The New Face of Commercial Crime - Cybersecurity Risks for Companies and their Directors

Bennett Jones LLP

The threat of commercial crime against companies is transforming. Technology has created new and innovative ways for fraudsters to exploit individuals and companies through cyber attacks. This new face of fraud can give rise to massive liability issues for a company and its directors following the theft of personal data held by the company.

In order to navigate this new terrain of litigation risks, companies and their directors should understand the evolving scope and nature of potential liability from a cyber attack.

Background

Computer hacking is nothing new. The Hacker's Handbook was published more than 30 years ago,1 and the U.S. Congress passed the Computer Fraud and Abuse Act shortly thereafter.2 The hacktivist group, Anonymous, was formed more than a decade ago.3 Five years later, Anonymous hacked the Church of Scientology and disseminated stolen private documents across the Internet.4

Over the last few years, however, there have been several large-scale cyber attacks on sophisticated corporations in both the United States and Canada, giving rise to significant civil and regulatory liability issues for those companies and their directors:

  • In December 2013, a cyber attack on Target Corp. resulted in the exposure of personal and financial information of somewhere between 70 and 110 million customers.5 As a result of this breach, Target's profit fell by 46 percent in its fourth fiscal quarter of 2013 in the United States alone.6 Between lawsuits started by financial service-providers (such as Visa and MasterCard) and customers, Target ultimately spent over $110 million combined in civil settlements.7
  • In December 2013, cyber-hackers gained unauthorized access to the data-systems of Excellus BlueCross BlueShield, a nonprofit independent licensee of the BlueCross Blue Shield Association.8 The personal health data of more than 10 million members and patients was compromised, which included names, birth dates, social security numbers, member identification numbers, financial account information and claims information. As of November 2015, at least 12 lawsuits had been filed against the Rochester-based health insurer, its parent company, Lifetime HealthCare, and other Lifetime subsidiaries.9
  • In January 2014, news broke of an attack on American retailer Neiman Marcus, in which hackers obtained all debit and credit card information held by the company over a three-month period. Ultimately, 350,000 customers were affected by the hack. A class action against the company in the United States is pending.10
  • In September 2014, the largest home-improvement retailer, The Home Depot, confirmed it had been the victim of a data hack, whereby more than 53 million email addresses and credit-card numbers were stolen from customers across the United States and Canada. The company has since confirmed it is facing "at least" 44 civil lawsuits in connection with the breach, in addition to a spate of regulatory investigations.11
  • In November 2014, the notorious cyber-attack on Sony Pictures Entertainment Inc. wiped out the company's internal data centers and led to the cancellation of the theatrical release of "The Interview," a comedy about the fictional assassination of the North Korean leader, Kim Jong-un. Contracts, salary lists, film budgets, entire films and social security numbers were stolen. Sensitive personal emails were leaked. Sony ultimately agreed to pay up to $8 million to employees who alleged their personal data had been stolen.12
  • In December 2014, the Ontario Information Privacy Commissioner issued an order against Rouge Valley Health System's Scarborough Centenary Hospital, finding that there had been two major privacy breaches regarding new mothers' personal health information, which were stolen from the hospital's maternity ward.13 The hospital now faces a $400 million class action suit brought on behalf of patients.14
  • In February 2015, the American health insurer, Anthem Inc., was targeted by cyber-hackers, who compromised the personal and financial information of tens of millions of the company's customers and employees, including their names, social security numbers, birthdays, addresses, and income data. At least 26 lawsuits have since been commenced against Anthem.15
  • In July 2015, a hacker-group called the Impact Team announced it had obtained the user-data of infidelity website Ashley Madison's 39 million members. When Toronto-based parent company, Avid Life Media, Inc. refused to shut down the website, the cyber-hackers exposed the usernames and credit-card transactions of Ashley Madison's executives, and thereafter, of its members. Avid Life now faces class action claims for over $750 million, in addition to pending regulatory investigations.16

These high-profile cyber attacks are warning signs that large-scale data breaches pose very real threats to corporations and their directors. Data breaches should be viewed as an inevitable business risk for which companies must prepare. To understand the nature of the risks involved, companies and directors need to understand how they may be found liable.

