United States: Data Security, Third-Party Privacy Claims, And Insurance Coverage Under CGL "Personal And Advertising Injury" Coverage
Last Updated: March 2 2010
Article by John E. Iole and Kevin D Lyles

Personal and advertising injury coverage appears in standard commercial general liability ("CGL") policies. Even though courts have been hostile to invasion of privacy claims based on data security breaches, such claims frequently are filed and are not always dismissed at an early stage. Particularly for companies that do not have specialized data security coverage, CGL coverage might provide a basis for the payment of defense costs and, if necessary, indemnity in response to such third-party claims.

For a company faced with a data breach resulting in the possible disclosure of private information, an important question is how, if at all, commercial general liability insurance will respond to third-party claims alleging damages. If your company has specialty coverage for data security loss, cybertheft, or similar liabilities, then your right to coverage might be clear.1 If you do not have such special coverage available, however, then you might nevertheless have a prospect of recovering defense costs and indemnity under your CGL policy.

Through both inadvertence and malice, corporate entities are exposed to the risk of data security breaches that can result in the revelation of the private data pertaining to millions of customers, employees, or others. The Privacy Rights Clearinghouse estimates that more than 343 million individual records containing sensitive personal information have been involved in data security breaches in the U.S. for the period January 2005 through January 2010. See Privacy Rights Clearinghouse, "Chronology of Data Breaches." (www.privacyrights.org/ar/ChronDataBreaches.htm#CP) The recent data attacks on Google and Yahoo! illustrate the way in which even the most technologically capable entities are subject to the risk that personal data of their customers can be revealed. See, e.g., The Wall Street Journal, "Google Investigating If China Staff Involved in Cyber Attack" (http://tinyurl.com/yb79bx7 ) (Jan. 21, 2010).

The opportunities for inadvertent loss and outright theft have grown exponentially with the ubiquity of laptops, PDA/BlackBerry devices, large-capacity microdisks, and external access to corporate systems and data. Furthermore, corporations have reported that targeted data attacks, originating from both inside and outside the entity, are on the rise. See, e.g., Outpacing Change: Ernst & Young's 12th Annual Global Information Security Survey (2009) (http://tinyurl.com/y9bggl3) (in 2009, "41% of respondents noted an increase in external attacks and 25% of respondents witnessed an increase in internal attacks."). Moreover, the sophistication of data analysis is such that even data believed to be safely encrypted can sometimes be decoded by determined parties. See, e.g, Valdez-Marquez, et al. v. Netflix, Inc., C09-05903 (N.D. Cal. 2009) (complaint filed Dec. 17, 2009) (anonymized video rental data allegedly de-anonymized and reviewed by third parties).

Just as the opportunities for security breaches escalate, legislative efforts to protect privacy rights have increased to the point of saturation. Numerous federal and state statutes now require both protection of data and notification of security breaches, meaning that customers and the public swiftly learn when a data breach occurs.2 These statutes can also provide for penalties or private rights of action. In what has been reported as the first instance of state enforcement under HIPAA, the Connecticut Attorney General recently sued Health Net, Inc. over an alleged failure to protect private data (and to report the breach of security) regarding more than 400,000 enrollees following the loss of a laptop computer. Attorney General v. Health Net of the Northeast, Inc., D. Conn., 3:10-CV-00057-PCD (complaint filed Jan. 13, 2010).

The insurance market has responded to these risks with special coverage written to address this type of claim.3 Nevertheless, for those companies with CGL insurance and no special coverage, there is an opportunity to seek coverage for defense costs (or indemnity payments, in the event of a settlement or judgment) for third-party claims under standard CGL policy wording.4

Third-Party Claims Based on Disclosure of Private Information

To date, courts have been somewhat hostile to claims seeking to recover damages for security breaches, rejecting them on the grounds that the plaintiffs assert only speculative loss. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (compromise of personal information was not a "compensable injury" as required for negligence or breach of contract under Indiana law).5 Nevertheless, there is no guarantee that all such claims will fail, and due to the wide variety of common-law and statutory provisions addressing this subject, it is likely that a significant number of such claims will survive early stages of litigation and potentially proceed to final resolution.6

For example, the United States District Court for the Northern District of Illinois recently declined to dismiss a putative class action alleging violations of the Fair Credit Reporting Act and an Illinois privacy statute, along with a common-law invasion of privacy claim. Rowe v. Unicare Life and Health Insur. Co., 2010 U.S. Dist. LEXIS 1576, 09-C-2286 (N.D. Ill. Jan. 10, 2010). In Rowe, the defendant health insurance providers advised individual plan members that some of their personal information inadvertently had been made available online to the general public. The private information included Social Security numbers, as well as medical and pharmacy information for the members and their dependents. There was no allegation that any of the information actually had been accessed or used, but simply that it had been made available online to persons who did not have the right to see it.

