HVC Information Security Policy and Information Technology Security Policy
Goal of the Information Security Program
The goal of the Information Security Program is to ensure that the:
Confidentiality,
Integrity and
Availability
of each item of information owned by or entrusted to HVC.com is protected in a manner that is consistent with
The value attributed to it by the company,
The risk the company is willing to accept and
The cost the company is willing to pay (in dollars and convenience)
Wherever it resides, i.e.:
On computers,
On networks (including backup networks),
On magnetic or optical storage media (i.e.: hard drive, magnetic disk, tape backup, CD/DVD, memory stick),
In physical storage environments (i.e.: offices, filing cabinets, drawers),
On printed media (i.e.: faxes, forms, reports, microfilm, microfiche, books),
In a person's memory,
etc.
Purpose of Information Security Policy
The purpose of this document is to define the principles to which all company officers, directors, employees, consultants and 3rd party suppliers must adhere when handling information owned by or entrusted to HVC.com in any form. The principles cover the following areas:
Defining the confidentiality, integrity and availability requirements for information used to support the company's objectives,
Ensuring that those requirements are effectively communicated to individuals who come in contact with such information, and
Using, managing and distributing such information - in any form, electronic or physical - in a manner that is consistent with those requirements.
This policy describes in general terms the Information Security Policy of the company, which is also embodied in various policies developed by the guardians of specific information.
Summary of Personal Responsibilities
While most of this document focuses on legal obligations and on the process of determining and communicating the sensitivity of information owned by or entrusted to the company, it also contains a number of requirements to which anyone who handles such information must adhere.
In summary:
Each customer, user, delegate, exhibitor, speaker, sponsor or other HVC participant voluntarily provides confidential information to HVC.
Through this security policy, HVC.com will make its best efforts to treat the data of each customer, user, delegate, exhibitor, speaker, sponsor or other HVC participant with the highest level of security and protection.
HVC.com must make its best efforts not to divulge, copy, release, sell, loan, review, alter or destroy any such information in any way, except as properly authorized within the scope of its business activities.
HVC.com must take appropriate measures to protect confidential information wherever it is located, i.e.: stored on computer media, held on physical documents, communicated over voice or data networks, exchanged in conversation, etc.
HVC.com must safeguard any password, security token or computer/network account that allows access to confidential information. This includes creating computer passwords that are difficult to guess.
HVC.com must render unusable confidential information held on any physical document or computer storage medium (i.e.: diskette, CD, magnetic tape, hard disk) that is being discarded.
HVC is not responsible for any confidential information divulged to or discovered by any outside third party as a result of accidental or voluntary dissemination by a user, delegate, exhibitor, speaker, sponsor or other HVC participant. The same applies to the deletion and/or alteration of confidential information caused in the same way.
Some examples:
-A user provides his/her HVC password to another party.
-A user's personal computer or mobile phone is lost or stolen.
-A user discards or sells a computer or hard drive that at one time contained user information without first using an OIT approved 'disk wipe', 'scrubbing' or 'disk sanitation' method (ex: CyberScrub).
-A user prints out his/her profile and discards it in a recycle bin for others to discover.
A customer of HVC is an event organizer that has contracted the HVC.com software-as-a-service package. Customers act as administrators of their own event and have complete access to all user information within that event (with the exception of credit card numbers, in the case where they elect to have HVC process the payments). As such, HVC is not responsible for any confidential information divulged to or discovered by any outside third party as a result of accidental or voluntary dissemination by the HVC customer (event administrator). The same applies to the deletion and/or alteration of confidential information caused in the same way.
Some examples:
-An HVC customer provides his/her HVC administrator password to another party.
-An HVC customer's personal computer or mobile phone is lost or stolen.
-An HVC customer discards or sells a computer or hard drive that at one time contained critical HVC event information without first using an OIT approved 'disk wipe', 'scrubbing' or 'disk sanitation' method (ex: CyberScrub).
-An HVC customer prints out and discards critical information about his/her HVC event in a recycle bin for others to discover.
Any activity that you suspect may compromise confidential information must be reported to HVC by opening a support ticket on the website.
General Principles
Information Collections and the Responsibilities of Information Guardians
Company-held information must be protected against unauthorized exposure, tampering, loss and destruction, wherever it is found, in a manner that is consistent with applicable federal and New York State laws (see Appendix B), and with the information's significance to the company and any individual whose information is collected. The company must:
Define the requirements for confidentiality, integrity and availability (see Appendix D for requirement classifications),
Convey the requirements to the managers of all departments that will have access to the information,
Decide which company employees, groups, roles or job functions are authorized to access the information in the collection and in what manner (i.e.: who can view the information, who can update the information).
User Responsibilities
Protecting Information Wherever It Is Located
Each HVC user with an account is expected to know and understand the security requirements that apply to the information he or she handles, and to take measures to protect that information in a manner consistent with the requirements defined by this policy, wherever the information is located, i.e.,
On computers,
On networks (data and voice),
On magnetic or optical storage media (i.e.: hard drive, diskette, tape, CD),
On printed media (i.e.: forms, reports, microfilm, microfiche, books),
In physical storage environments (i.e.: offices, filing cabinets, drawers),
In a person's memory, etc.
If an authorized HVC user is not aware of the security requirements for information to which he or she has access, he or she must give that information maximum protection until its requirements can be ascertained.
