Privacy Policy

Last updated April 1, 2020

CyberRisk Alliance holds its readers’ and customers’ privacy in the highest regard. It is a core principle of our company. Because of this principle, CyberRisk Alliance believes that you should fully understand the type of information we collect, how it is used and how you can control what information we collect. Therefore, this privacy policy discloses what information we gather and how we use it.

Please read this Privacy Policy carefully along with our Terms of Use to understand our policies and practices regarding how we use and treat information we collect in the process of providing our online services to you. Because we are a multinational company and provide our services across the globe, provisions in these Terms of Use and Privacy Policy may apply differently depending on where you are accessing the services. As such, please review each provision carefully to properly and fully understand how each provision applies to you where you are accessing the services. If you do not agree with our policies, do not provide any information to us via any of our websites.

What information do we collect and how do we use it?
CyberRisk Alliance collects information from our users at several different points on our web sites, including this one. Wherever we collect personal information, we include a link to this Privacy Policy on that page. When you register with one of our sites, sign up for one of our events, sign up to receive one of our newsletters and promotional emails, or subscribe to other CyberRisk Alliance products and services, CyberRisk Alliance may ask for your contact information (such as your name, telephone number, email address, address); and information about your job (such as the name of the company you work for, industry you work in, job title, job title level, functional area, etc.). CyberRisk Alliance may also ask for such information at other times, such as when you request information from CyberRisk Alliance and/or our customers and suppliers. The information collected by CyberRisk Alliance may be used in a number of ways including:

  1. Sharing broad aggregated demographic and anonymized personal information with our business partners, customers, and third-party providers for the purpose of improving our services and identifying trends, while also providing our business partners and advertisers an efficient way to reach the right audience.
  2. Use of personal information for security, including analysis of the personal information to pursue our legitimate business interest in protecting our customers and website visitors against malware, cyber-attack and other crime and security risks.
  3. Use of personal information to contact users regarding renewal of subscriptions, event reminders, deadline notices, surveys, alerts, partner products and services, and other marketing and promotional notifications, via e-mail, postal mail, and/or telephone.
  4. We may share personal information where we have a good faith belief that such action is necessary to comply with a judicial proceeding, a court order, or legal process served on CyberRisk Alliance, or to establish or exercise our legal rights or defend against legal claims.
  5. If CyberRisk Alliance is acquired by or merged with another company, we will transfer information about you to this other company in connection with the acquisition or merger.
  6. All email promotions sent from CyberRisk Alliance provide an opt-out link at the bottom of the email pursuant to which users can opt-out of specific products and promotions. If you receive one of these emails and wish to object to this processing of your information or unsubscribe please follow the instructions given in each email or contact [email protected].

The legal basis for the associated processing of your data is Art. 6 (1)(b) GDPR (performance of contract) respectively Art. 6 (1)(a) GDPR (your consent).

With whom does CyberRisk Alliance share your information?
If you are requesting assistance, product information, white papers, case studies, brochures, or other downloadable content, your contact information may be shared with the developer or seller of the relevant product, content, or software. Some materials that are available for download on CyberRisk Alliance’s sites, like white papers, product demonstrations, case studies, and product literature, are offered in conjunction with a partner company. This information is shared with the partner company so that they may provide you with the material you requested. CyberRisk Alliance, under confidentiality and similar agreements with its customers and partner companies, specifies that partner companies: (a) may use this information in marketing related activities to contact you via common methods of communication; (b) must not disclose the information to any third party other than service providers of the partner company solely for the permitted marketing purposes set forth above; (c) must not sell, disclose, or use your information for any purpose beyond the purposes and use identified expressly in CyberRisk Alliance’s agreement with them; and (d) may only use your contact information in adherence to all applicable laws. Please contact the partner company directly if you have any questions about their use of your information.

In accordance with the GDPR no personally identifiable information from any EU member country individual will be shared unless affirmative and unambiguous consent to do so has been received. For more information on consent and the GDPR please visit our GDPR section in this privacy policy.

Promotional offers
If you complete one of our registration and/or subscription forms, you will be giving CyberRisk Alliance express consent to send promotional offers for select CyberRisk Alliance’s products and services. CyberRisk Alliance endeavors to promote to you products and services that are relevant and that we feel you would have a legitimate interest in hearing about. These products or services may include content newsletters, research reports, events and seminars. You can opt out from receiving these promotions at any time by clicking the “unsubscribe” link at the bottom of the offer email.

To process these internal promotions, CyberRisk Alliance may share your information, such as your contact information, with certain email service providers who contract with CyberRisk Alliance to email market on CyberRisk Alliance’s behalf.

EU member country individuals, please see additional information regarding consent in our GDPR section.

Cookies
A cookie is a piece of data stored on the user’s computer by a web browser containing information associated with the user. We use cookies to be reminded of who you are and to access your account information in order to deliver to you a better and more personalized service. This cookie is set when you register.

If you do not want us to collect any initial cookies upon entering our site, you can set your browser to “private” or “incognito” mode. Check with your browser’s “help section” for instructions.

