Canada: Cybersecurity: 2017 Report & 2016 Reflections - What Businesses And Boards Need To Know

In 2016, cybersecurity continued to grow as a primary business risk for companies worldwide. Data breaches continued to escalate both in number and magnitude and the landscape of legal and regulatory liability evolved and expanded. In this report, the Bennett Jones Cybersecurity team analyses the key events in 2016 with a view to those issues that should be front and centre for companies and their directors in 2017.

What is a Cyber Event or Cyber Breach Event?

In 2016, "cyber" has entered the mind of the general public and the boardroom more than ever before.

Cyber events occur on, or are conducted through, a company's computer network in an attempt to gain unauthorized access to, or to compromise the confidentiality, integrity or availability of, the company's information, communication systems or networks.

For the business community, cybersecurity incidents are intended to damage customer or stakeholder confidence, or financial, reputational, health or safety interests. These cyber incidents can affect an enterprise or group of commercial entities and their stakeholders. Preparing for cyber incidents has become an important risk-management focus for companies and their boards.

Cyber incidents are not restricted to ID theft or privacy breaches, and may also include things like:

  • ransomware;
  • distributed denial of service (DDoS) or local denial of service (LDoS);
  • web defacement;
  • physical or infrastructure harm (control devices harmed, e.g., Stuxnet);
  • theft of trade secrets, intellectual property, insider information; and
  • loss of data integrity.

Cybercrimes are often committed as a means to another end, typically to make money (theft of insider information from Wall Street law firms, in aid of criminal insider trading schemes; identity theft to compromise systems, or to perpetrate further commercial fraud such as bank and credit fraud).

In 2016, we saw non-commercial cyber incidents, such as "doxing", the publication of private information to the Internet (e.g., the Panama Papers information theft and disclosure, the Democratic National Committee email system information theft and disclosure, and cyber warfare attacks by national governments during regional conflicts in Estonia, Crimea, Ukraine, Syria, Egypt and Iraq).

Lessons Learned

Cyber breaches of 2016 have broadened our understanding of cybersecurity:

  • Cybercrime is becoming multi-pronged and is no longer a matter of simple breach or theft events.
  • Cybersecurity threat actors are becoming much more sophisticated. Cyberattacks are no longer reserved for closet computer enthusiasts or the Anonymous movement. Organized criminal groups have adopted IT network systems, social collaboration and social media (e.g., a dark-web presence, sophisticated business methods, targeting, tools, and black markets for tools and stolen information).
  • Cybercrime is being industrialized and scaled up to the scale of social networks.
  • Targets vary; while credit card information remains attractive, new focuses on healthcare, law firms and governments have emerged, with gambits like ransomware and extortion becoming common.
  • Cyber incidents may be the first event in a chain of criminal activities of some sophistication.
  • Unsophisticated analytical models are no longer useful in tackling either prevention or response to cyber incidents.
  • There is no activity more fruitful in avoiding cybersecurity risk than preparedness.

Next Steps

To combat cybercrime, you will need to:

  • understand what information and systems your organization controls, and whether they are valuable targets;
  • understand what can be done to harden your systems to be a less tempting target;
  • prepare for a seemingly inevitable cyber incident by understanding what could happen, providing for early detection and response, and planning mitigation steps (such as an incident response plan, insurance coverage, response readiness);
  • gain an awareness of local resources (law enforcement, IT response consultants, backup systems, external legal advisors); and
  • become thoughtful about your information and your systems.

Training your people about risks and risk avoidance is one of the most important steps. Your people are your best "intelligence agents" to enlist to protect your information and systems.

Bennett Jones has assembled a team with the skills, experience, expertise and connections to help with cybersecurity preparedness and, should a cyber event occur, with incident response and mitigation. External legal counsel is an important element of your planning to deal with these types of problems.

Cybersecurity Governance: The Board's Role

When it comes to protecting your company's data, the most important place to start is the boardroom.

The cyberattack on Ashley Madison (the dating site for extramarital affairs) highlighted potential exposure for directors, should they fail to take reasonable steps to avoid and respond to an attack. The Joint Report between the Canadian and Australian Privacy Commissioners on the Ashley Madison breach does not expressly identify exposure for the company's directors; however, the report underscores that the standards expected of companies fall within the responsibility of the board.

