Cybersecurity and Privacy


Overview

We provide clients across industries with comprehensive counsel on complex, evolving, and multifaceted issues related to information security, data breaches, and privacy.

Our cybersecurity clients seek our advice at the three phases of cybersecurity legal needs: (i) planning, preparation, and hardening against a cybersecurity event; (ii) as “breach coaches” during a cybersecurity event, including coordination of forensic services and working with law enforcement, through consumer notification; and (iii) in the litigation that may follow a cybersecurity event.

Our attorneys are trusted counsel both to international companies and to growth-stage companies on all manner of privacy compliance and litigation issues. We advise on long-standing federal standards such as HIPAA and Gramm-Leach-Bliley as well as emerging state standards, such as those in California and New York.

We blend our skills and experiences as litigators and transactional attorneys with a deep understanding of information security, data breach law, and privacy laws and regulations to meet and anticipate our clients’ needs. Carlton Fields' team includes attorneys who have earned the designation of Certified Information Privacy Professional (e.g., CIPP/US, CIPM) as well as former federal cybercrime prosecutors.

Our services include: 

Data Breach and Incident Response

  • Help clients prepare for, and respond to, data breaches and the full range of government investigations they may prompt
  • Provide immediate support and rapid response, via phone and email, for clients that learn of a possible data breach and must act immediately to mitigate potential liability and discharge potential obligations stemming from the incident 
  • Develop and test comprehensive incident response plans that address internal and external actions to take in the wake of a data security incident

Litigation

  • Represent clients in all forms of litigation associated with data breaches and other security incidents. This includes class action defense in federal and state courts, and prosecution and defense of other complex matters.

Development and Implementation of Compliance Programs

  • Build full-scale compliance programs for domestic and international operations, including:
    • Data mapping and risk assessment
    • Data subject access request management policies, procedures, and workflows
    • Review and update of contracts and agreements to reflect data privacy obligations and data processing
    • Updates to internal and external privacy policies
    • Cookie consent and management of preferences
    • Privacy compliance for new product development and advertising
  • Update data privacy and information security policies, procedures, and programs for businesses of all sizes with both domestic and international operations  

Federal and State Privacy and Cybersecurity Laws 

  • Regularly assist clients with their obligations pursuant to laws, including Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, and HITECH  
  • Assist clients in complying with emerging state privacy and cybersecurity laws, such as the California Consumer Privacy Act (CCPA), Nevada privacy law (SB-220), and the New York SHIELD Act

International Privacy Regulations and Global Policies 

  • Counsel clients on compliance with the GDPR and assist with the development of legal means for cross-border data transfers post Schrems II
  • Counsel clients on compliance with other international regulations, including Brazil’s Lei Geral de Proteção de Dados Pessoais (General Data Protection Law - LGPD) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Counsel clients on compliance with International Standards of Organization (ISO Series), the internationally recognized best practices for personal data use, transmission, and storage

Employee Privacy Issues 

  • Advise employers on a wide range of privacy areas, such as compliance with federal and state regulations, including employer obligations under the CCPA
  • Counsel clients on compliance with the Fair Credit Reporting Act and analogous state laws regarding pre-employment background checks and post-hire investigations
  • Counsel businesses on privacy issues related to work-from-home and COVID-19

Genetic Information and Health Privacy

  • Develop and implement incident management response for data breaches relating to electronic personal health information
  • Manage security risk assessments to meet HIPAA, HITECH and state health information privacy and security requirements
  • Develop and implement full suite of policies and procedures necessary for compliance with HIPAA’s Privacy and Security Rules
  • Create compliance programs to accommodate emerging biometric data and genetic privacy laws domestically and internationally

Privacy and Cybersecurity Trainings

  • Provide off-the-shelf and white-labeled privacy training options to accommodate businesses of all sizes in privacy readiness and compliance, including trainings to meet compliance requirements for the CCPA, GDPR, LGPD, HIPAA, and EU Data Authority guidance
  • Plan and conduct tabletop exercises with companies to simulate a breach event, targeted to the company’s particular risk profile, often partnering with inside or outside forensic experts and media relations professionals

Website and Social Networking Issues 

  • Help ensure client compliance with FTC and other regulations  
  • Support brands and influencers in meeting requirements under Section 5 of the FTC Act
  • Draft privacy policies, social media policies, terms of use, and community policies, and develop internal legal management programs for emerging online issues
  • Assist clients with the wide-ranging issues that arise as a result of social media use and an internet presence, and help them develop related proactive policies and standards

Online Harassment and Phishing Campaigns

  • Represent and protect companies and their employees who are victims of online harassment, including non-consensual pornography, cyber stalking, reputation attacks, identity theft, and other forms of digital abuse.
  • Work with companies whose employees or customers are facing targeted, sophisticated phishing campaigns, including spoofing attempts and suspected email compromises
  • Our work can include support of the company’s investigations into these matters, packaging the evidence for cooperation with law enforcement, and protection of corporate intellectual property, particularly as to domain-name abuse.

