Cybersecurity and Privacy
Overview
Our team of certified privacy professionals and former cybercrime prosecutors provides clients across industries with comprehensive counsel on complex, evolving, and multifaceted issues related to information security, data breaches, and privacy. We blend our skills and experiences as litigators and transactional attorneys with a deep understanding of information security, data breach law, privacy laws and regulations, and our clients’ particular industries, to meet and anticipate our clients’ needs.
Our cybersecurity clients seek our advice at the three phases of cybersecurity legal needs: (i) planning, preparation, and hardening against a cybersecurity event; (ii) as “breach coaches” during a cybersecurity event, including coordination of forensic services and working with law enforcement and regulators, through consumer notification; and (iii) in the litigation, including class actions, that may follow a cybersecurity event.
Our privacy attorneys are trusted counsel to companies of all sizes across industries. From growth-stage companies to large international companies, our team has experience in all manner of privacy compliance and litigation issues.
Our services include:
- Help clients prepare for, and respond to, suspected data breaches and the full range of government investigations and class action litigation they may prompt.
- Provide immediate support and rapid response for clients that learn of a possible data breach and must act immediately to mitigate potential liability and discharge potential obligations stemming from the incident.
- Develop and test comprehensive incident response plans that address internal and external actions to take in the wake of a data security incident.
- Work with companies facing sophisticated attacks by cyber criminals, including malware, phishing campaigns, spoofing attempts, misdirected wires, and suspected email compromises.
- Represent clients in all forms of litigation associated with data breaches and other security incidents. This includes class action defense in federal and state courts across the country, and prosecution and defense of other complex matters.
- Represent clients in privacy litigation, including matters stemming from alleged violations of wiretapping statutes, the Video Privacy Protection Act (VPPA), and the Illinois Biometric Information Privacy Act (“BIPA”).
- Build full-scale compliance programs for domestic and international operations, including:
  - Data mapping and risk assessments
  - Data subject access request management policies, procedures, and workflows
  - Negotiating agreements to reflect data privacy and data processing obligations
  - Drafting or updating internal and external privacy policies, notices, procedures, and consents
  - Artificial intelligence governance
  - Privacy compliance for new product development, loyalty programs, and digital advertising campaigns
- Update data privacy and information security policies, procedures, and programs for businesses of all sizes with both domestic and international operations.
- Assist insurers, broker-dealers, advisors, and agents in privacy and cybersecurity compliance, including compliance with the Gramm-Leach-Bliley Act and associated regulations, California Financial Information Privacy Act, California Consumer Privacy Act, state insurance laws, Fair Credit Reporting Act, Telephone Consumer Protection Act of 1991, and others.
- Draft applicable policies, notices, disclosures, and consents, such as privacy policies, notice of information practices, website notices, and incident response plans.
- Advise clients on automated underwriting issues, cyber risk management, and marketing and customer engagement initiatives.
- Negotiate data processing agreements and assist in development of mobile applications and platforms.
- Represented 35 of 45 insurance companies on the Fortune 500 list in privacy, litigation, or regulatory matters.
- Counsel clients on compliance with international privacy laws, such as the GDPR, Brazil’s Lei Geral de Proteção de Dados (General Data Protection Law - LGPD), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and others, including drafting requisite notices, processing privacy requests, and negotiating data processing agreements, including those involving cross-border data transfers.
- Counsel clients on compliance with International Standards of Organization (ISO), the internationally recognized best practices for personal data use, transmission, and storage.
- Advise employers on a wide range of privacy areas, including employee privacy notices and rights, such as those implicated by pre-employment background checks, post-hire investigations, employee monitoring, and employee biometrics.
- Counsel businesses on privacy issues related to work-from-home and BYOD policies.
- Represent providers in incident response, regulatory investigations, and litigations regarding data breaches and privacy allegations.
- Develop and implement incident management response for data breaches relating to electronic personal health information.
- Manage security risk assessments to meet HIPAA, HITECH, and state health information privacy and security requirements.
- Develop and implement full suite of policies and procedures necessary for compliance with HIPAA’s privacy and security rules.
- Create compliance programs to accommodate biometric data and genetic privacy laws.
- Provide off-the-shelf and white-label privacy training options to accommodate businesses of all sizes in privacy readiness and compliance, including trainings to meet compliance requirements for the CCPA, GDPR, LGPD, and HIPAA.
- Plan and conduct tabletop exercises with companies to simulate a breach event, targeted to the company’s particular risk profile, and often in partnership with forensic experts and media relations professionals.
- Advise clients regarding website technologies, including compliance and steps for mitigating the latest class action litigation related to the same.
- Draft privacy policies, social media policies, terms of use, and community policies, and develop internal legal management programs for emerging online issues.
- Assist clients with the wide-ranging issues that arise as a result of social media use and an internet presence.
- Provide privacy and security advice in connection with adtech solutions and digital monetization business lines.
- Work with clients on deploying robust online signature processes, terms and conditions, and, when appropriate, arbitration agreements and class action waivers, for web-facing business.
Learn more about our Digital and E-Commerce Engagement and Innovation practice.
- Provide cybersecurity and privacy due diligence advice in connection with mergers and acquisitions, private equity investments, and other transactions.
