Global Hyatt Corporation Policy for the Use of Information Technology Resources
1. Introduction
2. Purpose of the Policy
3. Authorized Users and System Access
4. Privacy
5. Specific Prohibited Activities
6. User Names and Passwords
7. Security
8. Mobile Device Security
9. Laptop Security
10. Portable Storage and Memory Security
11. Viruses
12. Encryption Software
13. Electronic Mail Use Policy
14. Managing SPAM
15. Internet Use Policy
16. Miscellaneous
17. Violations of the Policy
18. Acknowledgment and Consent
Exhibit A – Designated Authorities for Corporate Data
Exhibit B – General Email Etiquette
May 2006 Global Hyatt Corporation
1. Introduction
To remain competitive and to better serve our customers, Global Hyatt Corporation and its subsidiaries provide our employees and the employees of our hotels access to various forms of Information Technology Resources. When used properly, these resources can greatly enhance our ability to do business more efficiently and effectively. Along with the power of these tools comes the significant responsibility for their proper use. Accordingly, the Global Hyatt Corporation Policy for the Use of Information Technology Resources (the “Policy”) is set forth below.
For the purposes of the Policy, the term “Information Technology Resources” or “IT Resources” means and includes, without limitation, all host computers, file servers, application servers, communication servers, mail servers, fax servers, Web servers, computers, standalone computers, laptops, software, printers, copiers, kiosks, mobile telephones, portable memory devices, handheld devices and PDAs (e.g., BlackBerry), point of sale workstations, data files and all internal and external computer and communications networks (e.g., the Internet, commercial online services, value-added networks and E-Mail systems that may be accessed directly or indirectly from our computer network).
For a detailed list of the IT Resources, or any questions regarding the application of this Policy, please contact your local Information Technology Department. If you are working in a hotel or office without a local Information Technology Department, you should interpret any reference in this Policy to “your local Information Technology Department” to mean the Information Technology Department at the Corporate Office.
The Policy is intended to apply to all employees (including temporary employees, if applicable), independent contractors and agents of Global Hyatt Corporation (“Hyatt”), its affiliates and subsidiaries and the offices and hotels that use or are connected to the IT Resources (those affiliates, subsidiaries, offices and hotels are sometimes collectively referred to herein as “Connected Entities” and individually as a “Connected Entity”) and other approved computer users (those employees, independent contractors, agents and approved computer users are sometimes collectively referred to herein as “Users” and individually as a “User”).
Please read the Policy carefully and sign the attached Acknowledgment and Consent form. Please return the signed Acknowledgement and Consent form to your local Human Resources Department. Questions regarding the interpretation and administration of the Policy should be directed to the Corporate Office Information Technology Department.
2. Purpose of the Policy
Hyatt and the Connected Entities have committed a significant amount of capital to acquiring and maintaining the IT Resources in order to assist you and your colleagues in doing your jobs quickly and professionally. The Policy has been created to ensure that all Users understand the rights, responsibilities and dangers of using these powerful business tools.
The policies and procedures described in this Policy are mandatory and apply to all Users of the IT Resources, wherever they may be located. This Policy embodies rules and obligations that are essential to protecting the reputation, goodwill, property and personnel of Hyatt and the Connected Entities from the very real risks created by use or misuse of the IT Resources. Violations of this Policy can also expose Hyatt, the Connected Entities and their respective officers, directors and employees to civil and criminal liability. Therefore, violations of this Policy will be taken very seriously and may result in disciplinary action (up to and including the termination of your employment) and civil and criminal prosecution.
The Policy is intended to supplement, not replace, the other policies of Hyatt and the Connected Entities. If you find a conflict among the various policies, please bring it to the attention (or ask your Department Head to bring it to the attention) of the Human Resources or Legal Departments at the Corporate Office.
Technology tools will continue to grow and evolve over time, as will the use of them and the other IT Resources by Hyatt and the Connected Entities. These policies and guidelines are subject to change to reflect these new developments.
If you have any thoughts, concerns or ideas about how Hyatt and the Connected Entities might make better use of this technology or how these policies and guidelines may better address the realities of working with the IT Resources, please do not hesitate to bring them to the attention of your local Information Technology Department.
3. Authorized Users and System Access
Approved Use of the IT Resources. The IT Resources are the property of Hyatt and/or the Connected Entities and may only be used for approved purposes. The IT Resources are for use by authorized Users in the performance of their jobs. However, occasional, limited, appropriate personal use of specified IT Resources (i.e., personal computers, E-Mail and the Internet) will be permitted when, in the sole and exclusive judgment of Hyatt and/or the Connected Entities (as applicable), the permitted use does not: (1) interfere with the User’s work performance; (2) interfere with any other User’s work performance; (3) have undue impact on the operation of the IT Resources; or (4) violate any other provision of this Policy or any other policy, guideline or standard of Hyatt and/or the Connected Entities (as applicable). Users have the responsibility to use the IT Resources in a professional, ethical and lawful manner at all times.
Authorized Users Only. Users must ensure that only employees of Hyatt and the Connected Entities and their authorized independent contractors, consultants, temporary workers (if applicable) and other persons who have read and signed the attached Acknowledgment and Consent form are using or have access to the IT Resources.
No Visitor or Guest Access Permitted. Visitors should not be permitted to use or access any IT Resource (other than Internet access or computer stations specifically designated for use by visitors) without the knowledge of the local Information Technology Department and without first executing the Policy. If you suspect that an unauthorized user has access to the Information Technology, report it immediately to your Department Head or your local Information Technology Department.