The board's role in IT infrastructure matters is no different from its role in dealing with other risks in the business. The board's role is one of oversight. The directors do not need to be or become experts in cybersecurity or IT. The board can rely on management to design and implement the IT infrastructure; but the board should ask sufficient questions to be satisfied that the right issues are being considered and addressed. The failure of the board to take appropriate steps in relation to cybersecurity matters can expose the directors to liability.

Accordingly, directors should have a basic understanding of the company's IT infrastructure so that they can identify risks that the company faces and assess whether those risks are being addressed. 

Assessing the Risks

The first issue for a director is to consider the nature and extent of the company's reliance on its IT infrastructure. A board should have a reasonable understanding of how the company acquires, uses and depends upon its IT infrastructure in its ordinary course of business. Based on that understanding, the next question is the impact that any degree of failure of the IT infrastructure may have on the company. The three key potential cybersecurity risks to the company may be categorized as follows:

  1. Business operational risk: interruptions in the company's business operations.
  2. Liability risk: for example, class actions from individuals whose information has been compromised; regulatory non-compliance risk (including Privacy Commissioners and Securities and Financial Institution regulatory regimes, which provide requirements for management and reporting of material security breaches and vulnerabilities).
  3. Reputational risk: harm to company's reputation.
Technology is a fundamental aspect of business value and risk. The issues involved go well beyond technological ones to fundamental questions of governance and risk management.

Developing Trends in Cybersecurity Regulation in Canada

Navigating the cybersecurity regulation in Canada (and elsewhere) has been a challenge for companies as it is an area of continued growth and change. Staying abreast of regulatory developments is critical for companies in order to understand their growing responsibilities in this domain.

Historically, cybersecurity threats have been addressed by governments in a piecemeal process through the adoption of various laws and regulations requiring the protection of certain categories of data (such as financial, health or personal information), the protection of certain key industries (such as critical infrastructure or banking) and the criminalization of certain activities (such as the Security of Information Act (Canada) section 19 (economic espionage) and Criminal Code (Canada) sections 342(3) (unauthorized use of credit card data), 342.1 (unauthorized use of a computer), 380 (fraud), and 402.2 (identity theft and identity fraud)).

As a result, a complex, fragmented patchwork of legislation and industry practices has evolved which has generally focused on particularly sensitive data or 'at risk' assets.

Addressing increasingly sophisticated and evolving cyber threats, which are now more visible than ever, poses a significant challenge to regulators and organizations alike, and we have recently recognized a number of trends developing in the regulatory approach to cyber threats. In particular, there is an increased focus on: (i) cybersecurity incident disclosure; and (ii) the harmonization of regulation.

To counter the reluctance of organizations to disclose cyber incidents, and to satisfy a perceived need for timely and relevant information so that law enforcement can respond to cyber threats, there has been a focus on cyber incident disclosure by victims. For example, the tentative adoption of mandatory breach reporting has sprung up in a number of jurisdictions (such as the recent amendments to the Personal Information Protection Act (Alberta)), together with the issuance of specific guidance on the disclosure of cybersecurity risks and incidents by publicly traded enterprises (see the Securities and Exchange Commission cybersecurity guidance (U.S.) and similar guidance for financial institutions).

We have also seen a growing recognition that the existing patchwork of laws and regulations can result in increased costs and complexity, impacting the competitiveness of enterprise. Although the United States has formally withdrawn from the Trans-Pacific Partnership (TPP) trade deal, the text of the TPP highlights a growing trend towards a coordinated, international response to the cyber threat.

It is anticipated that there will be continued developments on the regulatory front. In the meantime, these two trends highlight the current state of affairs and provide some guidance to companies regarding expectations that will be imposed on them by regulatory authorities.

Cybersecurity in Law Firms and Other Suppliers

Cybersecurity is top-of-mind for many businesses, particularly at organizations which deal with valuable or sensitive information such as member or user identities, credit card or account payment processing, industrial trade secrets, and similar obvious targets. 

Increasingly, other sensitive information is being targeted as well:

  • sensitive pricing or merger and acquisition information, which could affect share prices;
  • research and development information and patent-development material, which could give a competitive advantage in a market or process; and
  • sensitive information such as email archives, which could be used to embarrass or harass the target or be used to extort other things of value (passwords, access, or other behaviours).