Each HVC user is responsible for all activities performed by anyone using his or her account identifier or access credentials. Therefore, each HVC user must be diligent in protecting his or her access credentials against theft, and his or her computer and network accounts against unauthorized use. Passwords created for computer and network accounts should be difficult to guess (see the "Password Policy" document for guidelines). Furthermore, passwords should never be shared, and should never be recorded and stored in a location that is easily accessible by others. Computer and network accounts whose credentials have been stolen, or that are suspected of having been compromised, should be reported to the company administrators immediately. Assigning a single network or system account, with a shared password, to a group of individuals is highly discouraged and may only occur where there is no reasonable technical alternative, since a shared account removes individual accountability for the actions taken under it.
Diligence Concerning Information Associated with "Identity Theft"
Identity theft is an extremely serious and significant problem in our society. Anyone who obtains certain pieces of information about an individual can use that individual's credit cards, damage his or her credit standing, adversely affect business relationships, create forged documents or steal assets in the individual's name. Being sensitive to the identity theft threat, the company requires that extra precautions be taken when collecting, using and storing non-public "personally identifiable" information, such as:
Passwords,
Answers to Personal Security Questions,
Real Time Account Login Locations (IP Addresses),
Social Security Number (or Equivalent),
Business Tax Identification (EIN or Equivalent),
Date of birth,
Place of birth,
Mother's maiden name,
Credit card numbers,
Bank account numbers,
Bank routing/SWIFT numbers,
Income tax records,
Insurance Information,
Drivers license numbers,
Passport numbers.
With the exception of passwords, answers to personal security questions, and IP Addresses, collection and use of any of the above pieces of information should be limited to situations where there is legitimate business need and no reasonable alternative.
HVC understands the need to safeguard this information and ensures that adequate procedures are in place to minimize this risk. Access to such information may only be granted to authorized individuals on a need-to-know basis.
Limitations on Sharing Personally Identifying Information
All non-public information gathered and maintained by employees and agents of HVC.com, for the purpose of conducting company business, that personally identifies any living or deceased individual - names and other personal information pertaining to individual users, delegates, exhibitors, speakers, sponsors or other participants - is considered "confidential" unless otherwise specified by this document or by the appropriate company administrator or designate. Such information associated with an individual may only be shared with:
The individual with respect to whom the information is maintained,
Persons designated in writing by that individual,
Company employees and representatives (including selected volunteers) who need access to such information for legitimate company business or to support the processing of such information, and who are authorized by the company,
Governmental agencies to which the company has a legal obligation to provide such information,
The HVC customer that is the administrator of the same virtual event the user is a member of.
Company-contracted organizations (i.e.: VOIP Services, Payment Providers, etc.) that:
Require such information to deliver their services on behalf of the company,
Are authorized by the company.
The use of any personally identifying information collected and/or maintained by the company about any living or deceased individual - users, delegates, exhibitors, speakers, sponsors or other participants - in hard copy or electronic form for any purpose that does not support the company's objectives is strictly prohibited.
Methods of Distributing Public Information Associated with Individuals
Some pieces of personally identifiable information are considered public information. These pieces of information are described in Appendix A. The following procedures describe how public information associated with individuals may be shared:
Directory information, including name, company, address, phone number and e-mail address, can be made generally available over the specific virtual event web site. The HVC customer (event administrator) may deem other elements of information appropriate to be made as public directory information as well.
Other public information may be released to the public in response to reasonable requests.
Public Chat
Users of HVC engaged in a public chat room are to recognize that their comments and their presence are made public and open for all to see and read at the virtual event.
Exchanging Information via E-Mail or Other Network Facilities
Electronic mail (e-mail) may in some situations be considered an insecure mechanism for exchanging information. The privacy of information contained within e-mail messages can be exposed in transit, especially when either the sender or any of the recipients uses an unencrypted wireless network connection. Likewise, mechanisms that exchange information between computers in cleartext, such as "ftp", "chat" and "instant messaging", place confidential information at risk.
HVC allows e-mail between users within a virtual event; such e-mail is also forwarded to the recipient's own inbox, outside the HVC system. Its purpose is to initiate communication.
If information deemed "confidential" or "highly confidential" must be exchanged with an individual or entity using e-mail or any other network facility that transfers data, it is suggested that it be encrypted using a hardware- or software-based mechanism. It is also recommended that the e-mail include the following disclaimer: "This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments." Note that the disclaimer only states the sender's intent; it provides no technical protection for the content, which only encryption does.
Discarding Information
Physical documents containing information that has been classified as "confidential" or "highly confidential" by the company and/or designates must be shredded using a company approved device or shredding facility prior to being discarded. Any computer hard drive or removable magnetic medium, such as a diskette, magnetic tape, Zip disk, etc., that has been used to hold any kind of "confidential" or "highly confidential" information must be electronically 'disk wiped', 'scrubbed' or 'disk sanitized' using OIT-approved software (ex: Cyberscrub) prior to being discarded or being transferred to any individual or entity who is not authorized to view such information.
On such media, the mere deletion of confidential data is not sufficient, as deleted information remains accessible to anyone possessing one of a number of widely available recovery tools. Overwrite-based wiping is also unreliable on flash-based media (solid-state drives, memory sticks), because the device's wear levelling may leave copies of the data in blocks the wipe never reaches; such media should be sanitized with the manufacturer's secure-erase function or physically destroyed. Any non-erasable medium, such as a CD, optical disk, etc., that has been used to hold any kind of "confidential" or "highly confidential" information must be physically destroyed before being discarded.
Valid Uses of Aggregate Information
HVC may analyze and aggregate business, institutional and/or government data. However, official, published reports on specific events that include such aggregate data may only be issued with the review and approval of the appropriate HVC customer (event administrator). Similarly, sharing those reports with individuals or organizations for which the reports are not primarily intended requires the permission of the customer primarily responsible for the report.