4. Privacy
Hyatt and its Connected Entities reserve the right to enter, access, search and monitor the computer, computer files and E-Mail messages and files of any User and all other aspects of their use of the IT Resources in order to monitor the User’s compliance with the Policy and otherwise in furtherance of the legitimate business interests (e.g., monitoring work flow and productivity) of Hyatt and the Connected Entities without further notice to the User, including, without limitation, monitoring sites visited by a User on the Internet, monitoring chat groups and newsgroups and reviewing material downloaded from or uploaded to the Internet by the User. Any evidence of violations of this Policy or any other policies of Hyatt and/or the Connected Entities discovered in the course of such search and monitoring will be reported to your local Information Technology and Human Resources Departments.
No Expectation of Privacy. Users are given access to the IT Resources to assist them in the performance of their duties. Notwithstanding anything to the contrary set forth in this Policy, Users should not have any expectation of privacy with respect to anything they create, store, access, send, receive or do using the IT Resources, irrespective of whether they do so for business or personal use.
Passwords Do Not Imply Privacy. The use of unique User Names in combination with corresponding passwords to restrict access to a computer, network, file or message should not be interpreted by a User as creating an expectation of privacy in the material they create, store, access, send, receive or do using the IT Resources. Authorized personnel at Hyatt and the Connected Entities have access rights that permit them to access all material that Users create, access, store, send, receive and otherwise do using the IT Resources, regardless of whether such materials have been saved to a file folder or a directory that is otherwise used exclusively by a particular User.
Automated Monitoring. Except where prohibited by applicable law, Hyatt and/or its Connected Entities may use automated software to monitor material created, accessed, stored, sent or received using the IT Resources and other information concerning a User’s use of the IT Resources.
5. Specific Prohibited Activities
Inappropriate or Unlawful Material. Material that is fraudulent, harassing, sexually explicit, profane, obscene, defamatory, racist, sexist, or otherwise unlawful or inappropriate may not be sent by E-Mail or other form of electronic communication (such as bulletin board systems, newsgroups, chat groups) or accessed using or displayed on or stored using the IT Resources. Users encountering or receiving this kind of material should immediately report the incident to their Department Head or local Human Resources Department. Users who send, receive, access, store or display prohibited materials will be subject to immediate discipline, up to and including termination of employment.
Prohibited Uses. Without prior written permission from your Department Head, the IT Resources may not be used for dissemination or storage of commercial or personal advertisements, solicitations, promotions, destructive programs (e.g., viruses or self-replicating code), religious, social, political material or any other unauthorized use.
Waste or Inappropriate Use of IT Resources. Users are prohibited from performing acts that waste or inappropriately use IT Resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the Internet, downloading streaming video or audio, playing games, engaging in online chat groups, using printers to make multiple copies of documents when the use of copy machines would be more appropriate or otherwise creating unnecessary network traffic.
Mass Marketing E-Mail. Users are prohibited from using the company E-Mail system for the purposes of sending out mass E-Mail communications for marketing campaigns. Third-party systems are available to effectively manage E-Mail communications for marketing purposes.
Large File Transfers. Users should schedule communications-intensive activities such as large file transfers, mass E-Mailings, and streaming audio or video for off peak times (that is, before 9:00 a.m. and after 5:00 p.m., Monday through Friday). Because audio, video, MP3 and picture files require significant storage space and carry the risk of claims of copyright infringement, files of this sort should not be downloaded unless they are business-related. All files that are downloaded must be scanned for viruses and other destructive programs.
Misuse of Software. Users are prohibited from doing any of the following without the prior written authorization from your local Information Technology Department: (1) copying software for use on their home or personal computers; (2) providing copies of software to independent contractors or other third parties; (3) installing software on any laptops, desktops, or servers belonging to Hyatt or a Connected Entity; (4) downloading software from the Internet or other online service to any of the workstations or servers belonging to Hyatt or a Connected Entity; (5) modifying or changing software in any way; or (6) reverse-engineering, disassembling or decompiling software. Users who become aware of any misuse of software or violation of applicable copyright laws should immediately report the incident to their Department Head or to their local Information Technology or Human Resources Department.
Personal Software and Screen Savers. Users are prohibited from installing or having software (e.g., applications, Screen Savers, etc.) that is not part of the defined list of software approved by their local Information Technology Department installed on IT Resources without prior written authorization from their local Information Technology Department. Similarly, Users are prohibited from displaying Screen Savers on their workstations or laptop computers that are not part of the Windows Operating System or that have not been provided by Hyatt or a Connected Entity without obtaining prior written authorization from their local Information Technology Department. Your local Information Technology Department will conduct regular system software audits and any unauthorized software application or Screen Saver found will be immediately removed.
Access to Corporate Data. Users are prohibited from accessing, modifying, adding to or deleting Corporate Data from outside the security and auditing controls of the application(s) or system(s) that maintains the data without the prior written approval of the individual or category of individuals designated on Exhibit A to this Policy for that type of Corporate Data. For the purposes of this Policy, the term “Corporate Data” shall mean any and all business records belonging to Hyatt or a Connected Entity concerning their past, present or future financial performance, customers and sources of business (including without limitation individual guests, groups, corporate accounts, travel agencies and agents) or employees that are created and maintained in an electronic format in a centralized database with restricted access, including, without limitation, any data maintained in the following types of systems or databases: central reservations systems (e.g., RESERVE, Voyager), loyalty program databases (e.g., the Gold Passport database and related applications), property management systems (e.g., Fidelio, HyAdvantage, MSI, Encore), sales and catering systems and databases (e.g., Envision, HYMARK, SCA, Delphi), finance and accounting systems (e.g., Oracle, JD Edwards, Hyperion, Scala, MSI), Point of Sale systems (e.g., Micros, InfoGenesis, MSI), human resource databases (e.g., PeopleSoft), payroll systems (e.g., ADP), data extracts to third-party data processors (e.g., Gold Passport, travel agency commissions, Smith Travel Research) and guest service delivery and escalation systems (e.g., Hotel Expert, eConcierge, OpenTable).