Scope of Liability Arising from Data Breaches

Depending on the nature of the attack, company and director liability could arise from: (1) claims by regulators; (2) claims by shareholders; (3) claims by victims; and/or (4) claims by banks and/or credit card issuers.

Within each category, liability may arise from the company's failure to take reasonable steps to prevent a data breach and/or its failure to adequately respond to the breach. Each area of exposure is summarized below.

1. Regulatory Investigations/Proceedings

The Office of the Privacy Commissioner of Canada

The Personal Information Protection and Electronic Documents Act17 (PIPEDA or the Act) functions to regulate "commercial organizations" that collect, use, or disclose "personal information".18

PIPEDA came into force on January 1, 2000, and was most recently amended on June 18, 2015, by the Digital Privacy Act (certain provisions of which have not yet come into force).19 The Act is overseen and implemented by the Office of the Privacy Commissioner of Canada.

PIPEDA's main objective is to safeguard individual privacy rights and minimize the unauthorized use or abuse of personal information (including financial information), by governing the conduct of commercial organizations. Organizations governed by PIPEDA are required to manage, protect and safeguard the personal information.20 Under the Act, organizations must, among other things:

  • only use or disclose personal information for the purpose for which it was collected;
  • only keep personal information as long as necessary to satisfy the purpose for which it was collected;
  • implement guidelines and procedures for the retention and destruction of personal information; and
  • protect personal information from unauthorized access, disclosure, copying, use, or modification.

Under the new provisions of the Digital Privacy Act, commercial organizations will also be required to:21

  • notify individuals and organizations of breaches that create a "real risk of significant harm", and report such breaches to the Commissioner;
  • keep and maintain a record of every breach of security safeguards involving personal information under their control.

Under these new provisions, organizations that knowingly fail to report a breach to the Commissioner, or fail to notify individuals as required, could face fines of up to $100,000 per breach – which may mean $100,000 multiplied by the number of individuals whose information has been compromised.

The Commissioner may initiate proceedings against commercial organizations before the Federal Court. If the Federal Court finds an organization non-compliant, it can:

  • order the offending organization to take corrective measures;
  • publish a notice of their corrective measures; and/or
  • award damages to complainants.

Competition Bureau – Regulation of Unfair or Deceptive Practices

Considering the sanctions imposed by the Federal Trade Commission (FTC) in the United States, there is a prospect that organizations in Canada could face regulatory claims brought by the Competition Bureau. In the United States, the FTC has brought more than 50 enforcement actions against American companies for failing to adequately safeguard the personal information of consumers. The FTC has levied fines of up to $22.5 million (on Google Inc., for the 2012 data breach).22 The FTC has been pushing for greater authority to regulate the cybersecurity practices of companies based on its legal mandate to regulate unfair and deceptive practices.23

For example, in connection with the Wyndham Worldwide Corp. security breach, the FTC sued Wyndham claiming its online privacy policy – which promised to "safeguard our customers' personally identifiable information" using "industry standard practices" – was deceptive. The FTC alleged that contrary to this policy, Wyndham did not use commercially reasonable methods for protecting consumer data.24 Wyndham sought to strike the action on the basis that the FTC's authority to regulate unfair or deceptive practices did not extend to the regulation of cyber security matters. The Third Circuit Court of Appeals upheld the decision of the district court, finding that the FTC has jurisdiction with respect to data security practices.25

In Canada, the Competition Bureau investigates and oversees complaints of unfair or deceptive practices and enforces the provisions of the Competition Act.26 If the Competition Bureau finds a company non-compliant, it can initiate enforcement proceedings before the Competition Tribunal or before a civil court. Upon application by the Commissioner of Competition, the court can order a corporation with unfair or deceptive practices to pay an administrative penalty of up to $10 million and, for each subsequent order against that corporation, an amount of up to $15 million.27

To date, there have not been any reported attempts by the Competition Bureau to regulate cyber security matters based on its authority to regulate unfair or deceptive practices. However, given the approach by the FTC, the risk should not be ruled out.