Among other things, the plaintiff claimed damage due to anxiety and emotional distress, an increased risk of future identity theft, and invasion of privacy. With respect to the invasion of privacy claim, the plaintiffs alleged:

As alleged herein, Defendants allowed Plaintiff's and the Class' PHI [Private Health Information] records to be published via the Internet without such persons' knowledge, authorization or consent. The publication of such private facts and information is one that is highly offensive or objectionable to a reasonable person of ordinary sensibilities. The publication of such private facts and information does not include information which is of a legitimate public concern.
Defendants violated the rights of privacy of Plaintiff and the Class by publishing Plaintiffs and the Class' PHI records without their consent on the Internet where they were accessible to third parties.

The defendants moved to dismiss the complaint, contending that the plaintiff had not alleged injury or damage adequate to state a viable claim under any of the theories asserted. The district court denied the motion and allowed the case to proceed to discovery. In particular, the court determined that the mere "availability" of private information in a publicly accessible place (an unprotected part of the defendants' web site) might be enough to constitute a "communication" of private information for purposes of the Fair Credit Reporting Act. The court observed that, under a standard dictionary definition of "communication," if a simple expression of information is sufficient to constitute a "communication," then "the issue of whether anyone accessed the [private] information may be irrelevant." Id. at 4. Because the court was ruling on a motion to dismiss, it held out the possibility that, if the evidence established that private information actually was not accessed by any third party, then the FCRA claim might fail. The district court also permitted the case to proceed based largely on alleged emotional harm and an increased risk of future harm.

Addressing the common-law invasion of privacy claim, the court permitted the plaintiff to proceed based on asserted nonpecuniary harm (i.e., emotional or reputational harm). The court provisionally accepted the notion that a negligent or inadvertent disclosure of protected information, even if not accessed by unauthorized persons, was a "publication" of information sufficient to allege an invasion of privacy claim under Illinois common-law.7

It is likely that future statutory claims will be coupled with common-law invasion of privacy claims. A recent example is the class action lawsuit against Netflix, Inc. over customer movie rental data that allegedly could be "de-anonymized" in order to access private information. Although the complaint primarily asserts statutory claims under the Video Privacy Act and other statutes, the plaintiffs also assert a common-law breach of privacy claim. Valdez-Marquez, et al. v. Netflix, Inc., C09-05903 (N.D. Cal. 2009) (filed Dec. 17, 2009).8 As discussed below, claims such as these would appear to quite clearly fall within the basic CGL coverage grant for personal and advertising injury. Under the law of most jurisdictions, the defendant company therefore would be entitled to coverage of defense costs for all of the claims asserted against the company until such time as the covered claims are dismissed or, at a minimum, until there is a clear basis for allocation of defense costs among covered and noncovered claims.

CGL Coverage for Disclosure of Private Information

The foundation for coverage under the CGL policy form is in the Side B coverage for personal and advertising injury. See, e.g., ISO CG 00 01 12 07 ("We will pay those sums that the Insured becomes legally obligated to pay as damages because of 'personal and advertising injury' to which this insurance applies."). Whereas Side A coverage provides coverage for bodily injury and property damage, the "personal and advertising injury" found in Side B covers somewhat less common types of claims. In particular, the standard definition of "advertising injury" provides, in pertinent part:

14. "Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:
* * *
e. Oral or written publication, in any manner, of material that violates a person's right of privacy . . . .

The CGL form does not provide a definition for "injury," although it seems clear that the term means something more than "bodily injury," since injury "includes" (but is not limited to) consequential bodily injury.9 And, as observed by the court in Rowe, a plaintiff asserting a breach of privacy claim might be able to recover based on damages for emotional distress that are not linked to other bodily injury or to pecuniary loss. Rowe, slip op. at 16; see also Creative Hospitality Ventures, Inc., v. United States Liability Insurance Co., 655 F. Supp. 2d 1613 (S.D. Fla. 2009) ("advertising injury" is different from "bodily injury" and could include a violation of one's privacy interest in credit card information), adopted in part, ruling reserved in part, 655 F. Supp. 2d 1316 (S.D. Fla. 2009) (Zloch, J.).

