As global commerce becomes faster and more mobile, businesses are challenged to manage an increasing volume of potentially sensitive data. For several years running, cybersecurity and data privacy have been listed by various surveys as among the top issues concerning corporate General Counsel. While consumer data breaches grab headlines, privacy and security issues arise in a number of factual contexts under a wide variety of laws. Increasingly, even moderate level data breaches expose the c-suite, directors and managers to shareholder litigation and governmental investigation. A holistic approach is needed given the seriousness, complexity, and sprawling nature of these issues.
Our Cybersecurity, Information Governance and Privacy practice is a multi-disciplinary group of experienced lawyers who possess skill sets and subject matter experience in all aspects of privacy and data security. Skill sets include litigation, complex transactional counseling, intellectual property protection, communications, regulatory compliance, and public policy development. Our lawyers also have deep subject matter knowledge in financial services, healthcare, retail services, energy, insurance and other regulated industries. Our lawyers have guided clients through the toughest and most complex problems, transactions and crises, in the midst of sweeping industry, regulatory and legal change. Our objective for each engagement is a company-specific approach to understanding our clients’ particular privacy and data security challenges in full legal context, and offering practical, experienced counsel and compliance advice that is tailored to mitigate the often multi-faceted legal risks faced by the client.
Our Cybersecurity, Information Governance and Privacy practice regularly involves the following types of engagements:
Data Breach Litigation & Enforcement Actions
We represent clients in matters arising from data breaches, including assessment of a possible breach, analysis of the magnitude of a breach, assess the likelihood of litigation including possible claimants, and advice on notification obligations under federal, state and international requirements. We also represent clients in connection with government and regulatory inquiries, investigations and enforcement actions (particularly by Insurance Commissioners, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Office of Civil Rights within the US Department of Health and Human Services and State Attorneys General). We regularly defend individual and class actions brought by consumers under the plethora of federal and state privacy laws that apply to the collection, security, use and dissemination of consumer-specific data.
We provide compliance counseling regarding all federal, state and international privacy and information management laws, regulations and structures. We understand the complex federal legal and regulatory framework applicable to privacy and data security including the Gramm-Leach-Bliley Act (GLB) and the regulations promulgated thereunder including the Privacy and Disposal rules; the Fair Credit Reporting Act (FCRA); the Fair and Accurate Credit Transactions Act (FACTA); the CANSPAM Act; the Health Insurance Portability and Accountability Act (HIPAA) including the Privacy Rule and the Security Rule, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the HIPAA Omnibus Final Rule; the Federal Trade Commission’s Telemarketing Sales Rule (TSR); Telephone Consumer Protection Act (TCPA); Driver's Privacy Protection Act (DPPA); the Children's Online Privacy Protection Act (COPPA); the Stored Communications Act (SCA); the Electronic Communications Privacy Act (ECPA); and Federal Trade Commission Action Section 5. In addition, we understand state privacy and data security laws including state law analogs to many of the federal statutes such as California Security Breach Information Act; the California Online Privacy Protection Act; Massachusetts Regulation 201; and international laws such as the Canadian Personal Information Protection and Electronic Documents Act; the EU Data Protection Directive and the Directive on Privacy and Electronic Communications (as well as EU member state adoptions); and, the Hong Kong Privacy Data Ordinance.
Our experience includes industry-specific privacy and cybersecurity issues in sectors, including:
- Energy, including nuclear, electric, renewable, oil and gas, and energy construction;
- Financial Institutions, including bank and non-bank lenders, credit card companies, consumer reporting agencies, and servicers;
- Healthcare, including hospitals and health systems, physicians, other types of health providers, insurers, health information exchanges, health data sharing networks, accountable care organizations and health information technology vendors; and
- Background Screening, including for retail and wholesale background screening companies, prospective employers and landlords.
In addition, we have broad experience counseling retailers on compliance with state laws regulating the collection of personal identification information at the Point of Sale.
Prevention and Assessment
We help clients to prevent privacy violations. We develop and implement privacy policies and information security programs. We also assist clients in data security audits and in mergers and acquisitions due diligence in determining privacy and data security controls currently in place and in assessing risk.