Privacy Policy
We hope that reading this Privacy Policy gives you a clear idea of how we manage information about you.


CRICO refers to a group of companies (and their respective divisions) owned by and serving the Harvard medical institutions and their affiliates. The CRICO group of companies includes: Controlled Risk Insurance Company of Vermont, Inc. (A Risk Retention Group) ("CRICO VT"), Controlled Risk Insurance Company, Ltd. ("CRICO LTD"), and The Risk Management Foundation of the Harvard Medical Institutions Incorporated ("RMF"), (together and hereafter in this Privacy Policy, “CRICO”, “we”, or “us”).

CRICO operates to provide information on our companies, our services, and other content related to the medical malpractice industry and patient safety initiatives. The privacy of your information collected and provided to CRICO is important to us. We want you to feel as comfortable as possible visiting CRICO’s website, using CRICO’s Guest Wireless Network, or using our services. This Privacy Policy is intended to inform you on the following:

  • who collects information,
  • what information is collected, how this is done, and where the information is stored,
  • how CRICO uses and discloses the information that is collected,
  • your rights to view and correct information submitted voluntarily to CRICO,
  • what security procedures we use to protect your information,
  • how the interactive areas of CRICO operate,
  • how we comply with the Children’s Online Privacy Protection Act, and
  • where you can get questions answered about this Privacy Policy.

We hope that reading this Privacy Policy gives you a clear idea of how we manage information about you. By using the CRICO website and/or Guest Wireless Network you acknowledge that you have reviewed and accept the terms of this Privacy Policy and the Terms of Use for all CRICO websites & Guest Wireless Network (“Terms of Use;” together the “Policies”) and you explicitly grant CRICO permission to collect, use, and process your information in the manner set forth in the Policies. If you have any questions regarding the Policies, please contact Coale Parker, General Counsel, the Risk Management Foundation of The Harvard Medical Institutions Incorporated at [email protected].


“Aggregate Information” 
means anonymous, aggregated information where an individual cannot be identified as the source of the information. As a website gathers individual pieces of Non-Personal Information from its users, it may combine similar data from many or all of the users of the website into one big “batch.” For example, the site may add up the total number of users in Peoria, Illinois, (but not their names) who are seeking information about medical malpractice insurance and compare that to the number of people in Petaluma, California seeking the same information.

This sort of statistical information is called Aggregate Information because it reflects the habits and characteristics of a large group of anonymous people. Websites may use Aggregate Information or share it with business partners so that the information and services they provide best meet the needs of the users. Aggregate Information also helps advertisers and sponsors on the Web know how effectively they are reaching and meeting the needs of their target audience. 

“Browser” 
short for web browser, means a software application used to locate and display pages of the Internet. 

“Click Stream Information” 
is a record of all the pages you have visited during your visit to a particular website or the services you have accessed from the site or from an email. Click Stream Information is associated with your Browser and not with you personally. It records the archives of your Browser.

“Cookie” 
means a small data file that is stored on the hard drive of the computer you use to view a website. Cookies are placed by that site or by a third party with a presence on the site, such as an advertiser using a Web Beacon, and are accessible only by the party or site that placed the Cookie on the computer (i.e., a Cookie placed on your computer by CRICO is not accessed by any other site you visit, but a Cookie placed on your computer by an advertiser may be accessed by any site on which that same advertiser has a presence). Cookies can contain pieces of Personally Identifiable Information. CRICO encrypts any PII it stores in its Cookies. These Cookies often are used to make the site easier to use. For example, if you check a box to ask that we store your user name on your computer so that you don’t have to enter it each time you visit the site, it’s stored in a Cookie on your computer.

“Encryption” 
is the translation of data into a secret code. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. This is typically done by so-called “secure computer systems.” 

“Firewall” 
is a system designed to prevent unauthorized access to or from a public or private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized users from accessing private portions of public networks. All messages entering or leaving the network pass through the Firewall, which examines each message and blocks those that do not meet specified security criteria.

“Guest Wireless Network” 
is a CRICO operated Wireless Network that is offered to Guests invited to CRICO’s offices or other facilities. A CRICO Guest Wireless Network may be accessed by a Guest who authenticates using a one-time code, sent through SMS or by using a permitted social media authentication mechanism, such as LinkedIn. Use of this network requires the guest to provide accurate “Registration Data,” as detailed in the Terms of Use. The CRICO Guest Wireless Network shall be referred to as the “Wireless Network” herein.