A question likely will arise as to whether an unknowing, unintended, or inadvertent release of information—or indeed a theft of private information—can fulfill the requirement of "publication" necessary both to support a claim and to invoke coverage for the publication.10 As discussed above, the Rowe court held in the context of a motion to dismiss that it might be satisfactory simply for the information to be available to the public in order for it to be "communicated" within the meaning of the FCRA.11

A federal magistrate judge for the United States District Court for the Southern District of Florida recently considered the concept of "publication" under the standard CGL wording, concluding that the phrase "publication, in any manner" is so broad that it does not require public dissemination. Creative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 655 F. Supp. 2d 1319 (S.D. Fla. 2009) (Rosenbaum, U.S.M.J.), adopted in part, ruling reserved in part, 655 F. Supp. 2d 1316 (S.D. Fla. 2009) (reserving ruling on determination that publication requirement had been fulfilled) (Zloch, U.S.D.J.). The magistrate judge observed that publication for purposes of insurance coverage is not limited to the concept of publication required for defamation, ruling that even a disclosure to the owner of the information stated a satisfactory allegation for purposes of the duty to defend and, potentially, to indemnify. Id. at 9–11.12

As shown by the magistrate judge's opinion in Creative Hospitality Ventures opinion, tort-law definitions of "publication" do not necessarily strictly control the meaning of "publication" for purposes of insurance coverage. Nevertheless, tort law references can still be useful in making a coverage determination. For example, the Restatement (Second) of Torts provides guidance on the meaning of publication in the context of defamation law. The Restatement view is that, as long as defamatory information is revealed by way of negligence, it is sufficient to constitute publication. Restatement (Second) of Torts §577 ("Publication of defamatory matter is its communication intentionally or by a negligent act to one other than the person defamed."). One of the examples given by the Restatement is that of a cartoonist who leaves a defamatory drawing on his desk in the middle of an office where passersby can see it. Id. cmt. k(5). Likewise, if an underlying claimant is able to show that a company has negligently allowed private information to be accessed by the outside world, it is likely that a strong argument for "publication" can be made.

Limitations on Personal and Advertising Injury

Of course, it is not enough simply to analyze the CGL coverage grant for purposes of determining whether a data breach claim might be covered. The other policy terms also must be considered.

In particular, there is an exclusion for "knowing" violations of another's rights.13 Under the type of claim addressed here, however, the policyholder is not likely to have knowingly published or released the private information of the underlying claimants. Instead, the underlying cause of the breach is likely to have been negligence or theft, as in the case of a lost or stolen laptop computer. Therefore, this standard exclusion to personal and advertising injury coverage should not apply, because the policyholder would not possess the requisite advance knowledge.

Another limitation on coverage under personal and advertising injury is that the injury must be caused by an "offense" arising out of the policyholder's business that is committed in the coverage territory during the policy period. This type of requirement ought to be readily satisfied by most data breaches. A further coverage limitation that sometimes is asserted is that the conduct creating liability must have occurred in the course of the policyholder's "advertising." That is, an insurer might take the position that the policy does not provide coverage unless the publication in dispute is an "advertisement." This limitation does not, however, apply to the "invasion of privacy" coverage under the standard wording. When an invasion of privacy is asserted, the coverage responds to "oral or written publication, in any manner, that violates a person's right of privacy," and no restriction to advertising conduct exists.14

The magistrate judge in Creative Hospitality Ventures discussed the distinction between invasion of privacy coverage and other advertising injury. There, the insurers contended that publication could only occur in the context of an "advertisement." Id. at 1328 n.6. The court rejected this argument, stating:

This idea does not assist the Court, however as the definition of "personal and advertising injury" dos not necessarily require a covered injury to be incurred as a result of an "advertisement." . . . Nothing in these descriptions [of covered forms of conduct and injury] requires that such injuries be incurred as the result of an "advertisement."

Id.

A final exclusion that should be considered is Exclusion (p), which is entitled "Distribution of Material in Violation of Statutes."15 As it pertains to personal and advertising injury, the exclusion eliminates coverage for injury arising directly or indirectly from actual or alleged violations of the Telephone Consumer Protection Act, the CAN-SPAM Act, and other statutes, ordinances, or laws that prohibit the sending, transmitting, communicating, or distribution of material or information. This exclusion initially appeared as a stand-alone exclusion but now is incorporated into the basic policy form.16 It was interpreted by the magistrate judge in Creative Hospitality Ventures to exclude coverage for claims under the Fair and Accurate Transaction Act, 15 U.S.C. § 1681c(g). 655 F. Supp. 2d at 1339-40.17 The exclusion does not, however, purport to address common-law breach of privacy claims, and it will be a matter for litigation to determine exactly what the reach of this exclusion will be.

