system. For assistance, employees may reply HELP or contact R&L Carriers IT support.
7. Data Sharing and Service Providers
R&L Carriers may share limited MFA-related data with trusted third-party service providers solely to deliver authentication services. These providers may include:
- Identity and access management platforms
- Telecommunications and messaging providers
All service providers are contractually required to protect data, use it only for authorized purposes, and comply with applicable privacy and security standards.
8. Data Retention
Personal device data is retained only for as long as necessary to support MFA services or as required by legal, regulatory, or security obligations. When MFA enrollment is removed or no longer required, associated personal device data is securely deleted or anonymized in accordance with R&L Carriers’ data retention policies.
9. Data Security
R&L Carriers implements administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Access to MFA-related data is limited to authorized personnel with a legitimate business need.
10. Employee Rights
Employees have the right to:
- Request information about the personal data collected for MFA
- Update or correct their mobile phone number
- Withdraw consent and discontinue use of a personal device for MFA, subject to security requirements
Requests related to this policy may be directed to the R&L Carriers IT or Information Security team.
11. Compliance
This policy is intended to comply with applicable privacy, employment, and telecommunications laws and industry standards. Failure to adhere to this policy may result in disciplinary action or revocation of system access.
12. Policy Updates
R&L Carriers may update this policy from time to time to reflect changes in technology, legal requirements, or business practices. Material changes will be communicated to employees through appropriate channels.
13. Contact Information
Questions regarding this policy or MFA enrollment may be directed to:
- R&L Carriers Information Technology / Information Security