1. Revision History
- Amended Version adopted 2020-12-16 (eMeeting 2020-12-16-01)
- Original Version Adopted 2011-03-03 (eMeeting 2010-10-28-01)
Privacy is important to ACSA both legally and morally. ACSA is on board with Bruce Schneier’s remark that “data is a toxic asset”1 and in line with that, ACSA and its associated events and organizations collect as little personally identifiable information (PII) as possible for the purposes for which it is needed, store that data securely while it is in ACSA’s possession, keep the data for as short a period of time to accomplish the purpose, for which it is collected, and securely deletes that data once that purpose has been accomplished. ACSA seeks to fully comply with major international privacy regulations, particularly including the point that ACSA never sells or shares PII.
The privacy of those who provide information to ACSA is important to ACSA. ACSA respects concerns about maintaining strict privacy. Any personally identifying information (PII) that is divulged to us is always kept in confidence.
Applied Computer Security Associates (ACSA) is the sponsor of events such as the Annual Computer Security Applications Conference (ACSAC), the New Security Paradigms Workshop (NSPW), and other programs, collectively referred to as "subactivities." This policy defines the approach ACSA will take to protect the personally identifiable information (PII) of users of its websites and participants in its applicable subactivities. This policy constitutes a part of the Terms & Conditions of the subactivity websites, and governs your use of those websites and your interaction with ACSA and our applicable subactivities.
For the purposes of this policy, the terms "we" and "our" mean ACSA or our applicable subactivities. The terms "you" and "your" mean the user of our websites and other information systems, to include those who choose to participate in our applicable subactivities.
Information provided to Applied Computer Security Associates (ACSA), whether doing business as the Annual Computer Security Applications Conference (ACSAC), a workshop, or any other activity, is the property of ACSA.
Questions or comments related to this policy may be sent to the ACSA Privacy Coordinator at firstname.lastname@example.org.
4. Policy Statement
We collect, store, process and transmit personally identifiable information (PII) in a manner consistent with the laws of the United States. Further, we employ generally accepted privacy and security principles that we find appropriate in addressing your privacy needs, as well as our mission objectives.
- ACSA refers to the Applied Computer Security Associates and its associated activities, events, and conferences, which are termed "subactivities".
- Applicable Subactivities (henceforth “Subactivities”) refers to those ACSA activities that are covered by the policy, and specifically excludes those activities governed by a pre-existing memorandum of understanding (MOU) that would exclude this policy. As of the time of the update to this policy, the following subactivities are covered by a separate MOU and are not subject to this policy:
- New Security Paradigms Workshop (NSPW)
- Personally Identifiable Information (PII) means information that may directly identify you as an individual, including, but not limited to, name, postal address, telephone number, email address, IP address, credit card information, and tax identification information. PII also includes personal and employment-related information, such as affiliation and work addresses. It may also include additional information provided at registration, including selected conference activity attendance and special dietary requests. All PII is protected from unauthorized access.
- Specially Protected PII is a subset of PII that requires special protection in storage and transmission. Information that requires special protection includes financially-related PII (such as credit card information, taxpayer identification, and information used to financially process reimbursements (in the context of the reimbursement)), and information provided in support of a visa letter.
- Submitter PII. PII associated with materials submitted with the intent of publication or public dissemination (e.g., papers, workshops, tutorials, training sessions, case studies, panels, talks), is not Specially Protected PII.
It is the intent of ACSA to follow industry standard practices. This policy references security controls defined in the latest edition of National Institute of Standards and Technology (NIST) SP 800-53, Security and Privacy Control Catalog, and references encryption standards defined by NIST in the Federal Information Processing Standards (FIPS).
6. Relationship to Supplemental Policies
7. Protection of PII
It is our policy that reasonable and generally accepted security controls be employed on computers that collect, store, process and transmit your PII. We periodically review and improve our security and privacy policies as necessary. We authorize our volunteers and third-party vendors to have access to your PII on a "need to know" basis, based upon the business function of the user, and our mission needs. We limit the population of users with access to your PII to the minimum needed in order to accomplish the ACSA mission.
