European Union: EU Network And Information Security Directive: Is It Possible To Legislate For Cyber Security?

Last Updated: 27 October 2014
Article by Pearse Ryan

INTRODUCTION

The Network and Information Security Directive, commonly known as the Cybersecurity Directive (the "Directive"), was approved by the European Parliament (the "Parliament") on the 13 March 2014 with a strong majority of 521 votes for to only 22 against1. This approval comes after the Directive was significantly amended by the Parliament's Internal Market and Consumer Protection Committee ("IMCO"). The Directive is the European Union's first comprehensive attempt to establish a set of minimum cybersecurity standards that would apply across the continent.

This latest version will now move to the Council of the EU (the "Council") for negotiation, where interests of Member States will be brought to bear on the text. As a result, the extent of the reforms to be put in motion by the final Directive remains uncertain, as further amendments are expected. It is anticipated that the Directive will be adopted by 2015, leaving Member States eighteen months to transpose it into national law.

The Directive takes a multi-layered approach and places new obligations on a variety of actors. Member States would be required to appoint a competent central authority and develop a national cybersecurity strategy, along with other baseline security measures. Market operators responsible for critical national infrastructure would be subject to a series of new incident reporting requirements. The Directive contains a non-exhaustive list of such operators, which include operators in the energy, banking, health, transport and financial services sectors. The revised Directive has also included Internet exchange points (the physical infrastructures through which Internet traffic is exchanged between network providers) and the food supply chain within its scope. In addition, Member States will have a choice whether to subject public administrators to the Directive.

This Briefing discusses certain key aspects of the Directive and considers issues associated with attempting to legislate in the cybersecurity area. The area is not new and cyber threats have been with us for quite some time, but attempting to legislate, whether on a regional, national or international basis, is new. It remains to be seen whether or not this legislative approach will succeed in raising the EU's common security baseline, with many Member States favouring a more voluntary approach to boosting cooperation and preparedness.

BACKGROUND

The Directive was originally published by the European Commission (the "Commission") in February 2013. A strategy outlining the Commission's plans to ensure a common level of network security across Europe was published alongside the Directive (the "Strategy")2. The Strategy aims to reduce cybercrime and improve network resilience by raising awareness of the issues surrounding cybersecurity, developing an internal market for cybersecurity products and increasing research and development investment.

The Directive is the principle mechanism to achieve the Strategy's objectives. Its main aims are:

  • to ensure that Member States and private sector bodies providing certain critical infrastructure within the European Union ("EU") take appropriate steps to deal with cybersecurity threats; and
  • to facilitate information sharing about cybersecurity threats between the public and private sectors across Member States.

The Directive also sets out in general the standards and obligations that Member States must impose on the private sector.

THE NEED FOR LEGISLATIVE INTERVENTION

The threat posed by cybercrime, online industrial espionage and attacks on critical infrastructure is growing. It is estimated that 823 million individual data breaches occurred in 2013, up from 264 million in 2012.3 Last year in the UK, 93% of large corporations and 87% of small businesses experienced a cybersecurity breach, with estimated losses of £450,000 to £850,000.4 In Ireland a recent report estimated the cost of responding to a data breach "to be in the region of ¤194k".

The annual cost to the global economy from cybercrime and cyberespionage is estimated at over $400 billion. With information and communication technology now forming the backbone of the European economy, the growing prevalence of cybercrime has negative implications for both national security and economic stability.

The European Commission asserts that, in this context, lack of effective sharing of data on threats and incidents is hindering the EU's response to cybersecurity challenges. It claims that the existing, mostly voluntary and ad hoc, nature of information-sharing between businesses, governments and Member States results in "uncoordinated regulatory interventions, incoherent strategies and divergent standards, leading to insufficient protection against NIS across the EU."5 The Commission expressed similar sentiments as far back as 2001,6 though regulatory measures to combat cybercrime since then have been largely sectoral and fragmented in nature.7 This has led to gaps in cybersecurity regulation. The Directive seeks to address these concerns by creating a cross-sectoral legislative framework within and across Member States, in which information-sharing no longer takes place on a purely voluntary basis.

