
Cybersecurity and Privacy


Overview

We provide clients across industries with comprehensive counsel on complex, evolving, and multifaceted issues related to information security and data breach. We blend our skills and experiences as litigators and transactional attorneys with a deep understanding of information security and data breach law to meet and anticipate our clients’ needs. Carlton Fields' team includes attorneys who have earned the designation of Certified Information Privacy Professional (CIPP/US) as well as former federal cybersecurity prosecutors. They are active and hold leadership positions in data privacy and cybersecurity organizations, such as:

  • International Association of Privacy Professionals (IAPP) 
  • The Sedona Conference Working Group on Data Security and Privacy Liability 
  • DRI - Data Management and Security Committee 
  • ABA - Privacy and Computer Crime Committee CLE Working Group 
  • ABA - Computer and Software Legislation Committee 
  • ABA - Electronic Filing Committee 
  • ABA - Internet Relationships and Cloud Computing Committee 
  • ABA - Section of Science & Technology Law 
  • The International Security Management Association 
  • ISACA (Information Systems Audit and Control Association)


Our services include: 

Data Breach and Incident Response

  • Help clients prepare for, and respond to, data breaches and the full range of government investigations they may prompt 
  • Develop comprehensive incident response plans that address internal and external actions 
  • Provide immediate support, via phone and email, for clients that learn of a possible data breach and must act immediately to thwart potential liability 

Policy Drafting and Implementation 

  • Draft data privacy and information security policies, procedures, and programs for businesses of all sizes with both domestic and international operations  
  • Update existing client policies to meet evolving business challenges 

Federal and State Privacy Laws 

  • Regularly assist clients with their obligations pursuant to laws including Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, and HITECH
  • Help clients navigate state breach notification laws 

International Privacy Regulations and Global Policies 

  • Counsel clients on compliance with the Privacy Shield negotiated between the U.S. Department of Commerce and the European Commission, which streamlines the method for U.S. companies to comply with the European data protection directive
  • Counsel clients on compliance with the EU General Data Protection Regulation 
  • Counsel clients on compliance with International Standards of Organization, the internationally recognized best practices for personal data use, transmission, and storage 

Employee Privacy Issues 

  • Advise employers on a wide range of privacy areas, including compliance with federal and state regulations  
  • Counsel clients on compliance with the Fair Credit Reporting Act and analogous state law regarding pre-employment background checks and post-hire investigations

Website and Social Networking Issues 

  • Help ensure client compliance with FTC and other regulations  
  • Assist clients with the wide-ranging issues that arise as a result of social media use and an Internet presence, and help them develop related proactive policies and standards

Experience

  • Helped clients implement companywide privacy and security policies to ensure protection of sensitive data 
  • Helped clients that have experienced data breaches 
  • Defended clients being investigated by federal and/or state government agencies after complaints of privacy violations or data breaches (e.g., we help clients that are subject to the federal HIPAA privacy and security regulations respond to investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights)
  • Assist and represent clients with creation and implementation of Vendor Management Programs, including policies and procedures related to vendor risk assessment, vendor due diligence, vendor supervision, and vendor contract negotiation and management.

 

All Insights

In California, a New Era in U.S. Privacy


October 1, 2018

In June, California passed a sweeping new privacy law that will impact an estimated 500,000 businesses in the United States.

Louisiana Appeals Court Affirms Class Certification in Lingering Litigation Against Department of Insurance


October 1, 2018

A Louisiana appeals court recently affirmed class certification in consolidated lawsuits, pending since 1991, against Louisiana’s Department of Insurance, other related state entities, and the state’s excess insurance carriers.

NAIC Summer National Meeting Spotlights Innovation and Insurtech


October 1, 2018

In response to the accelerating pace of change, the NAIC’s Summer National Meeting in Boston focused on innovation and insurtech.

NIST Provides Guide and Example Solution for IT Asset Management


October 1, 2018

On September 7, the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) published Special Publication 1800-5 – IT Asset Management Practice Guide (the Guide) to help financial services companies tackle challenges in managing both the hardware and software components of their information technology assets.

New Opinions From Second and Sixth Circuit Courts Rock Phishing Loss Coverage Landscape


July 16, 2018

On July 6, the Second Circuit Court of Appeals set off some fireworks in the insurance coverage litigation field when it found coverage for a “social engineering”/phishing scheme loss, bucking the trend among its sister courts.

California Passes Stringent Privacy Law Akin to GDPR


July 9, 2018

California passed a sweeping new privacy law similar to the EU’s GDPR. This article, which is relevant to all businesses that handle the personal information of California consumers, discusses rights and obligations under the new law, its scope, and the consequences of noncompliance.

Are Administrative Fees and Costs a Benefit to the Class as a Whole? A Circuit Split Continues


July 3, 2018

The Eighth Circuit’s deference to district courts in awarding attorney’s fees in these circumstances is in line with the approach taken by the Ninth Circuit.

