United States: Data Security Breach Notification Requirements In The United States: What You Need to Know

Last Updated: February 21 2012

Article by Peter J. Guffin1

Originally published in the December 2011 issue of inFocus, PRISM's Quarterly Journal

I. Introduction

Data security breach notification has become a significant compliance risk for most businesses today. A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations and class action lawsuits.

The Ponemon Institute, which conducts annual benchmark studies on the cost of data breach incidents at U.S. companies, estimates that a data security breach in the U.S. now costs an organization approximately $214 per compromised record, or $7.2 million on average per incident, with notification expenses accounting for about 7% of the total cost.2 Interestingly, one of its top findings is that "more organizations favor rapid response to data breaches, and that is significantly costing them." Specifically, it found that:

Forty-three percent of companies notified victims within one month of discovering the data breach, up 7 points from 36 percent last year. That growth marks the largest percent increase among data breach response attributes. For the second year in a row, these "quick responders" paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.

Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases. The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws.3

Complicating compliance is the maze of different (and sometimes conflicting) federal and state laws that can and often do apply to the same data security breach incident. The potential regulatory overlap is largely due to the fact that there is no single, comprehensive national data breach notification law in the U.S., making way for a "patchwork quilt" of various state laws, each imposing its own specific requirements. In addition, whereas U.S. federal data breach notification laws generally follow an industry sector approach, imposing notification obligations on persons subject to regulation in certain specific industries, such as healthcare and financial services, U.S. state data breach notification laws generally apply to all persons, regardless of industry sector or where the person or personal information is located. As a result, a single data security breach incident may result in enforcement action by different regulatory bodies in multiple jurisdictions, and sometimes even in the same U.S. state.

The story of Health Net of Connecticut ("Health Net") is instructive.

In May 2009, Health Net discovered that it had lost a computer hard drive containing the personal health information of approximately 500,000 Connecticut residents. In January 2010, the State of Connecticut commenced a lawsuit against Health Net alleging that it had failed timely to notify residents and state authorities about this data security breach incident. The suit alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA"), the Connecticut data breach law and the Connecticut Unfair Trade Practice Act. Under the terms of a stipulated judgment entered into on July 6, 2010, Health Net agreed to pay $250,000 in penalties and implement a corrective action plan.4

In November 2010, the Connecticut Insurance Department and Health Net settled a separate enforcement action commenced against Health Net arising out of the same data security breach incident. Under the terms of that settlement agreement, Health Net agreed to pay $350,000 in penalties and to provide two years of credit monitoring protection to persons affected by the data breach.5

Shortly thereafter, on January 18, 2011, the State of Vermont settled an enforcement action against two affiliates of Health Net (Health Net, Inc. and Health Net of the Northeast, Inc.) arising out of the same data security breach incident, which had also affected approximately 525 Vermont residents. That suit alleged violations of HIPAA, Vermont's Security Breach Notice Act, and Vermont's Consumer Fraud Act. Under the terms of the consent decree, Health Net was assessed $55,000 in penalties and agreed to submit to a data security audit and to file reports with the State of Vermont for two years.6

As if all of the above fallout were not enough, within days of the State of Vermont settlement, Health Net experienced yet another data security breach incident, this time affecting 1.9 million current and former members (including 845,000 Californians) and stemming from the loss of nine hard drives from its California data center. Health Net was made aware of the missing information on January 21, 2011, and it began notifying affected individuals on March 14, 2011. The California Department of Insurance has launched an investigation.7

This article summarizes the major federal and state data security breach notification requirements in the United States and discusses some of the key variations in these laws as well as the interplay among them.

II. U.S. State Breach Notification Laws

Forty-six U.S. states have now adopted a breach notification law.8 The laws generally apply to all persons that own, license, store or maintain certain sensitive personally identifiable information ("PII") about a resident of the state, regardless of where the person or PII is located. In addition, in at least one state, Connecticut, the Insurance Commissioner has issued its own data breach notification rules applicable to insurance companies and other persons subject to its jurisdiction.

The specific requirements of the laws can vary substantially, but in very general terms, the laws mandate that if there is unauthorized acquisition or use of, or access to, unencrypted PII that threatens the integrity or security of such PII and creates a risk of identity theft, the person that "owns" such PII must notify affected state residents, state agencies, consumer protection agencies and, in some instances, statewide media. If a service provider maintains the PII on behalf of its customer (the data owner), the service provider generally must notify the data owner, which, in turn, must make the required notices.

In practice, the variations in these laws can present significant challenges.

