Cyber Risk Institute Privacy Policy

Effective: March 31, 2020

This privacy policy (“Policy”) explains how the Cyber Risk Institute (“CRI,” “we,” or “us”) collects, uses, and shares information in connection with an individual’s (“you” or “user”) use of www.CyberRiskInstitute.org and our other websites and mobile applications that link to this Policy (collectively, the “Services”).  It also describes your rights and choices with respect to the information we collect.

By accessing or using our Services, you acknowledge that you have read, understand, and agree to the terms of this Policy and consent to the collection, use, and sharing of information in a manner consistent with this Policy.

Information that We Collect

We collect a variety of information when you use or access our Services, including:

  • Contact information.  When you create an account on the Services, register for an event, or sign up for our newsletters or emails, we may collect your contact information, such as name, mailing address, postal code, email address, and phone number.

  • Demographic and business-related information.  We also may collect demographic and other information, such as your job title or position, company name or affiliation, primary business, preferences, and interests.
  • Event registration information. In addition to the contact, demographic, and payment information discussed above, we or our partners may collect additional information when you register for an event, such as emergency contact details, hotel accommodations, dietary restrictions, and answers to event-related questions.
  • Other information you provide to us. We collect additional information that you provide to us directly or through the Services, such as when you communicate with us, use our web-based tools, ask us a question, respond to our surveys, or submit your name, resume and cover letter when expressing an interest in working for us.
  • Information collected automatically.  When you use the Services, we or our third-party service providers may automatically receive and record certain information from your device or through the Services.  For example, this may include your device’s IP address, web pages you visit or features you use within the Services (including across different devices), the date and time of your activities on the Services, time since your last visit, links you click, searches conducted, the website visited before navigating to the Services, your software and hardware attributes (including browser and operating system type and version, device screen size, mobile app version, device type, and device identifiers), demographic and interest data based on browsing activity, and your general location inferred from an IP address.  To obtain such information, we or our third-party service providers may use the following technologies to recognize your device and collect information about your device and Services usage:
    • Server logs.  When you use the Services, we and our service providers automatically receive and record certain information from your computer (or other device) and your browser.  To obtain such information, we may use server logs or applications that recognize your device and gather information about its online activity.
    • Cookies.  We and our service providers also use cookies on the Services.  Cookies are small files that are stored on your device by your web browser.  A cookie allows our partners and us to recognize whether you have visited before and may store user preferences and other information.  If you are concerned about having cookies on your device, you can set your browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it.  You can also delete cookies from your device.  However, if you choose to block or delete cookies, certain features of the Services may not operate correctly.
    • Web beacons, tags, pixels, and similar technologies.  The Services or the emails that you receive from us may use an application known as a “web beacon” (also known as a “tag” or “pixel”) and similar technologies.  A web beacon is a string of HTML or JavaScript code embedded in a website or email that provides a method for transferring data to a company’s servers.  For example, it may load a single-pixel image that permits us or our service providers to generate a record of your visit and set or read cookies.  This allows us to understand the features you use or the pages you visit on our Services and whether you have opened a particular email.
    • Mobile advertising IDs and SDKs.  We or our service providers may use mobile advertising identifiers (such as Apple’s IDFA or Google’s Advertising ID) to collect information for analytics and interest-based advertising purposes, as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”  We also may include third-party software development kits (“SDK”) in our mobile apps.  An SDK consists of third-party code that we may use to add features to our Services and allow our service providers to collect information through the Services.

We may combine information collected through the Services with other information that we or third parties collect about you in other contexts, such as our communications with you, our events, or through referrals.  We will treat such combined information in accordance with this Policy.

