Canada: The New Face Of Commercial Crime - Cybersecurity Risks For Companies And Their Directors

Last Updated: February 10 2016
Article by Ruth Promislow and Lauren R. Shneer

The threat of commercial crime against companies is transforming. Technology has created new and innovative ways for fraudsters to exploit individuals and companies through cyber attacks. This new face of fraud can give rise to massive liability issues for a company and its directors following the theft of personal data held by the company.

In order to navigate this new terrain of litigation risks, companies and their directors should understand the evolving scope and nature of potential liability from a cyber attack.


Computer hacking is nothing new. The Hacker's Handbook was published more than 30 years ago,1 and the U.S. Congress passed the Computer Fraud and Abuse Act shortly thereafter.2 The hacktivist group, Anonymous, was formed more than a decade ago.3 Five years later, Anonymous hacked the Church of Scientology and disseminated stolen private documents across the Internet.4

Over the last few years, however, there have been several large-scale cyber attacks on sophisticated corporations in both the United States and Canada, giving rise to significant civil and regulatory liability issues for those companies and their directors:

  • In December 2013, a cyber attack on Target Corp. resulted in the exposure of personal and financial information of somewhere between 70 and 110 million customers.5 As a result of this breach, Target's profit fell by 46 percent in its fourth fiscal quarter of 2013 in the United States alone.6 Between lawsuits started by financial service-providers (such as Visa and MasterCard) and customers, Target ultimately spent over $110 million combined in civil settlements.7
  • In December 2013, cyber-hackers gained unauthorized access to the data-systems of Excellus BlueCross BlueShield, a nonprofit independent licensee of the BlueCross Blue Shield Association.8 The personal health data of more than 10 million members and patients was compromised, which included names, birth dates, social security numbers, member identification numbers, financial account information and claims information. As of November 2015, at least 12 lawsuits had been filed against the Rochester-based health insurer, its parent company, Lifetime HealthCare, and other Lifetime subsidiaries.9
  • In January 2014, news broke of an attack on American retailer Neiman Marcus, whereby its hackers obtained all debit and credit card information held by the company over a three-month period. Ultimately, 350,000 customers were affected by the hack. A class action against the company in the United States is pending.10
  • In September 2014, the largest home-improvement retailer, The Home Depot, confirmed it had been the victim of a data hack, whereby more than 53 million email addresses and credit-card numbers were stolen from customers across the United States and Canada. The company has since confirmed it is facing "at least" 44 civil lawsuits in connection with the breach, in addition to a spate of regulatory investigations.11  
  • In November 2014, the notorious cyber-attack on Sony Pictures Entertainment Inc. wiped out the company's internal data centers and led to the cancellation of the theatrical release of "The Interview," a comedy about the fictional assassination of the North Korean leader, Kim Jong-un. Contracts, salary lists, film budgets, entire films and social security numbers were stolen. Sensitive personal emails were leaked. Sony ultimately agreed to pay up to $8 million to employees who alleged their personal data had been stolen.12
  • In December 2014, the Ontario Information Privacy Commissioner issued an order against Rouge Valley Health System's Scarborough Centenary Hospital, finding that there had been two major privacy breaches regarding new mothers' personal health information, which were stolen from the hospital's maternity ward.13 The hospital now faces a $400 million class action suit brought on behalf of patients.14
  • In February 2015, the American health insurer, Anthem Inc., was targeted by cyber-hackers, who compromised the personal and financial information of tens of millions of the company's customers and employees, including their names, social security numbers, birthdays, addresses, and income data. At least 26 lawsuits have since been commenced against Anthem.15
  • In July 2015, a hacker-group called the Impact Team announced it had obtained the user-data of infidelity website Ashley Madison's 39 million members. When Toronto-based parent company, Avid Life Media, Inc. refused to shut down the website, the cyber-hackers exposed the usernames and credit-card transactions of Ashley Madison's executives, and thereafter, of its members. Avid Life now faces class action claims for over $750 million, in addition to pending regulatory investigations.16

These high-profile cyber attacks are warning signs that large-scale data breaches pose very real threats to corporations and their directors. Data breaches should be viewed as an inevitable business risk for which companies must prepare. In order for companies and directors to understand the nature of the risks involved, it is essential for them to understand how they may be found liable.

