Canada: Privacy Breaches - Impact, Notification And Strategic Plans*

Last Updated: April 20 2011
Article by Paige Backman


Privacy protection has become a hot topic in recent years, due mainly to the ever-growing pervasiveness of new technologies and to the millions of individuals in North America who have found themselves victims of privacy breaches as a result.

A privacy breach occurs when an individual's personal information is accessed, collected, used or disclosed in contravention of applicable privacy legislation or privacy policy. "Personal information," which is defined differently in different statutes, is the cornerstone of most privacy laws. Personal information usually refers to information about an identifiable individual. Some of the more obvious examples of personal information include information pertaining to an individual's home address, nationality or ethnic origin, colour, religion, age or marital status; education, health, employment or criminal history; personal identification numbers, such as those listed on a driver's licence or a bank account number; biometric particulars, such as fingerprints or blood type; and sexual preference or political affiliation.

A privacy breach may arise intentionally or inadvertently, but the effect on its victims may be equally devastating. Intentional breaches can consist of theft[1] or an abuse or manipulation of the technologies that are so often used to catalogue and protect personal information.[2] Hacking, which consists of breaching computer systems and electronic safeguards, is a serious problem, particularly due to the heavy reliance organizations place on computerized databases. Such intentional breaches are often vicious in nature and consist of a deliberate desire to access, collect, use or disclose an individual's personal information with a view to causing a disturbance or perpetrating a crime.

While deliberate, bad faith activities, such as hacking and theft, are serious crimes that create risks for individuals whose personal information has been exposed, human error or ignorance is often the most likely cause of privacy breaches. Privacy breaches based on human error or ignorance typically arise in cases of careless practices, mistaken disclosures, or operational, technical or communication breakdowns.[3] The damages caused by inadvertent privacy breaches, though done without malice, can be just as serious as those caused by intentional breaches.

Breaches of privacy laws can expose individuals to risks such as embarrassment, loss of employment opportunity, loss of business opportunity, physical risks to safety and identity theft. Financial loss and identity theft have been recognized as two of the most serious and fastest growing crimes in North America.

Whether an organization suffers an intentional or unintentional breach, and regardless of whether the disclosed personal information is used for the perpetration of fraud or not, the organization is equally responsible for the privacy breach and for having contravened privacy legislation. It is therefore important for organizations to be aware of their responsibilities regarding the handling of personal information and their obligations under privacy laws. One of the key elements of an organization's responsibilities is implementing practices designed to prevent breaches from occurring and enabling the organization to respond in a quick, efficient and effective manner should a breach occur.

Privacy Breaches – A Costly Affair

If bona fides isn't reason enough to implement best practices for the prevention of privacy breaches, then the economics certainly are. Privacy breaches can impact a business's bottom line in an exceptional and virus-like manner.

Businesses have to account for hard costs such as legislative fines and penalties, third party compensation, customer compensation, loss of profits, shareholder litigation and legal defence costs. Businesses also have to account for soft costs such as loss of goodwill, bad publicity, affected turnover and customer loyalty. While calculating such costs is not straightforward – soft costs are difficult to quantify and economic losses are incurred over a period of years – the effect can be staggering.

Below are several examples of some high-profile and costly privacy breaches which have occurred over the past four years:

Heartland Payment Systems ("Heartland") – 2009. Said to be the largest data breach in history to date, Heartland's security compromise allowed hackers to break into the payment processor's networks and steal over 130 million credit and debit card numbers. In May 2010, Heartland's breach expenses were estimated at $140 million, including settlement payments of nearly $60 million with Visa and $3.5 million with American Express, as well as $26 million in legal fees.[4] Heartland has since come to an arrangement with MasterCard whereby Heartland agreed to pay MasterCard issuers $41.4 million to settle claims over the data breach.[5] Heartland is still dealing with the aftermath of this breach, the total costs of which are as yet uncertain.