Due Diligence and Other Transactional Support

  • Provide cybersecurity and privacy due diligence advice in connection with mergers and acquisitions, private equity investments, and other transactions
  • Represent private equity firms and other pooled-capital entities as standby counsel for their investigations into potential acquisitions, including of SaaS companies as well as more traditional brick-and-mortar companies for which cybersecurity is a concern, both at the term sheet level and pre-closing


Our attorneys are active and hold leadership positions in data privacy and cybersecurity organizations, such as:

  • International Association of Privacy Professionals (IAPP) 
  • The Sedona Conference Working Group on Data Security and Privacy Liability 
  • DRI - Data Management and Security Committee 
  • ABA - Privacy and Computer Crime Committee CLE Working Group 
  • ABA - Computer and Software Legislation Committee 
  • ABA - Electronic Filing Committee 
  • ABA - Internet Relationships and Cloud Computing Committee 
  • ABA - Section of Science & Technology Law 
  • The International Security Management Association
  • ISACA (Information Systems Audit and Control Association)


Industries supported by our practice include:

  • Advertising
  • Artificial intelligence
  • Biotechnology
  • Construction and real estate
  • Consumer brands
  • Cosmetics
  • Data analytics
  • E-commerce
  • Electronic gaming and esports
  • Financial services sector
  • Health care
  • Insurance
  • Media and entertainment
  • Professional services
  • Retail, including online retail
  • Software
  • Software as a service
  • Technology
  • Telecommunications
  • Title insurance

Experience

  • Served as breach coach and notifications counsel in responding to an extortionate ransomware attack on a B2B company with international operations, coordinating forensic response, threat actor engagement, coordination with law enforcement, and public and business-partner communications.
  • Helped dozens of corporate clients that have experienced data breaches due to theft (e.g., stolen laptops and servers), social engineering fraud (phishing, misdirected wires), hacking (stolen passwords, brute force attacks), and accident (e.g., natural disasters, lost backup tapes).
  • Defend clients under investigation by federal and/or state government agencies after complaints of privacy violations or data breaches. We frequently help clients, for example, that are subject to HIPAA privacy and security regulations respond to investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights. 
  • Defend data breach class actions, including (i) a hospital system after the alleged theft of personal health and financial data of hospital patients; (ii) a public entity after the exposure of its employees’ tax information in a phishing scheme; and (iii) a multi-office medical practice that was the victim of a ransomware attack. In such cases, we have won at the motion to dismiss phase and class certification phases, and we have, in consultation with our clients and their insurance carriers, arranged for favorable resolutions at mediation.
  • Assist and represent clients with creation and implementation of vendor management programs, including policies and procedures related to vendor risk assessment, vendor due diligence, vendor supervision, and vendor contract negotiation and management.
  • Help clients implement companywide privacy and security policies to ensure protection of sensitive data.
  • Help clients design beginning-to-end privacy compliance programs for new products, means of advertising, or other uses of consumer data, including drafting and strategic placement of all necessary notices and authorizations, as well as negotiating associated contracts. Such engagements include compliance with the CCPA, GDPR, and similar privacy regimes.
  • Develop and implement GDPR compliance programs for an international social media software-as-a-service platform.
  • Represent, with local counsel, companies before EU Data Protection Authorities in regulatory inquiries.
  • Launch mobile application startups in app stores in international markets.
  • Scale privacy compliance programs as outside counsel from startup to IPO.
  • Help clients understand privacy compliance steps needed to expand current uses of consumer information.
  • Serve as the outside general counsel to education clients on privacy and cybersecurity legal issues, including advice on remote learning, interpretation of FERPA, issues related to sexting and cyberbullying, and incident response. Our clients include colleges and universities, as well as some of the country’s top private K-12 schools, school districts, and charter schools.

All Insights

DFS Continues Focus on Cybersecurity: Issues Ransomware Guidance and Signals Increased Enforcement Actions

July 15, 2021

The New York State Department of Financial Services is continuing its focus on financial institutions’ cybersecurity, issuing new guidance, probing cybersecurity as part of routine examinations, and signaling increased enforcement actions. This alert discusses this new guidance and its impact on financial institutions.

