Canada: The New Face Of Commercial Crime - Cybersecurity Risks For Companies And Their Directors

Last Updated: February 10 2016
Article by Ruth Promislow and Lauren R. Shneer

The threat of commercial crime against companies is transforming. Technology has created new and innovative ways for fraudsters to exploit individuals and companies through cyber attacks. This new face of fraud can give rise to massive liability issues for a company and its directors following the theft of personal data held by the company.

In order to navigate this new terrain of litigation risks, companies and their directors should understand the evolving scope and nature of potential liability from a cyber attack.

Background

Computer hacking is nothing new. The Hackers Handbook was published more than 30 years ago,1 and the U.S. Congress passed the Computer Fraud and Abuse Act shortly thereafter.2 The hacktivist group, Anonymous, was formed more than a decade ago.3 Five years later, Anonymous hacked the Church of Scientology and disseminated stolen private documents across the Internet.4

Over the last few years, however, there have been several large-scale cyber attacks on sophisticated corporations in both the United States and Canada, giving rise to significant civil and regulatory liability issues for those companies and their directors:

  • In December 2013, a cyber attack on Target Corp. resulted in the exposure of personal and financial information of somewhere between 70 and 110 million customers.5 As a result of this breach, Target's profit fell by 46 percent in its fourth fiscal quarter of 2013 in the United States alone.6 Between lawsuits started by financial service-providers (such as Visa and MasterCard) and customers, Target ultimately spent over $110 million combined in civil settlements.7
  • In December 2013, cyber-hackers gained unauthorized access to the data-systems of Excellus BlueCross BlueShield, a nonprofit independent licensee of the BlueCross Blue Shield Association.8 The personal health data of more than 10 million members and patients was compromised, which included names, birth dates, social security numbers, member identification numbers, financial account information and claims information. As of November 2015, at least 12 lawsuits had been filed against the Rochester-based health insurer, its parent company, Lifetime HealthCare, and other Lifetime subsidiaries.9
  • In January 2014, news broke of an attack on American retailer Neiman Marcus, whereby its hackers obtained all debit and credit card information held by the company over a three-month period. Ultimately, 350,000 customers were affected by the hack. A class action against the company in the United States is pending.10
  • In September 2014, the largest home-improvement retailer, The Home Depot, confirmed it had been the victim of a data hack, whereby more than 53 million email addresses and credit-card numbers were stolen from customers across the United States and Canada. The company has since confirmed it is facing "at least" 44 civil lawsuits in connection with the breach, in addition to a spate of regulatory investigations.11  
  • In November 2014, the notorious cyber-attack on Sony Pictures Entertainment Inc. wiped out the company's internal data centers and led to the cancellation of the theatrical release of "The Interview," a comedy about the fictional assassination of the North Korean leader, Kim Jong-un. Contracts, salary lists, film budgets, entire films and social security numbers were stolen. Sensitive personal emails were leaked. Sony ultimately agreed to pay up to $8 million to employees who alleged their personal data had been stolen.12
  • In December 2014, the Ontario Information Privacy Commissioner issued an order against Rouge Valley Health System's Scarborough Centenary Hospital, finding that there had been two major privacy breaches regarding new mothers' personal health information, which were stolen from the hospital's maternity ward.13 The hospital now faces a $400 million class action suit brought on behalf of patients.14
  • In February 2015, the American health insurer, Anthem Inc., was targeted by cyber-hackers, who compromised the personal and financial information of tens of millions of the company's customers and employees, including their names, social security numbers, birthdays, addresses, and income data. At least 26 lawsuits have since been commenced against Anthem.15
  • In July 2015, a hacker-group called the Impact Team announced it had obtained the user-data of infidelity website Ashley Madison's 39 million members. When Toronto-based parent company, Avid Life Media, Inc. refused to shut down the website, the cyber-hackers exposed the usernames and credit-card transactions of Ashley Madison's executives, and thereafter, of its members. Avid Life now faces class action claims for over $750 million, in addition to pending regulatory investigations.16

These high-profile cyber attacks are warning signs that large scale data breaches pose very real threats to corporations and their directors. Data breaches should be viewed as an inevitable business risk for which companies must prepare. In order for companies and directors to understand the nature of the risks involved, it is instrumental for them to understand how they may be found liable.