Subpoenas
HVC customers and users are reminded that the full range of information collected on the account of any living or deceased individual - customers, delegates, exhibitors, sponsors, speakers, or any other participant - in hard copy or electronic form may be subpoenaed and entered into the public record of a court case. Appropriate discretion should therefore be exercised in the drafting of any document that will be stored in any company file. In the event the company receives investigative subpoenas, court orders and other compulsory requests from law enforcement agencies that require the disclosure of company held information, company counsel will be consulted before taking any action.
Reporting of Security Breaches or Suspicious Activity
Any member of the company staff who comes across any evidence of information being compromised, or who detects any suspicious activity that could potentially expose, corrupt or destroy information, must report it to the company administrator and IT Officer. No one should take it upon himself or herself to investigate the matter further without the authorization of the company administrator, IT Officer or General Counsel.
Any user or customer who comes across any evidence of information being compromised, or who detects any suspicious activity that could potentially expose, corrupt or destroy information, should report it to the company by opening a support ticket on the website.
Awareness Prior to Obtaining Access to Confidential Information
All employees and agents must review the "Protection of Confidential Information - Summary of Responsibilities" document contained in Appendix E (Part I) before being given access to confidential information contained within the company's computer systems, networks and physical facilities.
All HVC customers and users must review the Terms and Conditions, which includes the "Protection of Confidential Information - Summary of Responsibilities" document contained in Appendix E (Parts II and III) before being given access to confidential information contained within the company's computer systems and networks.
Additional Requirements for Technology Managers
Technology managers are those individuals who manage computing and network environments where company information is stored, transmitted or processed, such as:
Computer operating environments (i.e.: UNIX, Windows, Macintosh, etc.),
Database management environments (i.e.: Oracle, Sybase, SQL Server, Access, etc.),
Application environments (i.e.: PeopleSoft, Data Mall, etc.),
Network environments (i.e.: electrical, optical, microwave and wireless networks, routers, switches, firewalls, etc.),
Physical storage facilities (i.e.: tape libraries, filing cabinets, etc.),
Backup storage facilities (i.e.: Remote Storage, etc.).
Technology managers are responsible for ensuring that specific data's requirements for confidentiality, integrity and availability as defined by the company are being satisfied within their environments. This includes the development of:
A cohesive architectural policy,
Product implementation and configuration standards,
Procedures and guidelines for administering network and system accounts and access privileges in a manner that satisfies the security requirements defined by the company, and
An effective strategy for protecting information against generic threats posed by computer hackers.
SMS and VOIP RELATED ACTIVITY
Any unauthorized use of the Services is expressly prohibited. The HVC Customer, the user, exhibitor, sponsor, delegate, speaker and/or other participant agrees to abide by all applicable local, national and international laws and regulations and is solely responsible for all acts or omissions that occur under its account or password, including the content of any transmissions through the SMS and VOIP Service.
The Terms and Conditions cover numerous restrictions placed upon users and event administrators for both the event services as well as VOIP and SMS services.
PAYMENT RELATED INFORMATION
Any unauthorized use of the Services, is expressly prohibited. The HVC Customer, the user,
Appendix A - Personally Identifying Information That Is Generally Considered Public
Notwithstanding the general policy of treating personally identifying information as "confidential", the information listed below describes the circumstances under which certain limited types of personally identifying information may be generally considered by the company to be publicly accessible, except as otherwise noted. Other elements may only be considered public if defined as such by the HVC Customer (virtual event administrator).
Information about Current and Former Customers
The company considers the following to be "Directory Information" that may be shared with the general public:
Name,
Company Name,
Company address,
Company telephone number,
Company Logo,
Avatar (or photo if substituted),
Dates of attendance,
Conversations in public chat rooms,
Public forum posts,
3rd Party Social Media Information (ex: Linked In Profile, Twitter posts, etc).
Each HVC customer (virtual event administrator) may have their own security policy regarding their own event for their delegates. The content of each event is considered confidential by the company and it is up to the customer to select what information from their event to disclose to the public.
Appendix B - Potentially Applicable Laws
As summarized below, a number of federal and state laws may also apply to information collected and maintained by both HVC customers and HVC.
Computer Fraud and Abuse Act (CFAA)
Enacted in 1984 (and amended several times since, notably in 1986, 1994, 1996, 2001 and 2008), the CFAA criminalizes unauthorized access to a "protected computer" with the intent to defraud, to obtain information of value, or to cause damage to the computer. Under the CFAA, a "protected computer" includes any computer used in or affecting interstate or foreign commerce or communication, or used by or for a financial institution or the government of the United States. For example, the act of "hacking" into a secure web site from an out-of-state computer may violate the CFAA.
Electronic Communications Privacy Act (ECPA)
Enacted in 1986, the ECPA broadly prohibits (and makes criminal) the unauthorized use or interception of the contents or substance of wire, oral or electronic communications. In addition, the ECPA prohibits unauthorized access to or disclosure of electronically stored communications or information. Such prohibitions may apply to company employees who willfully exceed the scope of their duties or authorizations by accessing certain databases housed within the company system. The ECPA does not, however, prohibit the company from monitoring network usage levels and patterns in order to ensure the proper functioning of its information systems.