Copies of Corporate Data. Users are prohibited from maintaining copies of Corporate Data (in any form) on their local computers, laptop computers, portable memory devices, or personally owned computers and/or portable memory devices without the prior written approval of the individual or category of individuals designated on Exhibit A to this Policy for that type of Corporate Data. In the event a User obtains written approval to copy Corporate Data onto his or her company issued local computer, laptop computer or portable memory device, that Corporate Data must be deleted from the applicable IT Resource immediately after the completion of the approved use.
Creation and Maintenance of “Intranets” and Web Servers. Users are prohibited from establishing intranets or web servers for use within their office or hotel without permission and oversight from the Information Technology Department of the Corporate Office. Unauthorized web sites are a significant security risk for Hyatt and the Connected Entities. They also run the risk of degrading the performance of, and increasing the maintenance costs associated with, other IT Resources.
6. User Names and Passwords
User Names and Passwords are the rudimentary components of security for applications and systems within our environment. They are the first level of access control that we employ to help prevent unauthorized access to sensitive personal and financial data and generally serve two purposes. First, they prevent unauthorized individuals from accessing a computer or a particular file. Second, they link activities conducted on the computer with a particular User.
Unique User Names. No User will be given access to any IT Resource without first being assigned a unique User Name and a temporary Password (which must then be reset by the User) from their local Information Technology Department that clearly identifies them while connected to an IT Resource. Users are prohibited from sharing User Names and Passwords. Except where authorized by the Information Technology Department of the Corporate Office, the use of generic User Names or Passwords (i.e. training, concierge, hyatt) to access IT Resources is expressly prohibited.
Select Complex Passwords. Passwords should be obscure and a minimum of eight characters in length. For best security, passwords must be complex, meaning that they must include characters from three of the following four categories:
• English UPPER case characters (e.g., A..Z)
• English lower case characters (e.g., a..z)
• Base digits (e.g., 0..9)
• Non-Alphanumeric Special Characters (e.g., “@”, “!”, “&”, “^”, “%”)
For example, you may want to consider substituting non-alphanumeric characters for English characters to create strong passwords. The password “HyattHotels” could become “Hy@ttH0tel$”; or a phrase such as “Golden Rings” could be transformed to “g0ld3n+r1n6s”. You should never use a word related to your employer, department name, location, or specific terms or names used in your department. You should never use common sequences of numbers such as 12345678, the names of family members, children, or pets. You should never use any information that may be personally identifiable to you, such as your name, telephone number, your date of birth, your automobile license plate number or your address.
Password Upkeep. All passwords must be changed every sixty (60) days. Where available, this will be enabled as an automated process controlled at the system level. The applications or the servers will notify you when it is time to change your password. Where automated password renewal is not available, the Users are required to manually change their passwords within the systems and applications for which they have access in order to be compliant with this policy. Users who do not change their passwords within the time prescribed may be automatically locked out of the system. Users are prohibited from creating automated means of entering User Names and Passwords in order to log into IT Resources (i.e., through the use of electronic scripts, shortcut buttons, etc.).
Divulging Passwords. Users are responsible for keeping their passwords secure. Passwords should never be given out to anyone. Users that need to provide their supervisors, subordinates or colleagues with access to their computers or other IT Resources should ask their local Information Technology Department to grant temporary or permanent (as appropriate) access rights to the individual(s) requiring the access rather than simply giving them the User’s password. For example, Users that want their administrative assistants to have access to the files stored on their computer, network user directory or E-Mail database should send a written request to their local Information Technology Department requesting that their assistant be given such access. Users should even refrain from disclosing their passwords to members of the Information Technology Department, who should never need to know your password. A common ploy for someone trying to break into a computer system is for the would-be hacker to contact a user, introduce him or herself as an employee of the company and request the user’s password in order to check out the system. If anyone asks for your password, refuse to give it and immediately report the incident to your local Information Technology Department. If you suspect that your password has been discovered, you should immediately change your password and report your suspicions to your local Information Technology Department.
Responsibility for Passwords. Users are responsible for safeguarding their passwords for access to the IT Resources. Individual passwords should not be written down and left where other people can find them. Users are responsible for all transactions made using their passwords. No User may access the IT Resources with another User’s password or account.
Password Reset Requests. Requests for password resets for IT Resources should be directed to your local Information Technology Department. The Information Technology Department may require the User to provide the secret word (e.g. father’s middle name, favorite color) that was indicated by the User when access to IT Resources was requested. The Information Technology Department will only reset the password when the correct secret word is provided.
7. Security
The security of the IT Resources is everybody’s responsibility. No matter how much technology is put into making the IT Resources secure, it will not work without the cooperation and vigilance of all Users. Users should immediately notify their Department Head or the Corporate Information Technology Department if they become aware of any attempts to damage, interrupt or improperly alter, inhibit, access, copy or transmit any IT Resources and/or related data files.
Use of Access Rights for Snooping or Other Unauthorized Uses. In certain instances, Users are given access rights to networks, systems, databases or files for the purpose of maintaining or otherwise administering those networks, systems, databases or files without the permission to read, alter or copy the information contained in or on those networks, systems, databases or files. Users that are found using their access rights to read, alter, or copy information without authorization, or who otherwise circumvent network or system security on an unauthorized basis, will be subject to immediate disciplinary action, up to and including the termination of their employment.
Accessing other Computers and Networks. A User’s ability to connect to other computer systems through a network or by a modem does not imply the right to connect to those systems unless specifically authorized by the operators of those systems. Users are prohibited from accessing systems for which the operator of the system hasn’t granted them access rights. Users that have questions concerning their access rights should contact their local Information Technology Department.