Whether this shift in approach will work in practice is the subject of considerable debate. Concerns have been raised by certain Member States and business operators, who fear that more stringent, top-down regulation at European level will hinder business growth and competition. They argue that new reporting requirements could impose significant administrative burdens and become "a factor of reputational risk"8 for businesses (particularly for SMEs, which may not have the resources required to meet the new standards). It is also claimed that moving from a voluntary to a legislative approach risks creating a "static compliance approach" that could "divert scarce security resources from areas requiring greater investment towards areas with lower priority [and] decrease Europe's collective security."9 Many argue that a voluntary, industry-led set of standards, similar to those used in the United States, is a preferable approach.

ESTABLISHING A NATIONAL STRATEGY AND COMPETENT AUTHORITIES

Chapter II of the Directive requires Member States to ensure the security of the network and information systems in their territory. Member States must:

  • establish a national Network Information Security ("NIS") strategy and establish regulatory measures to achieve network security;
  • establish a competent authority ("NCA") to monitor and ensure the consistent application of the Directive in their territory and across Member States. The latest version of the Directive permits Member States to appoint several NCAs so long as one "national single point of contact" remains responsible and accountable; and
  • establish a Computer Emergency Response Team ("CERT") responsible for handling incidents and risk. As is the case with the establishment of NCAs, the text approved by the European Parliament allows for "at least one" national CERT.

These are positive measures as Member States will have an accountable authority to monitor compliance with the Directive, promote a NIS strategy and receive, collate and share information about cybersecurity threats across the EU in an efficient manner. These bodies will also help Member States develop minimum security requirements and encourage businesses to create ICT security plans.

However, the Directive is unclear in some circumstances. For example, no practical guidance is provided as to how a NCA will ensure the consistent application of the Directive in their territory and across Member States. The Directive also fails to elaborate on what a NCA must do when they receive a cyber-threat warning. These limitations might reduce the effectiveness of the Directive.

Furthermore, the European Network Information Security Agency ("ENISA") revealed only seventeen Member States currently have national cybersecurity strategies.10 This could reflect the different views of Member States as to the best approach to cybersecurity regulation. For example, the UK favours a non-regulatory approach whereas Germany favours regulation. The lack of consensus could undermine the overall effectiveness of national strategies, the consistent application of the Directive across Member States and any co-ordinated attempts to deal with cyber threats.

COOPERATION NETWORK BETWEEN COMPETENT AUTHORITIES

Chapter III of the Directive provides that NCAs and the Commission will form a cooperation network to coordinate against risks and incidents affecting network and information systems ("Cooperation Network"). The Cooperation Network will (amongst other things):

  • circulate early warnings about cyber threats. Member States must report to the Cooperation Network cyber threats that (a) grow rapidly in scale; or (b) exceed national response capacity; or (c) affect more than one Member State. The Cooperation Network must ensure a co-ordinated response across Member States to these threats;
  • publish non-confidential information on on-going early threat warnings and coordinated responses on a common website; and
  • exchange information and best practices with participants in the Cooperation Network.

The Strategy highlights the borderless nature of cybercrime and the importance of involving all actors, both the private and public sectors within and across Member States, when dealing with cyber threats and sharing information. The establishment of a Cooperation Network will address these issues. It will also support the creation of a coherent EU cybersecurity policy.

The Directive and subsequent measures will need to deal with a number of changes and consider a number of issues, which include the following:

  • the criteria used to determine when a NCA should report risks to the Cooperation Network is vague, meaning that Member States might apply different reporting thresholds in practice;
  • the Directive does not provide any guidance to deal with situations where Member States cannot agree on a co-ordinated response to a cyber-threat. As we will see, there is considerable resistance from some Council members to mandatory sharing of information between Member States;
  • the Directive does not address concerns that having to seek agreement from each Member State might slow down an effective response; and
  • a co-ordinated response across different Member States might be complicated as security levels differ and many nuances exist on aspects such as operator obligations and code-sharing.