Our website also uses Google Analytics. Information collected by the Google Analytics cookies, which includes demographic information such as your gender and age, will be transmitted to and stored by Google on servers in the United States of America in accordance with its privacy practices. To see an overview of privacy at Google and how this applies to Google Analytics, please click https://policies.google.com/privacy?hl=en-US. You may opt out of tracking by Google Analytics by clicking https://tools.google.com/dlpage/gaoptout.

If you do not want cookies on your browser from our site, follow the instructions below:

How to control and delete cookies through the browser

The ability to enable, disable or delete cookies can also be completed at browser level. In order to do this, follow the instructions provided by your browser (usually located within the “Help” section of your browser). 

Upon entering one of our sites, all users have the ability to accept our use of cookies. Full use of our website requires an individual to accept the use of cookies while on our site.

Third Party Cookies
In the course of serving advertisements to this site, a third-party advertiser may place or recognize a unique “cookie” on your browser that does not contain any information about the user.

IP Addresses
We use IP addresses for purposes of system administration, and to analyze trends, administer the site, track users’ movement, and gather broad firmographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links
This website may contain links to other sites. Please be aware that CyberRisk Alliance is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy policies of each and every web site that collects personally identifiable information. This Privacy Policy applies solely to information collected by this web site.

CyberRisk Alliance and the GDPR

What is the GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU).  It also addresses the export of personal data outside the EU.  It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.  It impacts any organization that processes personal data in connection with goods/services offered to an EU resident.  

CyberRisk Alliance’s Commitment to Data Protection and GDPR Compliance

If you access the Online Services from the EU you may be eligible for certain rights under the GDPR, including the right to lodge a complaint with the data protection supervisory authority of your country if you believe we have breached your data protection rights and we have not adequately addressed your concerns.

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, rights to access information are available to those in the EEA whose information is collected, including:

  • Finding out if we use your personal data, accessing your personal data and receiving copies of your Personal Data;
  • Withdrawing any express consent that you have provided to the processing of your personal data at any time without penalty;
  • Accessing your personal data and having it corrected or amended if it is inaccurate or incomplete;
  • Obtaining a transferable copy of some of your personal data which can be transferred to another provider when the personal data was processed based on your consent;
  • If you believe your personal data is inaccurate, no longer necessary for our business purposes, or if you object to our processing of your Personal Data, you also have the right to request that we restrict the processing of your Personal Data pending our investigation and/or verification of your claim;
  • Request your personal data be deleted or restricted under certain circumstances. For example, if we are using your Personal Data on the basis of your consent and have no other legal basis to use such, you may request your Personal Data be deleted when you withdraw your consent.

If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent. When the processing of your personal data is for direct marketing purposes, you have the right to object to such processing.

You have the right to withdraw your consent to our collection and/or processing of your personal data at any time by contacting us. You may seek a copy of, correct, amend, transfer, rectify or delete your Personal Data held by us at any time for any purpose. Please e-mail [email protected].

You have the right to complain to a data protection authority about our collection and use of your Personal Data. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries are available here.

Legitimate Interest

CyberRisk Alliance may share your information with a third-party email service provider (ESP) to promote CyberRisk Alliance’s products and services only, if CyberRisk Alliance believes you have a legitimate interest in receiving the offer.

Contact

Please contact us with any question regarding this policy by email at [email protected], or by mail at 400 Madison Avenue Suite 6C New York, NY 10017.

California Privacy Rights Notice

This portion of the Privacy Policy applies solely to California Consumers (“consumers” or “you”). We have adopted this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. The purpose of this Notice is to provide you with a description of our online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights you have regarding your personal information. As used in this Notice, any terms defined in the CCPA have the same meaning when used in this Notice.

Shine the Light

Pursuant to Section 1798.83-.84 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, what types of personal information, if any, the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information in the immediately preceding calendar year. To access this information, please contact us by emailing [email protected] with “CA Shine the Light Privacy Requests” in the subject line. Please note that, under the law, we are not required to respond to your request more than once in a calendar year, nor are we required to respond to any requests that are not sent to the above-designated email.

California Do Not Track Disclosure

Do Not Track is a privacy preference that users can set in their web browsers. When a user turns on the Do Not Track signal, the browser sends a message to websites requesting them not to track the user. At this time, we do not respond to Web browser “do not track” settings or signals. As described in our Cookie Policy, we deploy cookies and other technologies on our Service to collect information about you and your browsing activity, even if you have turned on the Do Not Track signal.

California Consumer Privacy Act (“CCPA”)

Your Right to Know About the Personal Information We Collect About You

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). The sections above set forth the categories of personal information that we collect and process about you, a description of each category, and the source of how we obtain each category.

