Canada: Cybersecurity – The Legal Landscape In Canada

Last Updated: January 12 2016
Article by Lyndsay A. Wasser, Frank Palmay, Rohan Hill and Mitch Koczerginski


In Canada, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take active steps to reduce risks (or the impact of such risks when they materialize) can have serious legal and financial consequences for an organization. Therefore, it is crucial for organizations that operate in Canada (in whole or in part), or that have business partners operating in Canada, to understand this rapidly evolving area of law and governance.

The following paper provides a brief overview of the evolving Canadian landscape governing data protection and cybersecurity. The purpose of this overview is to provide an introduction to the sources of law and governance that would impact organizational decision making with respect to the development of a plan to address cybersecurity risks. Specifically, this paper introduces the statutory framework of Canadian privacy and data management laws affecting cybersecurity, the regulatory and governance framework for certain regulated organizations and institutions and the current state of relevant common law. Following a brief review of the legal landscape, we provide recommendations on how to minimize the risk of cyber threats.

Statutory Framework

In the private sector, there are a number of statutes that require organizations to protect personal information within their possession or control. Of particular importance is the Personal Information Protection and Electronic Documents Act ("PIPEDA"),1 which is the Federal legislation that applies to protection of employee personal information by federally-regulated organizations (such as banks and telecommunications companies), as well as protection of personal information in the course of commercial activities in all jurisdictions that do not have substantially similar legislation.

Currently only Alberta,2 British Columbia3 and Quebec4 have substantially similar legislation. Such provincial legislation is applicable in place of PIPEDA, and contains implicit or explicit accountability and security obligations similar to the PIPEDA obligations outlined above (although only the Alberta legislation contains breach reporting requirements).5

PIPEDA contains a number of provisions applicable to data protection and cybersecurity, including:

  • Organizations are responsible for personal information under their control and must designate an individual or individuals who are accountable for compliance with the principles set out in Schedule 1 of PIPEDA.6
  • Personal information must be protected by security safeguards appropriate to the sensitivity of the information.7
  • Security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.8
  • The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.9
  • The methods of protection should include (a) physical measures – e.g., locked filing cabinets and restricted access to offices; (b) organizational measures – e.g., security clearances and limiting access on a "need-to-know" basis; and (c) technological measures – e.g., the use of passwords and encryption.10

In June 2015, PIPEDA was amended to require that organizations notify the Office of the Privacy Commissioner of Canada (the "OPC") and affected individuals of a breach of security safeguards,11 if it is reasonable to believe in the circumstances that the breach poses a "real risk of significant harm"12 to the affected individuals. Also, organizations will be required to keep a record of all breaches. Knowingly failing to report or record a breach will be an offence punishable by fines of up to C$100,000. These new provisions have not yet come into force, but will become mandatory once the associated regulations have been enacted.

Other relevant statutory requirements/restrictions include:

  1. Almost every jurisdiction throughout Canada has specific legislation governing protection of personal health information that is collected,13 used or disclosed by health information custodians, as well as protection of personal information held by government bodies/institutions.14
  2. Certain provinces have also created statutory torts, pursuant to which individuals can bring a claim for breach of their privacy (without proof of damages).15
  3. Canada's Criminal Code16 sets out the following offences:

    • using a device willfully to intercept a private communication without the express or implied consent of the originators or intended recipient;17 and
    • intercepting fraudulently and without colour of right any function of a computer system.18
  4. Canada's Anti-Spam Law ("CASL")19 contains provisions governing software installation in the course of commercial activities, including provisions aimed at viruses and spyware, including prohibitions against:

    • installation of computer programs on another person's computer system20 without the express consent of the owner or an authorized user of that system,
    • causing a computer program to be installed without consent, and
    • having installed a computer program, causing that program to communicate with other electronic devices without the consent of the owner or authorized user.
    These prohibitions apply if the installer (or the party directing the installer) is located in Canada, or if the target computer system is located in Canada.

Finally, there are some sector-specific statutes that include provisions relevant to protection of personal information, such as provisions in the Bank Act21 that regulate use and disclosure of personal financial information by federally regulated financial institutions.

Regulatory and Governance Framework

The Office of the Superintendent of Financial Institutions ("OSFI") and the Canadian Securities Administrators ("CSA") each provide guidance to address the cybersecurity risks for organizations subject to their regulation.