Indeed, information targeted by a cybersecurity breach is often only one step in a larger crime or attack. For instance, several Wall Street firms' email accounts were compromised by criminals who used the stolen insider information for illegal trading gains; the Democratic National Committee email information was published to embarrass the organizers and affect a national presidential election campaign; and a law firm was compromised in the Panama Papers hack to gain access to tax-avoidance plans related to public and political figures around the world, to embarrass or negatively affect those persons' careers and reputations.

In addition, analyses of a variety of large-scale cybersecurity events reveal that the attack vector, or the "way in" to these systems, was via vulnerabilities in vendor or supplier systems or operations. The Target breach is a prime example: an air-conditioning subcontractor's accounts were breached and then used to infiltrate Target's systems. Bad guys seeking to breach a system will test for and attack the weakest link, which may sometimes be outside of the organization's direct control.

In light of these broadening risks, and the hacking of consultants and suppliers (in some cases law firms, banks and accountants, not just IT or air-conditioning suppliers), part of the focus of any cybersecurity initiative has shifted to the security and preparedness of suppliers, in order to safeguard the organization's information assets.

What Can an Organization Do?

  1. Understand the nature of the information and systems which are accessible to third-party suppliers, the risks associated with subcontracting or permitting third-party accesses, and the consequences of a cyber event affecting that information or those systems.
  2. Review consultant and supplier contract terms to ensure that there is at least a duty or obligation to keep the organization's information and systems secure and confidential.
  3. Ensure that the organization will be informed by a supplier whenever a cyber breach is experienced by the supplier organization; consider whether this should apply to all breaches they experience, or just breaches they identify as directly involving the organization's systems or information.
  4. Consider the scope and scale of access by the supplier to information and whether access can be restricted or the scope and scale of the information or systems available can be limited, thereby containing the risk.
  5. Obtain assurances that the supplier or contractor has adequate and appropriate security systems, people and processes in place to protect the organization's interests; consider auditing those security arrangements periodically and controlling the contractor's right to subcontract.
  6. Understand the location and control over sensitive information or systems (the "cloud" problem), and ensure that there is adequate accountability to the organization if these are offshore or under third-party control not subject to privity of contract with the organization.

We mentioned that law firms might be targeted as an 'attack vector'. U.S. law enforcement authorities have been warning the industry for several years that law firms are increasingly targeted in information crimes. Law firms hold very sensitive information and information of great value; they trade on trust and confidence. Until recently, law firms were also the 'soft underbelly' in terms of risk, thought of as being relatively undisciplined and lax in information protection in the IT realm (although acknowledged as being very sensitive and protective in the policy, ethics and professional realms).

2016 saw a dramatic increase in awareness within law firms of these cyber risks, in the sharing of risk and threat information, in the hardening of IT systems and processes, and in the tightening of ethical and professional governance rules. Still, organizations would be prudent to discuss concerns about cybersecurity with all suppliers, including their most trusted legal advisors.

At Bennett Jones, we take our duties and obligations to protect our clients' interests and information very seriously. As a part of our prudential and protective approach to information, we have implemented systems, policies and procedures which in 2016 attained certification after third-party audits proved us to be fully compliant with the ISO 27001 standard. By working in this area of law, including work on compliance and policy involved in the ISO Certification process, we have unique insights and expertise which we make available to our clients.

The Importance of Cyber Insurance Coverage

In the world of inevitable cybersecurity breaches, companies have increasingly set their sights on insurance policies that purport to protect against the risks of an attack. However, experience teaches that some policies do not protect against the full scope of risks.

A 2016 United States decision highlights the importance of involving legal counsel to help protect against liability arising from a cyberattack. 

In P.F. Chang's v Federal Insurance Co,1 hackers obtained and posted on the internet 60,000 credit card numbers belonging to P.F. Chang's customers. This resulted in an assessment by the credit card companies against P.F. Chang's servicer, Bank of America. In turn, Bank of America pursued indemnification under its service contract with P.F. Chang's. A federal district court held that P.F. Chang's insurance policy did not provide coverage for this claim because the policy required that the claimant suffer a personal injury. In this case, Bank of America was the claimant and Bank of America did not suffer a personal injury, as the stolen records belonged to the customers. The court came to its conclusion even though the insurance company marketed the policy as "a flexible insurance solution designed by cybersecurity risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world."2 The court also noted that the parties were sophisticated and that the policy did not apply in the circumstances even though a "[c]ourt is expected to broadly interpret coverage clauses so as to provide maximum coverage for an insured."3

This case highlights the importance of ensuring that the insurance policy covers all possible contingencies arising from a cyberattack. Given the novelty of cybersecurity breaches and the continuing development of Canadian jurisprudence and legislation, companies are advised to retain legal counsel to assist with identifying the scope of insurance coverage required.