(for Academic events) -- The Family Educational Rights and Privacy Act (FERPA)
Enacted in 1974, FERPA (also known as the Buckley Amendment) affords students (or parents if the student is a minor) certain rights with respect to the student's "education records." As defined under FERPA, the term "education records" encompasses a broad range of materials and information such as disciplinary, financial and academic records established during a given student's enrollment and maintained in a variety of company databases and other filing arrangements. In particular, FERPA provides that "education records" and personally identifiable information contained therein may not be released or disclosed (including disclosure by word of mouth) without the written consent of the student (or parents, as the case may be). Violations of FERPA may result not only from the unauthorized disclosure of education records but also from the failure to exercise due care in protecting such records against unauthorized access from outsiders. However, even in the absence of express student (or parental) consent, FERPA permits disclosure of education records to company employees who have a legitimate interest in the student and to outside parties in a variety of circumstances, such as those where public health or safety are at issue.
(for Financial Related Events) The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA))
Enacted in 1999, the GLBA requires financial institutions to carefully protect customers' financial information. In the event a financial institution runs an HVC virtual event, they must comply with GLBA provisions. The GLBA has two relevant components: (1) "safeguarding" rules and (2) privacy rules. All personally identifiable financial information from users must be safeguarded against foreseeable risks of disclosure, intrusion and systems failure. The customer must designate information security program managers in their business units that handle financial information, identify risks to the security of financial information, and develop security programs to protect against risks. As the privacy standards of GLBA must be followed for all financial information, the company must have a privacy policy to comply with GLBA and will make required privacy notifications to users whose financial information is obtained. More information is available on the Federal Trade Commission web site: http://www.ftc.gov/privacy/glbact/index.html
(educational Seminars with Non-Profits Colleges and Universities ONLY)
The Technology, Education, and Copyright Harmonization Act (TEACH Act)
Enacted in 2002, the TEACH Act relaxes certain copyright restrictions so that accredited, non-profit colleges and universities may use multimedia content for instructional purposes in technology-mediated settings. However, the TEACH Act carries a number of security requirements designed to ensure that digitally transmitted content will be accessible only to students who are properly enrolled in a given course.
State Laws
In addition to the federal laws summarized above, there may be particular state laws that apply to the handling of confidential information. For example, state laws may govern the collection or use of information regarding children, consumers and other groups. Before establishing new practices with regard to the handling of confidential information, company employees are encouraged to consult the company counsel in order to determine whether specific New York laws apply.
Subpoenas and Other Compulsory Requests
Many of the federal and state laws described above create exceptions allowing for the disclosure of confidential information in order to comply with investigative subpoenas, court orders and other compulsory requests from law enforcement agencies. Employees who receive such compulsory requests should contact company counsel before taking any action.
Vendor Agreements
When negotiating contracts with third party vendors, the company will consider whether such vendors require access to company databases or to other filing systems containing confidential information. Agreements providing third party vendors with access to such information must ensure that the vendor is subject to obligations of confidentiality that will enable the company to comply with its own obligations under the applicable privacy laws. In addition, such vendors should be contractually obligated to implement data protection and security measures that are commensurate with the company's practices. By the same token, HVC customers must be careful not to disclose confidential information entrusted to their care by an outside party, especially when such information is governed by the terms of a confidentiality agreement or clause with that party.
Appendix C - Disclosure of HVC Customers for Promotion of HVC
In certain cases, the company will publicly list the HVC customer as a client of HVC. This would be in the form of a press release, or a list showing the name of the company (or event) and its logo on the website. The HVC customer's approval is required, and the listing will be removed upon request.
Appendix D - How the Company Assesses Security Requirements
As stated previously, the company is responsible for assessing the security requirements in three areas of concern: confidentiality, integrity and availability. To facilitate the assessment process and ensure that these requirements are expressed in a consistent manner in the company, categorization of the information uses the guidelines described in this section. The confidentiality requirement of information will be expressed in the following terms:
"Public" information can be freely shared with individuals inside or outside the company without any further authorization by the company.
"Internal" information can be freely shared with members of the company community. Sharing such information with individuals outside of the company community requires authorization by the company administrator.
"Customer" or "Event" information can be freely shared with members of the company and the HVC customer (event administrator). Sharing such information with individuals outside the HVC customer's organization requires authorization by the appropriate HVC customer.
"User" information can be freely shared with members of the company, the HVC customer (event administrator) and the user (delegate, exhibitor, speaker, sponsor or other participant). Sharing such information with anyone else requires authorization by the appropriate user.
"Confidential" information can only be shared on a "need to know" basis with individuals who have been authorized by the company, either by their association with specific job functions or explicitly by name.
"Highly confidential" information can only be shared on a "need to know" basis with a limited number of individuals who have been authorized by the company explicitly by name.
The integrity/availability requirement for an information collection will be expressed as follows:
"Non-critical" if its unauthorized modification, loss or destruction would cause little more than temporary inconvenience to the user community and support staff, and incur limited recovery costs. Reasonable measures to protect information deemed "non-critical" include storing physical information in locked cabinets and/or office space, using standard access control mechanisms that prevent unauthorized individuals from updating computer-based information, and making regular backup copies.
"Critical" if its unauthorized modification, loss, or destruction through malicious activity, accident or irresponsible management could potentially cause the company to:
Suffer significant financial loss or damage to its reputation,
Be out of compliance with legislative requirements,
Adversely impact its clients, or
Miss a legally mandated deadline.
In addition to the protective measures described for information deemed "non-critical":
"Critical" information must be verified either visually or against other sources on a regular basis, and
A business continuity plan to recover "critical" information that has been lost or damaged must be developed, documented, deployed and tested annually.
Appendix E - Summary of End User Responsibilities
All individuals must review the following "Summary of Responsibilities" document before obtaining access to confidential information contained within the company's computer systems, networks and physical facilities.