Computer Security. Each User is responsible for ensuring that their use of outside computers and networks, including the Internet, does not compromise the security of the IT Resources. This duty includes taking reasonable precautions to prevent intruders from accessing the networks of Hyatt and the Connected Entities without authorization and to prevent introduction and spread of viruses. In the case of Users accessing corporate data or IT Resources remotely, either using IT Resources or personally owned computers or laptops (“Personal Resources”), it is the responsibility of the User to ensure that the system has up-to-date anti-virus protection and adequately configured firewall software to prevent hackers from gaining control of their systems and stealing the data that is stored on those systems.
Data Protection Measures. Users are prohibited from attempting to circumvent the data protection measures enacted by Hyatt and/or the Connected Entities or to uncover security loopholes or bugs. Users are prohibited from gaining or attempting to gain unauthorized access to restricted areas or files stored on the IT Resources. Users are prohibited from tampering with any software protections or restrictions placed on computer applications, files or directories.
Unattended PCs Must be Locked. Users are reminded that unattended computers must be either logged off of the network, powered off, or locked using the Windows Operating System “lock computer” feature. Any systems left unattended by a User may result in the suspension of that User’s right to use the IT Resources.
Use of Home Computers or Personally Owned Laptops. Users are reminded that if they use Personal Resources for business purposes, including working with Corporate Data or other data related to the business of Hyatt or a Connected Entity, they need to ensure that those Personal Resources are properly protected with up-to-date personal firewalls and anti-virus software, and that their Personal Resources are up-to-date with the latest available software patches for both the application and the operating systems. Users are encouraged to seek guidance from their local Information Technology Department concerning the best available personal firewall, anti-virus software, or application and operating system updates. However, a User’s local Information Technology Department will not be able to support or provide this software for any Personal Resources.
8. Mobile Device Security
Mobile devices, such as mobile phones, the RIM BlackBerry, Palm Tungsten, and HP PocketPC, empower their users with instant communications and improved management of personal information. Users who are provided with a Mobile Device by Hyatt or a Connected Entity must take all reasonable steps to ensure that the device is protected from loss or theft.
• All Mobile Devices must be configured with a power-on password. Users must ensure that no passwords for their device are written on or affixed to their device.
• Users are permitted occasional, limited, appropriate personal use of their Mobile Device in accordance with this Policy. Any excessive use as determined by the sole and exclusive judgment of Hyatt and/or the Connected Entities (as applicable) will result in the revocation of the right to use a Mobile Device.
• Any disregard for the security of a Mobile Device will result in the revocation of the right to use a Mobile Device.
• In the case of the theft or loss of a Mobile Device, the User may be held personally responsible for its loss, including the cost of its replacement. Any theft or loss of a Mobile Device must be immediately reported to your Department Head.
• All Users that are given a BlackBerry device must have received, read, and submitted the Acknowledgement form for the Global Hyatt Policy for the Use of Blackberry Devices.
9. Laptop Security
Portable computers offer Users the ability to be more productive while on the move. They offer greater flexibility in where and when Users can work and access information, including information on our corporate network. However, network enabled portable computers also pose the risk of data theft and unauthorized access to our corporate network.
Certified Laptop Use. Any portable computer that is proposed for network connection to the IT Resources, whether furnished by Hyatt or a Connected Entity or the User’s Personal Property, must be reviewed, approved and certified by your local Information Technology Department.
Personal Firewall Software. Users must ensure that a personal firewall is installed on their laptop and that it is always active. Each laptop furnished by Hyatt or a Connected Entity must be configured with personal firewall settings enabled. Your local Information Technology Department can advise you of appropriate personal firewall software to install on your personal laptop, but they will not install or support such software on Personal Resources.
Anti-Virus Software. Anti-Virus software must be installed, kept up to date, and must be active at all times. Each laptop furnished by Hyatt or a Connected Entity will be configured with approved anti-virus software. It is the User’s responsibility to keep their anti-virus scanning software up to date. It is strongly recommended that Users update their anti-virus software before disconnecting from the network. Your local Information Technology Department can advise you of appropriate anti-virus software for your Personal Resources, but they will not install or support such software on non-company owned computers.
Power-On Passwords. All laptops furnished by Hyatt or a Connected Entity must be configured with a power-on password set by the local Information Technology Department. This password may not be changed by the User, and can only be set by the local Information Technology Department. Users must ensure that no passwords for their system are written on or affixed to their laptops.
Physical Security. All Users that are provided with a laptop by Hyatt or a Connected Entity must take all reasonable steps to ensure that the laptop is protected from theft. This includes securing the laptop at your workstation with the supplied notebook security cable or locking the laptop in a filing cabinet.
Use of Wireless Hotspots. At this time, the use of wireless (“Wi-Fi”) “Hotspots” is permitted for laptop Users when the properly configured anti-virus and firewall software is active. Your local Information Technology Department will properly configure your company-owned laptop for proper use on Wi-Fi networks. However, Users should take extreme care when connecting to public Internet services as these networks do not offer adequate protection for the User. Only recommended Wi-Fi services (such as T-Mobile’s HotSpot, StarHub, SwissCom) are considered safe with a properly configured laptop. Wi-Fi networks, if unsecured without adequate personal firewall software, will leave the contents of your laptop exposed and accessible by hackers. The data on your laptop can be stolen without your knowledge. Any data stored on a laptop device that is particularly sensitive should be protected by passwords in order to protect them from theft. Wireless radios must be disabled (turned off) when not in use.
Use of Bluetooth or Infrared Personal Area Networking. Bluetooth and Infrared technologies, though different in their use, are both designed to be an inexpensive wireless personal networking system for all classes of portable devices such as laptops, PDAs (personal digital assistants), mobile phones and headsets. Bluetooth can also replace cabling in a more static environment (i.e. between desktop computers and printers). While providing a cordless way of connecting devices, it can also be used to interconnect computers. Therefore, Users are reminded that having Bluetooth or Infrared enabled on their laptops will leave them open for potential intrusion by hackers. Bluetooth or Infrared features of a laptop should be disabled when the User is not in a secured area.