Securities Regulators

If an organization subject to a data breach is a reporting issuer, it could potentially face regulatory prosecutions brought by securities commissions, including the Ontario Securities Commission (OSC).

In Ontario, the OSC administers and enforces the Ontario Securities Act.28 The OSC's stated mandate is to "provide protection to investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets and confidence in capital markets".29 Section 122(1)(a) of the Securities Act, for instance, makes it an offense for an organization to make "misleading or untrue" statements to the public, or to fail to disclose a fact "that is required to be stated or that is necessary to make the statement not misleading".30

Under this provision, a data hack could conceivably expose a company to large regulatory penalties. For example, if a reporting issuer promised to safeguard its customers' data using industry-standard practices, but then failed to live up to its representations, the OSC could technically initiate investigations or proceedings under section 122(1)(a). Under the Securities Act, the OSC is empowered to seek fines of up to $5 million for contraventions of Ontario securities law – including contraventions of section 122(1)(a).31

2. Claims by Shareholders

In connection with a data breach, a company's shareholders could potentially bring an action against the corporation itself or against its directors (through a derivative claim, or depending on the case, a direct claim for oppression). To date, there have not been any shareholder actions litigated in Canada arising from a cyber breach. However, the litigation faced by companies and principals in the United States may be instructive.

In connection with the Target data breach, Target's shareholders filed at least four derivative action suits, which were consolidated and brought before the District Court of Minnesota in 2014.32 The shareholders alleged that, among other things, Target's directors and officers failed to "maintain proper internal controls" or take adequate steps to prevent the attack. They also alleged that Target failed to properly notify customers about the scope of the breach after it occurred. The shareholders sought damages arising from, among other things, amounts incurred by Target from defending the various class action suits and regulatory investigations.33

In connection with the Wyndham data breaches referenced above,34 Wyndham shareholders sued the company's directors and officers (through a derivative suit) for failing to take reasonable steps to maintain their customers' personal and financial information in a secure manner, and for failing to disclose the breaches to shareholders in a timely manner.35 The action was dismissed on factual grounds. Specifically, the court noted that the board of directors had met before the breach on numerous occasions to discuss and implement cybersecurity procedures, and had held 14 quarterly meetings after the breach to discuss the response to the attack, including the adoption of security enhancements.36 While the outcome was a good one for the company and its directors, this case highlights the risks that companies and directors may face in similar circumstances.

3. Claims by Victims

Victims of a cyber breach whose data has been compromised or misappropriated are likely litigants against companies and their directors. The high profile data breaches in Canada and the United States demonstrate the scope, scale and magnitude of potential attacks. There could be millions of individual victims whose personal or financial information is exposed.

In seeking damages against a company, a victim does not need to prove specific damages arising from the data breach. The Ontario Court of Appeal has held that intrusion upon seclusion is a tort for which damages may be awarded up to $20,000.37 Given the potential number of customers/employees whose data could be compromised from a cyber attack, this exposure can be significant. In addition to the tort of intrusion upon seclusion, there are potential damages that arise from a cyber attack, such as costs associated with identity theft.

