Information Security Considerations (Germany)

Resource ID: W-006-6878

PAUL VOIGT, TAYLOR WESSING PARTG MBB, WITH PRACTICAL LAW DATA PRIVACY ADVISOR

Search the Resource ID numbers in blue on Westlaw for more.

A Practice Note describing the laws, regulations, Information security programs protect the confidentiality, integrity, enforcement practices, and local resources to and availability of data and information technology (IT) assets. However, differences in local data security laws, practices, and consider when developing, implementing, and standards create challenges for global companies, and failure to maintaining an information security program comply with them can result in enforcement action and litigation. This Practice Note explains the German laws, regulations, in Germany or as applied to data originating enforcement practices, and local resources to consider when from Germany. It addresses related EU law, such developing, implementing, and maintaining an information security program in Germany or as applied to personal data originating as the EU General Data Protection Regulation from Germany. The Germany-specific guidance in this Note may be (Regulation (EU) 2016/679) (GDPR), the EU used with the generally applicable resources listed in the Global Information Security Toolkit (W-003-1855). Directive on the Security of Network and Information Systems (Directive 2016/1148/EC) INFORMATION SECURITY LAWS AND REGULATIONS (NIS Directive), and Germany’s implementing Several German laws regulate information security and set related laws, including the Data Protection Adaptation standards, including: The Federal Data Protection Act (Bundesdatenschutzgesetz) and Implementation Act (Datenschutz- (BDSG), which protects personal data. Germany updated the Anpassungs- und Umsetzungsgesetz EU) Act to align with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), effective May 25, 2018 (see (DSAnpUG-EU) and the NIS Directive GDPR and the BDSG). Implementation Act (NIS-Richtlinien- The IT Security Act (IT-Sicherheitsgesetz) (in German) (IT-SiG), Umsetzungsgesetz). It also discusses critical which affects telemedia services, including websites, social media, and other online services, telecommunications, and other infrastructure issues and Federal Office for critical infrastructure sectors. Germany updated this Act when Information Security (Bundesamt für Sicherheit it transposed the EU Directive on the Security of Network and Information Systems (Directive 2016/1148/EC) (NIS Directive) into in der Informationstechnik) (BSI) regulations, German law (see IT-SiG and NIS Directive Implementation). A first standards, and resources. The Germany- draft bill for the IT Security Act 2.0 is under consideration. Other legal regimes that protect at-risk data and interests (see specific guidance in this Note may be used Other Laws). with the generally applicable resources listed Data security requirements and expectations may also derive from in the Global Information Security Toolkit general compliance obligations. For example, the managing director (W-003-1855). of a German limited liability company (GmbH) has a general duty of care towards the company that may include implementing adequate

