Privacy Policy
Last updated April 1, 2020
CyberRisk Alliance holds its readers’ and customers’ privacy in the highest regard. It is a core principle of our company. Because of this principle, CyberRisk Alliance believes that you should fully understand the type of information we collect, how it is used and how you can control what information we collect. Therefore, this privacy policy discloses what information we gather and how we use it.
Please read this Privacy Policy carefully along with our Terms of Use to understand our policies and practices regarding how we use and treat information we collect in the process of providing our online services to you. Because we are a multinational company and provide our services across the globe, provisions in these Terms of Use and Privacy Policy may apply differently depending on where you are accessing the services. As such, please review each provision carefully to properly and fully understand how each provision applies to you where you are accessing the services. If you do not agree with our policies, do not provide any information to us via any of our websites.
What information we collect and how we use it?
CyberRisk Alliance collects information from our users at several different points on our web sites, including this one. Wherever we collect personal information, we include a link to this Privacy Policy on that page. When you register with one of our sites, sign up for one of our events, sign up to receive one of our newsletters and promotional emails, or subscribe to other CyberRisk Alliance products and services, CyberRisk Alliance may ask for your contact information (such as your name, telephone number, email address, address); and information about your job (such as the name of the company you work for, industry you work in, job title, job title level, functional area, etc.). CyberRisk Alliance may also ask for such information at other times, such as when you request information from CyberRisk Alliance and/or our customers and suppliers. The information collected by CyberRisk Alliance may be used in a number of ways including:
- Sharing broad aggregated demographic and anonymized personal information with our business partners, customers, and third-party providers for the purpose of improving our services and identifying trends, while also providing our business partners and advertisers an efficient way to reach the right audience.
- Use of personal information for security, including analysis of the personal information to pursue our legitimate business interest in protecting our customers and website visitors against malware, cyber-attack and other crime and security risks.
- Use of personal information to contact users regarding renewal of subscriptions, event reminders, deadline notices, surveys, alerts, partner products and services, and other marketing and promotional notifications, via e-mail, postal mail, and/or telephone.
- We may share personal information where we have a good faith belief that such action is necessary to comply with a judicial proceeding, a court order, or legal process served on CyberRisk Alliance, or to establish or exercise our legal rights or defend against legal claims.
- If CyberRisk Alliance is acquired by or merged with another company, we will transfer information about you to this other company in connection with the acquisition or merger.
- All email promotions sent from CyberRisk Alliance provide an opt-out link at the bottom of the email pursuant to which users can opt-out of specific products and promotions. If you receive one of these emails and wish to object to this processing of your information or unsubscribe please follow the instructions given in each email or contact [email protected].
The legal basis for the associated processing of your data is Art. 6 (1)(b) GDPR (performance of contract) respectively Art. 6 (1)(a) GDPR (your consent).
With whom does CyberRisk Alliance share your information?
If you are requesting assistance, product information, white papers, case studies, brochures, or other downloadable content, your contact information may be shared with the developer or seller of the relevant product, content, or software. Some materials that are available for download on CyberRisk Alliance's sites, like white papers, product demonstrations, case studies, and product literature, are offered in conjunction with a partner company. This information is shared with the partner company so that they may provide you with the material you requested. CyberRisk Alliance, under confidentiality and similar agreements with its customers and partner companies, specifies that partner companies: (a) may use this information in marketing related activities to contact you via common methods of communication; (b) must not disclose the information to any third party other than service providers of the partner company solely for the permitted marketing purposes set forth above; (c) must not sell, disclose, or use your information for any purpose beyond the purposes and use identified expressly in CyberRisk Alliance’s agreement with them; and (d) may only use your contact information in adherence to all applicable laws. Please contact the partner company directly if you have any questions about their use of your information.
In accordance with the GDPR no personally identifiable information from any EU member country individual will be shared unless affirmative and unambiguous consent to do so has been received. For more information on consent and the GDPR please visit our GDPR section in this privacy policy.
Promotional offers
If you complete one of our registration and/or subscription forms, you will be giving CyberRisk Alliance express consent to send promotional offers for select CyberRisk Alliance’s products and services. CyberRisk Alliance endeavors to promote to you products and services that are relevant and that we feel you would have a legitimate interest in hearing about. These products or services may include content newsletters, research reports, events and seminars. You can opt out from receiving these promotions at any time by clicking the “unsubscribe” link at the bottom of the offer email.
To process these internal promotions, CyberRisk Alliance may share your information, such as your contact information, with certain email service providers who contract with CyberRisk Alliance to email market on CyberRisk Alliance’s behalf.
EU member country individuals, please see additional information regarding consent in our GDPR section.
Cookies
A cookie is a piece of data stored on the user's computer by a web browser containing information associated with the user. We use cookies to be reminded of who you are and to access your account information in order to deliver to you a better and more personalized service. This cookie is set when you register.
If you do not want us to collect any initial cookies upon entering our site, you can set your browser to “private” or “incognito” mode. Check your browser’s “help section” for instructions.