Administrators are responsible for ensuring that each of their staff members who have access to confidential information has reviewed the document and understands his or her responsibilities as they relate to the handling of confidential information.
Part I - Employees and Agents of HVC
Protection of Confidential Information - Summary of Responsibilities
Applicable to: All Individuals with Access to Confidential HVC.com Information
Effective Date: February 18, 2010
The company maintains information that is sensitive and valuable, and is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. This includes, but is not limited to:
Personal information about customers, delegates, exhibitors, sponsors, speakers, and other participants (i.e.: passwords, third party passwords, credit card numbers, certain personal history, discussions, emails, sms messages, etc.)
Company business information (i.e.: certain product information, intellectual property, conversations, meetings, financial reports, internal reports and memos, contracts, strategic reports, surveys, emails, etc.)
Information about or provided by third parties (i.e.: information covered by non-disclosure agreements, contracts, business plans, non-public financial data, computer programs, discussions, emails, sms messages, etc.)
The exposure of such information to unauthorized individuals could cause irreparable harm to the company or members of the company community. Thus, you are expected to diligently protect it:
You may only access the information needed to perform your legitimate duties as a company employee or agent and only after being authorized by the company.
You may not in any way divulge, copy, release, sell, loan, review, alter or destroy any information except as properly authorized within the scope of your professional activities.
You must take appropriate measures to protect confidential information wherever it is located, i.e.: held on physical documents, stored on computer media, communicated over voice or data networks, exchanged in conversation, etc.
You must safeguard any password, security token or computer/network account that allows you to access confidential information. This includes creating difficult-to-guess computer passwords.
You must destroy or render unusable confidential information held on any physical document (i.e.: memos, reports, microfilm, microfiche) or computer storage medium (i.e.: diskette, CD, magnetic tape, hard disk) that is being discarded.
You must report any activities that you suspect may compromise confidential information to your immediate supervisor, the company administrator and the IT Officer.
Your obligation to protect confidential information does not cease after you leave the company.
Your failure to comply with the above requirements may subject you to disciplinary measures, up to and including termination of employment.
Part II - HVC Customers
Protection of Confidential Information - Summary of Responsibilities
Applicable to: HVC Customers (Event Administrators)
Effective Date: February 18, 2010
The company maintains information that is sensitive and valuable, and is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. This includes, but is not limited to:
Personal information about customers, delegates, exhibitors, sponsors, speakers, and other participants (i.e.: passwords, third party passwords, credit card numbers, certain personal history, discussions, emails, sms messages, etc.)
Company business information (i.e.: certain product information, intellectual property, conversations, meetings, financial reports, internal reports and memos, contracts, strategic reports, surveys, emails, etc.)
Information about or provided by third parties (i.e.: information covered by non-disclosure agreements, contracts, business plans, non-public financial data, computer programs, discussions, emails, sms messages, etc.)
The exposure of such information to unauthorized individuals could cause irreparable harm to the company, your firm and/or members of the company community. Thus, you are expected to diligently protect it:
You are provided access to the information needed to perform your legitimate duties as an event administrator, and only after being authorized by the company as an HVC customer.
You should not in any way divulge, copy, release, sell, loan, review, alter or destroy any information except as properly authorized within the scope of your professional activities.
You should take appropriate measures to protect confidential information wherever it is located, i.e.: held on physical documents, stored on computer media, communicated over voice or data networks, exchanged in conversation, etc.
You should safeguard any password, security token or computer/network account that allows you to access confidential information. This includes creating difficult-to-guess computer passwords.
You should destroy or render unusable confidential information held on any physical document (i.e.: memos, reports, microfilm, microfiche) or computer storage medium (i.e.: diskette, CD, magnetic tape, hard disk) that is being discarded.
You should report any activities that you suspect may compromise confidential information via the support ticketing system on the HVC.com website.
Your obligation to protect confidential information should not cease after the conclusion of the virtual event(s).
Part III - HVC Users
Protection of Confidential Information - Summary of Responsibilities
Applicable to: HVC Users
Effective Date: February 18, 2010
The company maintains information that is sensitive and valuable, and is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. This includes, but is not limited to:
Personal information about customers, delegates, exhibitors, sponsors, speakers, and other participants (i.e.: passwords, third party passwords, credit card numbers, certain personal history, discussions, emails, sms messages, etc.)
Company business information (i.e.: certain product information, intellectual property, conversations, meetings, financial reports, internal reports and memos, contracts, strategic reports, surveys, emails, etc.)
Information about or provided by third parties (i.e.: information covered by non-disclosure agreements, contracts, business plans, non-public financial data, computer programs, discussions, emails, sms messages, etc.)
The exposure of such information to unauthorized individuals could cause irreparable harm to the company, your firm and/or members of the company community. Thus, you are expected to diligently protect it:
You are provided access to the information needed to perform your legitimate duties as a delegate, speaker, sponsor, exhibitor, user or other participant, and only after being authorized by the event administrator and by HVC.
You should not in any way divulge, copy, release, sell, loan, review, alter or destroy any information except as properly authorized within the scope of your professional activities.
You should take appropriate measures to protect confidential information wherever it is located, i.e.: held on physical documents, stored on computer media, communicated over voice or data networks, exchanged in conversation, etc.
You should safeguard any password, security token or computer/network account that allows you to access confidential information. This includes creating difficult-to-guess computer passwords.
You should destroy or render unusable confidential information held on any physical document (i.e.: memos, reports, microfilm, microfiche) or computer storage medium (i.e.: diskette, CD, magnetic tape, hard disk) that is being discarded.
You should report any activities that you suspect may compromise confidential information via the support ticketing system on the HVC.com website.