1. OSFI Guidance

OSFI regulates Federally Regulated Financial Institutions ("FRFIs"), including banks, most insurance companies and federal pension plans. OSFI does not currently have in place regulations requiring specific actions by FRFIs with respect to cybersecurity. However, Guideline B-10: Outsourcing of Business Activities, Functions and Processes sets out OSFI's expectations with respect to technology-based outsourcing and informs of OSFI's expectations with respect to cybersecurity risk management.22

In 2013, OSFI released the Cybersecurity Self-Assessment Guidance for FRFIs to assess their level of preparedness and to assist in the implementation of useful cybersecurity practices.23 The template focuses on six categories for assessment: organization and resources; cyber risk and control assessment; situational awareness; threat and vulnerability risk management; cybersecurity incident management; and cybersecurity governance. In releasing the self-assessment guidance, OSFI indentified that it "expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks". In addition, OSFI released Draft Guideline E-21: Operational Risk Management in August of 2015, which proposes that FRFIs develop a framework for operational risk management based on the following four principles:24

  1. Operational risk management should be fully integrated within the FRFIs overall risk management program and appropriately documented;
  2. Operational risk management serves to support the overall corporate governance structure of the FRFI.
  3. FRFIs should ensure effective accountability for operational risk management, by using, for instance, a 'three lines of defence' approach to separate the key practices of operational risk management and provide adequate independent overview and challenge; and
  4. FRFIs should ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools.

2. CSA Guidance

The CSA is an umbrella organization of Canada's provincial and territorial securities regulators whose objective is to improve, coordinate and harmonize regulation of the Canadian capital markets. The CSA has recently identified cybersecurity as a major concern to the Canadian capital markets. On September 26, 2013, the CSA released CSA Staff Notice 11-326 titled "Cyber Security".25 The CSA emphasized the need for issuers, registrants and regulated entities to be aware of the challenges of cyber crime and take appropriate measures to safeguard themselves and their clients or stakeholders. In particular, the denial of service attacks and advanced persistent threats were identified as two major types of cyber threats that were increasing in frequency and sophistication.

In particular, in Staff Notice 11-326 the CSA suggested that:

  • Issuers, registrants and regulated entities who had not yet considered the risks of cyber crime, give consideration to how best address the risks. Suggested steps included:

    • Educating staff with respect to the importance of, and their role in, information and computer security.
    • Following guidance and best practices from industry associations and recognized security organizations.
    • Conducting regular third party vulnerability and security tests and assessments.
  • Issuers, registrants and regulated entities who had already taken steps to address the issue, should review their cybersecurity risk control measures on a regular basis.
  • Issuers should consider whether cyber crime risks, incidents, and related controls constitute matters that need to be disclosed in a prospectus or continuous disclosure filing.
  • Registrants should consider whether risk management systems provide for management of cyber crime risks in accordance with prudent business practices.
  • Regulated entities should consider the measures necessary to manage the risks of cyber crime.

Staff Notice 11-326 cautioned that the CSA "will consider these issues in its reviews of issuer disclosure and in its oversight of registrants and regulated entities."

The Common Law (Case Law)

In addition to the statutory and regulatory frameworks described above, there is an evolving body of case law in Canada that is developing in response to individual and class action claims related to privacy and data protection breaches.

For example, in January 2012, the Ontario Court of Appeal recognized a new tort of "Intrusion Upon Seclusion", whereby:

One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.26

According to the Court, a central rationale for the recognition of this new cause of action was the unprecedented power of organizations to capture and store vast amounts of personal information using modern technology. Highly sensitive personal information can now be accessed and collated with relative ease, including financial and health information as well as data related to individuals' whereabouts, communications, shopping habits and more. The Court found that the common law must evolve in response to the modern technological environment.27

Intrusion upon seclusion now frequently forms part of the allegations in lawsuits involving unauthorized access to or disclosure of personal information. Some lawsuits have also included allegations of other privacy-related torts, which have not yet been officially recognized (but have also not yet been rejected) by Canadian courts. One such tort is "publicity given to private life", a cause of action which, in other jurisdictions, has generally involved situations where a person or organization publicizes a matter concerning the private life of another person, if the matter is of a kind that would be highly offensive to a reasonable person and it is not of legitimate concern to the public.