Our website also uses Google Analytics. Information collected by the Google Analytics cookies, which includes demographic information such as your gender and age, will be transmitted to and stored by Google on servers in the United States of America in accordance with its privacy practices. To see an overview of privacy at Google and how this applies to Google Analytics, please click https://policies.google.com/privacy?hl=en-US. You may opt out of tracking by Google Analytics by clicking https://tools.google.com/dlpage/gaoptout.
If you do not want cookies on your browser from our site, follow the instructions below:
How to control and delete cookies through the browser
The ability to enable, disable or delete cookies can also be completed at browser level. In order to do this, follow the instructions provided by your browser (usually located within the “Help” section of your browser).
Upon entering one of our sites, all users have the ability to accept our use of cookies. Full use of our website requires an individual to accept the use of cookies while on our site.
Third Party Cookies
In the course of serving advertisements to this site, a third-party advertiser may place or recognize a unique "cookie" on your browser that does not contain any information about the user.
IP Addresses
We use IP addresses for purposes of system administration, and to analyze trends, administer the site, track users’ movement, and gather broad firmographic information for aggregate use. IP addresses are not linked to personally identifiable information.
Links
This website may contain links to other sites. Please be aware that CyberRisk Alliance is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy policies of each and every web site that collects personally identifiable information. This Privacy Policy applies solely to information collected by this web site.
CyberRisk Alliance and the GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It impacts any organization that processes personal data in connection with goods/services offered to an EU resident.
CyberRisk Alliance’s Commitment to Data Protection and GDPR Compliance
If you access the Online Services from the EU you may be eligible for certain rights under the GDPR, including the right to lodge a complaint with the data protection supervisory authority of your country if you believe we have breached your data protection rights and we have not adequately addressed your concerns.
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, rights to access information are available to individuals in the EEA whose information is collected, including:
- Finding out if we use your personal data, accessing your personal data and receiving copies of your Personal Data;
- Withdrawing any express consent that you have provided to the processing of your personal data at any time without penalty;
- Accessing your personal data and having it corrected or amended if it is inaccurate or incomplete;
- Obtaining a transferable copy of some of your personal data which can be transferred to another provider when the personal data was processed based on your consent;
- If you believe your personal data is inaccurate, no longer necessary for our business purposes, or if you object to our processing of your Personal Data, you also have the right to request that we restrict the processing of your Personal Data pending our investigation and/or verification of your claim;
- Request your personal data be deleted or restricted under certain circumstances. For example, if we are using your Personal Data on the basis of your consent and have no other legal basis to use such, you may request your Personal Data be deleted when you withdraw your consent.
If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent. When the processing of your personal data is for direct marketing purposes, you have the right to object to such processing.
You have the right to withdraw your consent to our collection and/or processing of your personal data at any time by contacting us. You may seek a copy of, or seek to correct, amend, transfer, rectify or delete, your Personal Data held by us at any time for any purposes. Please e-mail [email protected].
You have the right to complain to a data protection authority about our collection and use of your Personal Data. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries are available here.
Legitimate Interest
CyberRisk Alliance may share your information with a third-party email service provider (ESP) to promote CyberRisk Alliance’s products and service only, if CyberRisk Alliance believes you have a legitimate interest in receiving the offer.
Contact
Please contact us with any question regarding this policy by email at [email protected], or by mail at 400 Madison Avenue Suite 6C New York, NY 10017.
California Privacy Rights Notice
This portion of the Privacy Policy applies solely to California Consumers (“consumers” or “you”). We have adopted this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. The purpose of this Notice is to provide you with a description of our online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights you have regarding your personal information. As used in this Notice, any terms defined in the CCPA have the same meaning when used in this Notice.
Shine the Light
Pursuant to Section 1798.83-.84 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, what types of personal information, if any, the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information in the immediately preceding calendar year. To access this information, please contact us by emailing [email protected] with “CA Shine the Light Privacy Requests” in the subject line. Please note that, under the law, we are not required to respond to your request more than once in a calendar year, nor are we required to respond to any requests that are not sent to the above-designated email.
California Do Not Track Disclosure
Do Not Track is a privacy preference that users can set in their web browsers. When a user turns on the Do Not Track signal, the browser sends a message to websites requesting them not to track the user. At this time, we do not respond to Web browser “do not track” settings or signals. As described in our Cookie Policy, we deploy cookies and other technologies on our Service to collect information about you and your browsing activity, even if you have turned on the Do Not Track signal.
California Consumer Privacy Act (“CCPA”)
Your Right to Know About the Personal Information We Collect About You
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). The sections above set forth the categories of personal information that we collect and process about you, a description of each category, and the source of how we obtain each category.