Bank of New York Mellon ("BNY Mellon") – 2008. The personal information of more than 12.5 million people was compromised as a result of BNY Mellon's loss of six to ten unencrypted tapes containing Social Security numbers, names, addresses and birth dates.[6] A year later, BNY Mellon reached a settlement agreement with the Connecticut Department of Consumer Protection and the Connecticut Department of Banking, agreeing to provide an additional year of creditor monitoring to the individuals who were notified and to reimburse any individuals who had had funds stolen from their accounts as a direct result of the breach. In addition, BNY Mellon agreed to pay $150,000 to the State of Connecticut General Fund.[7]

TJX Companies ("TJX") – 2007. TJX suffered a considerable breach resulting in the theft of over 45 million customers' credit and debit card numbers. The company lost $17 million and 3 cents per share by the end of its first quarter alone.[8] Although original estimates placed the damages at $4.5 billion,[9] the actual costs of the breach suffered by TJX are currently unknown. The company is said to have spent more than $20 million investigating the incident, notifying customers and hiring lawyers to deal with the dozens of associated lawsuits.[10] To date, TJX has entered into a number of settlement agreements, notably with MasterCard International Inc. ($24 million),[11] Visa ($40.9 million),[12] several banks, namely AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank ($525,000),[13] 41 different U.S. states for legislative breaches ($9.75 million total)[14] and the individual victims of the breaches themselves (where TJX offered vouchers, cheques, reimbursement, insurance and legal fees, depending on the individual circumstances).[15] While these settlement amounts are impressive and provide a hint as to the ultimate cost suffered by TJX, they do not reflect the internal costs incurred by TJX in rectifying the breach, which are likely substantial.

TD Ameritrade Holding Corp. ("TD Ameritrade") – 2007. The names, addresses, phone numbers and "miscellaneous trading" information of more than 6 million retail and institutional customers of brokerage firm TD Ameritrade were compromised in a data breach.[16] A class action lawsuit was filed against TD Ameritrade for the security breach. As of the date of writing this article, the court had just granted preliminary approval to a settlement of this case, which (1) requires payment of between $2.5 and $6.5 million to the class - each claimant is "entitled to seek cash benefits ranging from $50 to $2,500, depending 'on the nature of the account affected by the identity theft and the type of expense and unreimbursed loss incurred . . . .'"; (2) sets a maximum of $500,000 for attorneys' fees; and (3) requires TD Ameritrade to engage a third party auditor to assess its data security practices.

Certegy Check Services ("Certegy") – 2007. The personal information of approximately 5.9 million individuals was compromised when a Certegy employee stole customer records that revealed credit card, bank account and other personal information. Certegy recently signed a settlement agreement with the Florida Attorney General's office, agreeing to provide either one year of free credit monitoring services or two years of bank account monitoring services to those affected. In addition, Certegy agreed to pay $850,000 to cover the state's investigative costs and attorneys' fees and to make a $125,000 contribution to Florida's "Seniors vs. Crime" program, which provides educational, investigative and crime prevention programs for senior citizens.[17]

The above cases are some of the higher profile and economically significant instances of data breaches; they also demonstrate the different types of hard costs all organizations risk suffering in the wake of privacy breaches. What these numbers do not capture is the internal cost of rectifying such breaches, nor the loss of goodwill that these organizations have undoubtedly suffered.

Globally, the average organizational cost of a data breach is measured at $3.4 million, while the average cost per compromised record is $142 – of which $63 pertains to indirect costs (including lost business) and $79 pertains to direct costs (including detection, escalation, notification and ex-post response). These statistics come from a recent report, sponsored by PGP Corporation, that analyzes the cost of data breaches in the United States, United Kingdom, Germany, France and Australia (all converted into U.S. dollars).[18] Of these countries, the average organizational cost of a data breach was greatest in the United States, at $6.75 million. Germany came in second at $3.44 million. The United Kingdom and France nearly tied for third, with average costs of $2.57 million and $2.53 million, respectively. Australia came in last with an average cost of $1.83 million.[19]

Best Practices to Limit Privacy Breaches

The best defence is a good offence. To limit privacy breaches, organizations need to be proactive and aggressive, and build their privacy practices on four pillars. First, management needs to understand their organization's obligations under law and applicable standards. Privacy breaches are often defined by reference to obligations under the law. As such, one of the easiest ways to avoid privacy breaches is for organizations to have a good practical understanding of their obligations under privacy laws. While this exercise may begin with an understanding of statutory and regulatory obligations, it does not end there. Organizations then need to look at their own privacy policies, contracts with third parties and any industry standards to which they are bound or to which they have voluntarily agreed to adhere.