In Canada, high profile cases involving claims by victims include:

  • Ashley Madison: A $760-million class action has been commenced in Ontario against Avid Life Media.38 The plaintiffs claim damages for, among other things, costs incurred to prevent identity theft, increased risk of identity theft, mental distress, emotional upset, anguish, anxiety and depression, lost time, inconvenience, and frustration.
  • Bank of Nova Scotia: A class action was commenced asserting unspecified damages against the Bank of Nova Scotia by customers whose confidential information was breached by a bank employee. The plaintiff class claims damages for, among other things, intrusion upon seclusion, inconvenience, discomfort, distress and aggravation. In the alternative, the plaintiff class seeks damages pursuant to the doctrine of waiver of tort, which are calculated by requiring the Bank to disgorge its profits during the relevant period of time. The action was certified as a class action in 2014. Leave to appeal from that decision was dismissed later that year.39
  • Target: A class action is pending against Target in Quebec for compensable damages. While the action was initially dismissed on jurisdictional grounds, it was reinstated by the Quebec Court of Appeal.40 The representative plaintiff has sought damages for fear, stress, inconvenience and loss of time due to the necessity of monitoring more closely his monthly statements of accounts. In the United States, there were more than 80 class actions instituted as a result of the Target data breach.41

4. Claims by Credit Card Issuers/Banks

A cyber attack may also give rise to claims by networks such as Visa or MasterCard or related financial institutions to recover the costs those financial institutions incur in replacing credit cards and reimbursing fraudulent transactions.

A 2007 data breach involving TJX Companies stores – brands like T.J. Maxx and Marshalls – involved the compromise of at least 46 million customers' information. In the face of claims by Visa, TJX agreed to fund up to $40.9 million42 for payments to certain financial institutions. TJX also settled with MasterCard for approximately $20 million.43

Conclusion

While the risk of a cyber attack and the corresponding claims for damages cannot be eliminated, it can be managed.

Companies should prepare and implement a data breach plan that includes steps for resisting and responding to cyber attacks. Directors should be engaged with this process. In the aftermath of an attack, there is no time to waste on last-minute plans.

A central component of the response plan should involve immediate consultation with counsel regarding a number of critical matters such as:

  • whether the law requires notice to be given to third parties of the breach and if not required, whether it is advisable to do so in any event;
  • the content of the notice, both so that required information is included and because the content of the notice could later be used against the company in litigation by those individuals whose information has been compromised;
  • whether a press release should be issued and, if so, the content of the press release;
  • an internal investigation to determine how the breach occurred so that steps can be taken to contain the breach and rectify the weakness in the system. The investigation should be overseen by external counsel so that solicitor/client privilege remains over the investigation report and witness statements;
  • what steps are necessary to contain the effects of the breach and to prevent any further breach; and
  • cross-border implications of the data breach.

Companies and their directors should consult with counsel on a routine basis in order to ensure that their data breach plan factors in the evolving legal requirements or standards expected of companies.

Further, in the event of an attack, it is imperative for companies to consult with counsel as soon as possible, in order to avoid any legal missteps that could result in increased litigation claims and/or greater financial consequences.

 