Scope of Liability Arising from a Data Breach

Depending on the nature of the attack, company and director liability could arise from: (1) claims by regulators; (2) claims by shareholders; (3) claims by victims; and/or (4) claims by banks and/or credit card issuers.

Within each category, liability may arise from the company's failure to take reasonable steps to prevent a data breach and/or its failure to adequately respond to the breach. Each area of exposure is summarized below.

1. Regulatory Investigations/Proceedings

The Office of the Privacy Commissioner of Canada

The Personal Information Protection and Electronic Documents Act17 (PIPEDA or the Act) functions to regulate "commercial organizations" that collect, use, or disclose "personal information".18

PIPEDA came into force on January 1, 2000, and was most recently amended on June 18, 2015, by the Digital Privacy Act (certain provisions of which have not yet come into force).19 The Act is overseen and implemented by the Office of the Privacy Commissioner of Canada.

PIPEDA's main objective is to safeguard individual privacy rights and minimize the unauthorized use or abuse of personal information (including financial information), by governing the conduct of commercial organizations. Organizations governed by PIPEDA are required to manage, protect and safeguard personal information.20 Under the Act, organizations must, among other things:

  • only use or disclose personal information for the purpose for which it was collected;
  • only keep personal information as long as necessary to satisfy the purpose for which it was collected;
  • implement guidelines and procedures for the retention and destruction of personal information; and
  • protect personal information from unauthorized access, disclosure, copying, use, or modification.

Under the new provisions of the Digital Privacy Act, commercial organizations will also be required to:21

  • notify individuals and organizations of breaches that create a "real risk of significant harm", and report such breaches to the Commissioner;
  • keep and maintain a record of every breach of security safeguards involving personal information under their control.

Under these new provisions, organizations that knowingly fail to report a breach to the Commissioner, or fail to notify individuals as required, could face fines of up to $100,000 per breach – which may mean $100,000 multiplied by the number of individuals whose information has been compromised.

The Commissioner may initiate proceedings against commercial organizations before the Federal Court. If the Federal Court finds an organization non-compliant, it can:

  • order the offending organization to take corrective measures;
  • publish a notice of their corrective measures; and/or
  • award damages to complainants.

Competition Bureau – Regulation of Unfair or Deceptive Practices

Considering the sanctions imposed by the Federal Trade Commission (FTC) in the United States, there is a prospect that organizations in Canada could face regulatory claims brought by the Competition Bureau. In the United States, the FTC has brought more than 50 enforcement actions against American companies for failing to adequately safeguard the personal information of consumers. The FTC has levied fines of up to $22.5 million (on Google Inc., for the 2012 data breach).22 The FTC has been pushing for greater authority to regulate the cybersecurity practices of companies based on its legal mandate to regulate unfair and deceptive practices.23

For example, in connection with the Wyndham Worldwide Corp. security breach, the FTC sued Wyndham claiming its online privacy policy – which promised to "safeguard our customers' personally identifiable information" using "industry standard practices" – was deceptive. The FTC alleged that contrary to this policy, Wyndham did not use commercially reasonable methods for protecting consumer data.24 Wyndham sought to strike the action on the basis that the FTC's authority to regulate unfair or deceptive practices did not extend to the regulation of cyber security matters. The Third Circuit Court of Appeals upheld the decision of the district court, finding that the FTC has jurisdiction with respect to data security practices.25

In Canada, the Competition Bureau investigates and oversees complaints of unfair or deceptive practices and enforces the provisions of the Competition Act.26 If the Competition Bureau finds a company non-compliant, it can initiate enforcement proceedings before the Competition Tribunal or before a civil court. Upon application by the Commissioner of Competition, the court can order a corporation with unfair or deceptive practices to pay an administrative penalty of up to $10 million and, for each subsequent order against that corporation, an amount of up to $15 million.27

To date, there have not been any reported attempts by the Competition Bureau to regulate cyber security matters based on its authority to regulate unfair or deceptive practices. However, given the approach by the FTC, the risk should not be ruled out.