The following are the specific protections required based on the type of PII:PII in the possession of ACSA and its subactivities must be stored on systems that provide access controls that restrict who can access the system and the information. Printed PII must be stored out of sight when not in use. The only exception is PII that the owner has authorized to be released. Specially Protected PII requires additional protection. It must be transmitted with encryption and sufficiently strong keys, and must be stored encrypted. When printed and not in use, it must be stored in a locked desk or other container. Submitter PII, as it is intended for publication, is considered public information and does not require protection.
We are a not-for-profit organization, supported by the efforts of volunteers. In some cases, volunteers employ their personally-owned or employer-provided computers and other IT resources to support their work with us. This work may include the collection, storage, processing and transmission of your PII, such as your name, physical addresses, and email addresses. We advise volunteers to follow reasonable and generally accepted security practices when handling such information. We require that all such computers protect Specially Protected PII as stated in this policy. We reserve the right to audit the security controls implemented by any given volunteer, and provide volunteers with a list of recommended mechanisms to implement controls. We limit the number of volunteers with access to your PII to the minimum needed in order to accomplish our mission objectives.
With the exception of information maintained by us and conference organizers in access controlled areas, no personally identifiable information about you is kept on ACSA servers (such as www.acsac.org).
8. Disclosure of PII
We will not disclose PII collected on our websites to third parties, except as required by law or as necessary to provide conference, publication, or other services germane to our mission. We do not sell PII. We may disclose PII to third-party vendors as necessary to process conference registrations, hotel registrations, online/ecommerce payments and travel related reservations.
We will not use PII for any purposes other than those specifically related to our conferences and subactivities, except as discussed under the section titled "Mailing Lists."
9. Aggregate Data
We may share aggregated data, which includes data about you, with third parties. Aggregated User Data does not include PII and is shared for the purposes of determining the attainment of certain benchmarks and other statistical metrics. An example of such data would be overall demographic breakdowns of academic vs. commercial attendees.
10. Event Registration
The names of registrants for our events and activities may be shared with our contractors and volunteers in order to ensure that speakers and other presenters have been registered for the subactivity. Names and email addresses may be employed to send you email related to ACSA subactivities. We may use a service provider (e.g., MailChimp) to send that email.Hotel Registration
For your convenience, we may provide links to hotel websites that are party to the organization of conference events. When you reserve a hotel room through our room block for a conference (using the link on the activity website), the hotel may share information such as your name and address with us. We use that information to ensure that attendee's reservations are accounted for in meeting contractual obligations with our contracted hotel. For example, we may use that information to contact you if we see that a reservation has been made as part of the conference block, yet you have not registered for the conference.Third Party Vendors
We have formal (contractual) and informal (service based) relationships with third parties (such as registrar services and hotels) in order to provide conferences and other services to subactivities. We are not responsible for the privacy practices of these third party vendors for contracts signed before the initial adoption of this policy. We work with our contractors to ensure that PII is adequately protected in a manner congruent with this policy. When we have a formal contract in place with a third-party vendor (contracted vendor), it will require appropriate protection of PII provided to that contractor. When there is no formal contract, we cannot state that the contractor is bound by the specific terms and conditions of this policy. You are encouraged to make your own assessment of contractor privacy policies and to alert us to any concerns you might have. Links to contractor privacy polices are available on our website.Visa Letters
When we host a subactivity in the United States, you may request a visa letter to facilitate your obtaining a visa to attend or present at the activity. We will receive PII from you as part of this request process (for example, passport identification information), and we will provide a letter containing this information, as well as an indication of the level of participation in our activities, to you or to an embassy official designated by you. PII obtained in conjunction with a visa letter is Specially Protected PII by us. We request that you follow our guidance in protecting this PII when you transmit it to us. We are not responsible if you send us PII unprotected (e.g., in plain-text email).Special Circumstances
We may disclose your PII when we have reason to believe that disclosing such information is necessary to identify, contact or bring legal action against someone who may be causing injury to or is interfering with our other users or anyone else who could be harmed by such activities.
11. User Tracking
We do not track user activity beyond use of our websites. In particular, we do not place cookies on your computers unless explicitly indicated, nor do we collect PII as you "surf" (casually visit) our websites. We only know about you if you choose to identify yourself when you communicate with us via e-mail, voluntarily register for our mailing list, attend a subactivity (attendee), or participate in planning and conduction a subactivity (volunteer). Such communication includes responses to Calls for Submissions or Calls for Participation. We treat such communications as PII until acceptances are announced, at which point we assume that permission has been obtained from you to publicly announce your identity as you will be participating in the relevant activity.