Scope of Liability Arising from a Data Breaches

Depending on the nature of the attack, company and director liability could arise from: (1) claims by regulators; (2) claims by shareholders; (3) claims by victims; and/or (4) claims by banks and/or credit card issuers.

Within each category, liability may arise from the company's failure to take reasonable steps to prevent a data breach and/or its failure to adequately respond to the breach. Each area of exposure is summarized below.

1. Regulatory Investigations/Proceedings

The Office of the Privacy Commissioner of Canada

The Personal Information Protection and Electronic Documents Act17 (PIPEDA or the Act) functions to regulate "commercial organizations" that collect, use, or disclose "personal information".18

PIPEDA came into force on January 1, 2000, and was most recently amended on June 18, 2015, by the Digital Privacy Act (certain provisions of which have not yet come into force).19 The Act is overseen and implemented by the Office of the Privacy Commissioner of Canada.

PIPEDA's main objective is to safeguard individual privacy rights and minimize the unauthorized use or abuse of personal information (including financial information), by governing the conduct of commercial organizations. Organizations governed by PIPEDA are required to manage, protect and safeguard the personal information.20 Under the Act, organizations must, among other things:

  • only use or disclose personal information for the purpose for which it was collected;
  • only keep personal information as long as necessary to satisfy the purpose for which it was collected;
  • implement guidelines and procedures for the retention and destruction of personal information; and
  • protect personal information from unauthorized access, disclosure, copying, use, or modification.

Under the new provisions of the Digital Privacy Act, commercial organizations will also be required to:21

  • notify individuals and organizations of breaches that create a "real risk of significant harm", and report such breaches to the Commissioner;
  • keep and maintain a record of every breach of security safeguards involving personal information under their control.

Under these new provisions, organizations that knowingly fail to report a breach to the Commissioner, or fail to notify individuals as required, could face fines of up to $100,000 per breach – which may mean $100,000 multiplied by the number of individuals whose information has been compromised.

The Commissioner may initiate proceedings against commercial organizations before the Federal Court. If the Federal Court finds an organization non-compliant, it can:

  • order the offending organization to take corrective measures;
  • publish a notice of their corrective measures; and/or
  • award damages to complainants.

Competition Bureau – Regulation of Unfair or Deceptive Practices

Considering the sanctions imposed by the Federal Trade Commission (FTC) in the United States, there is a prospect that organizations in Canada could face regulatory claims brought by the Competition Bureau. In the United States, the FTC has brought more than 50 enforcement actions against American companies for failing to adequately safeguard the personal information of consumers. The FTC has levied fines of up to $22.5 million (on Google Inc., for the 2012 data breach).22 The FTC has been pushing for greater authority to regulate the cybersecurity practices of companies based on its legal mandate to regulate unfair and deceptive practices.23

For example, in connection with the Wyndham Worldwide Corp. security breach, the FTC sued Wyndham claiming its online privacy policy – which promised to "safeguard our customers' personally identifiable information" using "industry standard practices" – was deceptive. The FTC alleged that contrary to this policy, Wyndham did not use commercially reasonable methods for protecting consumer data.24 Wyndham sought to strike the action on the basis that the FTC authority to regulate unfair or deceptive practices did not extend to the regulation of cyber security matters. The Third Circuit Court of Appeals upheld the decision of the district court, finding that FTC has jurisdiction with respect to data security practices.25

In Canada, the Competition Bureau investigates and oversees complaints of unfair or deceptive practices and enforces the provisions of the Competition Act.26 If the Competition Bureau finds a company non-compliant, it can initiate enforcement proceedings before the Competition Tribunal or before a civil court. Upon application by the Commissioner of Competition, the court can order a corporation with unfair or deceptive practices to pay an administrate penalty of up to $10 million and, for each subsequent order against that corporation, an amount of up to $15 million.27

To date, there have not been any reported attempts by the Competition Bureau to regulate cyber security matters based on its authority to regulate unfair or deceptive practices. However, given the approach by the FTC, the risk should not be ruled out.