data security measures (Section 43(1), Limited Liability Company Act zzabilities to restore availability and access to personal data in a (Gesetz betreffend die Gesellschaften mit beschränkter Haftung) (in timely manner if a physical or technical incident occurs; and German) (GmbHG)). zza process for regularly testing, assessing, and evaluating the effectiveness of the organization’s technical and organizational GDPR AND THE BDSG security measures. The GDPR applies in all member states as of May 25, 2018. Germany (Article 32(1), GDPR.) enacted the Data Protection Adaptation and Implementation Act (Datenschutz-Anpassungs- und Umsetzungsgesetz EU) (DSAnpUG- For general information on the GDPR, see Practice Note, Overview EU) to update the BDSG and align it with the GDPR. The updated of EU General Data Protection Regulation (W-007-9580). For more BDSG provisions applied on the GDPR’s effective date. details on anonymization and pseudonymization as information security controls, see Practice Note, Anonymization and Pseudonymization For more information on the BDSG’s general requirements, see Under the GDPR (W-007-4624). Country Q&A, Data protection in Germany: overview (3-502-4080). IT-SiG AND NIS DIRECTIVE IMPLEMENTATION The GDPR broadly defines personal data to include any information relating to an identified or identifiable natural person (Article 4(1), The Federal Office for Information Security (Bundesamt für Sicherheit GDPR). Personal data generally includes information that alone or in der Informationstechnik) (BSI) in the Federal Ministry of the Interior in combination with other information that an organization has or is acts as Germany’s national cybersecurity authority, under the BSI likely to have access to directly or indirectly identifies an individual Act of 2009 (BSI-Gesetz) (BSIG), as amended by the IT-SiG. Germany data subject. updated the BSIG in mid-2017 to transpose the NIS Directive into German law under the NIS Directive Implementation Act The GDPR has additional rules that apply to processing special (NIS-Richtlinien-Umsetzungsgesetz). categories of personal data, which include: Racial or ethnic origin. These laws: Apply minimum information security standards to critical Political opinions. infrastructure (see Critical Infrastructure). Religious and philosophical beliefs. Update information security-related obligations under several Trade union membership. German sector-specific laws, including those that apply to public Health, sex life, or sexual orientation. websites and social media (see Sector-Specific Requirements). Genetic and biometric data. Require various sectors and service providers to notify the BSI and other agencies if a cyber incident occurs (see Cyber Incident (Article 9(1), GDPR.) Response and Data Breach Notification). The updated BDSG provisions under the DSAnpUG-EU contain some GDPR-permitted derogations, for example, relating to exceptions Critical Infrastructure from: Critical infrastructure includes facilities which are important to The information obligations (Section 33, BDSG and Article 23, Germany because a loss of their operation may lead to significant GDPR). supply shortages or endanger national security. The NIS Directive The designation of a data protection officer (Section 38(1), BDSG lays out security and cyber incident notification requirements for: and Article 37(4), GDPR). Digital service providers that offer certain information society services, including: The BDSG also contains provisions that regulate data protection zzonline marketplaces; outside the GDPR’s scope of application, for example, relating to the processing of personal data by public bodies responsible for zzonline search engines; and addressing criminal or administrative offenses (Sections 45-84, zzcloud computing services. BDSG and Recital 19, GDPR). (Article 4(6), NIS Directive; Section 2(11), BSIG.) The GDPR: Essential services operators across various critical infrastructure Requires controllers and their data processors to: sectors, including: zz zztake a risk-based approach to securing personal data; and Energy. zz zzimplement appropriate technical and organizational measures Transportation. commensurate with risks. zzBanking and financial market infrastructures. (Article 32, GDPR.) zzHealth care. Highlights several appropriate security measures, including: zzWater. zzpseudonymization and encryption; zzDigital infrastructure. zzabilities to ensure the ongoing confidentiality, integrity, (Article 4(4), NIS Directive; Section 2(10), BSIG.) availability, and resilience of data processing systems and services;