CF on Cyber: An Update on the Changes to the Florida Telemarketing Act

June 30, 2021

On June 29, Gov. Ron DeSantis signed into law a bill enacting substantial changes to the Florida Telemarketing Act. In this podcast, Carlton Fields shareholders Aaron Weiss and Charles Throckmorton discuss these changes and key new provisions in the act. If your company is considering any phone or text-based marketing in Florida, this podcast may be of particular interest.

No Password Required: A Cyber Practice Leader and Natural Optimist Who Believes Every Day Is the Best Day

June 30, 2021

Dan Burke is the Cyber Practice Leader at Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the US. Dan is a natural optimist and family man who believes every day is going to be the best day and the next shot will always be his greatest golf shot.

Biden Administration Issues Practical Guidance for Ransomware Attacks

June 15, 2021

On June 2, 2021, President Biden issued a memorandum providing "recommended best practices" for protecting against ransomware.

No Password Required: An SOC Technical Manager Who Builds Things With Keyboards and Blowtorches...

May 20, 2021

Phillip Tarrant is the SOC Technical Manager at Compuquip Cybersecurity who is passionate about many things in life, including his pet chickens, building things both with and without a keyboard, disconnecting in nature, and welcoming people into the field of cybersecurity.

No Password Required: An OSINT Expert Who Credits Much of Her Success to Her Improv Comedy Skills...

April 22, 2021

Rachel Tobac is the CEO and co-founder of Social Proof Security who hopes to one day work herself out of a job by improving education and awareness of social engineering attacks.

No Password Required: A Believer That the Key to Internet Safety Is Simple...

March 18, 2021

Roger Grimes is the defense-driven evangelist at KnowBe4 who confidently defines himself as the best in the world at defending against hackers. In this episode, Roger joins the No Password Required team to discuss how being a terrible accountant led him to the world of cybersecurity, why octopi cannot be trusted, and why music is the best way to create powerful connections.

No Password Required: A Pen Tester at Rapid7 With a Passion for LEGO Bricks, Star Wars, and Sometimes LEGO Star Wars

February 18, 2021

Shane Young is a penetration tester at Rapid7 whose real-life acting and cyber skills would have been a great addition to the “Oceans 11” team. In this episode, Shane joins the No Password Required team to share some of his exciting stories as a penetration tester, how hacking his high school’s network got him into the world of cybersecurity, and why LEGO bricks are really made for adults, not kids.

No Password Required: An Inherently Trusting Person in an Inherently Distrusting Profession

February 18, 2021

Melinda Lemke is the Head of Information Security at King & Spalding with a decade of leadership experience in the cyber industry. In this episode, Melinda joins the No Password Required team to talk about her experience as a woman and leader in this field, how professional mentors can enhance success, and the best yacht-rock bands of all time. Maybe most importantly, the team discusses the John Hughes movie universe and why Kevin McAllister is a better problem-solver than Ferris Bueller.

No Password Required: A Journey From Math Camp to Cyber Intelligence

February 18, 2021

Stephen “Scuba” Gary is a cyber intelligence professor at the University of South Florida with over 15 years of experience in the cybersecurity industry. In this episode, Scuba joins the No Password Required team to discuss his journey in the field of cybersecurity, how one gets the nickname Scuba without scuba diving, and why math nerds throw the best parties. Scuba, Ernie, and Clabby analyze ransomware attacks in Florida, security lessons to be learned from the 2020 elections, and more.

What the Heck is Happening in California? An Update on California’s Privacy Laws

February 12, 2021

In a period of less than two years, the California privacy law landscape has changed dramatically. With the effective enforcement date of the CCPA on January 1, 2020, a new privacy law, the California Privacy Rights Act (CPRA), passed by California voters in November 2020, and a new Attorney General on the horizon, California will certainly be a place to watch in 2021.

Ledgers and Law: Real-World Planning for Cyber Attacks

December 15, 2020

The COVID-19 pandemic has changed the way millions of people work. Remote workers are especially vulnerable to cyber threats such as ransomware and business email compromise. Joe Swanson, chair of Carlton Fields’ Cybersecurity and Privacy Practice, discusses important cybersecurity trends, what companies should do to prepare for cyber breaches, how to mitigate risk if an employee makes a mistake, vendor management issues, and the importance of a game plan if you are hit with an attack.