South Carolina First State to Adopt NAIC Insurance Data Security Model Law


June 24, 2018

On May 3, Governor Henry McMaster signed the South Carolina Insurance Data Security Act, making South Carolina the first state to adopt the NAIC Insurance Data Security Model Law.

Supreme Court Rules Government Must Obtain Search Warrant for Mobile Phone Location Data


June 22, 2018

The U.S. Supreme Court ruled that the government cannot generally obtain mobile phone location data absent a warrant. This article discusses the decision, which ends years of uncertainty.

Client Alert: Eleventh Circuit Affirms No Coverage Under Computer Fraud Provision of Insurance Policy


May 10, 2018

Both insurers and insureds alike must recognize the need to laser focus on the precise terms employed in these policies to determine the scope of coverage.

9th Circ. Assesses Insurance For Social Engineering Scams


April 27, 2018

Every company in the market for insurance coverage should inquire specifically about coverage for social engineering schemes.

SEC Issues Cybersecurity Disclosure Guidance


March 31, 2018

On February 21, the SEC published interpretive "Guidance" to help public operating companies prepare disclosures about cybersecurity risks and incidents.

Supreme Court Denies Insurer’s Petition to Review Standing in Data Breach Class Actions


March 31, 2018

In recent years, the insurance and financial services industries have been targets of high profile data breaches.

When Innovation Meets Regulation: InsurTech and State Licensing Laws


March 31, 2018

The rise of InsurTech — which brings technological innovations to the business of insurance — is having a significant impact on the insurance industry, including through advancements in cybersecurity tools, the introduction of blockchain, and the use of big data for underwriting and claims.

HIPAA - Lessons From the Fresenius Settlement


March 30, 2018

In an industry overrun with news of almost daily privacy breaches, what makes the Fresenius settlement especially newsworthy is the size of the fine compared to the size of the breach and the types of breaches involved.

Recent Developments in Securities Class Actions and Companies' Disclosure Obligations Regarding Cybersecurity Risks and Events


March 8, 2018

Some recent events may encourage shareholder attorneys to pursue securities fraud class actions after disclosure of a cyber incident leads to a drop in the stock price.

Beyond the European Union: How the GDPR Affects US Companies


February 19, 2018

The effective date of the European Union’s General Data Protection Regulation (GDPR) will affect many organizations across the globe, even those not located in the EU.

The NAIC Says Aloha


December 29, 2017

The National Association of Insurance Commissioners held its Fall National Meeting December 2-4 in Hawaii, saying aloha to 2017 and aloha to 2018.

When Innovation Meets Regulation


December 29, 2017

The rise of InsurTech — which brings technological innovations to the business of insurance — has recently had a significant impact on the insurance industry, including through advancements in cybersecurity tools, the introduction of blockchain, and the use of big data for underwriting and claims.

NAIC Big Data Working Group Update


September 26, 2017

Regulators are hard at work considering insurers’ use of big data and analytics. The Big Data (Ex) Working Group, chaired by Oregon Commissioner Laura Cali Robison, adopted three charges for 2017.

NAIC Cybersecurity Working Group Votes to Approve Insurance Data Security Model Law


September 26, 2017

The National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Working Group (Cybersecurity WG) approved Version 6 (Finalized) of its Insurance Data Security Model Law (Model) on August 7 at the NAIC Summer 2017 National Meeting in Philadelphia.

OCIE Lessons From Cybersecurity 2 Initiative


September 26, 2017

On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert containing observations from its Cybersecurity 2 Exam Initiative. As a follow-up to the 2014 Cybersecurity 1 initiative, the Cybersecurity 2 Initiative examined the cybersecurity preparedness of 75 SEC-registered broker-dealers, investment advisers, and investment companies (funds) for the period of October 2014 through September 2015. In its report, OCIE identified issues of continuing concern, and articulated some best practices recommendations.

New York DFS Tightens Cybersecurity Gaps


September 19, 2017

Equifax takes no deposits and makes no loans, but New York now says that it, as well as all other consumer reporting agencies, must protect consumer data to the same degree as banks and other financial institutions.

Business Continuity and Disaster Recovery Checklist


September 6, 2017

Conducting a risk assessment and putting a business continuity plan in place now might mean the difference between hours out of operation and days out of operation.

Bullet-Point Update: Electronic and Federal Court Discovery Issues for the Week of August 13, 2017


August 31, 2017

Discovery tips for proportionality, deposition conduct, production and spoliation.

Blockchain Technology: Inevitable Disruption or Inflated Hype?


August 23, 2017

This article offers a high-level overview of blockchain technology and how it might impact industries such as finance, insurance, smart contracts, real estate and logistics.

Bullet-Point Update: Electronic and Federal Court Discovery Issues for the Week of July 31, 2017


August 21, 2017

Discovery tips for expert witnesses, sanctions, discovery costs, and corporate representative depositions.

Big Data: Insurance Innovation Regulation


August 17, 2017

The use of big data and analytics, and other innovative technologies, is transforming the way the insurance business is being conducted. This article describes some of the changes that are occurring and how regulators are attempting to keep pace with them.

