Cybersecurity and Privacy


Overview

We provide clients across industries with comprehensive counsel on complex, evolving, and multifaceted issues related to information security and data breach. We blend our skills and experiences as litigators and transactional attorneys with a deep understanding of information security and data breach law to meet and anticipate our clients’ needs. Carlton Fields' team includes attorneys who have earned the designation of Certified Information Privacy Professional (CIPP/US) as well as former federal cybersecurity prosecutors. They are active and hold leadership positions in data privacy and cybersecurity organizations, such as:

  • International Association of Privacy Professionals (IAPP) 
  • The Sedona Conference Working Group on Data Security and Privacy Liability 
  • DRI - Data Management and Security Committee 
  • ABA - Privacy and Computer Crime Committee CLE Working Group 
  • ABA - Computer and Software Legislation Committee 
  • ABA - Electronic Filing Committee 
  • ABA - Internet Relationships and Cloud Computing Committee 
  • ABA - Section of Science & Technology Law 
  • The International Security Management Association 
  • ISACA (Information Systems Audit and Control Association)


Our services include: 

Data Breach and Incident Response

  • Help clients prepare for, and respond to, data breaches and the full range of government investigations they may prompt 
  • Develop comprehensive incident response plans that address internal and external actions 
  • Provide immediate support, via phone and email, for clients that learn of a possible data breach and must act immediately to thwart potential liability 

Policy Drafting and Implementation 

  • Draft data privacy and information security policies, procedures, and programs for businesses of all sizes with both domestic and international operations  
  • Update existing client policies to meet evolving business challenges 

Federal and State Privacy Laws 

  • Regularly assist clients with their obligations pursuant to laws including Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, and HITECH
  • Help clients navigate state breach notification laws 

International Privacy Regulations and Global Policies 

  • Counsel clients on compliance with the Privacy Shield negotiated between the U.S. Department of Commerce and the European Commission, which streamlines the method for U.S. companies to comply with the European data protection directive  
  • Counsel clients on compliance with the EU General Data Protection Regulation 
  • Counsel clients on compliance with International Standards of Organization, the internationally recognized best practices for personal data use, transmission, and storage 

Employee Privacy Issues 

  • Advise employers on a wide range of privacy areas, including compliance with federal and state regulations  
  • Counsel clients on compliance with the Fair Credit Reporting Act and analogous state law regarding pre-employment background checks and post-hire investigations

Website and Social Networking Issues 

  • Help ensure client compliance with FTC and other regulations  
  • Assist clients with the wide-ranging issues that arise as a result of social media use and an Internet presence, and help them develop related proactive policies and standards

Experience

  • Helped clients implement companywide privacy and security policies to ensure protection of sensitive data 
  • Helped clients that have experienced data breaches 
  • Defended clients being investigated by federal and/or state government agencies after complaints of privacy violations or data breaches (e.g., we help clients that are subject to the federal HIPAA privacy and security regulations respond to investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights)
  • Assisted and represented clients with the creation and implementation of Vendor Management Programs, including policies and procedures related to vendor risk assessment, vendor due diligence, vendor supervision, and vendor contract negotiation and management

 

All Insights

The CCPA's 50,000 California Resident Requirement - Easier to Meet Than It Might Seem

August 6, 2019

When the California Consumer Privacy Act (CCPA) takes effect in January 2020, it will grant California residents new rights regarding their personal information and will impose new and significant obligations on businesses that collect this information.

Show Me the Money: How the CCPA Provides a Mechanism for Consumers to Monetize Their Personal Data

August 4, 2019

Under section 1798.125(b) of the California Consumer Privacy Act of 2018 (CCPA), “[a] business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.

It’s 3 a.m., Do You Know Where Your Data Is? The Importance of Data Mapping and the California Consumer Privacy Act

July 29, 2019

The California Consumer Privacy Act (CCPA) takes effect in January and imposes a number of requirements on how businesses collect, use, and transfer personal information.

CF on Cyber: Cybersecurity and Privacy Due Diligence for Private Equity

July 25, 2019

In this podcast, cybersecurity attorneys Jack Clabby and Joe Swanson and M&A attorney Jackie Swigler offer their top five inquiries for cyber due diligence in this enhanced landscape.

The CCPA’s Contractual Requirements Between Covered Businesses and Service Providers

July 23, 2019

There is an equally impactful, yet often forgotten, obligation required by the CCPA that warrants attention: the need to make certain representations in written contracts between covered businesses and service providers.

The Research Exception to the CCPA’s Right to Deletion — Will It Ever Apply?

July 17, 2019

Following in the footsteps of the GDPR, the California Consumer Privacy Act of 2018 (CCPA) grants California consumers the so-called right to deletion when it goes into effect January 1, 2020.

Is Your Organization Ready for the CCPA? The Importance of an Incident Response Guide

July 3, 2019

The CCPA’s looming effective date underscores the need for an incident response guide.