Securities Regulators

If an organization subject to a data breach is a reporting issuer, it could potentially face regulatory prosecutions brought by securities commissions, including the Ontario Securities Commission (OSC).

In Ontario, the OSC administers and enforces the Ontario Securities Act.28 The OSC's stated mandate is to "provide protection to investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets and confidence in capital markets".29 Section 122(1)(a) of the Securities Act, for instance, makes it an offense for an organization to make "misleading or untrue" statements to the public, or to fail to disclose a fact "that is required to be stated or that is necessary to make the statement not misleading".30

Under this provision, a data hack could conceivably expose a company to large regulatory penalties. For example, if a reporting issuer promised to safeguard its customers' data using industry-standard practices, but then failed to live up to its representations, the OSC could technically initiate investigations or proceedings under section 122(1)(a). Under the Securities Act, the OSC is empowered to seek fines of up to $5 million for contraventions of Ontario securities law – including contraventions of section 122(1)(a).31

2. Claims by Shareholders

In connection with a data breach, a company's shareholders could potentially bring an action against the corporation itself or against its directors (through a derivative claim, or depending on the case, a direct claim for oppression). To date, there have not been any shareholder actions litigated in Canada arising from a cyber breach. However, the litigation faced by companies and principals in the United States may be instructive.

In connection with the Target data breach, Target's shareholders filed at least four derivative action suits, which were consolidated and brought before the District Court of Minnesota in 2014.32 The shareholders alleged that, among other things, Target's directors and officers failed to "maintain proper internal controls" or take adequate steps to prevent the attack. They also alleged that Target failed to properly notify customers about the scope of the breach after it occurred. The shareholders sought damages arising from, among other things, amounts incurred by Target from defending the various class action suits and regulatory investigations.33

In connection with the Wyndham data breaches referenced above,34 Wyndham shareholders sued the company's directors and officers (through a derivative suit) for failing to take reasonable steps to maintain their customers' personal and financial information in a secure manner, and for failing to disclose the breaches to shareholders in a timely manner.35 The action was dismissed on factual grounds. Specifically, the court noted that the board of directors had met before the breach on numerous occasions to discuss and implement cybersecurity procedures, and had held 14 quarterly meetings after the breach to discuss the response to the attack, including the adoption of security enhancements.36 While the outcome was a good one for the company and its directors, this case highlights the risks that companies and directors may face in similar circumstances.

3. Claims by Victims

Victims of a cyber breach whose data has been compromised or misappropriated are likely litigants against companies and their directors. The high profile data breaches in Canada and the United States demonstrate the scope, scale and magnitude of potential attacks. There could be millions of individual victims whose personal or financial information is exposed.

In seeking damages against a company, a victim does not need to prove specific damages arising from the data breach. The Ontario Court of Appeal has held that intrusion upon seclusion is a tort for which damages may be awarded up to $20,000.37 Given the potential number of customers/employees whose data could be compromised from a cyber attack, this exposure can be significant. In addition to the tort of intrusion upon seclusion, there are potential damages that arise from a cyber attack, such as costs associated with identity theft.