Under the NIS Directive, operators of essential services and digital zzimplement appropriate technological measures to protect service providers must take technical and organizational security against service interruptions and manage security risks (Section measures that: 109(2), TKG); and Are appropriate and proportionate to the risks posed. zzwarn customers if they detect that their network connections Consider the state of the art. are being used in cyberattacks, for example, as part of a botnet (for more information on botnets and other forms of malicious (Articles 14(1) and 16(1), NIS Directive; Section 8a(1), BSIG). software, see Practice Note, Cybersecurity Tech Basics: Malware and End User Attacks: Overview (W-003-4711)). German law further requires critical infrastructure providers, including essential service operators, to: Electricity supply network providers. The Energy Economy Act requires electricity supply network providers to protect the Adopt appropriate organizational and technological measures to telecommunications and IT systems necessary for safe and protect the availability, integrity, authenticity, and confidentiality of reliable electricity operations. The Federal Network Agency their IT systems and facilities that: (Bundesnetzagentur) and BSI together support standards for zzalign with state-of-the-art technology; and documenting and implementing these and related information zzmay leverage industry-defined sector-specific security standards security requirements. (for more information on IT baseline protection profiles for particular groups, see Industry Standards). OTHER LAWS zzEvery two years demonstrate to the BSI that their facilities meet German law protects other types of at-risk data and interests, IT-SiG requirements (see Program Review and Certification). including: BSI-Kritis regulations (BSI-Kritisverordnungen) further implement the Information and IT systems for public companies. The Stock IT-SiG’s information security and notification requirements in some Corporation Act (Aktiengesetz) (in German) (AktG) requires German sectors. For more information, see the critical information protection Stock Corporation managing boards to comply with all applicable website which supports a joint initiative from the BSI and the Federal laws, manage the corporation’s business diligently, and monitor Office of Civil Protection and Disaster Assistance (Bundesamt für corporation management (Section 93, AktG). These obligations Bevölkerungsschutz und Katastrophenhilfe) (BBK). may require the managing board to ensure the organization implements adequate information security measures, according to The NIS Directive and the European Commission’s implementing data sensitivity and risks. Managing board members may be liable regulations impose more detailed security requirements on digital for damages arising from a violation of these duties. service providers. However, the Directive also prohibits member Trade secrets. The Trade Secrets Protection Act (Gesetz zum states from imposing additional security and notification obligations Schutz von Geschäftsgeheimnissen) (in German) (GeschGehG) on digital service providers because of the cross-border nature of requires that information not be easily accessible to receive trade their services (Article 16(10), NIS Directive). secret protection (Section 2 number 1, GeschGehG). To ensure For more details on the NIS Directive and its requirements, see trade secret protection, organizations must: Practice Note, EU NIS Directive Implementation Activities: Overview zztake sufficient organizational and technological measures to (W-013-2158). protect their information; and zzprevent unauthorized third party access to their trade secrets. Sector-Specific Requirements Business contracts. Requirements to implement data security The IT-SiG updates information security-related obligations under measures may also arise under contractual duties. Conversely, several German sector-specific laws, including those that apply to: organizations that fail to support sufficient data security measures Telemedia services operators. The Telemedia Act may be liable for damages claims based on German contract and (Telemediengesetz) (in German) (TMG) includes public websites, tort law. Common obligation sources include: social media, and other online services. Under the updated zzdata processing agreements; TMG, operators must implement technologically feasible and zznon-disclosure agreements; and economically reasonable data security measures, such as encryption, regular software updates, and vendor management, zzgeneral contractual commitments to follow industry standards to: and practices, including implicit or unwritten expectations. zzensure that no unauthorized access to the services is possible; and INDUSTRY STANDARDS zzprotect the services from attacks that could result in service The BSI developed and has long offered organizations the interruptions. IT-Grundschutz, a set of information security standards, zz(Section 13(7), TMG.) recommendations, and best practices. The IT-Grundschutz: Telecommunications providers. The Telecommunications Act Takes a step-by-step methodology approach. (Telekommunikationsgesetz) (in German) (TKG) regulates providers Explains how to design, implement, and maintain an information of telecommunications facilities and services. Under the TKG, security management system and program. providers must: Includes companion resources on risk analysis and business continuity management.

Organizations that implement the IT baseline protection of the IT- Establishing that the organization takes appropriate steps, Grundschutz can apply for internationally-recognized ISO/IEC 27001 especially if a data breach or other cyber incident occurs where certification. litigation or enforcement action could follow. The BSI modernized the IT-Grundschutz to make it more flexible and For more details on building comprehensive information security responsive to current cybersecurity needs. This approach: programs, see the resources and guidance in Global Information Offers organizations three risk-based approaches, including: Security Toolkit (W-003-1855). zzbasic protection, which focuses on basic information security German laws, including sector-specific requirements, and industry functions and is targeted to small and medium-sized standards may affect an organization’s considerations when enterprises; implementing several key information security program elements, zzcore protection, which expands protection but emphasizes including: securing fundamental business processes; and Assigning accountability (see Information Security Coordinator zzstandard protection, which reflects the current IT baseline or Officer). protection approach and addresses a broader set of issues. Identifying and assessing risks (see Risk Assessments). Supports greater community engagement, including opportunities Developing information security policies (see Policies). to help develop state-of-the-art technology modules. Selecting safeguards (see Safeguards). Includes IT baseline protection profiles which: Evaluating program effectiveness and compliance (see Program zzallow similar organizations to share information security know- Review and Certification). how and best practices; and zzmay provide the basis for developing and maintain sector- INFORMATION SECURITY COORDINATOR OR OFFICER specific security standards, as the IT-SiG encourages for critical The GDPR requires some organizations to appoint a data protection infrastructure sectors. officer (DPO) who oversees an organization’s activities to protect personal data, including its information security measures. The IT-Grundschutz methodology, other selected BSI standards, and Specifically organizations must designate a DPO if: related publications are available in English on the BSI’s website. They are a public authority or body that processes personal data, except for courts acting in their judicial role. DEVELOPING, IMPLEMENTING, AND MAINTAINING AN INFORMATION SECURITY PROGRAM They regularly and systematically monitor individuals on a large scale. German laws obligate most organizations to support an information Their core activities include processing special categories of security program for one or more purposes, such as: personal data or personal data related to criminal offenses and To protect the personal data they collect and use, including convictions on a large scale. employee data (see GDPR and the BDSG). To secure their public websites, social media, or other online or (For more information on the GDPR, see GDPR and the BDSG.) telemedia services (see Sector-Specific Requirements). Organizations also must designate a DPO if they constantly employ To protect facilities or services considered critical infrastructure as a rule at least ten persons dealing with the automated processing (see Critical Infrastructure). of personal data (Section 38(1), BDSG). These laws require some organizations to support specific The BSI standards urge organizations to assign accountability safeguards or other program elements. However, other organizations for information security to upper management and designate an must develop, implement, and maintain a comprehensive, standards- information security officer or coordinator. Some sector-specific laws based information security program. Some standards, including the also include related requirements. For example, the TKG requires IT-Grundschutz and ISO 27001, refer to an organization’s overarching telecommunications providers to appoint a telecommunication program or approach to information security as an information security officer to assess risks and implement appropriate security security management system (ISMS). measures, which may include cybersecurity controls (Section 109(4), TKG). Documenting an organization’s ISMS may provide significant risk management benefits, even if not explicitly required by law, for Organizations should consider applicable industry standards, any example, by: sector-specific obligations, and their overall risks and business needs Demonstrating the organization’s alignment with applicable when choosing how to assign accountability for information security. industry standards (see Industry Standards). RISK ASSESSMENTS Prompting the organization to proactively assess risk and implement safeguards. The BSI standards take a risk-based approach to information security and provide guidance on performing risk assessments (see Industry Communicating information security expectations and practices Standards). German law does not include a general obligation to leadership, employees, customers, and other interested parties, to perform overall data security risk assessments. However, including regulators. risk assessments play a crucial role in maintaining information