Lawsuits involving data breaches also include more traditional allegations, such as claims of negligence, breach of contract and statutory breach (e.g., breach of consumer protection legislation).

Although individual lawsuits related to data protection and cybersecurity are possible in Canada, the bigger concern for most organizations is the rise in class action lawsuits. In Canada these lawsuits tend to fall under three broad categories: (1) employee errors; (2) employee "snooping" and other misconduct; and (3) data breaches. Examples of each are set out below.

1. Employee Errors

Some examples of class action lawsuits that involved mistakes by one or more employees of an organization include:

  • Class action lawsuits filed in several provinces following the loss of an unencrypted external hard drive containing sensitive personal information of approximately 583,000 individuals who participated in the Canada Student Loans Program, by an employee of Human Resources and Skills Development Canada.28
  • Class action lawsuits filed in Ontario and British Columbia after a mailing was sent to approximately 40,000 individuals, which identified them as participants in a federal program for access to medical marihuana.29

Although some of these class actions have not yet been certified, and none of them have yet been decided on their merits, it is clear that plaintiffs are seeking to hold organizations accountable for mistakes made by employees.

2. Employee "Snooping" and other Misconduct

In addition to cases involving mistaken loss or disclosure of personal information, Canada has seen a number of class actions following intentional unauthorized access to or disclosure of personal information by employees. For example:

  • In Newfoundland and Labrador a class action lawsuit was filed against the Health Authority after an employee allegedly accessed approximately 1,043 medical records without authorization;30
  • In Ontario a class action has been filed alleging that employees of the Peterborough Regional Health Centre accessed patients' personal health information and distributed it to third parties without their consent;31 and
  • In Ontario a class action was filed after a mortgage officer gave customers' confidential information to his girlfriend who then distributed it to persons who used it to commit identity theft and fraud.32

The above is just a sampling of the class actions that have been filed following employee "snooping" or other misconduct. The extent to which courts will hold organizations vicariously liable for this type of employee misconduct is still unsettled law in Canada.

3. Data breaches

Class action lawsuits were filed in 2014, in Quebec and Ontario, following data breaches affecting Target and Home Depot.33

More recently, in August 2015, class proceedings were commenced in Ontario following the high profile cyber attack targeting the dating website Ashley Madison. The plaintiffs have alleged that Ashley Madison's parent companies, Avid Dating and Avid Life, are liable to the representative plaintiff and class members for breach of contract, breach of Ontario's Consumer Protection Act,34 negligence, intrusion upon seclusion, breach of privacy, and publicity given to private life, and the plaintiffs are seeking general damages in the amount of $750 million dollars, special damages (including for mental distress, emotional upset, anguish, anxiety and depression) and punitive damages of $10 million dollars. The plaintiffs have alleged that Ashley Madison failed to exercise reasonable care or take reasonable or appropriate steps to safeguard member data before or after breach, failed to disclose the breach in a timely and transparent manner and made false representations, or breached contract, with respect to the companies' paid data deletion service.

Although this action is still at a very early stage, it will be useful to monitor this litigation to see whether and to what extent courts will hold organizations responsible for data breaches.

Reducing Legal Risk

Liability for insufficient or ineffective cybsersecurity practices can arise in a number of ways. Breaches of the various statutes discussed above may result in complaints filed by groups or individuals, as well as audits or investigations initiated by the relevant privacy commissioner or other regulatory body. Penalties under the various statutes vary, but can include substantial fines in some cases, as well as prosecution of individual offenders. In addition, the regulators can disclose the identity of organizations that are prosecuted or investigated, which can result in harm to the organization's reputation. Civil disputes respecting cybersecurity issues may result in lengthy and expensive class action litigation, potentially large damage awards or settlement costs, and significant reputational harm.

Therefore, organizations should conduct an audit of their existing cybersecurity status, including an evaluation of: (i) who and what is connected to their systems and networks; (ii) what is running on their systems and networks; and (iii) whether they have technology in place to prevent most breaches, rapidly detect breaches that do occur, and minimize the damage of such breaches (e.g., automatic shutdown when data leaks are detected).