The CCPA Has Placed a Mandatory Link on Your Company’s Homepage

June 26, 2019

This article summarizes this new requirement of a “Do Not Sell My Personal Information” link and provides some practical guidance.

Baltimore's Three-Week Ransomware Is a Warning for Other Local Governments to Prepare for Cyberattacks

May 31, 2019

For local governments, the costs of these attacks could be severe.

CF on Cyber: GDPR Regulator Takes Narrow View of "Contract" Basis for Processing Data

April 26, 2019

Under the GDPR, businesses need to specify their basis for processing personal data, and the European Data Protection Board has recently released guidelines (2/2019) that take a narrow view of the "contract" basis under Article 6(1)(b). Join Mike Yaeger and Steve Blickensderfer as they discuss the guidelines and how they affect compliance for US businesses.

S1:E6 - The Impact of Net Neutrality on the Esports and E-Gaming Industry

April 24, 2019

Steve and Nick discuss the state of the law on net neutrality, and the cases for and against it. They also explore its rarely discussed impact on esports and the video game industry with professional streamer Kevin Murray (aka kmagic101), who offers valuable insight and a unique perspective on this hot-button topic.

S1:E5 - Bugging Out: The Legal Effects of Bugs and Glitches in Games

April 10, 2019

Steve and Nick explore the legal consequences of bugs in video games and exploits in esports with litigator and former prosecutor Jack Clabby.

S1:E4 - Raiding Your Vault: Cybersecurity in Gaming

March 26, 2019

Steve and Nick discuss cybersecurity incidents impacting the video game industry, from brute-force attacks to swatting. They also interview professional streamer Ben Bowman (AKA Professor Broman), and review potential legal recourse for those who have suffered a gaming-related cyber incident.

Be Prepared for the Next Wave of Biometric Data Laws: Five Tips for Businesses

March 20, 2019

Advancements in technology have made it possible for more companies to use biometric data to streamline their business, improve security and workplace efficiency, and offer new services and features to customers.

Cybersecurity Obligations and Best Practices for Independent Schools

March 15, 2019

An overview of independent schools' cybersecurity obligations and best practices to manage risk.

LAN Party Lawyers Live at Ultimate Gamer Miami

March 15, 2019

In this special episode recorded live on the floor of the inaugural UG competition in Miami, Steve and Nick interview UG CEO Steve Suarez and Esports host/commentator Arda Ocal. They discuss the vision behind UG and the rise and future of the Esports industry from an insider's perspective.

S1:E3 - Even the Games Have Eyes: Data Privacy and Gaming

March 13, 2019

Steve and Nick take a deep dive into the emerging legal issues surrounding data privacy in gaming. They discuss the history of data collection in games and how that data has been used, and explore some of the regulatory restraints and challenges facing industry players. Then, in the 1v1 Showdown they debate various approaches to regulating these sensitive issues.

S1:E2 - One Step Closer to Skynet: Artificial Intelligence and Gaming

February 27, 2019

Steve and Nick examine how increasingly complex AI and neural networks have been developed using games as the testing grounds. They also interview Pedro Pavón, a thought leader in AI, about the legal and policy implications AI has for the future.

CF on Cyber: Cybersecurity Due Diligence in M&A Deals Under the CCPA and GDPR

February 20, 2019

In this podcast, cybersecurity attorneys Jack Clabby and Joe Swanson and M&A attorney Jackie Swigler offer their top five inquiries for cyber due diligence in this enhanced landscape.

CF on Cyber: The GDPR’s New Territorial Scope Guidelines

December 6, 2018

This podcast discusses the new GDPR guidelines and how they affect businesses not only in the EU, but around the world.

In California, a New Era in U.S. Privacy

October 1, 2018

In June, California passed a sweeping new privacy law that will impact an estimated 500,000 businesses in the United States.

Louisiana Appeals Court Affirms Class Certification in Lingering Litigation Against Department of Insurance

October 1, 2018

A Louisiana appeals court recently affirmed class certification in consolidated lawsuits, pending since 1991, against Louisiana’s Department of Insurance, other related state entities, and the state’s excess insurance carriers.

NAIC Summer National Meeting Spotlights Innovation and Insurtech

October 1, 2018

In response to the accelerating pace of change, the NAIC’s Summer National Meeting in Boston focused on innovation and insurtech.

NIST Provides Guide and Example Solution for IT Asset Management

October 1, 2018

On September 7, the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) published Special Publication 1800-5 – IT Asset Management Practice Guide (the Guide) to help financial services companies tackle challenges in managing both the hardware and software components of their information technology assets.

New Opinions From Second and Sixth Circuit Courts Rock Phishing Loss Coverage Landscape

July 16, 2018

On July 6, the Second Circuit Court of Appeals set off some fireworks in the insurance coverage litigation field when it found coverage for a “social engineering”/phishing scheme loss, bucking the trend among its sister courts.