In Canada, high profile cases involving claims by victims include:

  • Ashley Madison: A $760-million class action has been commenced in Ontario against Avid Life Media.38 The plaintiffs claim damages for, among other things, costs incurred to prevent identity theft, increased risk of identity theft, mental distress, emotional upset, anguish, anxiety and depression, lost time, inconvenience, and frustration.
  • Bank of Nova Scotia: A class action was commenced asserting unspecified damages against the Bank of Nova Scotia by customers whose confidential information was breached by a bank employee. The plaintiff class claims damages for, among other things, intrusion upon seclusion, inconvenience, discomfort, distress and aggravation. In the alternative, the plaintiff class seeks damages pursuant to the doctrine of waiver of tort, which are calculated by requiring the Bank to disgorge its profits during the relevant period of time. The action was certified as a class action in 2014. Leave to appeal from that decision was dismissed later that year.39
  • Target: A class action is pending against Target in Quebec for compensable damages. While the action was initially dismissed on jurisdictional grounds, it was reinstated by the Quebec Court of Appeal.40 The representative plaintiff has sought damages for fear, stress, inconvenience and loss of time due to the necessity of monitoring more closely his monthly statements of accounts. In the United States, there were more than 80 class actions instituted as a result of the Target data breach.41

4. Claims by Credit Card Issuers/Banks

A cyber attack may also give rise to claims by networks such as Visa or MasterCard or related financial institutions in connection with the costs incurred by those financial institutions for the cost of replacing credit cards and reimbursing fraudulent transactions.

A 2007 data breach involving TJX Companies stores – brands like T.J. Maxx and Marshalls – involved the compromise of at least 46 million customers' information. In the face of claims by Visa, TJX agreed to fund up to $40.9 million42 for payments to certain financial institutions. TJX also settled with MasterCard for approximately $20 million.43

Conclusion

While the risk of a cyber attack and the corresponding claims for damages cannot be eliminated, it can be managed.

Companies should prepare and implement a data breach plan that includes steps for resisting and responding to cyber attacks. Directors should be engaged with this process. In the aftermath of an attack, there is no time to waste on last-minute plans.

A central component of the response plan should involve immediate consultation with counsel regarding a number of critical matters such as:

  • whether the law requires notice to be given to third parties of the breach and if not required, whether it is advisable to do so in any event;
  • the content of the notice so that required information is included and because the content of the notice could later be used against the company in litigation by those individuals whose information has been compromised;
  • whether a press release should be issued and regarding the content of the press release;
  • an internal investigation to determine how the breach occurred so that steps can be taken to contain the breach and rectify the weakness in the system. The investigation should be overseen by external counsel so that solicitor/client privilege remains over the investigation report and witness statements;
  • what steps are necessary to contain the effects of the breach and to prevent any further breach; and
  • cross-border implications of the data breach.

Companies and their directors should consult with counsel on a routine basis in order to ensure that their data breach plan factors in the evolving legal requirements or standards expected of companies.

Further, in the event of an attack, it is imperative for companies to consult with counsel as soon as possible, in order to avoid any legal missteps that could result in increased litigation claims and/or greater financial consequences.

Footnotes

1 Hugo Cornwall, The Hacker's Handbook (London: E Arthur Brown, 1985).

2 Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986).

3 Around 2004, users on an online discussion board called 4chan started referring to their hacker collective as "Anonymous". David Kushner, "The Masked Avengers: How Anonymous incited online vigilantism from Tunisia to Ferguson", The New Yorker (8 September 2014) online: http://www.newyorker.com/magazine/2014/09/08/masked-avengers.

4 Claudine Beaumont, "Hackers wage web war on Scientologists", The Telegraph (4 February 2008) online: http://www.telegraph.co.uk/technology/3356210/Hackers-wage-web-war-on-Scientologists.html.

5 Anthony Wing Kosner, "Actually Two Attacks In One, Target Breach Affected 70 to 110 Million Customers", Forbes (17 January 2014) online: http://www.forbes.com/sites/anthonykosner/2014/01/17/actually-two-attacks-in-one-target-breach-affected-70-to-110-million-customers/#2715e4857a0b322a17db596e.