Organizations should also take into account the advice of cybersecurity experts. For example, the Australian Government's Department of Defence (along with other cyber experts)35 has suggested the following four mitigation strategies, which it has found can significantly reduce the risk of a cyber intrusion:36

  1. Application whitelisting
  2. Timely patching of applications
  3. Timely patching of operating system
  4. Minimize administrative privileges

Still, despite an organization's best efforts, it is not possible to entirely eliminate the risk of a successful cyber attack. Therefore, organizations may wish to consider insurance options to mitigate the risk of financial loss as a result of cyber attacks.


With cyber attacks regularly featuring in headline news, and class action lawsuits proliferating at an alarming speed, all organizations would be well advised to consider the state of their "cyber hygiene" and takes steps to remedy any deficiencies.

Cybersecurity is an area that requires a multi-disciplinary approach, with input from a variety of experts. Therefore, a cyber audit will necessarily involve an evaluation of an organization's information technology systems, but must also include consideration of applicable legal and regulatory requirements as well as options to reduce or mitigate risks (including insurance options). Although this will require an initial investment of time and resources, organizations that fail to actively address cyber risk may be exposed to serious reputational, financial and legal repercussions if and when a data breach occurs.

McMillan Cybersecurity Article Series


1 Personal Information Protection and Electronic Documents Act, SC 2000, c 5

2 Personal Information Protection Act, SA 2003, c P-6.5.

3 Personal Information Protection Act, SBC 2003, c 63.

4 An Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1.

5 Manitoba has also passed The Personal Information Protection and Identity Theft Prevention Act, SM2013, C.17, but as at the date of writing this legislation was not yet in force.

6 PIPEDA Schedule 1, Article 4.1

7 PIPEDA Schedule 1, Article 4.7

8 PIPEDA Schedule 1, Article 4.7.1

9 PIPEDA Schedule 1, Article 4.7.2.

10 PIPEDA Schedule 1, Article 4.7.3.

11 "Breach of security safeguards" means "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 or from failure to establish those safeguards. PIPEDA, s.2(1).

12 Defined to include "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. PIPEDA, s.10.1(7).

13 Every jurisdiction other than Prince Edward Island.

14 The Federal public sector legislation is the Privacy Act, RSC 1985, c P-21.

15 i.e., British Columbia, Manitoba, Newfoundland and Saskatchewan

16 An Act respecting the Criminal Law, R.S.C., 1985, c. C-46 (the "Criminal Code").

17 Criminal Code at s.184.

18 Ibid at s.342.1.

19 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. S.C. 2010, c. 23.

20 Broadly defined, and would include smartphones, tablets, desktops and laptops, wearable technology, and smart cars and appliances.

21 Bank Act, SC 1991, c 46 ("Bank Act").

22 See

23 See

24 See

25 See

26 Jones v. Tsige, 2012 ONCA 32.

27 Ibid.

28 See for example Condon v. Canada, 2015 FCA 159.

29 See for example John Doe and Suzie Jones v. Her Majesty the Queen., which includes the novel tort "publicity given to private life".

30 Hynes v. Western Regional Integrated Health Authority, 2014 CanLII 67125.

31 Hopkins v. Kay, 2014 ONSC 321.

32 Evans v. The Bank of Nova Scotia, 2014 ONSC 2135.

33 See, for example, Zuckerman c. Target Corporation, 2015 QCCS 1285 and Lozanski v. The Home Depot Inc., CV-14-51262400CP (Ont. Sup. Ct.).

34 Consumer Protection Act, 2002, S.O. 2002, c. 30, Sched. A.

35 These four mitigation strategies have also been emphasized by the Council on Cyber Security, in its paper "The Critical Security Controls for Effective Cyber Defense", as being amongst the "First Five Quick Wins" that will have the most immediate impact on preventing cyber attacks. See: The fifth "quick win" emphasized by the Council on Cyber Security is "use of standard, secure system configurations."

36 See for more information on these mitigation strategies. These four mitigation strategies have also been emphasized by the Council on Cyber Security, in its paper "The Critical Security Controls for Effective Cyber Defense", as being amongst the "First Five Quick Wins" that will have the most immediate impact on preventing cyber attacks. See: The fifth "quick win" emphasized by the Council on Cyber Security is "use of standard, secure system configurations."

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2016

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Lyndsay A. Wasser
Frank Palmay
Rohan Hill
In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.