Securities Regulators

If an organization subject to a data breach is a reporting issuer, it could potentially face regulatory prosecutions brought by securities commissions, including the Ontario Securities Commission (OSC).

In Ontario, the OSC administers and enforces the Ontario Securities Act.28 The OSC's stated mandate is to "provide protection to investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets and confidence in capital markets".29 Section 122(1)(a) of the Securities Act, for instance, makes it an offense for an organization to make "misleading or untrue" statements to the public, or to fail to disclose a fact "that is required to be stated or that is necessary to make the statement not misleading".30

Under this provision, a data hack could conceivably expose a company to large regulatory penalties. For example, if a reporting issuer promised to safeguard its customers' data using industry-standard practices, but then failed to live up to its representations, the OSC could technically initiate investigations or proceedings under section 122(1)(a). Under the Securities Act, the OSC is empowered to seek fines of up to $5 million for contraventions of Ontario securities law – including contraventions of section 122(1)(a).31

2. Claims by Shareholders

In connection with a data breach, a company's shareholders could potentially bring an action against the corporation itself or against its directors (through a derivative claim, or depending on the case, a direct claim for oppression). To date, there have not been any shareholder actions litigated in Canada arising from a cyber breach. However, the litigation faced by companies and principals in the United States may be instructive.

In connection with the Target data breach, Target's shareholders filed at least four derivative action suits, which were consolidated and brought before the District Court of Minnesota in 2014.32 The shareholders alleged that, among other things, Target's directors and officers failed to "maintain proper internal controls" or take adequate steps to prevent the attack. They also alleged that Target failed to properly notify customers about the scope of the breach after it occurred. The shareholders sought damages arising from, among other things, amounts incurred by Target from defending the various class action suits and regulatory investigations.33

In connection with the Wyndham data breaches referenced above,34 Wyndham shareholders sued the company's directors and officers (through a derivative suit) for failing to take reasonable steps to maintain their customers' personal and financial information in a secure manner, and for failing to disclose the breaches to shareholders in a timely manner.35 The action was dismissed on factual grounds. Specifically, the court noted that the board of directors had met before the breach on numerous occasions to discuss and implement cybersecurity procedures, and had held 14 quarterly meetings after the breach to discuss the response to the attack, including the adoption of security enhancements.36 While the outcome was a good one for the company and its directors, this case highlights the risks that companies and directors may face in similar circumstances.

3. Claims by Victims

Victims of a cyber breach whose data has been compromised or misappropriated are likely litigants against companies and their directors. The high profile data breaches in Canada and the United States demonstrate the scope, scale and magnitude of potential attacks. There could be millions of individual victims whose personal or financial information is exposed.

In seeking damages against a company, a victim does not need to prove specific damages arising from the data breach. The Ontario Court of Appeal has held that intrusion upon seclusion is a tort for which damages may be awarded up to $20,000.37 Given the potential number of customers/employees whose data could be compromised from a cyber attack, this exposure can be significant. In addition to the tort of intrusion upon seclusion, there are potential damages that arise from a cyber attack, such as costs associated with identity theft.

In Canada, high profile cases involving claims by victims include:

  • Ashley Madison: A $760-million class action has been commenced in Ontario against Avid Life Media.38 The plaintiffs claim damages for, among other things, costs incurred to prevent identity theft, increased risk of identity theft, mental distress, emotional upset, anguish, anxiety and depression, lost time, inconvenience, and frustration.
  • Bank of Nova Scotia: A class action was commenced asserting unspecified damages against the Bank of Nova Scotia by customers whose confidential information was breached by a bank employee. The plaintiff class claims damages for, among other things, intrusion upon seclusion, inconvenience, discomfort, distress and aggravation. In the alternative, the plaintiff class seeks damages pursuant to the doctrine of waiver of tort, which are calculated by requiring the Bank to disgorge its profits during the relevant period of time. The action was certified as a class action in 2014. Leave to appeal from that decision was dismissed later that year.39
  • Target: A class action is pending against Target in Quebec for compensable damages. While the action was initially dismissed on jurisdictional grounds, it was reinstated by the Quebec Court of Appeal.40 The representative plaintiff has sought damages for fear, stress, inconvenience and loss of time due to the necessity of monitoring more closely his monthly statements of accounts. In the United States, there were more than 80 class actions instituted as a result of the Target data breach.41

4. Claims by Credit Card Issuers/Banks

A cyber attack may also give rise to claims by networks such as Visa or MasterCard or related financial institutions to recover the costs those financial institutions incur in replacing credit cards and reimbursing fraudulent transactions.