In the past year, the cyber insurance marketplace has matured dramatically, with new cyber insurance products which are meant to mitigate risks not handled by other business coverage. Premiums and costs, however, seem to be volatile, as insurers gain more loss experience and are able to refine their underwriting. Enterprises seeking cyber insurance are well-advised to be particular in choosing coverage and in integrating insurance policies to mitigate cyber risk.

Expanding Scope of Invasion of Privacy Claims

A 2016 Ontario decision may signal increasing exposure for companies which are subject to a cyberattack under an "invasion of privacy" claim.
In its 2012 decision Jones v Tsige, 2012 ONCA 32, the Ontario Court of Appeal recognized a right of action for invasion of privacy. In short, this means that a person may be liable to another if they intentionally (or recklessly) intrude upon the other's private affairs. Proof of harm to an economic interest is not required.

A company that is subject to a cyber breach could be liable if the company's employee is responsible for the breach4 or if the company failed to maintain an adequate system to safeguard personal information in its possession.

2016 Decision

In Jane Doe 464533 v ND, 2016 ONSC 54, the Ontario Superior Court expanded the scope of claims that could be advanced under "invasion of privacy". In this case, the court recognized a right of action for invasion of privacy in the context of public disclosure of embarrassing facts. 

This decision signals the expansion of claims that may be advanced based upon theories of invasion of privacy. For companies hit with a cyber breach, this decision may open them to claims by those individuals whose personal information has been disclosed by a cyber breach.

National Mandatory Breach Notification Comes to Canada

A key factor in mitigation of risk in instances of a cybersecurity breach is notification of the affected individuals. Most U.S. states have mandatory breach notification requirements. 

The Canadian scene is changing. While Alberta has had mandatory breach notification since 2010, amendments made in 2015 to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will bring mandatory breach notification to all entities subject to its jurisdiction.

The national mandatory breach notification rules are broadly modelled on the earlier Alberta rules. PIPEDA includes a mandatory requirement for organizations to give notice to affected individuals and to the office of the federal Privacy Commissioner about data breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual." This test is similar to the test under Alberta's law. Under PIPEDA, "significant harm" includes humiliation, damage to reputation or relationships, and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse, and other factors that may be set out in regulations.

The notification under PIPEDA is to be given "as soon as possible" after the breach has occurred. A form of notification may be set out in regulations.

Unlike the Alberta law, PIPEDA also requires an organization to notify other organizations and the government where such notifications may reduce risks or mitigate harm. PIPEDA will require organizations to keep and maintain records of every breach of safeguards involving personal information under their control. Where required, those records may be provided to the federal Commissioner.

Additional nuances for these new rules, which have yet to come into force, are to be developed by regulation. The government has sought input on various issues to be addressed by the new regulations but has not yet issued draft regulations.

Organizations preparing for cyber breaches should contemplate that breach notification can be risk-mitigating and will soon be mandatory for more organizations in Canada. Notification responsibilities will arise under law and under many relationships, such as insurance contracts and financing covenants. Evidence from cyber breaches shows that time and money can be saved if an organization has assessed its notification responsibilities before an incident occurs.

Cybersecurity Class Actions: The Next Big Thing?

Are cybersecurity cases the next big thing in Canadian class actions? Several well-known data breach cases have received significant media exposure, including those involving Ashley Madison and Yahoo! Inc. These cases involve novel areas of law, including the liability of a company for its employee's breach of customer privacy. Last year saw representative plaintiffs file a number of cases with similar allegations.