When submitting content for consideration as inclusion at one of our activities (for example, submitting a paper for publication), you may have cookies placed on your computer to support use of the submission application, but these cookies do not contain PII.
12. Mailing Lists
Individuals who desire to be informed of ACSA activities can "opt-in" to be included in the ACSA lists by going to www.acsac.org and providing the web agent with a postal mail address, an electronic address, or both. In like manner, an individual can utilize the web software to be removed from the postal mail list, electronic mail list, or both lists.
In late 2000, ACSA informed all mailing list subscribers that they must opt-in again if they want to stay on the mailing list.
You may tell us to not to include your information on our lists. You may use our website to remove your information from our lists.
We do not share PII with non-ACSA activities. We may forward mailings on behalf of third-parties that share the interests of our users. In these cases, we will deliver mailings to you although the content of the mailings was produced by the third-party. Your PII is not provided to these third parties; we do not provide them with our electronic or attendee lists.
13. Attendee Lists
As of the 2019 Conference, the ACSAC subactivity is no longer publishing attendee lists. Other subactivities may have their own policies on publishing the attendee lists, but all must provide the ability for an attendee to request that their information not be published.
While we publish attendee lists only for the use of the participants of any given event, and for our own personnel involved with that event, you should note that we have no control over further forwarding of these lists once they are out of our hands. Thus, such lists may be used by participants for purposes other than those intended by us. Our intent is to allow you to collaborate with other participants.
You may choose whether or not to submit PII while using our services. In some cases, third party vendors require your PII in order to meet their obligations to us (such as in the case of hotel registration). In such cases, choosing to not disclose your PII to us may limit your ability to use any or all of our services.
We understand that many submissions for publication at our subactivities may be the work of more than one author. If you submit work for publication that is the work of more than one author, we assume that you are acting as an authorized agent for all authors of the submission in that you have their authorization to publish their PII, as may be contained in the submission you provide to us. Per professional publication (e.g., IEEE and ACM) standards, publications must be attributed to at least one author, generally with the organizational affiliation of the authors, as well as their contact information.
If you are the person submitting a work for publication, you are required, prior to your submitting any work for consideration for publication, to have obtained the correct name, affiliation, and contact information for all authors, and to have obtained their permission to have such information published in the proceedings (or other publicly distributed publication) of the subactivity, to include inclusion of such information in the digital library of the proceedings publisher, and other summarization and citation services as may manifest themselves on the Internet, as is generally accepted in the venue of academic and professional publication of articles similar to the material that you are submitting.
16. Data Integrity
We limit use of your PII to ways that are compatible with the purposes for which it was collected or subsequently authorized by you. Reasonable steps are taken to ensure that PII is retained only if it is relevant to our mission and that it is kept accurate, complete and current.
If you are aware that PII in our position is inaccurate or out of date, please let us know so that we may correct the information (or, for historical information, make a note that it is out of date). Additionally, please notify us if you want us to make a best-effort attempt to delete any PII we may have on you (we can’t always remove such information from sub-contractor systems, but we will pass on the request). Contact email@example.com to provide such notification.
17. Website Links
Our websites contain links to other websites. We are not responsible for the privacy practices or content of these websites.
18. Notification of Changes
We will periodically review and update this policy. Changes to this policy will be posted on the ACSA website.
Electronic and Postal Mailing Services:
Payment and Registration Services:
MX Merchant: https://mxmerchant.com/mx6/legal
Priority Payment Systems: https://www.pps.io/privacy/
Registration Systems Labs: adheres to ACM policy – https://www.acm.org/about-acm/privacy-policy
Program and Proceedings Services:
Amazon Web Services: https://aws.amazon.com/privacy/
ACSAC Conference Hotel:
2021-2022 – UT/AT&T Conference Center: https://meetattexas.com/privacy-policy
2018-2019 – Condado Hilton: https://hiltonhonors3.hilton.com/en/policy/global-privacy-statement/index.html