Remote Access and VPN Services. Where available, authorized Users may only remotely access Hyatt’s network and IT Resources via an approved Virtual Private Network (“VPN”) secured connection. For information regarding Remote Access and VPN Services, please consult your local Information Technology Department. All Users who have been given Remote Access and VPN Services capabilities must have received, read, and submitted the Acknowledgement form for the Global Hyatt Policy for the Use of Remote Access and VPN Services.
Audit of Laptop Usage. Your local Information Technology Department reserves the right to audit your use of any laptop furnished by Hyatt or a Connected Entity to ensure that it continues to conform to this Policy. Your local Information Technology Department will also deny network access to any laptop that has not been properly configured and certified. Any disregard for the security of a laptop will result in the revocation of the right to use a laptop. In the case of the theft of a laptop, the User may be held financially responsible for its loss.
10. Portable Storage and Memory Security
The use of portable memory devices by Users presents a number of risks, including the theft or loss of proprietary information and the introduction of viruses and other malicious computer code past our security systems and firewalls. Those devices include: flash, thumb, or jump drives (also known as USB memory drives); MP3 and MPEG players (particularly iPods); PDAs and Smartphones; Digital Cameras; Memory/Storage media (e.g. memory sticks, rewritable DVDs, CDs, and floppy diskettes).
General Security Risks. While the use of portable devices is currently not prohibited, Users are reminded of the specific security risks surrounding their use:
• Loss: Devices used to transfer or transport work files can be lost or stolen.
• Theft: Proprietary data can be stolen.
• Virus: Users can inadvertently introduce viruses such as Trojans to the network while loading infected files from an unscanned memory device.
• Copyright: Software copied onto portable memory devices can violate licensing agreements.
• Spyware: Spyware or tracking codes can be introduced to our network via portable memory media.
• Compliance: Loss or theft of financial data could expose Hyatt to the risk of noncompliance with various laws and directives including VISA/CISP or other so-called “PCI” standards, Sarbanes-Oxley and Data Privacy laws.
Password Protection. Proper use of devices will include the password protection of individual files or the portable media device and the use of advanced portable media devices where biometric security and encryption are enabled.
Corporate Data. Portable memory devices are not to be used for the transmission or storage of Corporate Data. Users must report any theft or accidental loss of any portable storage device to their Department Head. The improper use of portable memory devices by others should be reported to your Department Head, your local Human Resources Department or Information Technology Department or the Information Technology Department in the Corporate Office. Any misuse of portable memory devices will result in the immediate revocation of the ability to use such devices and will include appropriate disciplinary action, which may include the termination of your employment.
11. Viruses
Virus Detection. Viruses can cause substantial damage to the IT Resources. Each User is responsible for taking reasonable precautions to ensure he or she does not introduce viruses into the IT Resources. To that end, all material received on a portable memory media and all material downloaded from the Internet or received via E-Mail from computers or networks that do not belong to Hyatt or a Connected Entity MUST be scanned for viruses and other destructive programs before being placed onto the IT Resources. Users should understand that their home computers and laptops might contain viruses. All media used to transfer data from these computers to a Hyatt or Connected Entity network MUST be scanned for viruses before being placed onto the IT Resources.
Accessing the Internet. To ensure security and avoid the spread of viruses, Users accessing the Internet through a computer attached to a Hyatt or Connected Entity network must do so through an approved Internet firewall. Accessing the Internet directly by modem is strictly prohibited unless the computer you are using is not connected to a Hyatt or Connected Entity network. Users are encouraged to purchase and install appropriate antivirus and firewall software for their home systems when working with Corporate Data or when using their personal resources to connect to the IT Resources. Your local Information Technology Department can make suggestions for appropriate software, but will not be able to provide technical assistance with Personal Resources.
Approved Virus Detection and Removal Software. Only approved Virus Detection and Removal Software may be installed on the IT Resources. It is the responsibility of everyone to ensure that his or her systems are installed with and are running the latest virus definition files at all times. For assistance or to ensure that your systems are properly protected, please consult your local Information Technology Department.
12. Encryption Software
Use of Encryption Software. Users are prohibited from installing or using encryption software on any IT Resource without first obtaining written permission from the Information Technology Department at the Corporate Office. Users may not use encryption keys that are unknown to their Department Head or their local Information Technology Department.
Export Restrictions. The U.S. government and the governments of other countries have imposed restrictions on export of software containing encryption technology (such as Lotus Notes, which permits encryption of messages, and electronic commerce software that encodes transactions). Software containing encryption technology shall not be placed on the Internet or otherwise sent or transmitted (e.g., via E-Mail attachment, portable memory media) from one country to another without prior written authorization from the Corporate Office Information Technology Department and the Hyatt Legal Department.
Certified Software. Only software applications that have been certified by Hyatt or a Connected Entity are supported for use with the IT Resources. Users are prohibited from installing any other software on IT Resources, and no support will be provided for systems that are not compliant with the current Certified Software standards. Users requiring the use of software that is not certified in the manner described above should seek written approval by their Department Head and the Corporate Office Information Technology Department.
13. Electronic Mail Use Policy
E-Mail is a quick and convenient way of communicating with other Users and with outsiders. However, as with all types of communications, E-Mail has its good points and its bad points. It should be used in conjunction with, not as a replacement for, telephone, memos, letters and faxes. The policies and guidelines set forth below are intended to protect both the sender and the recipient of E-Mail messages as well as Hyatt and the Connected Entities from the pitfalls and hazards that accompany the widespread use of E-Mail. While these policies and guidelines specifically address E-Mail, it is important to keep in mind that E-Mail is just another form of corporate communication and is therefore subject to all policies, guidelines and practices of Hyatt and/or the Connected Entities relating to corporate communications in general. Appropriate discretion should always be used when communicating any proprietary or confidential information over any E-Mail system. Such information should not be transmitted outside of Hyatt or a Connected Entity unless you are expressly authorized to do so. If authorized, employees must take special care to ensure that such information is properly communicated only to those authorized to receive such information.