“Non-Personal Information”  or “NPI” 
 is information that is not traceable back to any individual and cannot be used to identify an individual. For example, Click Stream Information is Non-Personal Information, as is information such as gender, age, city, and physical location, when not linked with other Personally Identifiable Information. 

“Password” 
is a secret series of characters, typically alphanumeric (meaning it consists of both letters and numbers) that enables a user to access a file, computer, or program. The user must enter its, his, or her Password before the computer or system will respond to commands. The Password helps ensure that unauthorized users do not access the system. In addition, data files and programs may require a Password.

Ideally, the Password should be something that nobody could guess. In practice, many people choose a Password that is easy to remember, such as their name or their initials. This is one reason it is relatively easy to break into many computer systems. 

“Personally Identifiable Information”  or “PII” 
is information by which an individual may be personally identified (in contrast to Non-Personal Information and Aggregate Information). Examples of PII include your name, home address, telephone number, email address, and Social Security number. 

“Server” 
is a computer that provides services to other computers. A “web server” stores website files and “serves” them to people who request them.

“Secure Sockets Layer”  or “SSL” 
 is a security protocol for transmitting private information via the Internet. SSL works by using a private key to encrypt data that’s transferred over the SSL connection. Many websites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that utilize an SSL connection start with https: instead of http:. 

“Username” 
is a name used to gain access to a computer system or program. Usernames, and often Passwords, are required in shared systems, such as the Internet. In most such systems, users can choose their own Usernames and Passwords. 

“Web Beacons” 
are tiny graphic image files, embedded in a web page in GIF, jpeg, or HTML format, that provide a presence on the web page and send back to its home server (which can belong to the host site, a network advertiser, or some other third party) information from the users’ Browser, such as the IP address, the URL of the page on which the beacon is located, the type of Browser that is accessing the site, and the ID number of any Cookies on the users’ computer previously placed by that Server. Web Beacons can also be used to place a Cookie on the users’ Browser.

Certain General Principles, Terms, and Disclaimers

This Privacy Policy applies to the websites of CRICO, including, without limitation, the CRICO website; and the Candello website, (collectively, the “Website”).

This Privacy Policy does not supersede the Terms of Use that governs your use of the Website and the Wireless Network. Any conflict between the two shall be determined in favor of the Terms of Use. CRICO may change this Privacy Policy at any time and any changes will be effective immediately upon posting to this Website, so please check back regularly to ensure you read and understand our current privacy policies.

Keeping your information secure is a priority for CRICO. Consequently our privacy standards are designed to, on a commercially reasonable basis:

  • collect and use only information we reasonably determine to be necessary for us to deliver high quality service to users, to administer our business, to improve our business or services, and to let you know of products and services that are available from CRICO,
  • protect the information our visitors share with us, maintaining industry standards of security and confidentiality,
  • require any other organization that we retain or engage to provide support services to us to conform to our privacy standards or, at minimum, assert that it will maintain the reasonable standard of care for security and confidentiality, and
  • keep visitor files, if any, complete, up to date, and accurate.

Some features on the Website may require you to register as a user and to receive our authorization before you can use those particular features. Whether you are an individual or a corporation, partnership, or other form of entity, in order for you to obtain our authorization to use those features and to be considered a registered user, you may be required to provide us with certain information about you or your business and, if a business, any or all individuals you designate to represent that business in connection with your use of the Website (e.g., names, addresses, email addresses, telephone numbers, and other Personally Identifiable Information of each individual who will use the Website). Once we have authorized you as a registered user, we may provide you with a customer identification number and you will select a unique Username and Password. Generally, you will be able to change your Password and any Personally Identifiable Information you have given us in order to protect the security of your Password and reflect updates to your information. If you are a designated representative of a business, keep in mind that a properly authorized representative of that business may revoke your status and, if we are notified of this revocation, CRICO will immediately terminate your right to use the Website as a registered user representing that business. Please note that submitting information to us is not a guarantee or assurance that we will grant authorization to you or permit you, or anyone you designate, to use any or all of the services of the Website. If for any reason you are not granted authorization we will retain the information you submit to us only in order to communicate with you regarding your application; we may, however, request additional or follow-up information for audit purposes or as may be required by law or regulation.

If you are submitting Personally Identifiable Information on behalf of others in your family, business or other organization for registration purposes or otherwise, you represent and warrant that you have their permission, agreement and full authorization to provide this information to us. We reserve the right (a) to ask you to provide evidence of your authority at any time during, or even after, the submission process and (b) to contact those individuals to confirm your authority at any time. If we determine that your authority has not been properly obtained, we may immediately and without notice to you discontinue your authorized use of those features of the Website for which you have registered.