A. Scope of Covered PII

The definition of covered PII varies among the states. Many states, such as Illinois, focus on the key data fields of name plus Social Security numbers, bank account numbers and credit or debit card numbers. Some states, such as Alaska, also include passwords, PINs and other access codes for financial accounts as separate data fields. Other states, such as North Dakota, have laws that cover a broad range of other data fields, such as date of birth, electronic signature, mother's maiden name, employer identification number and the like. Still other states, such as Nebraska and North Carolina, have laws that cover "unique biometric data," including fingerprints, voice prints and retinal images, within the definition of PII. Collectively, across the patchwork of state laws, there are more than 30 different categories of PII that can trigger a breach notification obligation.

B. Trigger for Notification Obligation

There are also variations as to what circumstances trigger an obligation to notify. For example, some states, such as Colorado, do not require notice unless misuse of the data is likely; similarly, some states, such as Maine, require notice if the breach creates a substantial risk of identity theft or fraud. In other words, in these states a "risk of harm" threshold applies before notice is required. In contrast, other states, such as Massachusetts, presume "risk of harm" and mandate notification whenever a person knows or has a reason to know that the covered PII was acquired or used by an unauthorized person or used for an unauthorized purpose.

C. Recipients of Notice

Although virtually all states with breach notification laws require some form of notice to residents affected by a data breach, individual states vary with respect to whether additional notice must be given to other entities, such as consumer reporting agencies or state agencies. In some states, such as Arkansas, no such additional notice is required. However, in Minnesota, if a data breach requires notification of more than 500 persons, then additional notice of the breach must be given to all national consumer reporting agencies. The threshold is different in other states, such as Michigan and Nevada, where the laws require national consumer reporting agencies to be notified if a data breach requires notification of more than 1,000 residents. And, in Georgia, notification of more than 10,000 residents is the relevant threshold for triggering notice to national consumer reporting agencies. Suffice it to say, there are similar variations among the states regarding notification of state agencies and attorneys general.

D. Content of Notice

Variations also apply regarding mandatory content in the notice. For example, North Carolina mandates that the notice to the individual must describe the nature of the incident. In contrast, Massachusetts specifies that the notice to Massachusetts residents must not describe the nature of the incident or the number of residents affected. Such direct conflicts generally drive towards different notices to different state residents, although such divergent requirements pose obvious challenges in situations where notice is also provided via the organization's website, given that both North Carolina and Massachusetts residents will view the same website.

E. Timing of Notice

Perhaps the most acute challenges arise on the timing of the notice. Many states, such as Massachusetts, require that notice be provided as soon as practicable and "without unreasonable delay." Some states establish specific timelines for notification in certain cases. For example, California requires notice in five days for certain health records. In contrast, other states, such as Arizona, impose affirmative obligations to conduct a reasonable investigation regarding the incident before notifying the affected individuals. In practice, a reasonable investigation could actually require substantially more than five days to complete, particularly if the situation involves a hacking incident or other complex scenario. The organization thus may not be able to satisfy both Arizona and California law on timing, even though both laws may apply to the same incident. Many states allow for delay in notification if requested by appropriate law enforcement agencies.

F. Enforcement

Most state breach notification laws do not directly establish a private right of action. Alaska, California and Delaware are among the few states that do provide a private cause of action. In some states, violation of breach notification laws may constitute an unfair practice, for which persons may bring suit when injured by such violation. In Massachusetts, the Attorney General may bring an action under the Massachusetts unfair and deceptive practices statute for violations of the breach notification law. Similarly, consumers in Maryland may bring actions under that state's law governing unfair and deceptive trade practices.

III. U.S. Federal Data Breach Notification Laws

There presently is no comprehensive national data breach notification law in the U.S. Over the past couple of years, U.S. lawmakers have tried to pass a national data breach notification law, but so far have been unsuccessful.

Earlier this year, President Obama unveiled a comprehensive cybersecurity proposal that includes rules and regulations for U.S. businesses in the event of a data breach.9 The proposed data breach law would apply to businesses that collect sensitive personally identifiable information on at least 10,000 individuals within a 12-month period. In the event of a breach, notification to affected individuals must be made within 60 days and media notification would be required when the number of affected individuals exceeds 5,000 in any state. The 5,000 threshold also triggers notification to the Department of Homeland Security.

Significantly, the proposal includes a risk-based safe harbor. If an entity determines there is no reasonable risk of harm from the breach, there is no obligation to notify.

The national law would supersede any state data breach laws and also carve out businesses that are subject to the breach notification requirements under the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").

President Obama's proposal not only calls for enforcement by the Federal Trade Commission, but also allows state attorneys general to bring civil actions and seek fines of up to $1,000 per day, per affected individual, up to a maximum of $1 million per violation.

While it is impossible to predict when national legislation will be enacted, it appears to be only a matter of time before a national data breach law is enacted.

Today in the U.S. there are two major, industry-sector bodies of federal data breach notification laws, one applicable to the healthcare industry and the other applicable to the financial industry. In the healthcare area, U.S. federal data breach notification requirements are found in the HITECH Act, which is an amendment to HIPAA.10

In the financial area, U.S. federal breach notification requirements are found in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("Guidance") issued by bank regulatory agencies pursuant to the Gramm-Leach-Bliley Act ("GLBA").11 The Guidance is intended to clarify the responsibilities of financial institutions under Section 501(b) of the GLBA.

To be sure, there are non-industry specific bodies of federal law, such as the Federal Trade Commission Act ("FTC Act"), which also may be applicable. Section 5 of the FTC Act prohibits unfair, deceptive or misleading acts. The Federal Trade Commission's position is that it is an unfair act/practice if you fail to:

  • Live up to your privacy policy;
  • Comply with applicable laws/regulations;
  • Recognize obvious signs of identity theft; and/or
  • Protect information from recognized threats (e.g., SQL injection attacks).

The FTC has investigated data breach incidents and initiated actions against dozens of companies in the past 10 years, including Twitter, TJX, ValueClick, Life is Good, CardSystems Solutions, ChoicePoint, BJ's Wholesale Club, Rite-Aid and CVS Caremark.

In addition, the U.S. Securities and Exchange Commission's Division of Corporation Finance recently released guidance applicable to all publicly traded companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents.12 According to the guidance:

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

. . . To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary. If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.13

A. HIPAA and HITECH Act

Under the HITECH Act, healthcare providers, medical insurers and other "covered entities," as well as their "business associates," have notification duties in the event of breaches of unsecured protected health information ("PHI").14

A breach is defined as the unauthorized access, use, acquisition or disclosure of PHI that compromises the security of PHI. Security is compromised if there is a substantial risk of financial, reputational, or other harm to the individual who is the subject of the PHI.

Under the HITECH Act, a breach is not:

  • The unauthorized acquisition, access, use, or disclosure of de-identified PHI;
  • The unauthorized acquisition, access, use, or disclosure of encrypted PHI, if the encryption meets certain prescribed standards;
  • The unauthorized disclosure of PHI if the person would not reasonably be able to retain the information;
  • The unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or a business associate if it was done in good faith and within the course and scope of the individual's employment or professional relationship; or
  • An inadvertent disclosure by an employee or individual acting under the authority of a covered entity or a business associate to a similarly situated individual if the PHI is not further acquired, accessed, used, or disclosed.

In the event of a breach, business associates must notify the covered entity, and covered entities must notify the affected individuals, the Department of Health and Human Services ("HHS"), and the media (if more than 500 persons in a state are affected). Notice must be provided "without unreasonable delay" and "in no case later than 60 days from discovery of the breach."

The content of the notice must include the following:

  • A brief description of what happened, including the date of the breach;
  • A description of the types of PHI that were involved in the breach;
  • The steps individuals should take to protect themselves from harm;
  • A brief description of the steps taken to investigate the breach, mitigate losses and protect against further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, web site, or postal address.

State laws are pre-empted to the extent they are contrary to the HITECH Act requirements. A state law is contrary if an entity could find it impossible to comply with both the state and HITECH Act requirements or if the state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the breach notification provisions. In most cases, a single notification can satisfy the state and HITECH notification requirements.

The HITECH Act put an increased emphasis on enforcement, including enhanced penalties. HHS has the authority to conduct compliance reviews of covered entities and business associates. Entities must cooperate with HHS, submit compliance reports as requested, and allow HHS access to facilities and records. In rare circumstances, individuals or entities may be held criminally liable for knowing violations of HIPAA. Imprisonment for up to 10 years is possible if the individual intended to sell or transfer individually identifiable health information for commercial gain or malicious harm.

There are four tiers of penalties, ranging from $100 for each violation (not to exceed $25,000 for the calendar year) to $50,000 for each violation (not to exceed $1,500,000 for the calendar year). In determining the amount of the penalty, HHS will consider the nature and extent of the violation and the nature and extent of the harm resulting from the violation.