Notes

  1. Hugo Cornwall, The Hacker's Handbook (London: E Arthur Brown, 1985).
  2. Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986).
  3. Around 2004, users on an online discussion board called 4chan started referring to their hacker collective as "Anonymous". David Kushner, "The Masked Avengers: How Anonymous incited online vigilantism from Tunisia to Ferguson", The New Yorker (8 September 2014) online: http://www.newyorker.com/magazine/2014/09/08/masked-avengers.
  4. Claudine Beaumont, "Hackers wage web war on Scientologists", The Telegraph (4 February 2008) online: http://www.telegraph.co.uk/technology/3356210/Hackers-wage-web-war-on-Scientologists.html.
  5. Anthony Wing Kosner, "Actually Two Attacks In One, Target Breach Affected 70 to 110 Million Customers", Forbes (17 January 2014) online: http://www.forbes.com/sites/anthonykosner/2014/01/17/actually-two-attacks-in-one-target-breach-affected-70-to-110-million-customers/#2715e4857a0b322a17db596e.
  6. See Maggie McGrath, "Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming", Forbes (26 February 2014) online: http://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming/#2715e4857a0b4f7c6cc35e8c. See also Jim Finkle, "Exclusive: Cybercrime firm says uncovers six active attacks on U.S. merchants", Reuters (17 January 2014) online: http://www.reuters.com/article/us-target-databreach-idUSBREA0G18P20140117.
  7. Ahiza Garcia, "Target settles for $39 million over data breach" CNN Money, (2 December 2015) online: http://money.cnn.com/2015/12/02/news/companies/target-data-breach-settlement/.
  8. As published on the company's website, "Notice of Cyberattack Affecting Excellus BlueCross Blueshield", Excellus BlueCross Blueshield (18 January 2015), online: http://www.excellusfacts.com/.
  9. Joanne Finnegan, "Excellus BCBS still unclear Anthem faces lawsuits over data breach", Fierce Health Payer (13 July 2015) online: http://www.fiercehealthpayer.com/story/anthem-slammed-lawsuits-due-data-breach/2015-07-13.
  10. Alison Frankel, "The 7th Circuit just made it a lot easier to sue over data breaches", Reuters (21 July 2015) online: http://blogs.reuters.com/alison-frankel/2015/07/21/the-7th-circuit-just-made-it-a-lot-easier-to-sue-over-data-breaches.
  11. See The Home Depot, Press Release, "The Home Depot Reports Findings in Payment Data Breach Investigation", (6 November 2014) online: https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf. See also Michael Calia, "Home Depot Facing at Least 44 Civil Suits in Data Breach", The Wall Street Journal, (25 November 2014) online: http://www.wsj.com/articles/home-depot-facing-at-least-44-civil-suits-in-data-breach-1416917359.
  12. See Sony Corporation, News Release, "Consolidated Financial Results Forecast for the Third Quarter Ended December 31, 2014, and Revision of Consolidated Forecast for the Fiscal Year Ending March 31, 2015", (4 February 2015) online: http://www.sony.net/SonyInfo/IR/library/fr/150204_sony.pdf. See also Edvard Pettersson, "Sony to Pay as Much as $8 Million to Settle Data-Breach Case", Bloomberg Business (20 October 2015) online: http://www.bloomberg.com/news/articles/2015-10-20/sony-to-pay-as-much-as-8-million-to-settle-data-breach-claims.
  13. Information and Privacy Commissioner of Ontario, News Release, "Rouge Valley Health System Failed to Protect Patient Health Information", (16 December, 2014) online: https://www.ipc.on.ca/images/Resources/2014-12-16-HO-013-e_1.pdf.
  14. Joel Eastwood, "Rouge Valley faces $400M class-action lawsuit over privacy breach", Toronto Star (25 June 2014) online: http://www.thestar.com/news/gta/2014/06/25/rouge_valley_faces_400m_classaction_lawsuit_over_privacy_breach.html. Note that, because of the provisions of the Personal Health Information Protection Act, the company had to notify patients of the privacy breach, which was confirmed in early July 2014.
  15. See Danny Yadron and Melinda Beck, "Health Insurer Anthem Didn't Encrypt Data in Theft", The Wall Street Journal (5 February 2015) online: http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560. See also Dori Zweig, "Anthem faces lawsuits over data breach", Fierce Health Payer (13 July 2015) online: http://www.fiercehealthpayer.com/story/anthem-slammed-lawsuits-due-data-breach/2015-07-13.