6 See Maggie McGrath, "Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming", Forbes (26 February 2014) online: http://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming/#2715e4857a0b4f7c6cc35e8c. See also Jim Finkle, "Exclusive: Cybercrime firm says uncovers six active attacks on U.S. merchants", Reuters (17 January 2014) online: http://www.reuters.com/article/us-target-databreach-idUSBREA0G18P20140117.

7 Ahiza Garcia, "Target settles for $39 million over data breach" CNN Money, (2 December 2015) online: http://money.cnn.com/2015/12/02/news/companies/target-data-breach-settlement/.

8 As published on the company's website, "Notice of Cyberattack Affecting Excellus BlueCross Blueshield", Excellus BlueCross Blueshield (18 January 2015), online: http://www.excellusfacts.com/.

9 Joanne Finnegan, "Excellus BCBS still unclear Anthem faces lawsuits over data breach", Fierce Health Payer (13 July 2015) online: http://www.fiercehealthpayer.com/story/anthem-slammed-lawsuits-due-data-breach/2015-07-13.

10 Alison Frankel, "The 7th Circuit just made it a lot easier to sue over data breaches", Reuters (21 July 2015) online: http://blogs.reuters.com/alison-frankel/2015/07/21/the-7th-circuit-just-made-it-a-lot-easier-to-sue-over-data-breaches.

11 See The Home Depot, Press Release, "The Home Depot Reports Findings in Payment Data Breach Investigation", (6 November 2014) online: https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf. See also Michael Calia, "Home Depot Facing at Least 44 Civil Suits in Data Breach", The Wall Street Journal, (25 November 2014) online: http://www.wsj.com/articles/home-depot-facing-at-least-44-civil-suits-in-data-breach-1416917359.

12 See Sony Corporation, News Release, "Consolidated Financial Results Forecast for the Third Quarter Ended December 31, 2014, and Revision of Consolidated Forecast for the Fiscal Year Ending March 31, 2015", (4 February 2015) online : http://www.sony.net/SonyInfo/IR/library/fr/150204_sony.pdf. See also Edvard Pettersson, "Sony to Pay as Much as $8 Million to Settle Data-Breach Case", Bloomberg Business (20 October 2015) online: http://www.bloomberg.com/news/articles/2015-10-20/sony-to-pay-as-much-as-8-million-to-settle-data-breach-claims.

13 Information and Privacy Commissioner of Ontario, News Release, "Rouge Valley Health System Failed to Protect Patient Health Information", (16 December, 2014) online: https://www.ipc.on.ca/images/Resources/2014-12-16-HO-013-e_1.pdf.

14 Joel Eastwood, "Rouge Valley faces $400M class-action lawsuit over privacy breach", Toronto Star (25 June 2014) online: http://www.thestar.com/news/gta/2014/06/25/rouge_valley_faces_400m_classaction_lawsuit_over_privacy_breach.html. Note that, because of the provisions of the Personal Health Information Protection Act, the company had to notify patients of the privacy breach, which was confirmed in early July 2014.

15 See Danny Yadron and Melinda Beck, "Health Insurer Anthem Didn't Encrypt Data in Theft", The Wall Street Journal (5 February 2015) online: http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560. See also Dori Zweig, "Anthem faces lawsuits over data breach", Fierce Health Payer (13 July 2015) online: http://www.fiercehealthpayer.com/story/anthem-slammed-lawsuits-due-data-breach/2015-07-13.

16 See Sadaf Ahsan, "$750M class-action lawsuit filed against Ashley Madison on behalf of Canadian subscribers following data leaks", National Post (20 August 2015) online: http://news.nationalpost.com/news/750m-class-action-lawsuit-filed-against-ashley-madison-on-behalf-of-all-canadians-following-data-leaks. See also Chris Isidore and David Goldman, "Ashley Madison hackers post millions of customer names", CNN Money, (19 August 2015) online: http://money.cnn.com/2015/08/18/technology/ashley-madison-data-dump/.

17 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA).