Brazil’s LGPD: What You Need to Know Before 2021

October 29, 2020

Overlooked in a year dominated by a “wait-and-see” dynamic with both the finalization and enforcement of the California Consumer Privacy Act (CCPA), Brazil’s General Data Protection Law—Lei Geral de Proteção de Dados (LGPD)—is another major privacy compliance obligation that must be undertaken for 2021.

California Bill Extending Employment and B2B Compliance Obligations for CCPA Heads to Governor Newsom's Desk

September 3, 2020

A bill that would extend California Consumer Privacy Act (CCPA) compliance obligations for employment information and business-to-business information has passed through both chambers of the California Legislature and has been sent to Governor Gavin Newsom's desk for signature before the end of September.

Guidance Released From German Data Protection Authority: Time to Review EU Data Transfer Mechanisms

August 28, 2020

This week, guidance finally emerged from one data protection authority in Germany. The data protection authority of Baden-Württemberg issued its own guidance on how companies should approach their data transfer analysis in a post-Schrems II world.

The California Consumer Privacy Act: Are You Ready?

August 25, 2020

This webinar will help you understand the current landscape of the CCPA and other privacy regimes, including the status of the regulations, and anticipated litigation and enforcement priorities.

The Final CCPA Regulations May Be Ready, But Is Your Business?

August 19, 2020

On August 14, California’s attorney general announced the approval of the final regulations for the CCPA. This alert discusses principal changes and key highlights in the final regulations.

Canna We Talk Cannabis? Cybersecurity Risks Bring Growing Pains to Cannabis Businesses

February 10, 2020

This episode explores the circumstances involved in a recent data breach involving the cannabis industry.

The CCPA for the Land Title Industry: Practical Compliance With CCPA and New Privacy Laws

February 6, 2020

Join Elizabeth Reilly from Fidelity National Financial and Carlton Fields’ attorneys Jack Clabby, Joe Swanson, and Steve Blickensderfer as they answer real questions from real members of the American Land Title Association on the resources and tools available to members of the land title industry, as well as some practical compliance tips for companies as they work to comply with the CCPA.

The CCPA for the Land Title Industry: CCPA Resources and Compliance Tips

January 29, 2020

Join Elizabeth Reilly from Fidelity National Financial and Carlton Fields’ attorneys Jack Clabby, Joe Swanson, and Steve Blickensderfer as they answer real questions from real members of the American Land Title Association on the resources and tools available to members of the land title industry, as well as some practical compliance tips for companies as they work to comply with the CCPA.

The CCPA for the Land Title Industry: Service Providers and Sale of Data Under the CCPA

January 22, 2020

In this program, Jack Clabby, Joe Swanson and Steve Blickensderfer give practical advice on the attorneys’ role in a data security incident response guide, which is a key document in preparing for California’s new data privacy law, the CCPA.

The CCPA for the Land Title Industry: Who Does the CCPA Apply To?

January 15, 2020

In this program, Jack Clabby, Joe Swanson and Steve Blickensderfer give practical advice on the attorneys’ role in a data security incident response guide, which is a key document in preparing for California’s new data privacy law, the CCPA.

CF on Cyber: Leveraging the Incident Response Guide to Prepare for the CCPA

November 7, 2019

In this program, Jack Clabby, Joe Swanson and Steve Blickensderfer give practical advice on the attorneys’ role in a data security incident response guide, which is a key document in preparing for California’s new data privacy law, the CCPA.

CF on Cyber: Key Takeaways from the California AG’s Proposed CCPA Regulations

October 15, 2019

The California AG recently published its long-awaited proposed regulations to implement the CCPA. This podcast describes a few key points from those draft regulations, including as they relate to online privacy notices, verifying consumer requests, and financial incentive offerings.

CF on Cyber & FICPA presents Refeathering the Pillow: Catching, Containing & Cleaning up Cyber Fraud

October 4, 2019

In this podcast, cybersecurity attorney Jack Clabby discusses safety and risk management in data loss incidents with Mia Thomas, CPA, CGMA, Director of Learning for the FICPA.

The CCPA's 50,000 California Resident Requirement - Easier to Meet Than It Might Seem

August 6, 2019

When the California Consumer Privacy Act (CCPA) takes effect in January 2020, it will grant California residents new rights regarding their personal information and will impose new and significant obligations on businesses that collect this information.

Show Me the Money: How the CCPA Provides a Mechanism for Consumers to Monetize Their Personal Data

August 4, 2019

Under section 1798.125(b) of the California Consumer Privacy Act of 2018 (CCPA), “[a] business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.”

Other Team Members

Gary K. Slinger

Director of Security & Business Continuity

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.