How We Use Information

We use the information we collect for a variety of purposes, including:

  • Providing our services. To provide our Services to you, carry out the transaction(s) you request, fulfill the terms of any agreement you have with us, process payments, register for events, respond to your requests or inquiries, conduct internal record keeping, secure your information and our Services, and for other purposes related to managing our organization.
  • Communicating with you. To communicate with you regarding your account, events or conferences for which you have registered, important updates regarding our Services, and other administrative matters.
  • Newsletters, promotional messages, and advertising. To send you newsletters or other promotional messages regarding our Services and events that we organize, and to target our advertising as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”
  • Analytics and improving the Services. To count and recognize visitors to the Services, analyze how visitors use the Services, improve the Services, create new features or services, and conduct analytics, including as described in the section below titled “Third-Party Analytics and Interest-Based Advertising.”
  • Compiling aggregated information.  To compile aggregated statistics or reports that we may share with our event co-sponsors, partners, or other third parties.
  • Legal purposes.  For legal or other necessary purposes, including as described in the section below titled “How We Share Information.”

How We Share Information

We may share information with third parties in various contexts, including:

  • Service providers.  We use third-party service providers to assist us in the operation of the Services, including to manage our communications and newsletters, provide event registration services, process payments, host and process data, and conduct analytics and interest-based advertising.  We may permit these third-party service providers to collect information on our behalf or share information with these service providers for the purposes described in this Policy.
  • CRI members. We may share event attendee or participant lists with our members.
  • Event co-sponsors and partners.  We may share information with organizations that co-sponsor events with us or otherwise partner with us to provide events or services to you.
  • Third-party plugins. The Services may integrate third-party plugins (such as a Facebook “like” button and Twitter “follow” button).  Even if you do not click on these plugins, they may collect information about you, such as your IP address and the pages that you view.  They also may set and/or access cookies or use similar technologies.  These plugins are governed by the privacy policies of the companies providing them.
  • Legal purposes.  We may use and disclose information where we believe that doing so is necessary:
    • To comply with applicable law or a court order, subpoena, or other legal processes.
    • To investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to Services users, our property, or the property or physical safety of any person or third party.
    • To establish, protect, or exercise our legal rights or defend against legal claims.
  • Corporate transfers. In the event of a merger, sale of capital stock or assets, investment, reorganization, bankruptcy, consolidation, or similar transaction, we may share the information we possess to facilitate the transaction, including during due diligence, or as a corporate asset to the acquiring entity.
  • Aggregated information.  We may provide third parties with aggregated information about our membership or users of our Services, including demographic and usage information.

Third-Party Analytics and Interest-Based Advertising

We partner with third parties to engage in analytics, auditing, research, and reporting on our Services.  These third parties collect information regarding your usage of the Services as described in the section above titled “Information that We Collect,” and they may use server logs, cookies, web beacons, tags, pixels, mobile advertising IDs (such as Apple’s IDFA or Google’s Advertising ID), and similar technologies.  In particular, we use Google Analytics on the Services.  You can learn more about Google Analytics’ data practices here and opt out here.

We also partner with third parties to provide advertising services that are targeted based on your online activities across websites, mobile apps, and devices over time (commonly referred to as “interest-based advertising”).  Our advertising partners may collect information about your activities on our Services on your current device and combine it with information about your activities on other websites, mobile apps, and devices.  They may collect such information using server logs, cookies, web beacons, tags, pixels, mobile advertising IDs (such as Apple’s IDFA or Google’s Advertising ID), cross-device linking, and similar technologies.  For example, our advertising partners may use the fact that you visited our websites or used our mobile apps to target advertising to you on non-CRI websites and mobile apps on your current device or on other devices you use.  You can opt out of interest-based advertising in web browsers and mobile apps on your current browser or device by following the instructions below.

  • Web browser opt-out.  To opt out in web browsers, please visit optout.aboutads.info and optout.networkadvertising.org.  To help preserve your choices, you can install the “Protect My Choices” extension that is available at http://www.aboutads.info/PMC.
  • Mobile application opt-out.  To opt out in mobile apps, you can adjust the advertising preferences on your mobile device.  For example:
    • In iOS 7+, visit Settings > Privacy > Advertising > Limit Ad Tracking.
    • In Android, visit Settings > Google > Ads > Opt out of interest-based ads or Opt out of Personalized Advertising.