- Represent private equity firms and other pooled-capital entities as standby counsel for their investigations into potential acquisitions, including of SaaS companies as well as more traditional brick-and-mortar companies for which cybersecurity is a concern, both at the term sheet level and pre-closing.
Our attorneys are active and hold leadership positions in data privacy and cybersecurity organizations, such as:
- International Association of Privacy Professionals (IAPP)
- International Security Management Association
- InfraGard
- Sedona Conference Working Group on Data Security and Privacy Liability
- U.S. Secret Service Cyber Fraud Task Force
- Florida Bar Association - Cyber and Privacy Committee
- ISSA (Information Systems Security Association)
- SANS (SysAdmin, Audit, Network, and Security)
- GIAC (Global Information Assurance Certification)
Industries supported by our practice include:
- Advertising
- Artificial intelligence
- Construction and real estate
- Consumer brands
- Data analytics
- E-commerce
- Education (K-12 and universities) and education technology (edtech)
- Electronic gaming and esports
- Financial services
- Healthcare
- Insurance
- Media and entertainment
- Private equity
- Professional services
- Retail
- Software
- Software as a service
- Technology
- Telecommunications
- Title insurance
Experience
Financial Services
- Assisted registered investment advisers with SEC cyber exams.
- Advised various financial institutions including insurers, producers, broker-dealers, and investment advisors regarding:
  - Notices and consents needed when seeking information about consumers from third parties or seeking to share consumers’ information with third parties for transactional or marketing purposes.
  - Handling of consumer data subject requests to know, correct, delete, or limit sharing.
  - Responding to, and preparing for, examinations regarding cybersecurity and privacy practices.
- Advised large financial entities regarding contractual privacy provisions, privacy compliance, and cybersecurity insurance coverage.
Health Care
- Defended data breach class actions, including (i) a hospital system after the alleged theft of personal health and financial data of hospital patients; and (ii) a multi-office medical practice that was the victim of a ransomware attack. In such cases, we have won at the motion to dismiss phase and class certification phases, and we have, in consultation with our clients and their insurance carriers, arranged for favorable resolutions at mediation.
- Drafted comprehensive HIPAA compliance program for HIPAA-covered entity, including drafting associated policies and procedures.
- Managed breach response for various HIPAA entities, including covered entities and business associates, throughout breach investigation, required reporting and notifications, and any associated litigation.
- Advised business associate regarding compliance with the CCPA, including drafting necessary privacy notices and establishing procedures for processing associated privacy requests.
Litigation
- Represented numerous defendants across industries in data breach class actions and demands alleging privacy violations.
- Defended clients under investigation by federal and/or state government agencies after complaints of privacy violations or data breaches. We frequently help clients, for example, that are subject to HIPAA privacy and security regulations respond to investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights.
Cybersecurity
- Served as breach coach and notifications counsel for law firms responding to extortionate ransomware attacks.
- Helped dozens of corporate clients that have experienced data breaches due to theft (e.g., stolen laptops and servers), social engineering fraud (phishing, misdirected wires), hacking (stolen passwords, brute force attacks), malware (e.g., ransomware), and accident (e.g., natural disasters, lost backup tapes).
- Served as incident response counsel for numerous private schools.
- Served as breach coach and notifications counsel in responding to an extortionate ransomware attack on a B2B company with international operations, coordinating forensic response, threat actor engagement, coordination with law enforcement, and public and business-partner communications.
- Assisted in M&A due diligence of payments companies and cyber surveillance companies.
- Served as the outside general counsel to education clients on privacy and cybersecurity legal issues, including advice on remote learning, interpretation of FERPA, issues related to sexting and cyberbullying, and incident response. Our clients include colleges and universities, as well as some of the country’s top private K-12 schools, school districts, and charter schools.
Privacy Compliance
- Created privacy policies and website terms of use.
- Drafted and negotiated data processing agreements and contractual provisions for vendor management.
- Drafted internal privacy and cybersecurity policies and procedures, including breach response, data retention/destruction, and others.
- Scaled privacy compliance programs as outside counsel from startup to IPO.
- Helped clients understand privacy compliance steps needed to expand current uses of consumer information.
- Assisted and represented clients with creation and implementation of vendor management programs, including policies and procedures related to vendor risk assessment, vendor due diligence, vendor supervision, and vendor contract negotiation and management.
- Helped clients implement companywide privacy and security policies to ensure protection of sensitive data.
- Helped clients design beginning-to-end privacy compliance programs for new products, means of advertising, or other uses of consumer data, including drafting and strategic placement of all necessary notices and authorizations, as well as negotiating associated contracts.
- Developed and implemented GDPR compliance programs for an international social media software-as-a-service platform.
- Advised multiple Fortune 500 companies regarding adjustments needed to comply with new state privacy laws.
- Advised regarding privacy and cybersecurity risk management, including key contractual provisions and policy best practices.
- Designed and implemented privacy program for large U.S.-based retailer.
Emerging Technology
- Advised businesses of varying sizes regarding use of artificial intelligence, including analysis of risks, required policies and procedures, contract negotiations, and required disclosures and rights associated with the same.
- Counseled businesses across industries regarding use of various technologies and methods for increasing digital engagement, including use of various advertising technologies.
- Advised regarding launch and maintenance of mobile applications.