Conclusion

When a third-party claimant alleges a data security breach involving a failure to safeguard private information, a corporate insured should look not only to any specialty coverage but also to its CGL policies to see if there is a prospect of coverage. Indeed, once a data breach is known, a prudent policyholder will seek advice as to whether notice to insurers is advisable even before a claim is asserted. Any complaint is likely to assert several theories of recovery, including both statutory and common-law claims. As long as one of the asserted claims appears to involve coverage, then the policyholder may have a viable argument for reimbursement of defense costs. Moreover, if the underlying claim proceeds toward full resolution, the policyholder may also have a basis for indemnification.

Footnotes

1.The prospect of CGL coverage could, however, raise issues under an "other insurance" provision in any specialty policy.

2.For example, the following statutes protect private information:

  • The Personal Data Privacy & Security Act of 2007
  • The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
  • The Gramm-Leach-Bliley Act of 1999
  • The Fair Credit Reporting Act ("FCRA")
  • The Fair & Accurate Credit Transactions Act of 2003 ("FACTA")
  • The Electronic Communications Privacy Act of 1986
  • The Family Educational Rights & Privacy Act ("FERPA")
  • The Video Privacy Protection Act, 18 U.S.C. § 2710

In addition, there are more than 40 state-specific laws protecting data security.

3.Depending on the type of conduct and harm alleged, it is possible that coverage could be provided by a specialized privacy liability policy or by E&O, commercial crime, computer crime, cyber/internet security, or other policies. Each of these coverages, if available, should be studied. This discussion focuses on standard CGL wording, but some of the concepts may be relevant under other coverages.

4.This Commentary does not address first-party claims, such as claims for the expense of customer notification, data retrieval and restoration, or loss of business income. A first-party claim would not be covered under CGL advertising injury coverage, although coverage could be available under specialty forms of coverage. See, e.g., First Bank v. Federal Insurance Company, No. 4:09-cv-00532 (Mo. Cir. Ct., March 23, 2009).

5.See also id. at 639 ("Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy."); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273, 282 (S.D.N.Y. 2008) (dismissing negligence claim based on failure to safeguard personal data when "[d]espite a full and fair opportunity to conduct discovery, there is no evidence . . . regarding the motive or capabilities of the thief . . . [and] no evidence that this plaintiff's data has been accessed or used by anyone as a result of the theft.").

6.Data breach invasion of privacy cases are different from "blast fax" invasion of privacy cases. In a blast fax case, the information sent to the recipient/claimant typically is not the private information of the claimant, and therefore, even if there is a "publication" (usually also disputed), there is no revelation of private information to assert as a ground for coverage. E.g., Am. States Ins. Co. v. Capital Assocs. of Jackson County, Inc., 392 F.3d 939 (7th Cir. 2004). However, in the blast fax context, the plaintiffs can allege an invasion of their privacy right to seclusion, as opposed to the revelation of private data. See, e.g., Penzer v. Transportation Ins. Co., 2010 Fla. Lexis 111, No. SC08-2068 (Fla., Jan. 28, 2010) (answering question of Florida law certified from 11th Circuit, holding that liabilities for blast faxes that breached right of seclusion were covered under advertising injury coverage as "publications" of material that violated a person's right of privacy).

7.The court did not address the question that the defendants would not have "published" the material if they did not actually intend for the private information to be made public. This issue might still be litigated in future proceedings. For purposes of defamation, the Restatement (Second) of Torts takes the view that a completely non-negligent revelation of private information ordinarily will not constitute publication but suggests that a negligent revelation would constitute a publication. Restatement (Second) of Torts 2d § 577, cmt o.

8.Plaintiffs assert: "By its conduct, Netflix has knowingly and intentionally caused the public disclosure of private facts concerning Plaintiffs and members of the U.S. Resident Class. These private facts are ones that a reasonable person would not wish disclosed and that are not newsworthy. . . . Plaintiffs and members of the U.S. Resident Class have suffered harm as a result of Netflix's public disclosure of private facts about them." Complaint at ¶¶ 137-139.

9.The CGL form defines "bodily injury" as "bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time."

10.For example, the court in Ruiz v. Gap, Inc., granted a motion for judgment on the pleadings with respect to a California state constitutional breach of privacy claim on the basis that the facts underlying the breach (theft of two laptop computers) were not sufficiently egregious breaches of societal norms of conduct. 540 F. Supp. 2d 1121 (N.D. Cal. 2009). Nevertheless, until there is an adjudication that no publication or actionable breach of privacy has occurred, there is a basis to seek defense costs.

11.The concept of "communication" for FCRA purposes is not precisely the same as "publication" for invasion of privacy purposes, but it is similar enough to allow one to contend that communication constitutes publication.