18 PIPEDA, ibid, at ss. 2(a), under which "personal information" is defined as "information about an identifiable individual".

19 As a result of the Digital Privacy Act, S.C. 2015, c. 32.

20 PIPEDA, supra note 17 at ss. 5-10 and Schedule 1,which sets out ten principles with which commercial organizations must comply, including: accountability, consent, accuracy, and safeguards.

21 While all other new provisions came into force upon the Act gaining Royal Assent, those dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and implemented.

22 Josh Ladeau, "The FTC: What You Need To Know About one of the Most Relentless Federal Cyber Regulators", Advisen Insurance Intelligence (3 June 2015) online: http://www.advisenltd.com/wp-content/uploads/2015/06/the-ftc-report-2015-06-03.pdf.

23 Ontario Securities Commission, "About", (21 January 2015) online: https://www.osc.gov.on.ca/en/About_about_index.htm.

24 Federal Trade Commission v. Wyndham Worldwide Corporation, Case No. 14-3514 (3d Cir. 2015).

25 Ibid.

26 Competition Act, RSC 1985, c C-34, at s. 74.01.

27 Ibid at ss. 74.1(1)(c)(ii).

28 Securities Act, RSO 1990, c S.5 (Securities Act).

29 Ontario Securities Commission, supra note 23.

30 Securities Act, supra note 28 at ss. 21(1)(a).

31 Securities Act, supra note 28 at ss. 122 (1)(c).

32 In Re Target Corp. Customer Data Sec. Breach Litig., Case No. 14-cv-00203 (D. Minn. 2014).

33 See Complaint at 3 ¶ 7, Kulla, No. 14-cv-00203-PAM-JJK (D. Minn. 2014); also see Complaint at 6 ¶ 12, Collier, No. 14-cv-00266-PAM-JJK (D. Minn. Jan 29, 2014).

34 Vedder Price, Newsletter/Bulletin, "Lessons from the Dismissal of Wyndham Shareholders Derivative Action", (19 November 2014) online: http://www.vedderprice.com/lessons-from-dismissal-of-wyndham-shareholders-derivative-action/.

35 Palkon v Holmes, Case No. 2:14-cv-01234 (D.N.J. 2014).

36 Brenda R. Sharton, Gerard M Stegmaier and Goodwin Procter, "Breaches in the boardroom: What directors and officers can do to reduce the risk of personal liability for data security breaches", Thomson Reuters online: http://legalsolutions.thomsonreuters.com/law-products/news-views/corporate-counsel/breaches-in-the-boardroom-what-directors-and-officers-can-do-to-reduce-the-risk.

37 Jones v Tsige, 2012 ONCA 32.

38 Statement of Claim, Court File No. CV-15-22622CP.

39 Evans v The Bank of Nova Scotia, 2014 ONSC 7249 (Sup Ct).

40 See Zuckerman v Target Corporation, Québec Superior Court (Court File No. 500-06-000686-143, 2014). See also "Quebec Court of Appeal sends Target data breach class action jurisdiction application back to lower courts", Canadian IT Law Association (25 November 2015) online: http://www.it-can.ca/2015/11/25/quebec-court-of-appeal-sends-target-data-breach-class-action-jurisdiction-application-back-to-lower-courts/.

41 Zuckerman v Target Corporation, 2015 QCCS 1285.

42 The TJX Companies, Inc., Press Release, "The TJX Companies, Inc. Announces Settlement Agreement with Visa U.S.A. Inc. and Visa Inc.; Estimated Costs Already Reflected in Previously Announced Charge", (30 November 2007) online: http://investor.tjx.com/phoenix.zhtml?c=118215&p=irol-newsArticle_pf&ID=1082977.

43 Robin Sidel, "Target Nears Settlement With MasterCard Over Data Breach", The Wall Street Journal (14 April 2015) online: http://www.wsj.com/articles/target-nears-settlement-with-mastercard-over-data-breach-1429050238.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Ruth Promislow
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions