United States: Cybersecurity Incident Response: Planning Is Just The Beginning

Executive summary

By now, most senior-level executives have heard that either you have had a data breach or you just don't know that you've had a data breach. Cyberattacks are now as much a part of doing business as taxes and financial statements, and they are getting expensive. According to the 2015 U.S. Cost of a Data Breach Study [1] by the Ponemon Institute, last year there was an 11% increase in the total cost of a data breach, to a $217 average per lost or stolen record. To be sure, those numbers are based on estimated costs of actual data loss incidents, not hypotheticals. In an effort to support senior financial executives in their cybersecurity incident planning and response, Grant Thornton LLP and Financial Executives Research Foundation (FERF) have identified several essential areas for their consideration.

This report's findings are based on in-depth interviews, conducted between August and September 2015, with 10 subject matter experts of various specializations, including legal, PR and communications, insurance, and IT security. The interviewees provided their perspectives on cyberrisk management strategies and best practices in cyberbreach response.

Key findings include:

  • Simply having a cybersecurity incident response (IR) plan is not enough. It must be reviewed and updated regularly as part of a comprehensive cybersecurity incident response program.
  • Regular training and exercises are important in keeping the IR plan effective. Employees can be a critical line of defense.
  • Board involvement is crucial. Senior management and the board need to have open dialogue about expectations regarding risk tolerances, budget considerations, IR planning and breach response.
  • General liability insurance and director's insurance most likely will not cover a cybersecurity incident. A full review of insurance should be an integral part of cyberrisk management.

Introduction

Today's organizations face a sobering reality. The question is no longer whether we will be breached but when we will be breached. Cybersecurity is a C-suite and board-level issue requiring a comprehensive risk management strategy, intelligent investment and integration across the organization.

While the costs associated with a data breach continue to rise, there are established best practices that can mitigate some of those costs. The 2015 U.S. Cost of a Data Breach Study [2] found that having an IR plan and team in place, extensive use of encryption, business continuity management (BCM) involvement, chief information security officer (CISO) leadership, employee training, board-level involvement, and insurance protection are viewed as reducing the cost of a data breach. An IR team can decrease the average cost of a data breach from $217 to $193.2 (decrease = $23.8) per lost or stolen record. However, third-party error, a rush to notify, lost or stolen devices, and the engagement of external consultants to support the IR team in responding to a breach all increased the cost of a data breach.

Clearly, having an IR plan and team in place, extensive use of encryption, BCM involvement, CISO leadership, employee training, board-level involvement, and insurance protection would all be considered best practices. These elements should be considered the foundation of a robust cybersecurity incident program. FERF, in cooperation with Grant Thornton LLP, spoke with several subject matter experts from a variety of fields to glean insights and recommendations for instituting an effective cybersecurity incident response program.

Cybersecurity incident response

When determined adversaries such as hacktivists, state-sponsored actors and organized criminal syndicates set their minds on finding a way inside, every organization with valuable digitized information is at risk of having its information assets breached and its critical assets compromised. Indeed, most organizations today would do well to expand their efforts to mitigate the consequences of inevitable breaches, which likely affect infrastructure systems and compromise key data such as personally identifiable information and confidential business information. A properly drafted IR plan guides the proactive planning and management necessary to effectively react to such breaches.

It all starts with a plan

The primary objective of an IR plan is to prepare for and manage a cybersecurity incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs. [3] Unfortunately, IR plans are one of the most neglected aspects of information security. [4] Without a plan, organizations do not respond to a cybersecurity incident — they react to it, and reactions are usually based on misinformation and misunderstanding or, worse yet, fear.

To this point, Melissa Krasnow, partner and U.S. Certified Information Privacy Professional (CIPP/US) with Dorsey & Whitney LLP, noted: "While a number of companies have them [IR plans], you might be surprised by the companies that do not have them even though there is guidance about them, regulators are encouraging companies to have them, and they are a best practice. Once a company or a competitor or a business partner experiences a breach, incident or cyberattack, they develop an awareness that often galvanizes preparation, including an IR plan."

Fellow attorney Liisa Thomas, chair of the privacy and data security practice at Winston & Strawn LLP, said: "Most companies have a disaster recovery plan. If a 9/11 type of event happens, they know what to do. Typically, they will dust off that plan and make sure it works for them at least once a year, if not more."

As it relates specifically to cyberincidents, Thomas continued: "A potential data breach should be treated in much the same way. An IR plan should give high-level information about how the company will handle the incident. Not all breaches are the same. Some might be cyberevents; some might be internal thefts. I've seen plans that are 30, 40 or maybe 100 pages long. Often they're very focused on specific steps that the IT department would take to contain the incident. These plans may have their place, depending on the organization. But they might not instruct those outside of the IT department — senior leadership — on what to do at a high level. I advise clients to have a shorter, high-level document. The high-level document helps not only during an incident, but also before it, raising awareness with the senior leadership about the types of decisions they're going to be asked to make. A plan like that can be used by the decision-makers to practice against, just like they would a disaster recovery plan."

Johnny Lee, Grant Thornton managing director of Forensic, Investigative and Dispute Services, adds, "While the IR plan can resemble a high-level policy, it is important to note that each constituent department (IT, legal, communications, risk management, etc.) might have far more detailed protocols invoked during an incident response."

Jerry Wynne, CISO and senior director of enterprise security with Noridian Mutual Insurance, said his company does have a cybersecurity IR plan: "We are in the process of updating it again based on several breaches that have occurred within the industry in the last year. It will include some additional areas that are outside of the traditional cybersecurity IR time."

Those updates were the result of lessons learned within their industry peer group. This follows best practices, as IR plans should be revisited regularly to ensure that they don't get stale. Wynne continued, "We have a stronger legal presence on the team, and we've made sure that our privacy area and compliance areas are more heavily involved than they have been in the past."

Information security expert and former CISO Bill Barouski believes there are two aspects organizations should consider in reviewing their cybersecurity incident response plans: "I think every program, every plan should be reviewed at least annually. Then, probably every 18 to 24 months, have a third party review the plans. Any high-performing organization would want an outside view into their effectiveness."

IR team

When asked who should head the response team or what departments should be included in the team, John Kennedy, corporate partner in the IT and outsourcing, privacy, and information security group at Wiggin and Dana LLP, said: "It varies by organization, but I believe a best practice is to create an IR governance committee, which should include representatives from executive management, so that decisions can be made quickly. In terms of the preparedness side and the planning and the communications chain, it will include legal, IT, risk management, human resources, public relations and, in some cases, facilities management. There may be, in addition, a compliance officer as well as a risk officer. In the end, the incident response team should represent a cross-section of key stakeholder interests that will be affected by different kinds of incidents."

Ashley McCown, president at Solomon McCown, had a few suggestions regarding which business operations should be a part of the IR team: "The CFO certainly is included; there are obviously significant financial implications in a breach, so he or she needs to be at the table. The general counsel, and as companies are getting very organized around potential cyberattacks and identifying a law firm or lawyer with expertise in cybercrimes and breaches, that person can be brought into the effort. IT clearly should be involved; HR, sometimes, if employee data and personally identifiable information are leaked. Definitely the communications department, which could include internal and external communications."

She continued: "Additionally, you want to have backups and redundancies because people go on vacation. Even with cellphones and Wi-Fi everywhere, people can be out of touch, and being able to mobilize your team quickly is essential. Incidents don't often happen at the most opportune times."

Exercises and training

Putting a plan like this together, keeping it up-to-date and exercising it periodically is a lot of work — a major reason that it doesn't always get done. But when something bad happens (and it will), having the plan available and the experience that only comes from practice will save a lot of time and potentially avoid embarrassment at best, and litigation at worst. [5]

Having a cybersecurity incident response plan is an important step, but it's only the beginning. The plan is not of much use if it only exists on paper or on a server somewhere — it must be reviewed regularly and periodically exercised. All of the interviewees stressed the importance of tabletop exercises and employee training. Tabletop exercises should also include industry-, regulatory- and technology-specific scenarios. An executive director of information security with a large insurance company noted: "We've had numerous exercises in 2015. Traditionally, we've conducted exercises focused on business continuity and disaster recovery. However, we've stepped it up this year to do more crisis management tabletop exercises to address cybersecurity threats. We engage the threat response team, which is our cross-functional IT team, to participate in cybersecurity tabletop exercises based on real-life scenarios. We exercised our plans to determine how prepared we are to respond and to determine if our response plans are well-documented."