Second, management needs to have a good understanding of their organization's information handling practices. This includes understanding the nature and source of personal information on intake; understanding how the organization uses, stores, transfers and discloses personal information; and, of course, understanding how the organization renders anonymous, deletes or destroys personal information for which it no longer has any reasonable use.[20] Developing and implementing wireless and technology-based security protections is key, particularly in today's digital age. Theft or hacking may be impossible to prevent, given the technological advancements that are made every day. Nevertheless, the use of strong encryption programs, password protection and digital locks will prevent unauthorized access to data that is stored on such electronic systems. Encryption has become the standard for storing personal information and health information on portable devices[21] and practicing privacy breach prevention can be as simple as deleting a data cache or wiping a hard drive.[22]

Third, management needs to ensure their organization has a privacy policy (for internal and external distribution) that reflects the organization's personal information handling practices and, of course, compliance with laws and applicable standards.[23]

Fourth, once a privacy policy is developed, management needs to implement the provisions of that policy. A key element of such implementation involves management ensuring that its employees, officers, directors, consultants and the third parties with whom the organization does business understand and comply with the organization's privacy policies. If employees, officers and directors are not properly educated, both with regard to obligations at law and the organization's particular privacy policies, privacy breaches are virtually impossible to prevent. Once an organization ensures that its own personnel understand their obligations, the organization needs to ensure that each third party to whom it has disclosed, transferred or otherwise granted access to personal information is also aware of and complies with the organization's privacy policies. Compliance obligations of third parties should be set out in written contractual terms to establish agreed-upon standards and avoid misunderstanding. Contractual terms should address security obligations, restrictions on use and disclosure of the personal information, breach notification obligations as well as obligations to assist in investigating allegations of privacy breaches and/or responding to inquiries and claims from individuals and government officials. To ensure each third party's compliance with its obligations, the contract should include an audit right in favour of the organization relating to the third party's practices.

Destruction and Disposal of Personal Information

Once an organization has done its job and rationalized the personal information that it collects, uses and/or discloses, the organization will still need to ensure the personal information it does collect, use and/or store is returned, destroyed or deleted in an appropriate manner. Adequate destruction and disposal policies are a key element in the breach prevention equation.

Disposal and destruction policies and processes need to account for both the physical destruction and the technological elements of a file. Paper and hard copy records that contain personal information should be shredded (ideally cross-shredded), and their destruction should be systematically monitored and certified, even if it occurs off-site.[24] As for electronic files, unnecessary or unused sensitive data should be wiped, rendered unreadable and/or destroyed. This is particularly true if the organization intends to dispose of or donate its old computers, such that the computers could find their way into the hands of a third party.[25]

Responding to Privacy Breaches

Despite implementation of best practices and preventative measures, privacy breaches do still occur. Often, weaknesses in privacy protection do not come to the attention of an organization until after a breach has occurred. While such a breach may be the result of faulty business practices or operational breakdowns, the organization should take key steps to immediately rectify any damage caused. The first 72 hours of the breach are crucial to its containment and to the containment of the potential harm or damages that may be suffered by third parties. If the organization does not act immediately and aggressively to contain and rectify the situation, the potential damages to individuals impacted by the breach become difficult to manage and the organization's ability to limit its resulting liability is severely compromised. As well, from a pure business perspective, getting out in front of a privacy breach with affected parties allows the organization to control the message and limit the damage to its reputation.

The first elements of a privacy breach response are containment and assessment. Containment and assessment of the breach are essential to the mitigation of the organization's potential liability and damages, as well as to the suppression of adverse consequences felt by those individuals targeted by the breach. Containment need not be complicated, but should be immediate. Without immediate containment, the organization is permitting the breach to continue to occur, which can widen the organization's liability exposure. The organization needs to shut down the unauthorized practice, seek to recover the compromised records, if possible, and make changes to the system that was breached, such as a change to access codes or a system shutdown, so that a subsequent or ongoing breach is inhibited.[26]

The organization should coordinate an investigation to determine the scope of the breach and how the breach occurred. To do so, the organization should designate a responsible individual, if not a team of individuals, to administer the investigation. This investigation should commence concurrently with the shutdown process. If the breach is found to have resulted from criminal activity, the organization should notify the police, as they too can play a crucial role in breach containment and the restoration of compromised data. Neglecting to notify police of a privacy breach caused by criminal or potentially criminal activity can compromise the ability of an organization to investigate and mitigate the breach.[27]

Alongside the investigation, the organization needs to consider and scope the potential damage that may be caused by the breach. This assessment requires a review of which data elements have been compromised, the sensitivity of those elements and the context in which that information might be manipulated or abused. Understanding the risks associated with the breach is a key element in focusing the breach response and in managing the risks to the individuals and the liability of the business.