You can also opt out for participating companies by downloading the Digital Advertising Alliance’s AppChoices tool at www.aboutads.info/appchoices and following the instructions in the app.  For more information about opting out on mobile devices, please see https://www.networkadvertising.org/mobile-choice.

Please note that the opt-outs described above will apply only to the specific browser or device from which you opt out, and therefore you will need to opt out separately on all of your browsers and devices.  If you delete or reset your cookies or mobile advertising identifiers, change browsers (including upgrading certain browsers), or use a different device, any opt-out cookie or tool may no longer work and you will need to opt out again.  Our Services do not respond to Do Not Track signals at this time.

Information for Users Outside the United States

The information that we collect through or in connection with our Services is controlled by the Cyber Risk Institute, which is headquartered in the United States at the address listed in the “Contact Us” section below.  Your information may be transferred to and processed in the United States for the purposes described above.  CRI also may subcontract the processing of your data to, or otherwise share your data with, third parties in the United States or countries other than your country of residence.  The data protection laws in these countries may be different from, and less stringent than, those in your country of residence.  By agreeing to this Policy when registering for an account on the Services and/or using the Services or by providing any information to us, you expressly consent to such transfer and processing.

To the extent required by law, our legal basis for processing information, as described above, will depend on the type of information at issue and the purpose for which it is collected and used.  In many cases, we rely on your consent to process information, or we process information as necessary for the performance of our agreements with you.  We also may rely on our legitimate interests to process your information, for the purposes described in this Policy, except where such interests are overridden by your data protection interests or fundamental rights and freedoms.

Your Privacy Rights and Choices

CRI provides you with choices to review, access, and update your information or to exercise your privacy or data protection rights, as follows:

  • If you no longer want to receive newsletters or promotional communications from CRI, please follow the “unsubscribe” instructions that are included at the bottom of each message. Please note that if you unsubscribe from our newsletter or promotional communications, you will still receive administrative messages.
  • You may have rights under applicable laws to request access to, correction or deletion of, or restrictions on the processing of, certain information. You also may have rights under applicable laws to opt out or withdraw consent to further processing, request copies of your data, or lodge a complaint with a data protection authority in your jurisdiction.  To make such request and/or inquire about such rights, please email info@cyberriskinstitute.org with “Attn:  Privacy” in the subject line.  For your protection, we may need to verify your identity or authenticate your information before implementing your request.

Data Security and Retention

CRI uses reasonable physical, technical, and administrative safeguards to protect your information against loss or unauthorized access, use, modification, or deletion.  However, no security program is 100% secure, and thus we cannot guarantee the absolute security of your information.

CRI retains your information for as long as reasonably necessary for its legitimate business purposes, to provide the Services to you, to fulfill the purposes described in this Policy, or as required by law.

Links to Other Websites

The Services may contain links to websites or mobile apps of other third parties, including social media sharing features that link to third-party websites.  If you follow a link to any of these websites or apps, please note that these websites and apps (and any services that may be accessible through them) have their own privacy policies.  We are not responsible for the privacy practices of other websites or apps or the information you share through such other websites or apps.  We encourage our users to be aware when they leave the Services and to read the privacy policies applicable to such third-party websites and apps.  This Policy applies solely to information collected in connection with the Services.

Children’s Privacy

Our Services are not intended for use by children under the age of 13.  We request that such children do not provide information to us through any of the Services.

Sensitive Information

We ask that you not send us, and you not disclose, any sensitive information (e.g., social security numbers, financial information, health information, information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or sexual orientation) on or through the Services or otherwise to us.

Updates to this Privacy Policy

CRI reserves the right to change this Policy from time to time by updating this page, so please review this page periodically for changes.  The “updated” and “effective” dates provided at the top of the page will indicate when the Policy was most recently updated and became effective.  Your continued use of our Services will serve as an acceptance of any changes to the Policy.

Contact Us

If you have any questions or concerns regarding this Policy, please contact us by email at info@cyberriskinstitute.org, with “Attn:  Privacy” in the subject line, or by mail at Cyber Risk Institute, Attn:  Privacy, 600 13th Street NW, Suite 400, Washington, DC 20005.