Several data breach cases are awaiting certification. One class action seeks $50 million in damages from Casino Rama on behalf of employees, customers and vendors whose confidential information was stolen in a cyberattack on the casino.5 Another seeks $75 million in damages from the Family and Children's Services of Lanark, Leeds and Grenville, which provided affected individuals with child and family welfare services.6 In addition to alleging negligence, breach of fiduciary duty, breach of confidence, negligent misrepresentation and invasion of privacy, this case argues a breach of the Canadian Charter of Rights and Freedoms because the defendant operated under the Ministry of Children and Youth Services. 

At the same time, 2016 saw courts certify and approve settlements for a number of cybersecurity class actions. Though R v John Doe7 did not deal strictly with a cyber breach, the plaintiffs made claims under the same causes of action after Health Canada sent class members large envelopes labelled "Marijuana Medical Access Program". The Federal Court of Appeal certified the class action in negligence and breach of confidence. 

Courts also approved settlements in Drew v Walmart Canada Inc.8 and Lazanski v The Home Depot, Inc.,9 based on allegations of data breaches compromising customers' private information. Those cases settled for up to $750,000 and $520,000 respectively, which are small settlements as class actions go.

Cybersecurity class actions will only be the next big thing when they command significant damages awards. One thing is for certain: you do not want your company name to become synonymous with data breach liability if and when they do.

Lessons from the Ashley Madison Decision in the Context of Cybersecurity

On August 22, 2016, the Office of the Privacy Commissioner of Canada (OPC) issued a joint decision with the Australian Privacy Commissioner/Acting Australian Information Commissioner regarding the highly publicized data breach that Avid Life Media Inc. (ALM) experienced in 2015. This decision articulates key considerations for companies that collect, use or disclose personal information.

The Facts

By way of background, ALM, since renamed Ruby Corp., operates a number of adult dating websites, including Ashley Madison, which targets individuals seeking to have discreet extramarital affairs. ALM is headquartered in Toronto, Canada, but its websites can be accessed globally, with users in over 50 countries. In July 2015, hackers stole data from ALM and published a large number of files online, including profile, account and billing information from approximately 36 million Ashley Madison user accounts.

Key Takeaways from Decision

  1. Personal information under the custody or control of an organization must be protected by safeguards appropriate to the sensitivity of the information. The determination of the necessary safeguards must be: (i) context-based; (ii) proportionate to the sensitivity of the personal information; and (iii) guided by the potential risk of harm to individuals arising from a data breach. In making this determination, an organization should not focus exclusively on financial harm (e.g., fraud or identity theft); the impact on an individual's "physical and social wellbeing", including "potential impacts on relationships and reputational risks, embarrassment or humiliation", should be considered too.
  2. Safeguards adopted by an organization should be based on an "adequate and coherent" information security governance and risk management framework that is appropriate to the sensitivity and amount of personal information collected.
  3. Organizations should document their security policies and procedures regarding measures to prevent cyberattacks and measures to detect intrusions.
  4. Organizations must monitor indications of intrusion or other unauthorized activity on a regular basis and document their risk assessments.
  5. Organizations should rely upon multi-factor authentication for controlling remote administrative access by authorized users.
This decision sets some key parameters for organizations trying to understand obligations when it comes to protecting data. However, there is no clear road map on how to implement these principles for any given organization. Businesses are advised to seek legal counsel on how best to meet the known standards for preventing and responding to cyberattacks.

International Exposure from Cybersecurity Attacks: Yahoo! Inc.'s Cautionary Tale

The fallout from the multiple data breaches suffered by Yahoo! Inc. (Yahoo), which were reported in late 2016, highlights the cross-border ramifications for a company hit with a cyberattack.

Yahoo Cyberattacks

In September 2016, Yahoo announced that hackers had stolen account information (including names, email addresses, birth dates, and encrypted passwords) of at least 500 million users in 2014 (the 2014 breach).10 At the time, the 2014 breach was the largest breach of a company's computer network in history, but it was only the beginning of Yahoo's data breach troubles.11

In mid-December 2016, Yahoo announced that it had discovered a separate cyberattack on its network in 2013, which compromised more than 1 billion user accounts. Similar to the 2014 breach, the 2013 breach resulted in stolen information, including names, email addresses, birth dates, and encrypted passwords.12

These breaches are thought to constitute the largest technical breach to date. In addition to obtaining personal account information of its customers and users, hackers accessed Yahoo's cookie creation software and users' security questions and answers, enabling further unauthorized access.