Communicating Confidential Information. Always keep in mind that E-Mail and the Internet are public methods of communication. When you send information via E-Mail, or make it available on the Internet, there is always a possibility that unauthorized individuals will view the information. Never send confidential, proprietary or trade secret information without first obtaining authorization from your Department Head. This type of information is a valuable asset and each of us must make sure that it is protected from unauthorized disclosure. E-Mail messages can potentially be stored indefinitely on any number of computers, in addition to that of the recipient. Copies of your messages may be forwarded to others instantaneously at the intentional or mistaken click of your mouse. In addition, E-Mail sent to nonexistent or incorrect User Names may be delivered to persons that you never intended.
Sending Unsolicited E-Mail (“Spamming”). Users are prohibited from sending unsolicited E-Mail to persons with whom they do not have a prior relationship or with whom they have not received express permission to receive messages without the express permission of their Department Head.
“Spoofing” or Otherwise Hiding Your Identity. Users are prohibited under any circumstances from using “spoofing” or other means to disguise their identities in sending E-Mail. Users must not alter the ‘From:’ line or other attribution-of-origin information in E-Mail, messages or postings. Anonymous or pseudonymous electronic communications are forbidden. Further, Users are prohibited from sending messages on behalf of other individuals without the express permission of that individual.
Care in Drafting E-Mail. Users should make each electronic communication truthful and accurate. Users should use the same care in drafting E-Mail and other electronic documents as they would for any other written communication. The quality of writing reflects on the company. Users should always strive to use good grammar and correct punctuation and keep in mind that anything created or stored using the IT Resources may and likely will be reviewed by others.
Chain Letters, Joke Lists or Mass E-Mail. Every User is expected to use good judgment when using the E-Mail system. Sending or forwarding chain E-Mail or non-business related mass E-Mail violates this standard and will not be tolerated. Violations of the provisions of this section should be reported to the User’s local Human Resources or Information Technology Department. Users found to be involved in sending chain E-Mail or non-business related mass E-Mail may be subject to disciplinary action, including revocation of E-Mail privileges. Repeated violations of this policy may result in termination of employment.
Internet Disclaimer Tagline. All E-Mail messages sent to Internet destinations must include the following “Internet Confidentiality Statement” tagline:
Internet Confidentiality Statement
The information contained in this communication is confidential and intended only for the use of the recipient named above, and may be legally privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend it to the sender and delete the original message and copy of it from your computer system.
Opinions, conclusions and other information in this message that do not relate to our official business should be understood as neither given nor endorsed by this company.
Please note that the E-Mail system will automatically append this disclaimer to all Internet recipients.
Monitoring of E-Mail. As indicated above, E-Mail, like any employee business communication, is subject to monitoring by Hyatt and/or the Connected Entities at any time without further notification to the User or the recipient. Any messages sent or received via Hyatt’s E-Mail system, whether of a business or personal nature, may be read by authorized Hyatt personnel at any time. Any information contained in E-Mail messages may be used and revealed to the appropriate authorities, both inside and outside Hyatt, to document employee misconduct or criminal activity. However, E-Mail exchanged with Hyatt’s Legal Department or other lawyers doing work for Hyatt or a Connected Entity will not be subject to monitoring in order to preserve the confidentiality and attorney-client privilege of such communications.
Personal E-Mail Access. Users desiring to send and retrieve personal E-Mail messages on an occasional basis while at work are encouraged to use a personal account with an online service such as Hotmail, Yahoo and AOL in order to make it clear to the recipient of those messages that the content of those messages is personal rather than business related. However, since those services are being accessed using Corporate Resources, Users should remember that: (1) anything a User creates, stores, sends, receives or does using such online services will be subject to monitoring and review; (2) such limited use of Corporate Resources is subject to all other provisions of the Policy; and (3) although you are using a third party E-Mail service, your computer identification (IP Address), which identifies you and Hyatt, is recorded for all your activity online and is sent with your E-Mail address to the intended recipient.
Using your Corporate E-Mail Address for Personal Use. You should never use your corporate Internet E-Mail address for personal use (i.e. for orders placed with online merchants such as Amazon.com; joining web sites that request your E-Mail address). By avoiding the use of your company issued E-Mail address on these web sites, you will lessen the chances that the receipt of SPAM will burden the Hyatt IT Resources.
14. Managing SPAM
Internet Junk Mail or “SPAM” is a growing problem for many people. While the governments and other organizations crack down on offenders, there are a few things that you can do to help reduce your chances of getting SPAM. The most common mistake is either replying to a piece of junk mail that you’ve received or clicking on the “unsubscribe” link to try and remove your name from that E-Mail list. By replying to the E-Mail sender, you are increasing your chances of receiving additional SPAM by confirming that your E-Mail address is valid to the E-Mail marketers that earn their living by sending SPAM to valid E-Mail addresses.
Here are a few tips to help stop SPAM:
• Do not reply to any offers … you may end up getting more SPAM.
• Be cautious about sharing your E-Mail address when shopping online. Do not use your company E-Mail account for any online shopping.
• Refuse promotional offers through E-Mail. Many online retailers will have a check-off (or opt-out) box allowing you to be effectively removed from future mailings.
15. Internet Use Policy
Certain Users will be provided with access to the Internet to assist them in performing their jobs. While the Internet can be an extremely powerful business tool, it must be used in strict compliance with this Policy and its use must be tempered with common sense and good judgment.