Your obligation to protect confidential information should not cease after the conclusion of the virtual event(s).
Appendix F - (Suggested For Events dealing with Financial Related Matters)
Confidential Information Addendum (Non-Disclosure) for Information Covered by the Gramm-Leach-Bliley Act
The form on the following page (or a comparable form approved by your counsel) is recommended to be offered to exhibitors, sponsors, speakers, delegates and users before they are given access to a financial-related virtual event, as a protection under the Gramm-Leach-Bliley Act.
CONFIDENTIAL INFORMATION ADDENDUM FOR INFORMATION PROTECTED BY GLBA
Confidential Information Addendum for Information Covered by the Gramm-Leach-Bliley Act
This Addendum ("Addendum") amends and is hereby incorporated into the existing agreement known as ____________________________ ("Agreement"), entered into by and between _______________________________ (hereinafter "Service Provider") and ____________________ (hereinafter "Virtual Event Administrator") on __________________. Virtual Event Administrator and Service Provider mutually agree to modify the Agreement to incorporate the terms of this Addendum to comply with the requirements of the Gramm Leach Bliley Act ("GLB") dealing with the confidentiality of customer information and the Safeguards Rule. If any conflict exists between the terms of the original Agreement and this Addendum, the terms of this Addendum shall govern.
1. Definitions:
a. Covered Data and Information includes Financial Information (defined below) required to be protected under the Gramm Leach Bliley Act (GLB), as well as any credit card information received in the course of business by the company, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.
b. Financial Information is that information that the company has obtained from a customer in the process of offering a financial product or service, or such information provided to the company by another financial institution. Offering a financial product or service includes offering loans, receiving income tax information from a person when offering a financial package, and other miscellaneous financial services as defined in 12 C.F.R. §225.28. Examples of financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.
2. Acknowledgment of Access to Covered Data and Information: Service Provider acknowledges that the Agreement allows the Service Provider access to Covered Data and Information. Specifically, access to the following categories of Covered Data and Information is anticipated under the Agreement:
________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________
3. Prohibition on Unauthorized Use or Disclosure of Covered Data and Information: Service Provider agrees to hold the covered data and information in strict confidence. Service Provider shall not use or disclose Covered Data and Information received from or on behalf of Virtual Event Administrator except as permitted or required by the Agreement or this Addendum, as required by law, or as otherwise authorized in writing by Virtual Event Administrator.
4. Safeguard Standard: Service Provider agrees that it will protect the Covered Data and Information it receives from or on behalf of Virtual Event Administrator according to commercially acceptable standards and no less rigorously than it protects its own confidential information.
5. Return or Destruction of Covered Data and Information: Upon termination, cancellation, expiration or other conclusion of the Agreement, Service Provider shall:
a. Return to Virtual Event Administrator or, if return is not feasible, destroy all Covered Data and Information in whatever form or medium that Service Provider received from or created on behalf of Virtual Event Administrator. This provision shall also apply to all Covered Data and Information that is in the possession of subcontractors or agents of Service Provider. In such case, Service Provider shall retain no copies of such information, including any compilations derived from and allowing identification of Covered Data and Information. Service Provider shall complete such return or destruction as promptly as possible, but no later than thirty (30) days after the effective date of the conclusion of this Agreement. Within such thirty (30) day period, Service Provider shall certify in writing to Virtual Event Administrator that such return or destruction has been completed.
b. If Service Provider believes that the return or destruction of Covered Data and Information is not feasible, Service Provider shall provide written notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction is not feasible, Service Provider shall extend the protections of this Addendum to Covered Data and Information received from or created on behalf of Virtual Event Administrator, and limit further uses and disclosures of such Covered Data and Information, for so long as Service Provider maintains the Covered Data and Information.
6. Term and Termination:
a. This Addendum shall take effect upon execution.
b. In addition to the rights of the parties established by the underlying Agreement, if Virtual Event Administrator reasonably determines in good faith that Service Provider has materially breached any of its obligations under this Addendum, Virtual Event Administrator, in its sole discretion, shall have the right to:
i. exercise any of its rights to reports, access and inspection under this Addendum; and/or
ii. require Service Provider to submit to a plan of monitoring and reporting, as Virtual Event Administrator may determine necessary to maintain compliance with this Addendum; and/or
iii. allow Service Provider to immediately cure the breach to Virtual Event Administrator's satisfaction; and/or
iv. terminate the Agreement immediately if Service Provider has breached a material term of this Addendum and cure is not possible.
c. Before exercising any of these options, Virtual Event Administrator shall provide written notice to Service Provider describing the violation and the action it intends to take.
7. Subcontractors and Agents: If Service Provider provides any Covered Data and Information which was received from, or created for, Virtual Event Administrator to a subcontractor or agent, then Service Provider shall require such subcontractor or agent to agree to the same restrictions and conditions as are imposed on Service Provider by this Addendum.
8. Maintenance of the Security of Electronic Information: Service Provider shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted Covered Data and Information received from, or on behalf of, Virtual Event Administrator.
9. Reporting of Unauthorized Disclosures or Misuse of Covered Data and Information: Service Provider shall report to Virtual Event Administrator any use or disclosure of Covered Data and Information not authorized by this Addendum or in writing by Virtual Event Administrator. Service Provider shall make the report to Virtual Event Administrator no later than one (1) business day after Service Provider learns of such use or disclosure. Service Provider's report shall identify:
a. the nature of the unauthorized use or disclosure,
b. the Covered Data and Information used or disclosed,
c. who made the unauthorized use or received the unauthorized disclosure,
d. what Service Provider has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and
e. what corrective action Service Provider has taken or shall take to prevent future similar unauthorized use or disclosure.