Finally, there are a number of bodies already working on different aspects of European cybersecurity. These include ENISA, the European Public–Private Partnership for Resilience ("EP3R") and CERT-EU. The Directive does not specify exactly how this range of organisations is to cooperate, or how the Cooperation Network is intended to complement their functions. Caution must be exercised to ensure that it is understood who talks to whom and how coordination and co-operation is achieved when responding to a cyber-threat in order to avoid uncertainty.11

INFORMATION SHARING AND INCIDENT NOTIFICATIONS

Chapter IV of the Directive provides for mandatory security breach and incident notification requirements. This provision applies to market operators who provide critical infrastructure "the disruption or destruction of which would have a significant impact on a Member State". The Directive contains a non-exhaustive list of such operators, which includes operators in the energy, banking, health, transport and financial services sectors.

This test could be difficult to apply in practice and further guidance may be needed to clarify exactly which sectors are subject to the Directive. Indeed, Chapter IV obligations have been the subject of rigorous debate during the legislative process.

In the European Commission's original proposal, "key Internet enablers", such as e-commerce platforms, social networks, search engines, cloud services and app stores, came within the scope of the Directive's mandatory reporting requirements. However, the IMCO elected to exclude these actors from its version of the Directive, limiting breach and incident notification obligations to operators of critical infrastructure "essential for the maintenance of vital economic and societal activities".12 It is also interesting to note that Internet exchange points, the organisations which provide network operators with Internet traffic exchange facilities, were added by the IMCO to the Directive's list of critical infrastructure operators. This is a significant addition that takes account of the centrality of electronic communications to national infrastructure.

Importantly, Member States can decide exactly how "critical" an operator of critical infrastructure is, and therefore whether it should be covered by the Directive. Alongside this greater level of discretion, the Directive also allows more flexibility with regard to information-sharing between companies and national authorities, leaving open more avenues for voluntary means of cooperation.

The exclusion of Internet enablers could significantly water down the effect of the Directive, as such operators are central to the online world and the economy as a whole. Critical infrastructure operators engage with software developers, cloud storage providers, e-commerce platforms and others to a growing extent as more of their functions become digitised, making it increasingly difficult to draw a clear distinction between the categories set out in the Directive.

Member States also now have a choice whether to impose Chapter IV obligations on public administrators after the original draft automatically included them. This amendment could again undermine the effectiveness of the Directive, as the Strategy noted the importance of all relevant stakeholders, whether public authorities or private sector, taking action to strengthen cybersecurity.

While the Parliament's version of the Directive reduces the scope of companies affected by reporting requirements, it also defines the conditions under which a report should be made more precisely. The revised Directive attempts to set out exactly what constitutes an incident with "significant impact" that would warrant notification, after a report by the Economic and Scientific Policy Department (the "Report") highlighted a lack of clarity in this regard.13 Whether an incident has a significant impact will depend on, inter alia, the number of users of the core services who are affected, the duration of the incident and the geographical area affected by the incident.

In addition, the revised Directive provides that if an incident affects services in more than one Member State, upon notification a NCA will pass on relevant information to the NCA of any other affected Member States. This measure has addressed previous concerns that multiple notifications of the same incident would be required. It remains to be seen how effective incident notification by market operators will be in practice. The Report highlighted that "large discrepancies" were found in how prepared businesses across all sectors and Member States are to deal with cybersecurity incidents.14

PUBLICATION OF INCIDENT REPORTS BY NATIONAL AUTHORITIES

The Directive provides that a NCA can inform the public, or require market operators (or public administrators if applicable) to do so, where it believes the publication of an incident is in the public interest. The NCA is also required to submit an annual report of notifications received and any subsequent action taken to the Cooperation Network. Publication of notifications will help raise awareness of cyber threats but there were concerns that it could result in reputational damage to the market operator or result in a breach of any confidentiality obligations. Moreover, there were data protection concerns about treating the practice of publishing notifications containing personal data as necessary and legitimate.15

The revised Directive attempts to address some of these concerns. It now provides that the NCA must consult with the market operator and give them a chance to be heard before making its decision whether to publish information about a security incident. In the event that the NCA decides to publish information it must act to ensure it is made as "anonymous as possible".