A 2007 data breach involving TJX Companies stores – brands like T.J. Maxx and Marshalls – involved the compromise of at least 46 million customers' information. In the face of claims by Visa, TJX agreed to fund up to $40.9 million42 for payments to certain financial institutions. TJX also settled with MasterCard for approximately $20 million.43


While the risk of a cyber attack and the corresponding claims for damages cannot be eliminated, it can be managed.

Companies should prepare and implement a data breach plan that includes steps for resisting and responding to cyber attacks. Directors should be engaged with this process. In the aftermath of an attack, there is no time to waste on last-minute plans.

A central component of the response plan should involve immediate consultation with counsel regarding a number of critical matters such as:

  • whether the law requires notice to be given to third parties of the breach and if not required, whether it is advisable to do so in any event;
  • the content of the notice, both so that required information is included and because the content of the notice could later be used against the company in litigation by those individuals whose information has been compromised;
  • whether a press release should be issued and, if so, the content of the press release;
  • an internal investigation to determine how the breach occurred so that steps can be taken to contain the breach and rectify the weakness in the system. The investigation should be overseen by external counsel so that solicitor/client privilege remains over the investigation report and witness statements;
  • what steps are necessary to contain the effects of the breach and to prevent any further breach; and
  • cross-border implications of the data breach.

Companies and their directors should consult with counsel on a routine basis in order to ensure that their data breach plan factors in the evolving legal requirements or standards expected of companies.

Further, in the event of an attack, it is imperative for companies to consult with counsel as soon as possible, in order to avoid any legal missteps that could result in increased litigation claims and/or greater financial consequences.


1 Hugo Cornwall, The Hacker's Handbook (London: E Arthur Brown, 1985).

2 Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986).

3 Around 2004, users on an online discussion board called 4chan started referring to their hacker collective as "Anonymous". David Kushner, "The Masked Avengers: How Anonymous incited online vigilantism from Tunisia to Ferguson", The New Yorker (8 September 2014) online:

4 Claudine Beaumont, "Hackers wage web war on Scientologists", The Telegraph (4 February 2008) online:

5 Anthony Wing Kosner, "Actually Two Attacks In One, Target Breach Affected 70 to 110 Million Customers", Forbes (17 January 2014) online:

6 See Maggie McGrath, "Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming", Forbes (26 February 2014) online: See also Jim Finkle, "Exclusive: Cybercrime firm says uncovers six active attacks on U.S. merchants", Reuters (17 January 2014) online:

7 Ahiza Garcia, "Target settles for $39 million over data breach" CNN Money, (2 December 2015) online:

8 As published on the company's website, "Notice of Cyberattack Affecting Excellus BlueCross Blueshield", Excellus BlueCross Blueshield (18 January 2015), online:

9 Joanne Finnegan, "Excellus BCBS still unclear Anthem faces lawsuits over data breach", Fierce Health Payer (13 July 2015) online:

10 Alison Frankel, "The 7th Circuit just made it a lot easier to sue over data breaches", Reuters (21 July 2015) online:

11 See The Home Depot, Press Release, "The Home Depot Reports Findings in Payment Data Breach Investigation", (6 November 2014) online: See also Michael Calia, "Home Depot Facing at Least 44 Civil Suits in Data Breach", The Wall Street Journal, (25 November 2014) online:

12 See Sony Corporation, News Release, "Consolidated Financial Results Forecast for the Third Quarter Ended December 31, 2014, and Revision of Consolidated Forecast for the Fiscal Year Ending March 31, 2015", (4 February 2015) online: See also Edvard Pettersson, "Sony to Pay as Much as $8 Million to Settle Data-Breach Case", Bloomberg Business (20 October 2015) online:

13 Information and Privacy Commissioner of Ontario, News Release, "Rouge Valley Health System Failed to Protect Patient Health Information", (16 December, 2014) online:

14 Joel Eastwood, "Rouge Valley faces $400M class-action lawsuit over privacy breach", Toronto Star (25 June 2014) online: Note that, because of the provisions of the Personal Health Information Protection Act, the company had to notify patients of the privacy breach, which was confirmed in early July 2014.