In addition to the HHS imposed penalties, if a state attorney general has reason to believe that a resident of the state has been threatened or adversely affected by an entity that violates the breach notification requirements, the attorney general may bring a civil suit against the entity. There is no private right of action under the HITECH Act.

B. GLBA

The Guidance issued by bank regulators requires that the financial institution notify affected customers "as soon as possible," if the institution determines that misuse of "sensitive customer information" has occurred or is reasonably possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification may interfere with a criminal investigation and requests in writing that the institution delay notification. The notice may be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it.

"Sensitive Customer Information" means "a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components or customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number."15

Under the Guidance, the notice must contain the following content:

  • Describe the incident in general terms and the type of customer information that was the subject of the unauthorized access or use;
  • Describe what the institution has done to protect the customers' information from further unauthorized access;
  • Provide a telephone number that customers can call for further information and assistance;
  • Remind customers of the need to remain vigilant and to promptly report incidents of suspected identity theft to the institution; and
  • Provide recommendations and other information (e.g., how to place a fraud alert in the customer's consumer reports and how to obtain a credit report), when appropriate, to protect against identity theft.

IV. Other Breach Notification Considerations

Data breach notification is a global compliance risk. Non-U.S. jurisdictions have begun to adopt breach notification requirements, and they often apply to a much broader range of data about individuals than the personal information regulated under laws in the United States. For example, under the Federal Data Protection Act,16 Germany has adopted breach notification requirements that apply to a wide array of personal data, including: (i) special categories of personal data (defined as any information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life); (ii) personal data specifically protected by professional secrecy duties (e.g., in the medical, insurance or legal industry); (iii) personal data concerning criminal acts, administrative offenses, or the suspicion of the same; and (iv) personal data in relation to bank or credit card accounts.

Beyond regulatory obligations, breach notification duties can arise pursuant to contractual obligations between relevant parties. For example, merchants that accept credit cards and their service providers have various notification duties pursuant to Payment Card Industry, or PCI, requirements. The required timing for these notifications can often be significantly shorter than those that apply under regulatory duties.

V. Conclusions and Lessons

According to the experts, a data breach is not a single incident but rather a series of incidents. From the moment of discovery to the point of containment, proper investigation of a data breach can often take a significant amount of time, in many cases weeks and in some cases months. Given the stakes — disruption of business operations, damage to brand reputation and customer relationships, and the possibility of government investigations and class action lawsuits — it is critical that an organization perform a proper investigation and know what it is talking about before it notifies affected individuals. Premature notification is not a good strategy and often may cause more harm than good.

In the event of a data breach, it's essential to know what laws apply and what each law requires. Complicating compliance is the maze of U.S. federal and state laws and regulations applying to data security breaches, with the result that different (and sometimes conflicting) laws can and often do apply to the same data security incident depending on factors such as the industry sector involved and the residency of affected individuals. Compliance requirements under each of these laws in turn will be determined by the role of the business and the nature of the personal information involved.

Footnotes

1 The author is a partner at Pierce Atwood LLP, a leading regional law firm with offices in Boston, MA, Portland and Augusta, ME, Portsmouth, NH, Providence, RI, Washington, DC, and Stockholm, Sweden, and leads the firm's Privacy and Data Security Practice Group and is a member of its Intellectual Property and Technology Practice Group.

2 2010 U.S. Cost of a Data Breach, Ponemon Institute (March 2011) http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon

3 Id. at page 4.

4 http://www.ct.gov/ag/lib/ag/fraud/soctvhealthnetstipjudgment.pdf

5 http://www.ct.gov/cid/cwp/view.asp?Q=427650&A=1269

6 http://www.atg.state.vt.us/news/attorney-general-settles-security-breach-allegations-against-health-insurer.php

7 http://www.examiner.com/health-insurance-in-sacramento/health-net-data-breach-affects-1-9m-enrollees; http://www.thompson.com/public/newsbrief.jsp?cat=HEALTHCARE&id=3442

8 The four exceptions are Alabama, Kentucky, New Mexico and South Dakota.

9 http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/Cybersecurity-letters-to-congress-house-signed.pdf

10 http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf

11 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736 (March 29, 2005).

12 http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

13 Id. at pages 3 and 5.

14 A similar set of notification requirements applies to vendors of personal health records pursuant to Federal Trade Commission regulations issued under the HITECH Act.

15 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 15741 (March 29, 2005).

16 http://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf%3F__blob%3DpublicationFile (updated through June 2010).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.