Who Collects Information Through the Website

Subject to this Privacy Policy, the Terms of Use, and any other rules or policies applicable to the Website, CRICO collects and is the sole owner of information collected through the Website.

CRICO has provided links to other web sites to provide those who use the Website with a better, more fulfilling experience. Once you enter another website (whether through an advertisement, service, or content link), be aware that CRICO is not responsible for the privacy practices of such other sites (see also Section 10 of the Terms of Use). We encourage you to look for and review the privacy statements of each and every web site that you visit through a link or sponsorship notice.

Information We Collect and How it is Used

If you use the Website without registering, we will only collect anonymous Non-Personal Information about you through the use of Cookies and other technical means (described in more detail in this Privacy Policy). If you choose to register with the Website to use interactive or other specific services, we require you to submit Personally Identifiable Information. By registering with the Website you acknowledge that you have reviewed this Privacy Policy and the Terms of Use and agree that CRICO may use your Non-Personal Information and Personally Identifiable Information for any purpose detailed herein. While you may use some of the functionality of the Website without registration, certain specific tools and services on the Website require registration and your submission of PII.

The following list provides examples of how we may use your Non-Personal Information and Personally Identifiable Information.

  • To display content we think may be of interest to you and others and otherwise help us customize what you see when you visit the Website.
  • To solicit user feedback to assess user-satisfaction or other needs and interests.
  • To help us in creating new tools, features, and services.
  • To provide you with notice of new features or other changes relating to the Website or Wireless Network.
  • To contact you with regard to any registration you may have with the Website or Wireless Network.
  • To confirm or fulfill an order you have made through the Website.
  • To send you material on behalf of our partners.
  • To assess and monitor usage of the Website or Wireless Network and specific features or services.
  • To monitor compliance with the Terms of Use, this Privacy Policy, and any other rules, agreements, or policies governing your use of the Website.

How we collect NPI.

We collect Non-Personal Information about your use of the Website or Wireless Network through our use of Cookies and through other technical means (e.g., Click Stream Information such as log files, Web Beacons, etc.). We encourage you to research online resources and learn about not only Cookies, but also the other technical means through which information about you may be collected through websites you visit. Your Browser software can be set to reject all Cookies. A “help” section of most Browsers’ toolbar usually offers instructions on how to reset the Browser to reject Cookies. If you reject our Cookies, certain of the functions and conveniences of the Website may not work properly, but we believe you do not have to accept our Cookies in order to productively use the Website.

Anonymous nature of NPI; linking of NPI and PII.

Generally, the NPI we collect about you is attached to arbitrary, anonymous system names that are assigned to visitors when they enter the Website. Please note, however, that during the registration process, or at other times during your use of the Website, we may ask for your permission to link your NPI with your PII.

Examples of how we may use NPI.

The anonymous NPI we obtain from you is generally used to render, administer, and improve the Website, our services, and our business. We may use NPI to do any of the following (please note that this list is not exhaustive, only representative and provided only to assist you in understanding how we might use the NPI we collect).

  • To help dynamically generate content on web pages or in newsletters.
  • To statistically monitor how many people are using the Website.
  • To track generic user behavior (see, for example, the definition of “Click Stream Information”).
  • To monitor how many people open our emails.
  • To help us evaluate the purpose for which our users undertake certain activities, including those listed immediately above.
  • To determine the popularity of certain content.
  • To facilitate users’ log-in and navigation and as session timers.
  • To restrict underage use of our services.

Disclosure of Aggregate Information. CRICO may provide Aggregate Information to third parties. For example, we might inform third parties regarding the number of users of the Website and the activities they conduct while on the Website. We require parties with whom we share Aggregate Information to agree that they will not attempt to make this information Personally Identifiable Information, such as by combining it with other databases.

How we collect PII. The PII that we collect and store generally consists of information gathered when you register with the Website for specific services and/or when you update any registration or profile information, but may also include other data input, forms, and information you provide to us whether electronically, by phone, by telecopier, in writing, in person, or by any other means.