Service Provider shall provide such other information, including a written report, as reasonably requested by Virtual Event Administrator.
10. Indemnity. Service Provider shall defend and hold Virtual Event Administrator harmless from all claims, liabilities, damages, or judgments involving a third party, including Virtual Event Administrator's costs and attorney fees, which arise as a result of Service Provider's failure to meet any of its obligations under this Addendum.
11. Survival. The respective rights and obligations of Service Provider under Section 5 shall survive the termination of this Agreement.
IN WITNESS WHEREOF, each of the undersigned has caused this Addendum to be duly executed in its name and on its behalf.
HVC.COM
By: _______________________
Title: _______________________
Date: _______________________
SERVICE PROVIDER: ___________________
By: _______________________________
Title: _______________________________
Date: _______________________________
Appendix G - Confidential Information Agreement (Non-Disclosure) for Data Transferred to an External Service Provider
The form on the following page (or a comparable form approved by the company counsel) must be signed by an appropriate representative of any external organization before any member of that organization can obtain non-public company information.
CONFIDENTIAL INFORMATION AGREEMENT FOR DATA TRANSFERRED TO AN EXTERNAL SERVICE PROVIDER
This agreement is hereby entered into, by and between _________________________
(hereinafter "Service Provider") and HVC.com (hereinafter "HVC") on
___________________. HVC.com and Service Provider mutually agree to the terms of this Agreement whereby HVC will provide the following data and information:
________________________________________________________________________
to Service Provider for the following purposes:
________________________________________________________________________
Such data and information shall be provided to Service Provider for a defined period, starting upon the execution of this agreement and ending no later than ___________________.
If any conflict exists between the terms of this agreement and any prior agreement, the terms of this agreement shall govern.
1. Definition:
a. Covered Data and Information will include all data and information provided by HVC to Service Provider specifically for the aforementioned purposes as well as any data and information that Service Provider may derive from such data and information.
2. Acknowledgment of Access to Covered Data and Information: Service Provider acknowledges that the Agreement allows the Service Provider access to Covered Data and Information, and that Covered Data and Information will be used for the aforementioned purposes only.
3. Prohibition on Unauthorized Use or Disclosure of Covered Data and Information: Service Provider agrees to hold the Covered Data and Information in strict confidence. Service Provider shall not use or disclose Covered Data and Information received from or on behalf of HVC except as permitted or required by the Agreement, as required by law, or as otherwise authorized in writing by HVC.
4. Safeguard Standard: Service Provider agrees that it will protect the Covered Data and Information it receives from or on behalf of HVC according to commercially acceptable standards and no less rigorously than it protects its own confidential information.
5. Return or Destruction of Covered Data and Information: Upon termination, cancellation, expiration or other conclusion of the Agreement, Service Provider shall:
a. Return to HVC or, if return is not feasible, destroy all Covered Data and Information in whatever form or medium that Service Provider received from or created on behalf of HVC. This provision shall also apply to all Covered Data and Information that is in the possession of subcontractors or agents of Service Provider. In such case, Service Provider shall retain no copies of such information, including any compilations derived from and allowing identification of Covered Data and Information. Service Provider shall complete such return or destruction as promptly as possible, but no later than thirty (30) days after the effective date of the conclusion of this Agreement. Within such thirty (30) day period, Service Provider shall certify in writing to HVC that such return or destruction has been completed.
b. If Service Provider believes that the return or destruction of Covered Data and Information is not feasible, Service Provider shall provide written notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction is not feasible, Service Provider shall extend the protections of this Agreement to Covered Data and Information received from or created on behalf of HVC, and limit further uses and disclosures of such Covered Data and Information, for so long as Service Provider maintains the Covered Data and Information.
6. Term and Termination:
a. This Agreement shall take effect upon execution.
b. In addition to the rights of the parties established by the underlying Agreement, if HVC reasonably determines in good faith that Service Provider has materially breached any of its obligations under this Agreement, HVC, in its sole discretion, shall have the right to:
i. Exercise any of its rights to reports, access and inspection under this Agreement; and/or
ii. Require Service Provider to submit to a plan of monitoring and reporting, as HVC may determine necessary to maintain compliance with this Agreement; and/or
iii. Provide Service Provider with a fifteen (15) day period to cure the breach; and/or
iv. Terminate the Agreement immediately if Service Provider has breached a material term of this Agreement and cure is not possible.
c. Before exercising any of these options, HVC shall provide written notice to Service Provider describing the violation and the action it intends to take.
7. Subcontractors and Agents: If Service Provider provides any Covered Data and Information which was received from, or created for, HVC to a subcontractor or agent, then Service Provider shall require such subcontractor or agent to agree to the same restrictions and conditions as are imposed on Service Provider by this Agreement.
8. Maintenance of the Security of Electronic Information: Service Provider shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted Covered Data and Information received from, or on behalf of, HVC.
9. Reporting of Unauthorized Disclosures or Misuse of Covered Data and Information: Service Provider shall report to HVC any use or disclosure of Covered Data and Information not authorized by this Agreement or in writing by HVC. Service Provider shall make the report to HVC no later than one (1) business day after Service Provider learns of such use or disclosure. Service Provider's report shall identify:
a. The nature of the unauthorized use or disclosure,
b. The Covered Data and Information used or disclosed,
c. Who made the unauthorized use or received the unauthorized disclosure,
d. What Service Provider has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and
e. What corrective action Service Provider has taken or shall take to prevent future similar unauthorized use or disclosure.
