Ardent (“Ardent“) operates Ardentgo.com and may operate other websites. It is Ardent policy to respect your privacy regarding any information we may collect while operating our websites.
Like most website operators, Ardent collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Ardent purpose in collecting non-personally identifying information is to better understand how Ardent visitors use its website. From time to time, Ardent may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.
Ardent also collects potentially personally-identifying information like Internet Protocol (IP) addresses for logged in users and for users leaving comments on Ardentgo.com blogs/sites. Ardent only discloses logged in user and commenter IP addresses under the same circumstances that it uses and discloses personally-identifying information as described below, except that commenter IP addresses and email addresses are visible and disclosed to the administrators of the blog/site where the comment was left.
Gathering of Personally-Identifying Information
Certain visitors to Ardent websites choose to interact with Ardent in ways that require Ardent to gather personally-identifying information. The amount and type of information that Ardent gathers depends on the nature of the interaction. For example, we ask visitors who sign up at Ardentgo.com to provide a username and email address. In each case, Ardent collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Ardent. Ardent does not disclose personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.
Ardent may collect statistics about the behavior of visitors to its websites. Ardent may display this information publicly or provide it to others. However, Ardent does not disclose personally-identifying information other than as described below.
Protection of Certain Personally-Identifying Information
Ardent discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on Ardent behalf or to provide services available at Ardent websites, and (ii) that have agreed not to disclose it to others. Some of those employees, contractors and affiliated organizations may be located outside of your home country; by using Ardent websites, you consent to the transfer of such information to them. Ardent will not rent or sell potentially personally-identifying and personally-identifying information to anyone. Other than to its employees, contractors and affiliated organizations, as described above, Ardent discloses potentially personally-identifying and personally-identifying information only in response to a subpoena, court order or other governmental request, or when Ardent believes in good faith that disclosure is reasonably necessary to protect the property or rights of Ardent, third parties or the public at large. If you are a registered user of an Ardent website and have supplied your email address, Ardent may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what’s going on with Ardent and our products. If you send us a request (for example via email or via one of our feedback mechanisms), we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users. Ardent takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.
Data Breach Notification Policy
Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information. Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified using information that is linked or linkable to said individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other information to identify a specific individual, could be used to identify an individual (e.g. SSNs, name, DOB, home address, home email).
A breach is an unauthorized disclosure, unauthorized acquisition, unauthorized access, and/or any similar occurrence where a person other than an authorized user accesses PII or an authorized user accesses PII for other than an authorized purpose.
Ardent protects the information entrusted to it. Essent representatives undergo security and privacy training prior to obtaining access to information and annually to ensure individuals are up-to-date on the proper handling of PII. Failure to complete required training results in denial of access to information.
Users and Systems are tested annually to determine their incident response capability and incident response effectiveness. Ardent meets annually for a tabletop exercise, designed to test the breach response procedure and to help ensure members of the Response Team are familiar with the plan and understand their specific roles.
Ardent employees and contractors with access to data and information systems must report all concerns, suspected breeches, or confirmed breaches. Core event information must be collected and reported: date of the incident, location of the incident, breached data, nature of the breach (loss of control, compromise, unauthorized access or use, other), and the suspected number of impacted individuals, if known.
A breach involving personally identifiable information (PII) in electronic or physical form must be reported to the Executive Vice President within one hour of discovering the incident, who in turn must report it to the President. In terms of reporting, there should be no distinction between suspected and confirmed PII breach incidents.
A Response Team will be formed to determine the level of risk to the impacted individuals with the appropriate remedy and form a Breach Response Plan.
The Response Team will respond to all breaches and will perform an initial assessment of the risk of harm to individuals potentially affected.
This team will analyze reported breaches to determine whether a breach occurred, the scope of the information breached, the potential impact the breached information may have on individuals and on Ardent.
This team consists of the manager of the area experiencing or responsible for the breach, the head of development, the head of systems, and the Executive Vice President.
Within the confines of the law, notification may be delayed if a notification would potentially cause harm, including further breaches. Notification to affected parties may not occur or may be delayed if a national security or law enforcement agency determines that the notification will impede a criminal investigation.
Determination of Notification to Impacted Parties
The Response Team will determine whether notification is necessary for all breaches under their purview. To determine whether notification of a breach is necessary, the respective team will determine the scope of the breach, to include the types of information exposed, the number of people impacted, and whether the information could potentially be used for identity theft. The team will also assess the likely risk of harm caused by the breach. Finally, the team will assess the level of risk and consider a wide range of harms that include harm to reputation and potential risk of harassment, especially when personal records such as health or financial records are involved.
Communication to Impacted Parties
In the event the decision to notify is made, every effort will be made to notify impacted parties as soon as possible unless otherwise precluded above. Notification shall contain details about the breach, including what information was compromised and whether credit monitoring will be offered. Initial notification shall be completed without undue delay from the time the incident was determined to be a breach.
Breach Response Plan Reviews
At the end of each fiscal year, Ardent will review reports, if any, from the Response Team detailing the status of each breach reported during the fiscal year and consider whether it is necessary to take any action, which may include but is not limited to:
Developing or revising documentation
Updating the Data Breach Notification Policy
Updating the Data Breach Response Plan
Revising existing and/or implementing new policies to protect PII holdings
Modifying information sharing arrangements
Changes to this Data Breach Notification Policy
Ardent may update this Data Breach Notification Policy. We will post any changes to our Policy so that you are always aware of the information within it.