She continued: "We've also done a tabletop with our midlevel executives, our vice presidents and other key stakeholders across the organization, to make sure plans are in place, including communication plans. Social media is going to be a big part of our response plan to make sure we handle social media issues timely and appropriately. Soon we're going to conduct an exercise with our senior-level executives so they are prepared to handle crisis management events. We are really putting a lot of effort and emphasis on tabletop exercises and preparedness as key to managing a major event."

John Kennedy, corporate partner at Wiggin and Dana, noted: "Organizations that are seriously focused on this issue are doing training directed at all employees who may be in a position to expose the company to risk by virtue of the activity that they're permitted within the company's network. We have done training sessions with hedge funds specifically for the issue of social engineering and phishing. The training was not just limited to the senior officers either; it was a room full of traders and analysts. Phishing attacks are becoming increasingly sophisticated; you hear stories where someone very high up in the organization was impersonated and a middle-management employee was duped to transfer funds or execute an order that was bogus."

Todd Fitzgerald, Grant Thornton International global director of Information Security, adds: "Training methods have to change from 45-minute slide decks to online cyberassessments, phishing simulations and interactive training to grab the end users' attention and deliver relevant 15-minute training. Only after users have been fake-phished will they really pay attention to the training where information flow and demands on our time are at all-time highs."

While there are those who view employees as the weakest link in their organization's cyberincident preparedness, Bill Barouski, information security expert and former CISO, thinks the opposite. "Someone that is very well-trained and cyberaware is going to be far more effective than technology," he said. "People can become your strongest link."

For attorney Jason Bernstein, partner and co-chair of the data security and privacy group at Barnes & Thornburg LLP, training also means reinforcement: "If you do it once a month, people start getting kind of blind eyes, like a parent talking to a 16-year-old. With the IT directors and CIOs that I talk to, it's constant education. It does not matter how high- or low-level you are at this; these phishing attacks have gotten so good, and there are so many nuances in them that it's real easy to just click on them."

Board involvement

With recent high-profile legal cases involving board members making headlines, boards need to be more than just aware of cybersecurity incident response; they need to be involved in the IR planning. As Melissa Krasnow, partner and CIPP/US with Dorsey & Whitney LLP, pointed out, "The intersection of cybersecurity and corporate governance is an area that's developing and where awareness continues to increase."

She continued: "IT is in the middle of all this, and increasingly is being called upon by the board of directors and executives. Some companies are being transparent about their cybersecurity, for example stating, 'Here's where we're lacking in our security, and here's what we need to do to address it,' and providing steps that should be considered. Company ethics and culture may transcend legal requirements about how a company handles things. It's interesting to see this dynamic play out."

Unfortunately, the reality is that boards are often focused on other competing priorities. The former CISO of a large educational system noted that there was limited support at the board level: "If they did get involved, it did not trickle down to me. To my knowledge, senior management did not have much expectation from the board relating to cybersecurity. The board was focused on other topics."

However, other boards are very involved in cybersecurity. The executive director of information security with a large insurance company said the board in her organization takes this issue very seriously: "It's considered in every board meeting now. My boss is the chief information security officer, and he reports to the CIO. Every quarter, they have to give an update regarding not only IT in general, but also cybersecurity threats. The board is very interested and they do care, and I think it's helping to drive our investments in security, which is a good thing."

From the senior management perspective, she continued, "...the expectation of the board is to drive awareness. The board sets the tone so senior management and the end users know that it's important that security and the controls work properly."

Cyberinsurance

Given that cybersecurity is all about risk assessment and management, no cybersecurity IR program would be complete without a review of an organization's existing insurance coverage. Do not just assume the company's general liability or directors' insurance coverage will suffice. That said, there are certainly some companies that are ahead of the curve. Jerry Wynne, CISO and senior director of enterprise security at Noridian Mutual Insurance, said his company has been carrying cyberliability insurance for several years: "We went down the road of cyberinsurance after recognizing the potential liability. The discussion focused on the financial impact a breach would be to the company and to everyone involved. In the end we decided that we really had to have cyberinsurance, so we've been maintaining that for about five years."

Nolan Wilson, Southeast region leader of professional risk solutions at AON, notes: "Probably more do not purchase [cyberinsurance] than do, even though it's such a big topic today. I think from a general liability perspective, it's more and more common to see a specific exclusion for access or disclosure of confidential and personal information. It's critical to not just assume that you have insurance that will cover a specific incident, and to make sure that you're looking at the policy and any exclusions that it might have."

