Last updated April 1, 2020
What information do we collect and how do we use it?
- Sharing broad aggregated demographic and anonymized personal information with our business partners, customers, and third-party providers for the purpose of improving our services and identifying trends, while also providing our business partners and advertisers an efficient way to reach the right audience.
- Use of personal information for security, including analysis of the personal information to pursue our legitimate business interest in protecting our customers and website visitors against malware, cyber-attack and other crime and security risks.
- Use of personal information to contact users regarding renewal of subscriptions, event reminders, deadline notices, surveys, alerts, partner products and services, and other marketing and promotional notifications, via e-mail, postal mail, and/or telephone.
- We may share personal information where we have a good faith belief that such action is necessary to comply with a judicial proceeding, a court order, or legal process served on CyberRisk Alliance, or to establish or exercise our legal rights or defend against legal claims.
- If CyberRisk Alliance is acquired by or merged with another company, we will transfer information about you to this other company in connection with the acquisition or merger.
- All email promotions sent from CyberRisk Alliance provide an opt-out link at the bottom of the email pursuant to which users can opt out of specific products and promotions. If you receive one of these emails and wish to object to this processing of your information or unsubscribe, please follow the instructions given in each email or contact [email protected].
The legal basis for the associated processing of your data is Art. 6 (1)(b) GDPR (performance of contract) respectively Art. 6 (1)(a) GDPR (your consent).
With whom does CyberRisk Alliance share your information?
If you are requesting assistance, product information, white papers, case studies, brochures, or other downloadable content, your contact information may be shared with the developer or seller of the relevant product, content, or software. Some materials that are available for download on CyberRisk Alliance’s sites, like white papers, product demonstrations, case studies, and product literature, are offered in conjunction with a partner company. This information is shared with the partner company so that they may provide you with the material you requested. CyberRisk Alliance’s confidentiality and similar agreements with its customers and partner companies specify that partner companies: (a) may use this information in marketing related activities to contact you via common methods of communication; (b) must not disclose the information to any third party other than service providers of the partner company solely for the permitted marketing purposes set forth above; (c) must not sell, disclose, or use your information for any purpose beyond the purposes and use identified expressly in CyberRisk Alliance’s agreement with them; and (d) may only use your contact information in adherence to all applicable laws. Please contact the partner company directly if you have any questions about their use of your information.
If you complete one of our registration and/or subscription forms, you will be giving CyberRisk Alliance express consent to send promotional offers for select CyberRisk Alliance’s products and services. CyberRisk Alliance endeavors to promote to you products and services that are relevant and that we feel you would have a legitimate interest in hearing about. These products or services may include content newsletters, research reports, events and seminars. You can opt out from receiving these promotions at any time by clicking the “unsubscribe” link at the bottom of the offer email.
To process these internal promotions, CyberRisk Alliance may share your information, such as your contact information, with certain email service providers who contract with CyberRisk Alliance to email market on CyberRisk Alliance’s behalf.
EU member country individuals, please see additional information regarding consent in our GDPR section.
If you do not want us to collect any initial cookies upon entering our site, you can set your browser to “private” or “incognito” mode. Check with your browser’s “help section” for instructions.
Our website also uses Google Analytics. Information collected by the Google Analytics cookies, which includes demographic information such as your gender and age, will be transmitted to and stored by Google on servers in the United States of America in accordance with its privacy practices. To see an overview of privacy at Google and how this applies to Google Analytics, please click https://policies.google.com/privacy?hl=en-US. You may opt out of tracking by Google Analytics by clicking https://tools.google.com/dlpage/gaoptout.
If you do not want cookies on your browser from our site, follow the instructions below:
How to control and delete cookies through the browser
The ability to enable, disable or delete cookies can also be completed at browser level. In order to do this, follow the instructions provided by your browser (usually located within the “Help” section of your browser).
Third Party Cookies
In the course of serving advertisements to this site, a third-party advertiser may place or recognize a unique “cookie” on your browser that does not contain any information about the user.
We use IP addresses for purposes of system administration, and to analyze trends, administer the site, track users’ movement, and gather broad firmographic information for aggregate use. IP addresses are not linked to personally identifiable information.
CyberRisk Alliance and the GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It impacts any organization that processes personal data in connection with goods/services offered to an EU resident.
CyberRisk Alliance’s Commitment to Data Protection and GDPR Compliance
If you access the Online Services from the EU you may be eligible for certain rights under the GDPR, including the right to lodge a complaint with the data protection supervisory authority of your country if you believe we have breached your data protection rights and we have not adequately addressed your concerns.
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, rights to access information are available to those in the EEA whose information is collected, including:
- Finding out if we use your personal data, accessing your personal data and receiving copies of your Personal Data;
- Withdrawing any express consent that you have provided to the processing of your personal data at any time without penalty;
- Accessing your personal data and having it corrected or amended if it is inaccurate or incomplete;
- Obtaining a transferable copy of some of your personal data which can be transferred to another provider when the personal data was processed based on your consent;
- If you believe your personal data is inaccurate, no longer necessary for our business purposes, or if you object to our processing of your Personal Data, you also have the right to request that we restrict the processing of your Personal Data pending our investigation and/or verification of your claim;
- Request your personal data be deleted or restricted under certain circumstances. For example, if we are using your Personal Data on the basis of your consent and have no other legal basis to use such, you may request your Personal Data be deleted when you withdraw your consent.
If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent. When the processing of your personal data is for direct marketing purposes, you have the right to object to such processing.
You have the right to withdraw your consent to our collection and/or processing of your personal data at any time by contacting us. You may seek a copy of, correct, amend, transfer, rectify or delete your Personal Data held by us at any time for any purpose. Please e-mail [email protected].