Breach Notification

After assessing the personal information involved, the cause and extent of the privacy breach, the individuals affected by the breach and any foreseeable harm from the breach, the organization should consider notifying any affected individuals, government regulators and the police. Many jurisdictions have mandatory breach notification requirements and an organization should be familiar with such requirements, as well as any obligations imposed on that organization by industry standards and/or contracts. While breach notification legislation is currently in its infancy in Canada,[28] many states within the United States have established breach notification legislative provisions, many of which carry significant costs for failure to notify and for multiple violations.[29]

Organizations are not often willing to notify individuals affected by a privacy breach. Notification can lead to heightened consumer response, media involvement and loss of goodwill. Organizations will usually want to avoid any negative publicity or public backlash unless they are compelled by law to do so. A choice not to notify is typically premised on the belief that consumers and/or media would not otherwise find out about the breach. In this age of instant communication, premising a business strategy on a belief that word of the breach will not get out is flawed and can be quite costly. Depending on the jurisdiction where the breach occurred and the jurisdiction where damages are suffered, organizations responsible for privacy breaches can risk facing serious lawsuits and substantial monetary penalties.

While breach notification will likely result in heightened inquiries and complaints from individuals, as well as publicity, breach notification, if handled correctly, can be beneficial to an organization. Breach notification can be an important tool in mitigating an organization's damages and can allow the organization, and not the press or privacy commissioners, to control the message being sent to the public.

Some argue that an organization which notifies individuals impacted by a privacy breach will limit its potential damages as a result of the breach. That belief is based on the premise that notification empowers the affected individuals to take action in mitigating any harm that they would otherwise have suffered. In turn, this mitigation of damages mitigates the organization's liability.

Content of Breach Notification

The content and type of breach notification is not always legislated and may vary, depending on the type of breach and the individuals affected. Notifications may be direct or indirect. Direct communication is more personal, addresses the specific personal information at issue for that individual and, as a result, is more effective. Unfortunately, direct communication is not always practical. Content of the notification will vary, as appropriate, and may include information about the incident, details on what the organization has done and will do to control or reduce the harm, information on how individuals can protect themselves and contact information, should the individuals have any questions or concerns about the breach.[30] Notification content should also take into account whether or not a police investigation of the breach is ongoing, as disclosure of some information may not be sensible in certain circumstances.

Canadian Privacy Laws and Breach Notification

To date, outside of Alberta and certain provincial health information legislation, Canada has not had clear breach notification requirements for businesses facing a breach of their privacy safeguards in respect of the personal information they hold. Though the Privacy Commissioners across the country have provided examples of "best practices" in such situations, the majority of businesses are not required by law to disclose a privacy breach.

Organizations in Alberta, to the extent subject to the Personal Information Protection Act (Alberta), must provide notice to Alberta's privacy commissioner, without unreasonable delay, of an incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.[31] In addition, Alberta's privacy commissioner may require organizations to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure.[32]

Amendments have also been proposed to the Personal Information Protection and Electronic Documents Act ("PIPEDA"), as set forth in Bill C-29.

Should Bill C-29 become law, PIPEDA would impose two separate levels of breach notification, one in respect of notifying the Privacy Commissioner of Canada, and another in respect of notifying individuals whose personal information has been compromised by the breach. As a result of section 10.1 of the proposed Bill C-29, a company would be required to disclose a breach of privacy laws to the Privacy Commissioner of Canada where there has been a "material breach of security safeguards under its control." Whether a breach will be considered "material" must be determined by the company through examining several factors, including the sensitivity of the information implicated in the breach, the number of individuals affected, and whether the breach represents a systematic failure to safeguard personal information by the organization.

Under section 10.2 of the proposed Bill C-29, an organization would have to inform an individual of a breach of the privacy safeguards implemented by it where there is a reasonable chance the breach "creates a real risk of significant harm to the individual." The provision sets forth a broad spectrum for the kind of harm that an individual could experience as a result of the breach, including but not limited to humiliation and financial loss, and provides several factors to consider in evaluating the harmful nature of the breach to the individual. The breach will more likely be considered harmful to the individual if it is personal information that is sensitive and likely to be misused.