15 See Danny Yadron and Melinda Beck, "Health Insurer Anthem Didn't Encrypt Data in Theft", The Wall Street Journal (5 February 2015) online: See also Dori Zweig, "Anthem faces lawsuits over data breach", Fierce Health Payer (13 July 2015) online:

16 See Sadaf Ahsan, "$750M class-action lawsuit filed against Ashley Madison on behalf of Canadian subscribers following data leaks", National Post (20 August 2015) online: See also Chris Isidore and David Goldman, "Ashley Madison hackers post millions of customer names", CNN Money, (19 August 2015) online:

17 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA).

18 PIPEDA, ibid, at ss. 2(a), under which "personal information" is defined as "information about an identifiable individual".

19 As a result of the Digital Privacy Act, S.C. 2015, c. 32.

20 PIPEDA, supra note 17 at ss. 5-10 and Schedule 1, which sets out ten principles with which commercial organizations must comply, including: accountability, consent, accuracy, and safeguards.

21 While all other new provisions came into force upon the Act gaining Royal Assent, those dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and implemented.

22 Josh Ladeau, "The FTC: What You Need To Know About one of the Most Relentless Federal Cyber Regulators", Advisen Insurance Intelligence (3 June 2015) online:

23 Ontario Securities Commission, "About", (21 January 2015) online:

24 Federal Trade Commission v. Wyndham Worldwide Corporation, Case No. 14-3514 (3d Cir. 2015).

25 Ibid.

26 Competition Act, RSC 1985, c C-34, at s. 74.01.

27 Ibid at ss. 74.1(1)(c)(ii).

28 Securities Act, RSO 1990, c S.5 (Securities Act).

29 Ontario Securities Commission, supra note 23.

30 Securities Act, supra note 28 at ss. 21(1)(a).

31 Securities Act, supra note 28 at ss. 122 (1)(c).

32 In Re Target Corp. Customer Data Sec. Breach Litig., Case No. 14-cv-00203 (D. Minn. 2014).

33 See Complaint at 3 ¶ 7, Kulla, No. 14-cv-00203-PAM-JJK (D. Minn. 2014); also see Complaint at 6 ¶ 12, Collier, No. 14-cv-00266-PAM-JJK (D. Minn. Jan 29, 2014).

34 Vedder Price, Newsletter/Bulletin, "Lessons from the Dismissal of Wyndham Shareholders Derivative Action", (19 November 2014) online:

35 Palkon v Holmes, Case No. 2:14-cv-01234 (D.N.J. 2014).

36 Brenda R. Sharton, Gerard M Stegmaier and Goodwin Procter, "Breaches in the boardroom: What directors and officers can do to reduce the risk of personal liability for data security breaches", Thomson Reuters online:

37 Jones v Tsige, 2012 ONCA 32.

38 Statement of Claim, Court File No. CV-15-22622CP.

39 Evans v The Bank of Nova Scotia, 2014 ONSC 7249 (Sup Ct).

40 See Zuckerman v Target Corporation, Québec Superior Court (Court File No. 500-06-000686-143, 2014). See also "Quebec Court of Appeal sends Target data breach class action jurisdiction application back to lower courts", Canadian IT Law Association (25 November 2015) online:

41 Zuckerman v Target Corporation, 2015 QCCS 1285.

42 The TJX Companies, Inc., Press Release, "The TJX Companies, Inc. Announces Settlement Agreement with Visa U.S.A. Inc. and Visa Inc.; Estimated Costs Already Reflected in Previously Announced Charge", (30 November 2007) online:

43 Robin Sidel, "Target Nears Settlement With MasterCard Over Data Breach", The Wall Street Journal (14 April 2015) online:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