security and many organizations are increasingly subject to related communications facilities. However, employers who permit obligations. For example, organizations must assess and manage personal use may be subject to communications secrecy laws. In information security risks to: both cases, the GDPR likely limits any monitoring without consent, Protect personal data. The GDPR and BDSG require and data protection authorities generally question consent as organizations to adopt appropriate security measures a legal basis in the employment context. For more information commensurate with risks (see GDPR and the BDSG). Organizations on employee monitoring issues, see Practice Note, Employee must perform risk assessments to reliably identify appropriate Monitoring: Germany (W-008-3362). security measures. Bring your own device to work. Organizations with a works Meet enhanced IT security obligations. The IT-SiG requires council that support bring your own device to work (BYOD) must various organizations to adopt appropriate safeguards to protect establish a works council agreement for related policies and their systems and facilities, which implies assessing and managing procedures. Organizations should also consider BDSG obligations risks. For example, these obligations apply to organizations such to protect personal data when: as: zzestablishing BYOD policies; zzcritical infrastructure operators; and zzentering into BYOD agreements with individuals; and zztelemedia services operators, including public websites, social zzselecting BYOD technical controls such as data segmentation, media, and other online services. encryption, and remote wiping capabilities. (For more information on IT-SiG requirements, see IT-SiG and NIS Directive Implementation.) SAFEGUARDS Evaluate external service providers. Organizations that outsource German law generally requires organizations to take organizational processing personal data and other IT functions must include and technical measures appropriate to protect the data they collect information security risk assessments in their due diligence and and the risks they face. Some laws specify particular safeguards, for service provider oversight processes to avoid surprises and meet example: their own obligations. The GDPR and BDSG require organizations to implement appropriate controls to protect personal data (see GDPR and the POLICIES BDSG). German law does not include a general requirement for The IT-SiG: organizations to develop, implement, and maintain information zzrequires critical infrastructure operators to use state-of-the-art security policies. However, the GDPR and BDSG requirements for technology; appropriate security measures imply the need for policies in most zzcalls on telemedia services operators to prevent unauthorized organizations. access and service interruptions; and Enhanced information security standards also require some zzencourages industry groups to develop sector-specific security organizations to implement policies (see IT-SiG and NIS Directive standards. Implementation). Organizations may benefit from a policy by: (For more information on IT-SiG requirements, see IT-SiG and NIS Establishing information security as a core value. Directive Implementation.) Helping employees and others understand information security The BSI’s industry standards include detailed recommendations for risks and take appropriate actions to minimize them. selecting and implementing safeguards and training employees (see Providing clear strategies and rules for using and protecting the Industry Standards). organization’s information and other IT resources. PROGRAM REVIEW AND CERTIFICATION Policy Considerations for Employers Organizations should periodically review their information security Companies that have implemented a works council, typically program, especially when there is a material change in business German workplaces with more than five employees, must practices, IT systems, or the risks they face. consider co-determination rights when developing information security policies and controls. Specifically, the Works Constitution Under the BSIG, critical infrastructure operators: Act (Betriebsverfassungsgesetz) (in German) (BetrVG) provides Must every two years demonstrate to the BSI that their facilities workers with co-determination rights regarding employers’ use of meet BSIG requirements through audits, examinations, or technologies that monitor employee behavior or performance. These certifications (Section 8a(3), BSIG (as amended by the IT-SiG)). obligations likely affect technical controls that scan communications Are subject to fines of up to EUR50,000 for failures (Section 14, or network traffic, including anti-virus software, firewalls, intrusion BSIG (as amended by the IT-SiG)). detection and prevention programs, and data loss prevention tools. Other German laws may affect typical information security policy CYBER INCIDENT RESPONSE AND DATA BREACH areas, including: NOTIFICATION Employee monitoring and personal use. Employers in Germany Germany does not generally mandate cyber incident response are free to choose whether they allow or prohibit personal use planning. However: of an organization’s email, telephone, internet access, or other