Post-Breach Management

Once an organization finishes managing the immediate consequences of the breach, it should take the information learned from the breach investigation and re-evaluate its policies and safeguards. It is not sufficient for an organization to mitigate breach consequences. Organizations must implement preventative practices, such as those noted above, to prevent future occurrences of privacy breaches.[33] In developing or updating its practices, an organization may wish to consider conducting a security audit of both physical and technical information handling practices; a review of policies and procedures; a review of employee training practices; and a review of partners, including consultants and other service providers.[34]

The resources expended by organizations in implementing best practices for the prevention of privacy breaches pale in comparison to the above statistics. One rising consideration in risk management is the purchase of privacy liability insurance. Policies may cover damages that arise out of unauthorized access to, collection of, and use or disclosure of personal information that results in harm to employees or third parties; defence expenses as a result of regulatory or criminal investigations; crisis management and notification expenses; and/or network security liability.[35] While insurance policies may be costly, organizations may wish to pursue them as a protective measure against the otherwise exorbitant costs entailed in managing and mitigating a privacy breach.

While privacy protection may not always be seen as a main priority, it is indisputable that the effects of a privacy breach can be devastating, both to the affected individuals as well as to the organizations involved. Privacy breaches not only undermine the affected individuals' confidence in the organization responsible for the breach, but also risk adversely influencing consumers' confidence in commercial markets, generally. Privacy breaches risk discouraging consumerism and making individuals increasingly wary of where and how they transact. Recent years have seen an increase in organizational dependence on amassing and analyzing significant amounts of personal information, globally, through electronic databases.

The increasing scope and reach of global privacy breaches will have considerable long-term effects on consumers' confidence in electronic commerce and, consequently, on the global economy in general.


* Authored by Paige Backman, a partner in Aird & Berlis LLP's Corporate Group and the Privacy, Technology and Communication Industry Team. Acknowledgement and great appreciation is extended to Karen Levin, an articling student at Aird & Berlis LLP for her assistance with this paper.

1. In January 2007, for example, a laptop computer containing the personal health information of approximately 3,000 patients at the Hospital for Sick Children was stolen from the car of a physician, who had taken the laptop home to do data analysis. See discussion in Curtis Rush's "Sick Kids' laptop theft angers watchdog" (7 March 2007), online: The Star

2. In September 2008, for example, an Agriculture and Agri-Food Canada (AAFC) IT system administrator discovered that two servers had been hacked and that approximately 60,000 personal data records of agricultural producers were exposed. See "Findings under the Privacy Act: Amateur hacks into Agriculture and Agri-Food Canada computers" (18 June 2010), online: Office of the Privacy Commissioner of Canada

3. See, e.g., "Johns Hopkins University e-mail attachment error exposed personal info" (22 October 2010), online: In this case, approximately 85 staff members at Johns Hopkins University received an e-mail from the Applied Physics Laboratory's benefits office that contained an incorrect attachment, identifying names, Social Security numbers, and birthdates on 692 dependents of the Lab's staff members.

4. Jaikumar Vijayan, "Heartland breach expenses pegged at $140M – so far" (10 May 2010), online: Computerworld

5. "Heartland settles with MasterCard over data breach" (20 May 2010), online: InfoSecurity

6. Jonathan Stempel, "Bank of NY Mellon data breach now affects 12.5 mln" (28 August 2008), online: Reuters

7. Connecticut Department of Banking, "News Release: Department of Consumer Protection and Department of Banking Announce Settlement with Bank of New York Mellon for 2008 Data Breach" (3 February 2008), online: State of Connecticut

8. Sharon Gaudin, "T.J. Maxx Breach Costs Hit $17 Million" (17 May 2007), online: InformationWeek

9. Ibid.

10. Ki Mae Heussner, "10 of the Top Data Breaches of the Decade" (14 June 2010), online: ABC News

11. "TJX, MasterCard settle" (3 April 2008), The Globe and Mail, online: Thomson Reuters, 2008 WLNR 6236375.

12. Linda McGlasson, "TJX, Visa Agree to $40.9 Million Payout for Data Breach" (4 December 2007), online: Bank Information Security

13. Jaikumar Vijayan, "TJX agrees to settle another breach lawsuit for $525,000" (3 September 2009), online: Computerworld

14. Mitch Lipka, "T.J. Maxx owner pays $9.75 million, settles with 41 states over massive data breaches" (23 July 2009) online: WalletPop

15. Wendy Gross, "TJX Enters into Proposed Settlement Agreement of Customer Class Actions" (8 August 2008), online: McCarthy Tetrault

16. Jaikumar Vijayan, "Names, contact info on 6M TD Ameritrade customers compromised" (14 September 2007), online: Computerworld

17. Larry Barrett, "Certegy Settles in Florida Data Breach Incident" (19 April 2010), online: eSecurity Planet

18. Ponemon Institute, LLC, "2009 Annual Study: Global Cost of a Data Breach" (April 2010), online:

19. Ibid.

20. The corollary of this review has been that management then needs to rationalize such practices to ensure the least amount of personal information is collected, used and disclosed and, otherwise ensure compliance with laws.