Your Rights and Choices
Under California Laws, California residents can exercise three privacy rights (Disclosure and Access; Deletion; and “Do Not Sell My Personal Information”) (collectively, “Rights”); however, based on the information we gather, and the fact that we do not “sell” personal information as that term is defined in the CCPA, your rights are somewhat limited as these Rights are not absolute and are subject to certain exceptions. For instance, we are not required to respond to requests concerning employment/application data, B2B data, and cannot disclose or permit access to specific pieces of personal information if the disclosure or access would present a certain level of risk to the security of the personal information, your account with us, or the security of the business’s systems or networks. Specifically, employment/application data is not subject to this Notice if it is personal information that is collected by us in the course of your acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor to us to the extent your personal information is collected and used by us solely within the context of your role or former role as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or a contractor of ours. This also extends to any emergency contact information or benefits administration information you may have provided us in this context. B2B data is similarly not subject to this Notice if the data reflects a written or verbal communication or transaction between you and us if you are acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with us occurs solely in the context of us conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.
If you are a California consumer, we will process your request to exercise your Rights in accordance with California Laws.
A record concerning the requests may be maintained pursuant to our legal obligations. Further, we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive, or manifestly unfounded.
Disclosure and Access Requests
You have the right to request that we disclose to you, for the 12-month period immediately preceding the date of your request to know, the following:
Categories of Personal Information Request
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  - sales, identifying the personal information categories that each category of recipient purchased; and
  - disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Specific Pieces of Information Request
- The specific pieces of personal information we collected about you (also called a data portability request).
When a request for disclosure is made, we will first take steps to verify your identity to protect your privacy and security. For requests to disclose categories of personal information collected, we will have the requestor provide at least two pieces of information so that we may verify the requestor’s identity to a reasonable degree of certainty. For requests to disclose specific pieces of personal information collected, we will have the requestor provide at least three pieces of information so that we may verify the requestor’s identity to a reasonably high degree of certainty and additionally provide a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required to retain the signed declarations as part of our record-keeping obligations for 24 months.
Please note that we will never disclose a consumer’s social security number, driver’s license number, or other government-issued identification number, financial account number, any health information or medical identification number, an account password, or security questions and answers in response to a disclosure request.
Please note additionally that we are only required to fulfil a Disclosure request from a consumer twice per every 12-month period. If you submit a request in excess, it may be denied, or you may be charged for fulfilling your request.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Given the type of personal information we collect, for requests to delete personal information collected, we will have the requestor provide at least two pieces of information so that we may verify the requestor’s identity to a reasonable degree of certainty. We are required to retain the requests to delete for a period of 12 months as part of our record-keeping obligations.
If we are unable to verify a request, to the extent possible, that request will be treated as a request to opt-out and afforded rights associated with that request right as described in more detail below.
Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. A deletion request may be denied, in full or in part, if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Disclosure and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by:
- Emailing us at [email protected] with “Deletion Request” in the subject line
Only you may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request and, to the extent necessary, to identify the browser/device that is the subject of the request.
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data disclosure requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Household Requests
We currently do not collect household data. If all the members of a household make a Right to Know or Right to Delete request, we will respond as if the requests are individual requests.
Request Made Through Agents
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, verify the agent’s identity, and we may need you to verify your identity directly with us. (The verification requirement does not apply if the consumer has provided the authorized agent with legal power of attorney under California Probate Code Sections 400 to 4465.)
Requests to Opt-In for Minors
If you are 16 years of age or older, you have the right to direct us not to sell your personal information at any time. We do not and will not sell personal information of consumers we actually know are less than 16 years of age unless we received affirmative authorization from the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age, to opt-in to the sale of their personal information. Upon the receipt of this request to opt-in, we will inform the minor of the right to opt-out later and of the process for doing so.
Sale and Disclosure of Personal Information
Under the CCPA, a “sale” means providing to a third party personal information for valuable consideration. It does not necessarily mean money was exchanged for the transfer of personal information. We have taken substantial steps to identify whether any of our data sharing arrangements would constitute a “sale” under the CCPA. Due to the complexities and ambiguities in the CCPA, we will continue to evaluate some of our third-party relationships as we wait for final implementing regulations and guidance. For example, it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA. Based on our understanding of the CCPA at this time, in the preceding 12 months we have not sold any personal information to any third parties. In the preceding 12 months, we have disclosed personal information to third parties for business purposes including to customer service, technical support, payment processors, information technology, and sales, recruiting and marketing partners. We will continue to update our business practices as regulatory guidance becomes available and provides clarity on what constitutes a sale transaction, particularly in the advertising ecosystem.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Changes
We may change, modify, add, or remove portions of this Privacy Policy, at any time, in our sole discretion.
For users in the United States, any changes or modifications will be effective immediately upon posting of the revisions on the website and shall apply to all use of our services and all acts or omissions occurring after the effective date of the revised Terms of Use. Please check for changes when you access our sites. Your continued use of our services, following the posting of changes, will mean that you accept and agree to all changes or modifications.
For users in the EEA, any changes or modifications will be effective upon your express consent as you will be notified of any changes by virtue of a pop-up, banner, or other notification mechanism when you seek to access our services after we issue a change or modification. Upon consent, the revisions on the services shall apply to all use of our services and all acts or omissions occurring after the effective date of the revised Privacy Policy.