Disclaimer of Liability for Content Found on the Internet. The Internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit and inappropriate material. Sometimes, even harmless search requests may lead to sites with highly offensive content. In addition, having an E-Mail address on the Internet may lead to the receipt of unsolicited E-Mail containing offensive content. Users accessing the Internet do so at their own risk.
Blocking of Inappropriate Content and Services. From time to time, Hyatt and/or the Connected Entities may use software to identify inappropriate or sexually explicit Internet sites or to prevent access to such sites and services. Even if such software is used, it is never foolproof, so in the event you nonetheless encounter inappropriate or sexually explicit material while browsing on the Internet, you should immediately disconnect from the site and for your own protection, you should immediately notify your local Information Technology Department as to what occurred.
Games and Entertainment Software. Employees may not use Internet connections to play interactive online games, download games or other entertainment software, including screen savers, MP3 files, or to play games over the Internet. Employees may not use peering file share services (e.g., using Gnutella, KaZaa, Napster, LimeWire and other applications or services) for the search and retrieval of MP3, Video, Pictures, or other files. In addition to wasting valuable corporate resources, the use of these services exposes Hyatt and the Connected Entities to potential liability for copyright infringement.
Internet Firewalls. To ensure security and avoid the spread of viruses, Users accessing the Internet through a computer attached to a Hyatt or Connected Entity network must do so through an approved Internet firewall. Accessing the Internet directly, by modem, is strictly prohibited unless the computer you are using is not connected to a Hyatt or Connected Entity network. Your local Information Technology Department must approve all access to the Internet and may revoke access at any time. Users are encouraged to purchase and install appropriate antivirus and firewall software for their Personal Resources when using them to connect to the IT Resources. Your local Information Technology Department can make suggestions for appropriate software, but will not provide technical assistance with your Personal Resources.
Using the Internet for Personal Business. Users using Corporate IT Resources to transact personal business on an occasional basis (e.g., checking bank balances or processing other online banking transactions, stock trading, purchasing items online) do so at their own risk. Users are reminded that they should take special care when transmitting credit card information or making electronic funds transfers over the Internet that they are doing so over a secure connection. However, neither Hyatt nor a Connected Entity is responsible for ensuring that Users have access to secure and reliable connections to the Internet for their personal transactions, and neither Hyatt nor a Connected Entity shall have liability to Users for any losses they incur as a result of using (or not being able to use) IT Resources for their personal business. Nor is Hyatt or a Connected Entity responsible for any loss, theft or other compromise of your personal information while using the Internet.
16. Miscellaneous
E-Mail with Attorneys. In general, any communication between an employee and attorneys employed by Hyatt or a Connected Entity concerning a legal matter (whether the attorney is “in-house” or is outside counsel) is considered confidential and may be protected by the attorney-client privilege. However, this protection may be lost if the message is viewed by a non-attorney. This is true even if the person reading the message is also an employee of Hyatt or a Connected Entity.
• When corresponding with Hyatt’s Legal Department on a legal matter, DO NOT send copies of the message to anyone outside of the Legal Department. If you believe that the message should be shared with someone outside of the Legal Department, ask the attorney to forward the message to the appropriate individual. This will serve to protect the attorney-client privilege.
• Because of the risk of inadvertently waiving the Attorney/Client Privilege, Users SHOULD NOT send E-Mail to in-house or outside counsel over the Internet without clearing it first with the Legal Department.
Attorney-Client Communications. E-Mail sent from or to in-house counsel or any attorney representing Hyatt or a Connected Entity concerning legal matters should include this warning header on each page: “ATTORNEY-CLIENT PRIVILEGED; DO NOT FORWARD WITHOUT PERMISSION.” Communication from attorneys may not be forwarded without the sender’s express permission.
Representing Hyatt or a Connected Entity. Your E-Mail and Internet address identifies you as an employee, independent contractor or agent of or having some other type of official relationship with Hyatt or a Connected Entity. However, only certain employees are authorized to speak on their behalf. Unless you are specifically authorized to speak to the press or comment publicly on behalf of Hyatt or a Connected Entity, you are not authorized to represent Hyatt or the Connected Entity in communications on the Internet. Representing yourself as speaking on behalf of Hyatt or a Connected Entity without authorization is grounds for disciplinary action up to and including termination of employment.
Defamation, Harassment and Libel. Posting information on the Internet, in whatever fashion, is no different from publishing information in the newspaper. If a posting is alleged to be defamatory, harassing, or libelous, both the User making the posting and Hyatt could be subject to claims for monetary damages. Be aware of what you post and send over the Internet. Keep in mind that E-Mail intended as a private communication could be forwarded, copied or otherwise published without your knowledge or authorization.
Defending Hyatt. Hyatt or a Connected Entity may, from time to time, become the victim of online trademark infringements, defamation, disparagement or other violations of its rights. Users on the Internet may play an important role in uncovering such violations. However, reacting online could exacerbate a situation and create legal difficulties for you as well as for Hyatt and/or a Connected Entity. If you witness what you believe may be a trademark violation or a defamatory, disparaging or otherwise damaging statement about Hyatt or a Connected Entity on the Internet, immediately report the incident to the Hyatt Legal Department including the context, the Internet site or newsgroup in which it appeared and if possible, a copy of the offending message or language. Do not respond on your own no matter how you may feel about the situation.
Illegal Copying and Copyrights. Users may not illegally copy material protected under copyright law or make that material available to others for copying. Users are responsible for complying with copyright law and licenses that apply to software, files, documents, messages and other material they wish to download or copy. Users may not agree to a license or download any material for which a registration fee is charged, free, or “shareware” without first obtaining the express written permission of your local Information Technology Department.
Compliance with Applicable Laws and Licenses. Users must comply with all software licenses, copyrights and all other state, federal and international laws governing intellectual property and online activities in their use of the IT Resources.