John Kennedy, corporate partner at Wiggin and Dana LLP, also noted increased attention to policy review: "Companies are paying much more attention to it. At least some of them are waking up to the fact that commercial general liability (CGL) policies and other kinds of standard policies do not address cyberrisk. We do a fair amount of work in the insurance sector, so we've actually worked with insurance companies on how to draft cyberinsurance policies, but also how to draft cyberrisk exclusions from their CGL policies."

Kennedy continued: "Companies just don't seem to pay the same degree of attention to the risk of loss to their information assets as they do to their tangible assets, and therefore may not understand that data loss is not covered. Or if you outsourced something and that third-party provider lost your data, your policies may not cover that. Insurance provisions have gotten very detailed and demanding. Customers are telling their vendors or their suppliers that they've got to carry all these types of cyberliability coverage, criminal cyberliability coverage, etc., in addition to the other types of insurance."

Todd Fitzgerald, Grant Thornton International global director of Information Security, also notes: "Cyberinsurance is an important tool to mitigate risk; however, this cannot be a substitute for having reasonable controls and an adequate IR program. Many policies have exclusions for not having minimum controls, such as an exclusion for losses due to unencrypted laptops, or not having a plan in place. Some policies will also require the use of their service providers in the event of an incident. These policies should be reviewed carefully to determine acceptable coverage for the organization."

Third-party risk

Just because an organization's systems do not suffer a breach does not mean its information cannot be compromised. Third-party or vendor risk is another key area of consideration for a company's cybersecurity IR program. Are they protecting data with the same fervor you are? To find out, it's critical to conduct an assessment of your partners' cybersecurity measures and assess your vendors' management processes. You'll need to determine how these organizations will protect your data, either through contractual agreements, assessments or audits. Depending on the size of your organization, your vendor management group may be able to handle this, or it might require a combined effort, with your accounting group and IT security staff working together to look at vendors. [6] The former CISO of a large educational system said he instituted vendor security and a vendor assessment questionnaire: "Anytime a new vendor would come on board, we would have them complete the questionnaire and we would make a risk recommendation whether or not to proceed. Now the organization could always accept the risk, but IT would at least make some recommendation based on our vendor security review."

Bill Barouski, information security expert and former CISO, noted: "I think this has started to get more attention in the last 18 months. Any large, extended enterprise will have a very wide array of third-party vendors and partners. They're saying, 'We need to take a holistic view of cyberrisk across the entire enterprise, including contractors, vendors, partners, etc.' so I see a lot of energy around this topic, especially in the financial services industry."

Ashley McCown, president of Solomon McCown, commented: "In business in general, we are hearing more about companies requiring verification from third-party vendors to show what systems and processes they have in place to protect data. I think that's becoming much more commonplace."

An executive director of information security with a large insurance company said her company has spent a lot of time looking at third parties because incidents can occur outside your systems but have implications for your company: "Many times it had to do with a third party either having some kind of entry point into your system, or just the fact that we're sharing our data with third parties. So we have a strong, robust third-party vendor management program. We look at it from a privacy, security and legal perspective. But we know it's really working with our procurement department, as well as our business partners, to have a strategy of what type of information lends itself to be hosted externally with third parties and the criticality of the business. So we're putting a lot of criteria and strategy around our third-party vendor management to make sure we're providing the right oversight."

She continued: "If vendors have access to critical and/or confidential information, we require what's called a minimum security requirements document that's a part of the contract, like an addendum, and one of our requirements is data security at rest, in addition to many other things. It seems like the industry has shifted, and a lot of companies and third-party vendors — at least the ones that deal in health care information — are taking it seriously and adhering to that requirement."

Communications

PR and communications must be an integral part of any cybersecurity incident response plan. This is the area of expertise of Ashley McCown, president of Solomon McCown, and she summed this up perfectly: "Social media is a game changer in our world in terms of how quickly information and/or rumors can spread. Now hackers will often be the ones that go onto a blog or other social channels to put it out there that they've hacked an organization or company. So then the clock starts ticking. Someone's going to tell the story, and you want that someone to be you and your company and not other people."