California Passes Stringent Privacy Law Akin to GDPR

July 9, 2018

California passed a sweeping new privacy law similar to the EU’s GDPR. This article, which is relevant to all businesses that handle the personal information of California consumers, discusses rights and obligations under the new law, its scope, and the consequences of noncompliance.

Are Administrative Fees and Costs a Benefit to the Class as a Whole? A Circuit Split Continues

July 3, 2018

The Eighth Circuit’s deference to district courts in awarding attorney’s fees in these circumstances is in line with the approach taken by the Ninth Circuit.

South Carolina First State to Adopt NAIC Insurance Data Security Model Law

June 24, 2018

On May 3, Governor Henry McMaster signed the South Carolina Insurance Data Security Act, making South Carolina the first state to adopt the NAIC Insurance Data Security Model Law.

Supreme Court Rules Government Must Obtain Search Warrant for Mobile Phone Location Data

June 22, 2018

The U.S. Supreme Court ruled that the government cannot generally obtain mobile phone location data absent a warrant. This article discusses the decision, which ends years of uncertainty.

Client Alert: Eleventh Circuit Affirms No Coverage Under Computer Fraud Provision of Insurance Policy

May 10, 2018

Both insurers and insureds alike must recognize the need to laser focus on the precise terms employed in these policies to determine the scope of coverage.

9th Circ. Assesses Insurance For Social Engineering Scams

April 27, 2018

Every company in the market for insurance coverage should inquire specifically about coverage for social engineering schemes.

SEC Issues Cybersecurity Disclosure Guidance

March 31, 2018

On February 21, the SEC published interpretive "Guidance" to help public operating companies prepare disclosures about cybersecurity risks and incidents.

Supreme Court Denies Insurer’s Petition to Review Standing in Data Breach Class Actions

March 31, 2018

In recent years, the insurance and financial services industries have been targets of high profile data breaches.

When Innovation Meets Regulation: InsurTech and State Licensing Laws

March 31, 2018

The rise of InsurTech — which brings technological innovations to the business of insurance — is having a significant impact on the insurance industry, including through advancements in cybersecurity tools, the introduction of blockchain, and the use of big data for underwriting and claims.

HIPAA - Lessons From the Fresenius Settlement

March 30, 2018

In an industry overrun with news of almost daily privacy breaches, what makes the Fresenius settlement especially newsworthy is the size of the fine compared to the size of the breach and the types of breaches involved.

Recent Developments in Securities Class Actions and Companies' Disclosure Obligations Regarding Cybersecurity Risks and Events

March 8, 2018

Some recent events may encourage shareholder attorneys to pursue securities fraud class actions after disclosure of a cyber incident leads to a drop in the stock price.

Beyond the European Union: How the GDPR Affects US Companies

February 19, 2018

The effective date of the European Union’s General Data Protection Regulation (GDPR) will affect many organizations across the globe, even those not located in the EU.

The NAIC Says Aloha

December 29, 2017

The National Association of Insurance Commissioners held its Fall National Meeting December 2-4 in Hawaii, saying aloha to 2017 and aloha to 2018.

When Innovation Meets Regulation

December 29, 2017

The rise of InsurTech — which brings technological innovations to the business of insurance — has recently had a significant impact on the insurance industry, including through advancements in cybersecurity tools, the introduction of blockchain, and the use of big data for underwriting and claims.

NAIC Big Data Working Group Update

September 26, 2017

Regulators are hard at work considering insurers’ use of big data and analytics. The Big Data (Ex) Working Group, chaired by Oregon Commissioner Laura Cali Robison, adopted three charges for 2017.

NAIC Cybersecurity Working Group Votes to Approve Insurance Data Security Model Law

September 26, 2017

The National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Working Group (Cybersecurity WG) approved Version 6 (Finalized) of its Insurance Data Security Model Law (Model) on August 7 at the NAIC Summer 2017 National Meeting in Philadelphia.

OCIE Lessons From Cybersecurity 2 Initiative

September 26, 2017

On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert containing observations from its Cybersecurity 2 Exam Initiative. As a follow-up to the 2014 Cybersecurity 1 initiative, the Cybersecurity 2 Initiative examined the cybersecurity preparedness of 75 SEC-registered broker-dealers, investment advisers, and investment companies (funds) for the period of October 2014 through September 2015. In its report, OCIE identified issues of continuing concern, and articulated some best practices recommendations.

New York DFS Tightens Cybersecurity Gaps

September 19, 2017

Equifax takes no deposits and makes no loans, but New York now says that it, as well as all other consumer reporting agencies, must protect consumer data to the same degree as banks and other financial institutions.

Other Team Members

Gary K. Slinger

Director of Security & Business Continuity