You have the right to complain to a data protection authority about our collection and use of your Personal Data. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries are available here.
CyberRisk Alliance may share your information with a third-party email service provider (ESP) to promote CyberRisk Alliance’s products and services only, if CyberRisk Alliance believes you have a legitimate interest in receiving the offer.
Please contact us with any question regarding this policy by email at [email protected], or by mail at 400 Madison Avenue Suite 6C New York, NY 10017.
California Privacy Rights Notice
Shine the Light
Pursuant to Section 1798.83-.84 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, what types of personal information, if any, the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information in the immediately preceding calendar year. To access this information, please contact us by emailing [email protected] with “CA Shine the Light Privacy Requests” in the subject line. Please note that, under the law, we are not required to respond to your request more than once in a calendar year, nor are we required to respond to any requests that are not sent to the above-designated email.
California Do Not Track Disclosure
California Consumer Privacy Act (“CCPA”)
Your Right to Know About the Personal Information We Collect About You
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). The sections above set forth the categories of personal information that we collect and process about you, a description of each category, and the source of how we obtain each category.
Your Rights and Choices
Under California Laws, California residents can exercise three privacy rights (Disclosure and Access; Deletion; and “Do Not Sell My Personal Information”) (collectively, “Rights”); however, based on the information we gather, and the fact that we do not “sell” personal information as that term is defined in the CCPA, your rights are somewhat limited as these Rights are not absolute and are subject to certain exceptions. For instance, we are not required to respond to requests concerning employment/application data, B2B data, and cannot disclose or permit access to specific pieces of personal information if the disclosure or access would present a certain level of risk to the security of the personal information, your account with us, or the security of the business’s systems or networks. Specifically, employment/application data is not subject to this Notice if it is personal information that is collected by us in the course of your acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor to us to the extent your personal information is collected and used by us solely within the context of your role or former role as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or a contractor of ours. This also extends to any emergency contact information or benefits administration information you may have provided us in this context. B2B data is similarly not subject to this Notice if the data reflects a written or verbal communication or transaction between you and us if you are acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with us occurs solely in the context of us conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.
If you are a California consumer, we will process your request to exercise your Rights in accordance with California Laws.
A record concerning the requests may be maintained pursuant to our legal obligations. Further, we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive, or manifestly unfounded.
Disclosure and Access Requests
You have the right to request that we disclose to you the following for the 12-month period immediately preceding the date of your request to know:
Categories of Personal Information Request
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  - sales, identifying the personal information categories that each category of recipient purchased; and
  - disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Specific Pieces of Information Request
- The specific pieces of personal information we collected about you (also called a data portability request).
When a request for disclosure is made, we will first take steps to verify your identity to protect your privacy and security. For requests to disclose categories of personal information collected, we will have the requestor provide at least two pieces of information so that we may verify the requestor’s identity to a reasonable degree of certainty. For requests to disclose specific pieces of personal information collected, we will have the requestor provide at least three pieces of information so that we may verify the requestor’s identity to a reasonably high degree of certainty and additionally provide a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required to retain the signed declarations as part of our record-keeping obligations for 24 months.
Please note that we will never disclose a consumer’s social security number, driver’s license number, or other government-issued identification number, financial account number, any health information or medical identification number, an account password, or security questions and answers in response to a disclosure request.
Please note additionally that we are only required to fulfil a Disclosure request from a consumer twice in every 12-month period. If you submit a request in excess, it may be denied, or you may be charged for fulfilling your request.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Given the type of personal information we collect, for requests to delete personal information collected, we will have the requestor provide at least two pieces of information so that we may verify the requestor’s identity to a reasonable degree of certainty. We are required to retain the requests to delete for a period of 12 months as part of our record-keeping obligations.
If we are unable to verify a request, to the extent possible, that request will be treated as a request to opt-out and afforded the rights associated with that request as described in more detail below.
Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. A deletion request may be denied, in full or in part, if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Disclosure and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by:
- Emailing us at [email protected] with “Deletion Request” in the subject line
Only you may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request and, to the extent necessary, to identify the browser/device that is the subject of the request.
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data disclosure requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We currently do not collect household data. If all the members of a household make a Right to Know or Right to Delete request, we will respond as if the requests are individual requests.
Request Made Through Agents
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, verify the agent’s identity, and we may need you to verify your identity directly with us. (The verification requirement does not apply if the consumer has provided the authorized agent with legal power of attorney under California Probate Code Sections 400 to 4465.)
Requests to Opt-In for Minors
If you are 16 years of age or older, you have the right to direct us not to sell your personal information at any time. We do not and will not sell personal information of consumers we actually know are less than 16 years of age unless we received affirmative authorization from the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age, to opt-in to the sale of their personal information. Upon the receipt of this request to opt-in, we will inform the minor of the right to opt-out later and of the process for doing so.
Sale and Disclosure of Personal Information
Under the CCPA, a “sale” means providing personal information to a third party for valuable consideration. It does not necessarily mean money was exchanged for the transfer of personal information. We have taken substantial steps to identify whether any of our data sharing arrangements would constitute a “sale” under the CCPA. Due to the complexities and ambiguities in the CCPA, we will continue to evaluate some of our third-party relationships as we wait for final implementing regulations and guidance. For example, it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA. Based on our understanding of the CCPA at this time, in the preceding 12 months we have not sold any personal information to any third parties. In the preceding 12 months, we have disclosed personal information to third parties for business purposes including to customer service, technical support, payment processors, information technology, and sales, recruiting and marketing partners. We will continue to update our business practices as regulatory guidance becomes available and provides clarity on what constitutes a sale transaction, particularly in the advertising ecosystem.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.