Information security program standards imposed on some public and private organizations. The DPA for the state in which organizations, such as critical infrastructure providers, typically relevant activities take place is generally responsible for investigation include incident response planning. and enforcement. State DPAs can initiate investigations on their own The Article 29 Working Party (now the European Data Protection or in response to an individual’s complaint. Board (EDPB)) guidance under the GDPR emphasizes that State DPAs have the authority to: organizations have a responsibility to implement incident response plans (Introduction, Guidelines on Personal data breach Issue cease orders to resolve irregularities. notification under Regulation the GDPR (WP250) (Feb. 6, 2018)). Impose fines. Industry standards typically include response planning Limit the use of particular data processing procedures. requirements. Prohibit personal data collection, processing, or use. A robust, well-tested incident response plan can help any (Article 58(2), GDPR.) organization respond more effectively to cyber incidents and data breaches (for an example plan, see Standard Document, Global The Federal Commissioner for Data Protection and Freedom Cyber Incident Response Plan (IRP)) (W-004-5781). of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) (BfDI) monitors personal data processing by: The GDPR requires notification to affected individuals and authorities Federal agencies. for applicable breaches of personal data. Some organizations, including certain critical infrastructure and other service providers, Private organizations subject to the Security Screening Act must report cyber incidents, even if they do not involve a personal (Sicherheitsüberprüfungsgesetz) (in German), which establishes data breach. procedures for security clearances related to national security, defense, and other sensitive activities. For details on responding to cyber incidents and providing data Some other private organizations, including telecommunications breach notification, including interacting with Germany’s computer and postal services providers. emergency response team (CERT) resources, see Practice Note, Cyber Incident Response and Data Breach Notification (Germany) Like the state DPAs, the BfDI’s office can initiate investigations on its (W-006-9022). own or in response to an individual’s complaint. The GDPR imposes potential administrative fines for failure to CYBERSECURITY INFORMATION SHARING provide appropriate security measures under Article 32 of up to Germany supports public-private partnerships for cybersecurity EUR10 million or 2% of the organization’s annual global turnover information sharing through the BSI, including: (Article 83(4), GDPR).