ENFORCEMENT AND SANCTION

The Directive provides that Member States must ensure a NCA has all the necessary powers to scrutinise and investigate any non-compliance with Chapter IV obligations. Market operators will be required to provide all information that is necessary to assess the security of their networks and to undergo security audits. The Directive further provides for the imposition of effective, proportionate and dissuasive sanctions. It is expected that offending market operators will be fined a certain percentage of their revenue.

Effective enforcement and sanctions mechanism are important to ensure the objectives of the Directive are achieved. Commissioner Kroes pointed out that only 26% of companies in the EU had formally-defined ICT security policies. The threat of audit and subsequent sanction should ensure companies take network security more seriously.16 In addition, the revised Directive has made a number of welcome amendments to the enforcement and sanction provisions. NCA's will now be permitted to tailor the level of scrutiny a market operator is placed under depending on how critical its systems are judged rather than applying a standardised level. Furthermore, market operators will only be subject to penalties for non-compliance with Chapter IV obligations where they arise as a result of intent or gross negligence.

PARALLEL INTERNATIONAL DEVELOPMENTS

In the United States a Presidential Executive Order (the "Order") was published in February 2013 that encouraged the United States government to work with owners and operators of critical infrastructure17 to share information about cyber threats and implement minimum cybersecurity standards. In February 2014 the National Institute for Standards and Technology issued a framework to achieve these objectives (the "Framework"). It provides common security standards to identify and report security risks, measures to recover from attacks and methods to protect against security threats. The Framework resists the mandatory approach adopted in the EU and instead provides a non-regulatory system with incentives to comply with the standards. The different approach adopted by the US could undermine the effectiveness of the Directive. Cybercrime by nature is a global issue and a failure to align with the U.S. could result in gaps in the global cybersecurity framework or slow down responses to threats. It might be sensible for the US and EU to adopt a joint policy position on global cybersecurity threats.

TIMELINE

Having been approved by the European Parliament, the Directive now needs to be agreed by the Council of EU telecommunications ministers. The next meeting of this Council configuration is due to take place on 27 November 2014. Between now and then, the text will continue to be debated in trialogue meetings18 between representatives from the European Parliament, Commission and the Italian Presidency, as well as between Member States' Permanent Representatives.

The Council came to what the Italian Presidency called a "general convergence of views" on the Parliament's text in its most recent meeting on 5/6 June 2014.

However, Member States remained divided on a number of key questions, including whether or not cloud providers should be covered by the legislation, and the extent to which the Directive should dictate operational cooperation between different agencies. A number of Member States expressed a preference for more general guidelines for information exchange between national authorities in the final text, rather than the more prescriptive "cooperation network" envisaged by the Parliament's version. These concerns could result in a weaker compromise text at the November Council.

A change of personnel in the EU institutions could also have a significant bearing on the Directive's final shape. A new European Commission, set to take office on 1 November 2014, is likely to give added impetus to trialogue negotiations following a period of uncertainty and institutional transition. The Digital Single Market ("DSM") has been highlighted as a priority for the new Commission, and a new Commission Vice President, former Estonian Prime Minister Andrus Ansip, has been appointed to lead work towards its completion.

Ansip will lead a "project team" of Commissioners working on different aspects of the DSM, which includes a Commissioner for Digital Economy and Society who is tasked with making the EU "a leader in cybersecurity preparedness and trustworthy ICT".19 In his confirmation hearing before the European Parliament Ansip stated that it is "extremely important" to make the Directive a reality, echoing the view of the European Council that "the timely adoption of [...] the Cybersecurity Directive is essential for the completion of the DSM by 2015."20

There is, therefore, a good deal of political impetus behind the Directive and the new European Commission will be eager to mark its completion as an early success. Time is fast running out before the 27 November Council meeting, however, and it remains to be seen if this momentum will be enough to overcome remaining disagreements between Member States. If the Council is to approve the Directive in its next meeting, it is likely that additional compromises will need to be found in the Parliament's text.