21. Encryption, for example, has become the standard in Canada for storing personal or health information on portable devices. See, e.g., "Level of security on stolen laptops simply not acceptable, says Commissioner" (24 June 2009), online: Office of the Information and Privacy Commissioner of Alberta and "Hundreds of Ont. patient health files stolen: Privacy commissioner calls for more data security education" (4 August 2010), online: CBC News

22. See, e.g., "How safe is your scan? Copy machines spill identity secrets" (19 October 2010), online: CBC News, where it is revealed that personal information that has been scanned into certain digital photocopier hard drives can be easily tapped, unless the units are wiped clean.

23. As laws relating to privacy are in relative infancy, and because technologies used to collect, store, transfer, process and steal personal information are always evolving, there may be circumstances when an organization may not know how to develop adequate privacy policies to ensure appropriate protection relating to the personal information in its care and for which it is responsible. In those circumstances, organizations should approach their legal departments and privacy or data commissioners.

24. When a traveller complained to the Office of the Privacy Commissioner of Canada after discovering a passenger manifest in a recycling bin at Toronto's train station, the Office of the Privacy Commissioner launched an investigation that showed that the information printed on the document could have allowed unauthorized access to personal information. The train company, VIA Rail, made immediate changes to its procedures for handling passenger manifests and directed all employees, as a result, to shred such documents before recycling them. See "Findings under the Privacy Act: VIA updates procedures after passenger finds manifest in recycling bin" (18 June 2010), online: Office of the Privacy Commissioner of Canada

25. See discussion on disposal of personal information and best practices at "Audit Report of the Privacy Commissioner of Canada: Personal Information Disposal Practices in Selected Federal Institutions, Section 37 of the Privacy Act, Final Report 2010" (2010), online: Office of the Privacy Commissioner of Canada

26. "Key Steps for Organizations in Responding to Privacy Breaches" (28 August 2007), online: Office of the Privacy Commissioner of Canada

27. See, e.g., PIPEDA Case Summary #2008-395: Commissioner initiates safeguards complaint against CIBC (25 September 2008), online: Office of the Privacy Commissioner of Canada. In this case, the Office of the Privacy Commissioner of Canada (OPC) criticized one of Canada's largest banks, the Canadian Imperial Bank of Commerce (CIBC), for its handling of a privacy breach. The bank had shipped a disk drive containing the unencrypted personal information of more than 400,000 clients from Montreal, Quebec to Markham, Ontario. When the package arrived in Ontario, the disk drive was missing. The OPC noted that CIBC should not have waited 24 days before notifying the Montreal police of the breach.

28. The Minister of Industry, the Honourable Tony Clement, recently introduced legislation in the House of Commons that would impose a data breach notification requirement on private-sector organizations. See Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, 3rd Sess, 40th Parl, 2010, cl 10 (first reading 25 May 2010).

29. See, e.g., section 445.72 of Michigan's Identity Theft Protection Act, 2004, Act 452 (available online: Michigan Legislature), which provides that the aggregate liability of a person for civil fines for failures to provide notification arising from the same security breach may be as much as $750,000.00.

30. "Key Steps for Organizations in Responding to Privacy Breaches" (28 August 2007), online: Office of the Privacy Commissioner of Canada

31. Section 34.1 of the Personal Information Protection Act, S.A. 2003, c. P-6.5

32. Ibid, Section 37.1

33. A positive example of how to manage the after-effects of a privacy breach can be seen in the Canada Border Services Agency's handling of a recent incident. The Agency released a document to the public that accidentally included a page containing personal information belonging to other individuals. Upon discovering the breach, the Agency pledged to review its procedures and to implement a manual quality assurance process for all information it releases, so that similar breaches do not recur. See "Findings under the Privacy Act: Software glitch at border services agency triggers data breach" (18 June 2010), online: Office of the Privacy Commissioner of Canada

34. "Key Steps for Organizations in Responding to Privacy Breaches" (28 August 2007), online: Office of the Privacy Commissioner of Canada

35. Murn Meyrick, "Privacy Liability and Insurance", available online: Nymity

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