The Alliance for Cyber Security, which provides: BSI and Other Agencies zza nationwide cooperative platform for sharing information The BSI and the Federal Network Agency enforce the IT-SiG and regarding cyber threats and attack response; NIS Directive Implementation Act and can impose fines on critical zzgeneral cybersecurity information and research; and infrastructure operators, including telecommunications providers, zztraining and industry-focused activities. that fail to: UP KRITIS, which focuses on critical infrastructure protection and Provide appropriate notifications (see Cyber Incident Response and includes sector-specific working groups that assist in developing Data Breach Notification). standards under the IT-SiG. Meet periodic program review and certification standards (see The BSI shares information on identified cybersecurity vulnerabilities Program Review and Certification). and malicious software (malware) trends with interested Different state authorities in Germany may impose fines on telemedia organizations and the public on its website. The BSI also describes services providers that fail to implement technologically feasible and and analyzes the causes and methods of current cyberattacks in its economically reasonable data security measures (Section 16 (2)(3), annual State of IT Security in Germany report. TMG). The competent state authority varies from state to state and depends on the distribution of responsibilities undertaken by each ENFORCEMENT AND LITIGATION state government. For example, the Bavarian State Agency for Data Protection is responsible for imposing fines on telemedia service REGULATORY ENFORCEMENT providers. Competent regulators have authority to assess and audit If the state government has not otherwise distributed responsibilities, organizations’ facilities, including the organizational and technical the highest state authority for fine proceedings of the district in measures they take to protect information and IT systems. which the offense was committed, discovered, or in which the Data Protection Authorities offender resides can impose fines (Sections 36 (1)(2)(a) and 37(1), Administrative Offences Act (Ordnungswidrigkeitengesetz) (OWiG)). Data protection authorities (DPAs) in each German state Regulators can fine operators of public websites, social media, and (Landesdatenschutzbehörden) monitor BDSG and GDPR compliance, other online services up to EUR50,000 (Section 16(3), TMG). including the collection, processing, and use of personal data by

PRIVATE ACTIONS PROTECTING SENSITIVE INFORMATION SECURITY RECORDS Affected individuals can bring tort actions or claim injunctive relief Organizations should exercise caution and protect from unnecessary against public and private organizations that fail to adopt adequate disclosure sensitive information security analyses, such as risk data security measures as required by the BDSG (Section 823, assessments and cyber incident investigations, where possible. German Civil Code (Bürgerliches Gesetzbuch) (BGB)). For example, The attorney confidentiality obligation and the secrecy of the Federal Court of Justice ruled that press organizations may be communications may protect sensitive information security records. liable to private individuals for damages that result from insufficient However, there is no work-product doctrine in Germany. data security measures (Bundesgerichtshof (BGH) Federal Court of Justice Apr. 4, 2010, no. VI ZR 245/08, recital 24). German law generally protects communication between lawyers and their clients under the professional confidentiality obligations of the The GDPR and DSAnpUG-EU provide data subjects with a private Federal Lawyers’ Act (Bundesrechtsanwaltsordnung) (BRAO) (Section right of action against organizations that violate data protection 43a(2), BRAO). This professional confidentiality obligation allows law (Article 79, GDPR; Section 44(1), BDSG (as amended by the attorneys to withhold information from prosecutors and protects DSAnpUG-EU)). the attorney’s files from government access. However, attorney confidentiality does not generally extend to documents held by a Organizations that protect and enforce consumers’ interests may client, except in some criminal investigation circumstances. also bring claims against those who violate the BDSG’s data protection requirements, under limited circumstances supported by Public authorities may access records under certain circumstances, the Unfair Terms and Conditions Act (Unterlassungsklagengesetz) (in where sensitive information security records do not fall under these German) (UKlaG) (Section 2(1)(11), UKlaG). These rights and actions legal protections. For example, the German Federal Criminal Office typically affect obligations related to consumer notices, consent, and may access IT systems without knowledge of the system’s owner if whether the organization has a legitimate basis for data processing. there are indications of a danger for very important legally protected They do not generally extend to information security-related issues. rights such as the life of a person (Section 20k, Federal Criminal Office Act (Bundeskriminalamtgesetz) (BKAG)). The police may However, an organization’s false claim about the adoption of data also confiscate security records if they are of evidentiary relevance security measures in its terms of service may be a crime under in a criminal investigation (Section 94, Criminal Procedure Act Section 16(1) of the Act Against Unfair Competition (Gesetz gegen den (Strafprozessordnung) (StPO)). unlauteren Wettbewerb) (UWG). False claims can also violate UWG, Section 5 that forbids misleading commercial practices. Consumer protection agencies may bring claims against the organization for Section 5 violations.

ABOUT PRACTICAL LAW Practical Law provides legal know-how that gives lawyers a better starting point. Our expert team of attorney editors creates and maintains thousands of up-to-date, practical resources across all major practice areas. We go beyond primary law and traditional legal research to give you the resources needed to practice more efficiently, improve client service and add more value.

If you are not currently a subscriber, we invite you to take a trial of our online services at legalsolutions.com/practical-law. For more information or to schedule training, call 1-800-733-2889 or e-mail [email protected].

06-19 © 2019 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the Terms of Use (http://static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf) and Privacy Policy (https://a.next.westlaw.com/Privacy). 7