Looking further ahead, Member States will have eighteen months to transpose the Directive into national law once it is adopted.

CONCLUSION

The Directive represents an ambitious and timely attempt to legislate for the prevention of cybercrime in the EU. If adopted, its proposals would help ensure market operators of critical infrastructure, Member States and the EU are all adequately prepared to deal with cyber threats by providing a common baseline of shared standards. The latest version of the Directive has made welcome amendments that have provided guidance to key elements such as the definition of "significant impact" and what constitutes an operator of critical infrastructure.

Nevertheless a significant degree of uncertainty remains on certain key issues, such as how to co-ordinate EU wide responses and exactly which companies are to be subject to the Directive. In spite of the widespread acknowledgement that better frameworks for information exchange are required, there is still considerable resistance to mandatory models of reporting and cooperation. With time running out before the November Council meeting, the final shape of the Directive and how it will be transposed by Member States remains uncertain. It is likely that further compromises will be required before the Parliament's text is approved by the Council, and the final version will have to strike a careful balance between stimulating better exchange of information and adding unnecessary burdens to businesses. Legislating for cybersecurity is a relatively new and untested approach. In this context, the EU's first attempts to shift away from a purely voluntary model of cooperation will be a fascinating test case for future legislative actions in Europe and beyond.

Footnotes

1. Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (2013/0027(COD)), 13 March 2014 (http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0244

2. Resolution on a Cybersecurity Strategy of the European Union: an open, safe and secure cyberspace (2013/2606(RSP)), 12 September 2013 (http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-376

3. Risk Based Security/Open Security Foundation, "2013 Data Breach Trends", February 2014 (https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf)

4. The Department for Business Innovation & Skills, "2014 Information Security Breach Survey" (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

5. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union [COM/2013/048 final - 2013/0027 (COD)], February 2013 (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52013PC0048&from=EN)

6. The European Commission, "Communication Network and Information Security: Proposal for A European Policy Approach" COM(2001) 298.

7. For example, the Markets in Financial Instruments Directive (Directive 2004/39/EC) requires those in the financial services industry to adopt certain reporting and network security risk measures. Telecommunications companies are required to report cybersecurity incidents under the risk management and incident-reporting obligations set out in the revised EU Telecom Framework Directive (Directive 2009/140/EC)

8. AmCham EU's response to the European Commission's Consultation on Network and Information Security (NIS), 15 October 2012 (http://ec.europa.eu/digital-agenda/en/news/consultation-network-and-information-security-publication-individual-responses)

9. Information Technology Industry Council (ITIC) Position Paper on the Directive, 24 June 2013 (http://www.itic.org/dotAsset/a748f2f7-7d73-4d62-8ea0-b5ad35e3af27.pdf)

10. http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world

11. http://www.europarl.europa.eu/RegData/etudes/note/join/2013/507476/IPOL-ITRE_NT(2013)507476_EN.pdf

12. http://www.europarl.europa.eu/oeil/popups/summary.do?id=1342725&t=e&l=en

13. Ibid at 24

14. Ibid at 16

15. http://ico.org.uk/~/media/documents/consultation_responses/response-to-eu-directive-on-network-and-information-security-call-for-evidence-responses-to-consultations-and-inquiries.pdf

16. http://europa.eu/rapid/press-release_SPEECH-13-51_en.htm

17. The Order defines critical infrastructure as, "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters".

18. The European Parliament's Committee for Internal Market and Consumer Protection ("IMCO") voted to give a mandate to its Rapporteur, Andreas Schwab MEP, to enter trialogue discussions on 6 October 2014.

19. European Commission Mission Letter to Commissionerdesignate Günther Oettinger, 10 September 2014 (http://ec.europa.eu/about/juncker-commission/docs/oettinger_en.pdf)

20. European Council Conclusions, 25 October 2013 (https://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.