Bill Barouski, information security expert and former CISO, noted: "What I've observed, increasingly so, is the sooner you're able to provide clear and unambiguous information, the sooner you reduce the attention, uncertainty and the number of news stories. By nature, if the public doesn't believe you're being straightforward or cooperating, the scrutiny and intensity increase. But I think you've seen in the last two years how firms are much quicker to announce what they do know even without full understanding of what's happened."

While putting out a public communication statement following a breach is important, Jason Bernstein, partner and co-chair of the data security and privacy group at Barnes & Thornburg LLP, did provide some words of caution: "A lot of times when we're talking about a small company, they don't have a PR firm, certainly not a PR firm that knows how to deal with data breach communications. Part of what we do in our role is to help manage this whole process, and one of the things that a PR firm and certainly the client tends to do in terms of communication is say, 'We are guilty, we're sorry, mea culpa.' We try and advise them on what they should be saying or not to say just yet."

He continued: "One key to managing communications is to communicate early and clearly what you do know, and that you will provide more details as they become available. In a major breach incident, it's not a good idea to release information that is not confirmed. Delaying an initial announcement makes the public suspicious of your motivations. But restating the facts later is likely to be more damaging. So managing that communications process is a balancing act. And, in the big picture, the way the company handles communications will be remembered long after the breach is fixed and individuals have been taken care of, and this is the key to minimizing damage to the company's brand reputation and regaining trust."

Conclusion

Hardly a day goes by without cyberattacks and data breaches grabbing media headlines. No company, organization or even government is immune. That's the bad news. The good news is that companies can use these events to bolster their own cybersecurity incident response. Once again we consider those factors that can reduce the cost of a data breach. Some of the most valuable investments companies can make seem to be an IR plan, extensive use of encryption, the involvement of business continuity management, the appointment of a CISO with enterprise-wide responsibility, employee training, board-level involvement and insurance protection. [7]

Prevention through implementing reasonable controls is still very important; however, these controls are point-in-time and, even if implemented correctly 100% of the time, there are new threats and exploits that are emerging. There will always be a gap between the implemented controls and the resources available to a determined attacker. Thus, planning for this situation by implementing an IR program is critical to reducing the risk and cost to the enterprise.

The risks of cyberattacks span functions and business units, companies and customers. Given the stakes and the challenging circumstances related to becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior management team. [8] Cybersecurity is not a check-the-box-and-you're-done issue. It requires a commitment of time and resources. It's too late to start planning for a breach once a breach has taken place. Start planning now; best practices begin with a cybersecurity incident response plan as part of a comprehensive IR program.

Interviewees

Ten in-depth research interviews provided insights into how companies are reacting to cybersecurity. The following subject matter experts participated in these interviews:

  • Bill Barouski, information security expert and former CISO
  • Jason Bernstein, partner, data security and privacy group, Barnes & Thornburg LLP
  • John Kennedy, corporate partner, IT and outsourcing, privacy, and information security group, Wiggin and Dana LLP
  • Melissa J. Krasnow, corporate partner and CIPP/US, Dorsey & Whitney LLP; Governance Fellow, National Association of Corporate Directors
  • Ashley McCown, president, Solomon McCown
  • Liisa Thomas, chair, privacy and data security practice, Winston & Strawn LLP
  • Nolan Wilson, Southeast region leader, professional risk solutions, AON
  • Jerry Wynne, CISO and senior director of enterprise security, Noridian Mutual Insurance
  • Anonymous, executive director of information security with a large insurance company
  • Anonymous, former CISO of a large educational system

Footnotes

[1] Ponemon Institute. U.S. Cost of a Data Breach Study, May 2015.

[2] Ponemon Institute. U.S. Cost of a Data Breach Study, May 2015.

[3] Bailey, Tucker; Brandley, John; and Kaplan, James. How Good Is Your Cyberincident-Response Plan? McKinsey & Company, December 2013.

[4] Parkinson, John. "How to respond to a data breach," CFO.com, July 14, 2015.

[5] Parkinson, John. "How to respond to a data breach," CFO.com, July 14, 2015.

[6] See "Unprepared organizations pay more for cyberattacks" for more information.

[7] Ponemon Institute. U.S. Cost of a Data Breach Study, May 2015.

[8] Bailey, Tucker; Kaplan, James; and Rezek, Chris. Why Senior Leaders Are the Front Line Against Cyberattacks, McKinsey & Company, June 2014.


We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.