Service Provider shall provide such other information, including a written report, as reasonably requested by HVC.
10. Indemnity. Service Provider shall defend and hold HVC harmless from all claims, liabilities, damages, or judgments involving a third party, including HVC's costs and attorney fees, which arise as a result of Service Provider's failure to meet any of its obligations under this Agreement.
11. Survival. The respective rights and obligations of Service Provider under Section 5 shall survive the termination of this Agreement.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf.
HVC.COM
By: _______________________
Title: _______________________
Signature: _______________________
Date: _______________________
SERVICE PROVIDER: ______________________
By: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
Appendix H - Confidential Information Agreement (Non-Disclosure) for Vendor Support, either On-Site or via Remote Access
The form on the following page (or a comparable form approved by the company counsel) must be signed by an appropriate representative of any external organization before any member of that organization can gain access to company computer systems.
CONFIDENTIAL INFORMATION AGREEMENT - VENDOR REMOTE OR ON-SITE SUPPORT
This agreement is hereby entered into, by and between ____________________________________
(hereinafter "Service Organization") and HVC.com (hereinafter "HVC") on
_________________________.
HVC.com and Service Organization mutually agree to the terms of this Agreement to govern the handling of any HVC data and information to which any employee, subcontractor, agent or other individual affiliated with Service Organization (hereinafter "Service Provider") may have access during the course of any work done relating to the maintenance, support or testing of computer software and/or hardware used by HVC. If any conflict exists between the terms of this agreement and any prior agreement, the terms of this agreement shall govern.
1. Definitions:
The term Service Provider will refer to any employee, subcontractor, agent or other individual affiliated with Service Organization who has access to HVC data and information. The term Covered Data and Information will refer to any piece of HVC data and information to which any Service Provider may have access during the course of his or her performing work relating to the maintenance, support or testing of computer software and/or hardware used by HVC.
2. Acknowledgment of Access to Covered Data and Information: Service Organization acknowledges that the Agreement allows Service Providers to access Covered Data and Information, and that Covered Data and Information will be used for testing and assessment purposes only.
3. Prohibition on Unauthorized Use or Disclosure of Covered Data and Information: Service Organization agrees that Service Providers will hold the Covered Data and Information in strict confidence. Service Providers shall not use or disclose any piece of Covered Data and Information that may be accessed except as permitted or required by the Agreement, as required by law, or as otherwise authorized in writing by HVC.
4. Safeguard Standard: Service Organization agrees that Service Providers will protect the Covered Data and Information according to commercially acceptable standards and no less rigorously than Service Organization protects its own confidential information.
5. Handling of Covered Data and Information: Service Providers will take no intentional action to make a copy of any piece of Covered Data and Information onto any computer or media without prior authorization by the manager of the HVC department responsible for that data. In cases where information is copied onto any media, electronic, magnetic, optical, print, film or otherwise, such Covered Data and Information will be carefully guarded by all Service Providers against unauthorized exposure and, once the issue has been resolved, Service Providers will destroy all copies of Covered Data and Information either through destructive erasure (magnetic and electronic media) or physical shredding (all other media, such as paper, CDs, DVDs, etc.).
6. Term and Termination:
a. This Agreement shall take effect upon execution.
b. In addition to the rights of the parties established by the underlying Agreement, if HVC reasonably determines in good faith that any Service Provider has materially breached any of its obligations under this Agreement, HVC, in its sole discretion, shall have the right to:
i. Exercise any of its rights to reports, access and inspection under this Agreement; and/or
ii. Require Service Organization to submit to a plan of monitoring and reporting, as HVC may determine necessary to maintain compliance with this Agreement; and/or
iii. Provide Service Organization with a fifteen (15) day period to cure the breach; and/or
iv. Terminate the Agreement immediately if any Service Provider has breached a material term of this Agreement and cure is not possible.
c. Before exercising any of these options, HVC shall provide written notice to Service Organization describing the violation and the action it intends to take.
7. Subcontractors and Agents: If a Service Provider provides any Covered Data and Information which was received from, or created for, HVC to a subcontractor or agent, then Service Organization shall require such subcontractor or agent to agree to the same restrictions and conditions as are imposed on Service Organization by this Agreement.
8. Maintenance of the Security of Electronic Information: Service Organization shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted Covered Data and Information received from, or on behalf of, HVC.
9. Reporting of Unauthorized Disclosures or Misuse of Covered Data and Information: Service Organization shall report to HVC any use or disclosure of Covered Data and Information not authorized by this Agreement or in writing by HVC. Service Organization shall make the report to HVC no later than one (1) business day after Service Organization or any Service Provider learns of such use or disclosure. Service Organization's report shall identify:
a. The nature of the unauthorized use or disclosure,
b. The Covered Data and Information used or disclosed,
c. Who made the unauthorized use or received the unauthorized disclosure,
d. What Service Organization has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and
e. What corrective action Service Organization has taken or shall take to prevent future similar unauthorized use or disclosure.
Service Organization shall provide such other information, including a written report, as reasonably requested by HVC.
10. Indemnity. Service Organization shall defend and hold HVC harmless from all claims, liabilities, damages, or judgments involving a third party, including HVC's costs and attorney fees, which arise as a result of Service Organization's failure to meet any of its obligations under this Agreement.
11. Survival. The respective rights and obligations of Service Organization under Section 5 shall survive the termination of this Agreement.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf.
HVC.COM
By: _______________________
Title: _______________________
Signature: _______________________
Date: _______________________
SERVICE ORGANIZATION: _____________________________
By: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________