  16. See Sadaf Ahsan, "$750M class-action lawsuit filed against Ashley Madison on behalf of Canadian subscribers following data leaks", National Post (20 August 2015) online: http://news.nationalpost.com/news/750m-class-action-lawsuit-filed-against-ashley-madison-on-behalf-of-all-canadians-following-data-leaks. See also Chris Isidore and David Goldman, "Ashley Madison hackers post millions of customer names", CNN Money, (19 August 2015) online: http://money.cnn.com/2015/08/18/technology/ashley-madison-data-dump/.
  17. Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA).
  18. PIPEDA, ibid, at ss. 2(a), under which "personal information" is defined as "information about an identifiable individual".
  19. As a result of the Digital Privacy Act, S.C. 2015, c. 32.
  20. PIPEDA, supra note 17 at ss. 5-10 and Schedule 1, which sets out ten principles with which commercial organizations must comply, including: accountability, consent, accuracy, and safeguards.
  21. While all other new provisions came into force upon the Act gaining Royal Assent, those dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and implemented.
  22. Josh Ladeau, "The FTC: What You Need To Know About one of the Most Relentless Federal Cyber Regulators", Advisen Insurance Intelligence (3 June 2015) online: http://www.advisenltd.com/wp-content/uploads/2015/06/the-ftc-report-2015-06-03.pdf.
  23. Ontario Securities Commission, "About", (21 January 2015) online: https://www.osc.gov.on.ca/en/About_about_index.htm.
  24. Federal Trade Commission v. Wyndham Worldwide Corporation, Case No. 14-3514 (3d Cir. 2015).
  25. Ibid.
  26. Competition Act, RSC 1985, c C-34, at s. 74.01.
  27. Ibid at ss. 74.1(1)(c)(ii).
  28. Securities Act, RSO 1990, c S.5 (Securities Act).
  29. Ontario Securities Commission, supra note 23.
  30. Securities Act, supra note 28 at ss. 21(1)(a).
  31. Securities Act, supra note 28 at ss. 122 (1)(c).
  32. In Re Target Corp. Customer Data Sec. Breach Litig., Case No. 14-cv-00203 (D. Minn. 2014).
  33. See Complaint at 3 ¶ 7, Kulla, No. 14-cv-00203-PAM-JJK (D. Minn. 2014); also see Complaint at 6 ¶ 12, Collier, No. 14-cv-00266-PAM-JJK (D. Minn. Jan 29, 2014).
  34. Vedder Price, Newsletter/Bulletin, "Lessons from the Dismissal of Wyndham Shareholders Derivative Action", (19 November 2014) online: http://www.vedderprice.com/lessons-from-dismissal-of-wyndham-shareholders-derivative-action/.
  35. Palkon v Holmes, Case No. 2:14-cv-01234 (D.N.J. 2014).
  36. Brenda R. Sharton, Gerard M Stegmaier and Goodwin Procter, "Breaches in the boardroom: What directors and officers can do to reduce the risk of personal liability for data security breaches", Thomson Reuters online: http://legalsolutions.thomsonreuters.com/law-products/news-views/corporate-counsel/breaches-in-the-boardroom-what-directors-and-officers-can-do-to-reduce-the-risk.
  37. Jones v Tsige, 2012 ONCA 32.
  38. Statement of Claim, Court File No. CV-15-22622CP.
  39. Evans v The Bank of Nova Scotia, 2014 ONSC 7249 (Sup Ct).
  40. See Zuckerman v Target Corporation, Québec Superior Court (Court File No. 500-06-000686-143, 2014). See also "Quebec Court of Appeal sends Target data breach class action jurisdiction application back to lower courts", Canadian IT Law Association (25 November 2015) online: http://www.it-can.ca/2015/11/25/quebec-court-of-appeal-sends-target-data-breach-class-action-jurisdiction-application-back-to-lower-courts/.
  41. Zuckerman v Target Corporation, 2015 QCCS 1285.
  42. The TJX Companies, Inc., Press Release, "The TJX Companies, Inc. Announces Settlement Agreement with Visa U.S.A. Inc. and Visa Inc.; Estimated Costs Already Reflected in Previously Announced Charge", (30 November 2007) online: http://investor.tjx.com/phoenix.zhtml?c=118215&p=irol-newsArticle_pf&ID=1082977.
  43. Robin Sidel, "Target Nears Settlement With MasterCard Over Data Breach", The Wall Street Journal (14 April 2015) online: http://www.wsj.com/articles/target-nears-settlement-with-mastercard-over-data-breach-1429050238.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bennett Jones LLP | Attorney Advertising


Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.