Other Policies Applicable. Users must observe and comply with all other policies and guidelines of Hyatt and/or the Connected Entities in their use of the IT Resources, including but not limited to the policy on Work Place Values.
Amendments and Revisions. This Policy may be amended or revised from time to time as the need arises. Users will be provided with copies of all amendments and revisions.
No Additional Rights. This Policy is not intended to, and does not grant, Users any contractual rights.
17. Violations of the Policy
Regardless of whether the Policy specifically identifies disciplinary action above, violations of this Policy may result in disciplinary action, up to and including the termination of your employment and civil and criminal prosecution.
18. Acknowledgment and Consent
By my signature below, I acknowledge that I have received a copy of the Global Hyatt Corporation Policy for the Use of IT Resources dated May 2006. I have read and hereby agree to comply with the terms of this Policy. I understand that a violation of this Policy may result in disciplinary action, including termination, as well as civil or criminal liability. Regardless of whether my use of the IT Resources is for business or for my incidental personal use, I consent to the monitoring of my usage of the IT Resources in the manner described in the Policy and I acknowledge and agree that I have no expectation of privacy concerning anything that I do using the IT Resources.
Signature:
Printed Name:
Department:
Date:
EXHIBIT A DESIGNATED AUTHORITIES FOR CORPORATE DATA
As stated in Section 5 of this Policy, this Exhibit identifies those individuals or category of individuals for the purposes of providing written authorization to a User for access to Corporate Data.
Property Management Systems: Hotel General Manager
Central Reservations Systems: VP of Marketing, Chicago
Point of Sale Systems: Hotel General Manager
Finance and Accounting Systems:
    For Corporate and Chain programs: VP of Finance, Chicago
    For local Hotel programs: Hotel General Manager
Human Resources Systems:
    For Corporate and Chain programs: VP of Human Resources, Chicago
    For local Hotel programs: Hotel General Manager
Payroll Systems: Hotel General Manager
Guest Service Delivery and Escalation Systems: Hotel General Manager
Guest Loyalty Programs:
    For Gold Passport and Chain programs: VP of Marketing, Chicago
    For local Hotel programs: Hotel General Manager
Sales and Catering Systems: Hotel General Manager
Data Extracts to third-party Data Processors: Hyatt IT, Chicago
For any other system or data source not listed here, or if you have any questions, please consult with your local General Manager.
EXHIBIT B GENERAL E-MAIL ETIQUETTE
E-Mail is a useful business tool; however it can be abused in various ways. Familiarizing yourself with the following rules of E-Mail etiquette will help make E-Mail even more useful:
• Always use a salutation.
• Make your message short. E-Mail is not the medium for communicating long, complicated messages. Save those for hardcopy memos or reports (although it is fine to attach those to an E-Mail with a short introductory message). Strive to limit your E-Mail to three paragraphs.
• Keep your messages to the point – one point! Don’t try to convey too many ideas or concepts. Digressions and superfluous points will frustrate your reader and he or she will be less likely to understand and take the action you want.
• Keep attachments to a minimum. Excessive and nonessential attachments can overwhelm readers. Attach relevant excerpts – not entire documents – and refer the reader to the specific paragraphs or section that should be read. If replying to a message that had attachments in it, be certain to remove the attachment so as to prevent the resending of files unnecessarily. Also, please note that the E-Mail system has a limit of 6MB for incoming and outgoing E-Mail attachments.
• Do not overuse E-Mail by sending courtesy copies (CC) of a message to people who do not need them. Similarly, it is not generally necessary to reply to an E-Mail just to inform the sender that you have received it.
• Take great care in using blind copies (BCC). You should avoid using the BCC function to send blind copies of E-Mail messages as much as possible. However, the use of the BCC function may be appropriate when sending an E-Mail message to multiple recipients, or when it is necessary to shield the identity of the recipients of a message from one another in order to comply with privacy laws or principles. Please contact your local Information Technology Department for guidance on the use of the BCC function.
• Do not forward E-Mail messages unless the original sender is aware that the message may be forwarded. Use common sense; if you would not have forwarded a copy of a paper memo with the same information, do not forward the E-Mail.
• E-Mail is for business communication, not for advertising. Sending global E-Mail advertising garage sales, cookie sales or fundraisers is inappropriate.
• Never forget that E-Mail is not conversation. It is recorded and can be duplicated at will. While it is generally less formal than a hard copy letter or memorandum, it is far more permanent than speaking to someone on the phone.
• E-Mail does not convey emotion well. Use the telephone when appropriate.
• E-Mail is not an informal communications method. Therefore, the use of abbreviations, slang, jargon and other informal language is discouraged.
• Use normal capitalization and punctuation. Typing a message in all capital letters is the equivalent of shouting at the reader. You can, however, use capital letters for emphasis.
• Spellcheck and reread your message. It may take a few more minutes, but it’s well worth it. Incomprehensible and misspelled E-Mail turns people off, makes you look uneducated, and makes it less likely that recipients will read your E-Mail in the future.
• Include only a portion of the original sender’s message in your replies to help put your reply in context. It is also appropriate to delete unimportant portions of the original message in order to prevent the message from getting too long, including the removal of any file attachments from the original message.
• Internal E-Mail Messages should always be closed with a proper signature that includes a complimentary closing and your name. It is not necessary and it is discouraged to include your full contact details for people whom you regularly correspond with, or for people who are using the Hyatt E-Mail system. For example:
    Best regards,
    John
• External E-Mail Messages should always be closed with a proper signature that includes a complimentary closing and your name and your full contact details. For example:
    Best regards,
    Nancy Smith
    Marketing Communications Manager
    Global Hyatt Corporation
    71 S. Wacker Dr.
    Chicago, Illinois 60606
    Telephone: +312-555-1212
    Telefax: +312-555-1212
    Visit us online at www.hyatt.com