We have adopted, implemented and maintain an information security and privacy program that includes technical, organizational, administrative, and other security measures designed to protect, as required by applicable law, against reasonably anticipated or actual threats to the security of your personal information. Our Security Program was created with reference to recognized industry standards such as those published by the International Standards Organization and the National Institute of Standards and Technology. It includes, among many other things, procedures for assessing the need for and employing encryption and multi-factor authentication as appropriate, or using equivalent compensating controls. We therefore have every reason to believe our Security Program is reasonable and appropriate for our business and the nature of foreseeable risks to the personal information we collect. We further periodically review and update our Security Program, including as required by applicable law.
Despite the significant investment we’ve made in, and our commitment to, the Security Program including enforcement of third party oversight procedures, we cannot guarantee that your personal information, whether during transmission or while stored on our systems, otherwise in our care, or the care of our vendors and business partners, will be free from either failed or successful attempts at unauthorized access or that loss or accidental destruction will never occur. Except for our duty under applicable law to maintain the Security Program, we necessarily disclaim, to the maximum extent the law allows, any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information.
All that said, as part of our Security Program, we have specific incident response and management procedures that are activated whenever we become aware that your personal information was likely to have been compromised, including where our vendors and business partners are required under applicable law to notify us in the event of an incident adversely affecting personal information we provided to them has occurred. Those procedures include mechanisms to provide, when circumstances and/or our legal obligations warrant, notice to all affected data subjects within the timeframes required by law, as well as to give them such other mitigation and protection services (such as the credit monitoring and identity theft insurance) as may be required by applicable law.