How we use PII. We use PII, and any data, personal or otherwise, that you provide and which may be saved on the Website, to provide our products and services and in any manner that you otherwise consent to. In addition to the ways in which we may use Non-Personal Information, examples of the ways in which we may use PII include, but are not limited to: responding to your questions, providing to you the services you select, contacting you regarding CRICO events or other news, advising you of products or services that may be available through CRICO, sending you emails about website maintenance and updates, contacting you as needed to address a suspected violation of the Terms of Use, this Privacy Policy, or any other rules or policies applicable to the Website, informing you of significant changes to this Privacy Policy, and otherwise rendering, administering, and improving the Website, our services, and our business. We may also use PII to contact users regarding other corporate opportunities. CRICO does not provide any of your PII to third parties without your permission or sell or market your PII to unaffiliated organizations.

If you are registered to use particular services, you acknowledge and also consent to our tracking activities and use of the Website under your Username in connection with those services (e.g., in order to maintain quality control and contact you concerning your transactions or subscriptions, should it be necessary or appropriate to do so).

Our (a) use of your PII and (b) handling of any email sent to us by you through the Website (with regard to communications from clients and the public), will in each case be in a manner consistent with the Terms of Use, this Privacy Policy, any other rules or policies applicable to this Website, and all applicable laws, rules, and regulations.

Disclosure of Your Personally Identifiable Information

CRICO will not disclose your Personally Identifiable Information to any third party other than: (a) at your request or with your consent, (b) to outsource one or more of our internal functions, products, or services, or (c) to private entities and law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate (i) to investigate or resolve possible problems or inquiries, (ii) to protect our own business and assets, or (iii) in special cases, such as a physical threat to you or others.

Despite CRICO’s efforts to protect your PII, there is always some risk that an unauthorized third party may find a way around our security systems or that transmissions of information over the Internet will be intercepted. CRICO is not responsible or liable for any loss or damage of any sort arising from or relating to any breach of our security or interception of your transmissions (see Terms of Use).

Your Rights to View and Correct Information Submitted Voluntarily

In most cases, the tools that collect and store Personally Identifiable Information allow you to correct, update or review that information (and any preferences) by logging-in to the specific service and making the desired changes to your registration information. In most cases you may also withdraw your registration by sending us an email at [email protected]. If you withdraw a registration with the Website your PII may not be deleted from our records and we may use that data for internal purposes.

What Security Procedures We Use to Protect Your Information

Access to data and technology relating to user information is Password protected and limited to authorized personnel. In addition, CRICO uses industry standard technology to keep users’ information secure while residing on CRICO’s Servers.

Listed below are some of the security procedures that CRICO uses to protect your privacy:

  • Requires both a personal username and a password for users to access their Personally Identifiable Information.
  • Uses firewalls to protect information held in our servers.
  • Utilizes Secure Socket Layer (SSL) encryption in transmitting PII to our servers. To take advantage of encryption technology, you must have an Internet browser which supports 128-bit encryption.
  • Closely monitors the limited number of CRICO employees who have access to your PII.
  • Requires all CRICO employees to abide by our Privacy Policy and be subject to disciplinary action if they violate it.
  • Backs up our systems to protect the integrity of your PII.

How the Interactive Areas of the Website Operate

As a service to our users, the Website may feature message boards, chat rooms, and/or other public forums where users with similar interests can share information and support one another or where users can post questions for others to answer. We may also offer online discussions moderated by topical experts.

In addition, you may choose to use certain interactive content, tools, and services that ask you to voluntarily provide information about yourself. Some of these tools (like certain quizzes or calculators) do not retain information, while others may store information in accordance with the authorization you provide at the time you use the service or tool. Please be aware of this fact.

Any chat room, message board, or similar interactive service is by design open to the public and is not a private, secure service, and CRICO is not responsible for the privacy of information voluntarily provided by a user in interactive areas. You should think carefully before disclosing any Personally Identifiable Information in any public forum because what you have written may be seen, disclosed to, or collected by third parties and may be used by others in ways we are unable to control or predict, including to contact you for purposes unauthorized by you.

How we Comply with the Children’s Online Privacy Protection Act

Our Website is not intended for children under 13 years of age. We are a general audience website, and do not direct any of our content or knowingly market our products or services to children under the age of 13. Additionally, we do not knowingly collect Personally Identifiable Information from children under 13. If you are under 13, do not use or provide any information on this Website on or through any of its features. If we learn we have collected or received Personally Identifiable Information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at [email protected].

Where You Can Get Questions Answered About the CRICO Privacy Policy

If you have any questions or comments regarding this Privacy Policy, please contact: [email protected]. If you do not receive adequate resolution of a privacy related problem, you may write to CRICO at: Privacy Officer, The Risk Management Foundation of the Harvard Medical Institutions Incorporated, 1325 Boylston Street, Boston, MA 02215.