NAIC Cybersecurity Working Group Votes to Approve Insurance Data Security Model Law


August 13, 2017

Version 6 of the Model incorporates significant changes from the first version released on March 2, 2016, including the narrowed purpose of establishing "standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees…"

Podcast: What is so important about blockchain?


August 1, 2017

It seems everyone today is talking about blockchain and cryptocurrencies. In this podcast, you're going to hear from David Adams, Matthew Kohen, and Justin Wales, who consult on these exciting emerging technologies.

Bullet-Point Update: Electronic and Federal Court Discovery Issues for the Week of July 24, 2017


July 31, 2017

Discovery tips for spoliation, proportionality, ESI costs, and boilerplate objections.

Are the Bad Old Days of Blind Stonewalling in Discovery Finally Coming to a Close?


July 21, 2017

This article compares blind stonewalling to what many consider contemporary best practices. It also provides case law you can use to support the “new way.”

Bullet-Point Update: Electronic and Federal Court Discovery Issues for the Week of July 14, 2017


July 21, 2017

Discovery tips for cloud computing, text messages, predictive coding and proportionality.

Your Apps May Be Selling You Out


July 12, 2017

While most people are vaguely aware, even if they are in denial, that their browsers give advertisers access to their search histories, they are probably unaware that information is being sold or given to third parties via the apps they use on their personal phones or mobile devices.

Bullet-Point Update: Electronic and Federal Court Discovery Issues for the Week of July 7, 2017


July 7, 2017

Discovery tips for cloud computing, text messages, predictive coding and proportionality.

Colorado Set to Regulate Cybersecurity Practices of Broker-Dealers and Investment Advisers


June 23, 2017

On May 15, Colorado became the latest state to publish major regulations tackling cybersecurity in the financial services industry when the Colorado Division of Securities released amendments to existing division rules previously proposed in late March 2017.

Eleventh Circuit to Weigh in on ‘Business Email Compromise’ Coverage Under Fidelity Bond


June 23, 2017

Banks have historically been at the forefront of technological advances in commerce. So it should be no surprise that they and other financial institutions were also among the first to suffer losses related to computer fraud and hacking.

New HHS Cybersecurity Preparedness Checklist


June 14, 2017

The Department of Health and Human Services’ Office of Civil Rights (OCR) recently published a checklist to guide HIPAA-covered entities and business associates.

Sprouting Activity at the NAIC


April 10, 2017

Various NAIC groups have planted seeds for a number of regulatory initiatives that impact life insurers.

Regulators Demand Third-Party Risk Management


April 9, 2017

While third-party risk management has been a required component of an effective enterprise risk management program for many years, the topic is receiving elevated attention at insurance companies and related businesses.

Cyber Update: Five Tips from the Front Lines of Practice to Limit Your Company’s Losses from a Breach


March 28, 2017

We help companies prepare for, respond to, and clean up data breaches and related events. We are lawyers, but in this role, we often look over the shoulders of cybersecurity technical experts, who are advising companies on the nuts and bolts of protecting against, containing, and eradicating intrusions.

Hacking of Medical Devices is No Longer Just an Outlandish Movie Plot


March 24, 2017

2016 was a big year for health care data breaches with 106 major hacker-attributed breaches reported to the federal government, exposing 13.5 million individuals' records. [1] According to a June Ponemon Institute/IBM report on data breaches, loss of a single record cost health care institutions an average of $402, which adds up to $2.8 billion spent on 2016 hacking incidents

Scratching the Surface: The FTC’s Phishing Tips for Victim Companies Are a Good First Step but Companies Should Not Stop There


March 12, 2017

In one type of phishing, fraudsters impersonate your business when contacting consumers. Phishing victims think they’re giving information to your company — by phone or Internet — but instead give personal or financial information to the fraudster.

Cybersecurity and Privacy Policy as a Board of Directors Issue


January 17, 2017

Cybersecurity and privacy of customer information have become such critical issues that in-house counsel should treat them as board of directors-level issues.

Bullet Points on a Primer: The Quick Version of the Sedona Conference’s Data Privacy Primer


January 16, 2017

Privacy law began in 1890 when Harvard Law Review published “The Right to Privacy” by Samuel Warren and Louis Brandeis.

Cybersecurity Still Top FINRA Operational Risk


January 12, 2017

While FINRA acknowledges that there is no one-size-fits-all approach to cybersecurity, its 2017 letter reinforces its commitment to advising an approach grounded in risk management and effective control mechanisms for maintaining firms’ security and integrity.

FTC Brings Action Against D-Link in Ongoing Effort to Secure the Internet of Things


January 8, 2017

One area of concern for data privacy and cybersecurity professionals is the security of the Internet of Things, which refers to the digitally connected smart devices present in almost every aspect of our lives and growing exponentially in number every day.


Other Team Members

Gary K. Slinger


Director of Security & Business Continuity


Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.