Your Rights and Choices

Under California Laws, California residents can exercise three privacy rights (Disclosure and Access; Deletion; and “Do Not Sell My Personal Information”) (collectively, “Rights”); however, based on the information we gather, and the fact that we do not “sell” personal information as that term is defined in the CCPA, your rights are somewhat limited as these Rights are not absolute and are subject to certain exceptions. For instance, we are not required to respond to requests concerning employment/application data, B2B data, and cannot disclose or permit access to specific pieces of personal information if the disclosure or access would present a certain level of risk to the security of the personal information, your account with us, or the security of the business’s systems or networks. Specifically, employment/application data is not subject to this Notice if it is personal information that is collected by us in the course of your acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor to us to the extent your personal information is collected and used by us solely within the context of your role or former role as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or a contractor of ours. This also extends to any emergency contact information or benefits administration information you may have provided us in this context. B2B data is similarly not subject to this Notice if the data reflects a written or verbal communication or transaction between you and us if you are acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with us occurs solely in the context of us conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.
If you are a California consumer, we will process your request to exercise your Rights in accordance with California Laws.

A record concerning the requests may be maintained pursuant to our legal obligations. Further, we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive, or manifestly unfounded.

Disclosure and Access Requests

You have the right to request that we disclose to you, for the 12-month period immediately preceding the date of your request to know, the following:

Categories of Personal Information Request

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
      • sales, identifying the personal information categories that each category of recipient purchased; and
      • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Specific Pieces of Information Request

  • The specific pieces of personal information we collected about you (also called a data portability request).

When a request for disclosure is made, we will first take steps to verify your identity to protect your privacy and security. For requests to disclose categories of personal information collected, we will have the requestor provide at least two pieces of information so that we may verify the requestor’s identity to a reasonable degree of certainty. For requests to disclose specific pieces of personal information collected, we will have the requestor provide at least three pieces of information so that we may verify the requestor’s identity to a reasonably high degree of certainty and additionally provide a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required to retain the signed declarations as part of our record-keeping obligations for 24 months.

Please note that we will never disclose a consumer’s social security number, driver’s license number, or other government-issued identification number, financial account number, any health information or medical identification number, an account password, or security questions and answers in response to a disclosure request.

Please note additionally that we are only required to fulfil a Disclosure request from a consumer twice per every 12-month period. If you submit a request in excess, it may be denied, or you may be charged for fulfilling your request.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Given the type of personal information we collect, for requests to delete personal information collected, we will have the requestor provide at least two pieces of information so that we may verify the requestor’s identity to a reasonable degree of certainty. We are required to retain the requests to delete for a period of 12 months as part of our record-keeping obligations.

If we are unable to verify a request, to the extent possible, that request will be treated as a request to opt-out and afforded rights associated with that request right as described in more detail below.

Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. A deletion request may be denied, in full or in part, if retaining the information is necessary for us or our service providers to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Disclosure and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by:

Only you may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request and, to the extent necessary, to identify the browser/device that is the subject of the request.

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data disclosure requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Household Requests

We currently do not collect household data. If all the members of a household make a Right to Know or Right to Delete request, we will respond as if the requests are individual requests.

Request Made Through Agents

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, verify the agent’s identity, and we may need you to verify your identity directly with us. (The verification requirement does not apply if the consumer has provided the authorized agent with legal power of attorney under California Probate Code Sections 400 to 4465.)

Requests to Opt-In for Minors

If you are 16 years of age or older, you have the right to direct us not to sell your personal information at any time. We do not and will not sell personal information of consumers we actually know are less than 16 years of age unless we received affirmative authorization from the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age, to opt-in to the sale of their personal information. Upon the receipt of this request to opt-in, we will inform the minor of the right to opt-out later and of the process for doing so.

Sale and Disclosure of Personal Information

Under the CCPA, a “sale” means providing personal information to a third party for valuable consideration. It does not necessarily mean money was exchanged for the transfer of personal information. We have taken substantial steps to identify whether any of our data sharing arrangements would constitute a “sale” under the CCPA. Due to the complexities and ambiguities in the CCPA, we will continue to evaluate some of our third-party relationships as we wait for final implementing regulations and guidance. For example, it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA. Based on our understanding of the CCPA at this time, in the preceding 12 months we have not sold any personal information to any third parties. In the preceding 12 months, we have disclosed personal information to third parties for business purposes including to customer service, technical support, payment processors, information technology, and sales, recruiting and marketing partners. We will continue to update our business practices as regulatory guidance becomes available and provides clarity on what constitutes a sale transaction, particularly in the advertising ecosystem.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes

We may change, modify, add, or remove portions of this Privacy Policy, at any time, in our sole discretion.

For users in the United States, any changes or modifications will be effective immediately upon posting of the revisions on the website and shall apply to all use of our services and all acts or omissions occurring after the effective date of the revised Terms of Use. Please check for changes when you access our sites. Your continued use of our services, following the posting of changes, will mean that you accept and agree to all changes or modifications.

For users in the EEA, any changes or modifications will be effective upon your express consent as you will be notified of any changes by virtue of a pop-up, banner, or other notification mechanism when you seek to access our services after we issue a change or modification. Upon consent, the revisions on the services shall apply to all use of our services and all acts or omissions occurring after the effective date of the revised Privacy Policy.