Litigation and Regulatory Proceedings

As a result of Yahoo's data breaches, the company is currently facing significant litigation and regulatory exposure, spanning a number of jurisdictions across the globe.

In relation to the 2014 breach alone, Yahoo reported that it was subject to 23 consumer class action lawsuits in the United States and other jurisdictions.13 While the report does not specify, the number of lawsuits likely includes one of the two class actions commenced against Yahoo in Canada.

In December 2016, the Securities and Exchange Commission opened an investigation of Yahoo and issued requests for documents relating to the data breaches. The Commission's investigation is in its early stages but is focused on whether Yahoo's disclosures about the data breaches complied with reporting requirements and securities laws.14 It remains to be seen whether the Commission will bring an enforcement action against Yahoo as a result of the data breaches. Whatever the result, the Commission's investigation will likely set a precedent for a company's disclosure requirements in the wake of a data breach.

The European Union's Data Protection Supervisor outlined serious concerns it had about Yahoo's data breaches, and is currently seeking more information regarding the nature and content of the stolen data, the consequences of the breach, and the numbers of people affected in the European Union.15

Yahoo is also being "urgently examined" by the Irish Data Protection Commissioner in connection with the data breaches to determine whether any formal investigation will be launched for breaching European data protection laws.16

Cautionary Tale

The Yahoo breaches highlight the exposure to international claims and regulatory proceedings for a company that is subject to a cybersecurity breach. Heading into 2017, companies must factor in this international risk when assessing the potential exposure from an attack.

As a footnote, a bid by Verizon to purchase Yahoo made prior to these announcements appears to have stumbled, and the breaches may have affected pricing or other terms. Yahoo has announced that its CEO will resign from the company's board after the planned merger.

Ransom Attacks and the Bitcoin World

In 2016, ransom attacks were on the rise. A data ransom attack is one where the attacker infiltrates an IT system or database and either locks it up, holding the "key" needed to unlock the system, or threatens to publicly disclose private information unless a ransom is paid. Victims of ransomware attacks in 2016 included dating sites, retail stores, hospitals, universities, government agencies, financial institutions, casinos and law firms.

Typically, a data ransom attack mimics a traditional kidnapping in several ways: 

  1. The demand (usually received by email rather than a disguised phone call) is non-negotiable with a tight 24–48 hour deadline to respond.
  2. A sample of the sensitive data that has been compromised is provided at a link to show that the threat is serious and real (just like a photograph of the distressed hostage holding the current newspaper).
  3. The victim is cautioned to avoid involving the authorities (which may not assist in any event).
  4. The attacker warns of the consequences associated with having to disclose the privacy breach if the ransom is not paid exactly as instructed.

Instead of asking for a suitcase of money to be dropped off at a dark location, today's data kidnappers want payment in bitcoin, the electronic currency which is said to be untraceable.

In the face of a ransomware attack, companies need specialized and experienced advice, an immediate threat assessment, containment on a need-to-know basis, and a communications and mitigation plan. In order to contain the potential damages from the attack, companies are advised to seek legal counsel immediately upon learning of the attack.
1 No. CV-15-01322-PHX-SMM (D. Ariz. 2016).

2 Yahoo Statement, An Important Message About Yahoo User Security, September 22, 2016.

3 Ibid at 1.

4 In the class action proceeding against Bank of Nova Scotia, 2014 ONSC 7249, the court permitted a claim against the bank to proceed based on vicarious liability for intrusion upon seclusion by the bank's employee.

5 Harman v Casino Rama Inc, 97892/16.

6 M.M. v Family and Children's Services of Lanark, Leeds and Grenville, CV-16-551363-00CP.

7 2016 FCA 191.

8 2016 ONSC 8067.

9 2016 ONSC 5447.

10 Ibid at 2

11 New York Times, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, September 22, 2016.

12 Yahoo Statement, Important Security Information for Yahoo Users, December 14, 2016.

13 Yahoo, Form 10-Q Quarterly Report, November 9, 2016.

14 The Wall Street Journal, Yahoo Faces SEC Probe Over Data Breaches, January 24, 2017.

15 Article 29 Working Party, Article 29 Data Protection Working Party letter, October 28, 2016.

16 Data Protection Commissioner, DPC statement on Yahoo data breach, December 15, 2016.

Ruth Promislow
Stephen Burns
Martin P.J. Kratz
David Cassin