12.The court distinguished the decision in Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of Am., 581 F. Supp. 2d 677 (W.D. Pa. 2008), in which the district court considered a different version of the personal and advertising injury wording, and concluded that the allegations and claims in the complaint did not sufficiently allege a publication that resulted in an invasion of privacy.

13.The CGL form excludes coverage for "'Personal and advertising injury' caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict 'personal and advertising injury.'" See ISO CG 00 01 12 07, Coverage B, Exclusion (a).

14.The standard wording also contains a limiting exclusion for insureds in "Media and Internet Type Businesses." See ISO CG 00 01 11 07, Coverage B, Exclusion (j). For this exclusion to apply, courts have sometimes considered whether the insured's "principal" business falls within the specific language of the exclusion. See, e.g., State Auto Prop. & Cas. Ins. Co. v. Travelers Indem. Co. of Am., 343 F.3d 249 (4th Cir. 2003); American Emplrs' Ins. Co. v. Delorme Publ'g Co., 39 F. Supp. 2d 64 (D. Maine 1999) (exclusion "clearly applies to insureds whose primary, essential, chief or principal business is publishing"). A policyholder faced with such an issue therefore will want to consider the case law in the relevant jurisdiction.

15.See ISO CG 00 01 12 07, Coverage B, Exclusion (p).

16See ISO CG 00 67 030 05.

17.See also Employers Mutual Casualty Company v. Witham Sales & Service, Inc., No. 2:08-CV-233, 2009 U.S. Dist. LEXIS 109985 (November 23, 2009) (reserving determination on exclusion's applicability to FACTA and FCRA until necessary party could be joined).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

More Popular Related Articles on Insurance from USA
The Patient Protection and Affordable Care Act has gone from a distant deadline to an imminent reality, with the controversial "play or pay" provisions scheduled to take effect on January 1, 2014.
A commentary on a recent decision in the case of Engineering & Construction Innovations, Inc., v. L. H. Bolduc Co., interpreting a subcontractor's agreement to indemnify a contractor, the subcontractor's contractual obligation to procure insurance to cover that indemnity agreement and the impact of the Minnesota anti-indemnification statute on such contract provisions.
Less than two weeks apart, two appellate courts issued opinions analyzing whether faulty work claims are covered under commercial general liability policies, each reaching a different result.
Like many companies who made products containing asbestos, Kaiser Cement and Gypsum Corporation has over the past several decades defended thousands of asbestos bodily injury claims brought by construction workers who allege they were exposed and suffered bodily injury resulting from exposure to Kaiser Cement’s asbestos containing products.
Many jurisdictions have announced that they plan to more actively pursue natural resource damages from potentially responsible parties deemed liable under CERCLA or Superfund.
As reported in our November 2012 Client Alert entitled Latest Regulatory Developments Concerning Unclaimed Life Insurance Benefits, a few states have passed new laws governing claims investigation practices to address the issue of unclaimed life insurance benefits.
A New York appellate court recently upheld a supreme court ruling that an insurer had a duty to defend a manufacturer’s faulty workmanship where it resulted in third party property damage. I.J. White Corp. v. Columbia Cas. Co., 2013 NY Slip Op 2500 (N.Y. App. Div. 1st Dep’t Apr. 16, 2013).
In Farkas v. National Union Fire Insurance Company of Pittsburgh, PA, No. 12-1481, 2013 WL 1459248 (4th Cir. Apr. 11, 2013), the United States Court of Appeals for the Fourth Circuit affirmed the district court’s summary judgment order and held that a Directors & Officers (D&O) liability insurer had no duty to defend the chairman of the policyholder after he was convicted of criminal fraud.
 
In association with
Recently viewed items tracks each article you read and gives you a quick link back to that article if you need to review it again.
To activate recently viewed, you just need to login or register with us above.
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
Free News Alert
 
News Alert|Login|Register
Register for Access and our Free Biweekly Alert
Close Me
Email Address
Company Name
Password
Confirm Password
Mondaq Topics -- Select your Interests
Accounting and Audit
Anti-trust/Competition Law
Consumer Protection
Corporate/Commercial Law
Criminal Law
Employment and HR
Energy and Natural Resources
Environment
Family and Matrimonial
Finance and Banking
Food, Drugs, Healthcare, Life Sciences
Government, Public Sector
Immigration
Insolvency/Bankruptcy, Re-structuring
Insurance
Intellectual Property
International Law
Litigation, Mediation & Arbitration
Media, Telecoms, IT, Entertainment
Privacy
Real Estate and Construction
Strategy
Tax
Transport
Wealth Management
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.