Cybersecurity and Privacy


Overview

We provide clients across industries with comprehensive counsel on complex, evolving, and multifaceted issues related to information security, data breaches, and privacy.

Our cybersecurity clients seek our advice at the three phases of cybersecurity legal needs: (i) planning, preparation, and hardening against a cybersecurity event; (ii) as “breach coaches” during a cybersecurity event, including coordination of forensic services and working with law enforcement, through consumer notification; and (iii) in the litigation that may follow a cybersecurity event.

Our attorneys are also trusted counsel both to international companies and to growth-stage companies on all manner of privacy compliance and litigation. We advise on long-standing federal standards such as HIPAA and Gramm-Leach-Bliley as well as emerging state standards, such as those in California and New York.

We blend our skills and experiences as litigators and transactional attorneys with a deep understanding of information security, data breach law, and privacy laws and regulations to meet and anticipate our clients’ needs. Carlton Fields' team includes attorneys who have earned the designation of Certified Information Privacy Professional (e.g., CIPP/US, CIPM) as well as former federal cybercrime prosecutors.

Our services include: 

Data Breach and Incident Response

  • Help clients prepare for, and respond to, data breaches and the full range of government investigations they may prompt
  • Provide immediate support and rapid response, via phone and email, for clients that learn of a possible data breach and must act immediately to mitigate potential liability and discharge potential obligations stemming from the incident 
  • Develop and test comprehensive incident response plans that address internal and external actions to take in the wake of a data security incident

Litigation

  • Represent clients in all forms of litigation associated with data breaches and other security incidents. This includes class action defense in federal and state courts, and prosecution and defense of other complex matters.

Development and Implementation of Compliance Programs

  • Build full-scale compliance programs for domestic and international operations, including:
    • Data mapping and risk assessment
    • Data subject access request management policies, procedures, and workflows
    • Review and update of contracts and agreements to reflect data privacy obligations and data processing
    • Updates to internal and external privacy policies
    • Cookie consent and management of preferences
    • Privacy compliance for new product development and advertising
  • Update data privacy and information security policies, procedures, and programs for businesses of all sizes with both domestic and international operations  

Federal and State Privacy and Cybersecurity Laws 

  • Regularly assist clients with their obligations pursuant to laws, including Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, and HITECH  
  • Assist clients in complying with emerging state privacy and cybersecurity laws, such as the California Consumer Privacy Act (CCPA), Nevada privacy law (SB-220), and the New York SHIELD Act

International Privacy Regulations and Global Policies 

  • Counsel clients on compliance with the GDPR and assist with the development of legal means for cross-border data transfers post Schrems II
  • Counsel clients on compliance with other international regulations, including Brazil’s Lei Geral de Proteção de Dados Pessoais (General Data Protection Law - LGPD) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Counsel clients on compliance with International Standards of Organization (ISO Series), the internationally recognized best practices for personal data use, transmission, and storage

Employee Privacy Issues 

  • Advise employers on a wide range of privacy areas, including compliance with federal and state regulations, including employer obligations under the CCPA
  • Counsel clients on compliance with the Fair Credit Reporting Act and analogous state laws regarding pre-employment background checks and post-hire investigations
  • Counsel businesses on privacy issues related to work-from-home and COVID-19

Genetic Information and Health Privacy

  • Develop and implement incident management response for data breaches relating to electronic personal health information
  • Manage security risk assessments to meet HIPAA, HITECH and state health information privacy and security requirements
  • Develop and implement full suite of policies and procedures necessary for compliance with HIPAA’s Privacy and Security Rules
  • Create compliance programs to accommodate emerging biometric data and genetic privacy laws domestically and internationally

Privacy and Cybersecurity Trainings

  • Provide off-the-shelf and white-labeled privacy training options to accommodate businesses of all sizes in privacy readiness and compliance, including trainings to meet compliance requirements for the CCPA, GDPR, LGPD, HIPAA, and EU Data Authority guidance
  • Plan and conduct tabletop exercises with companies to simulate a breach event, tailored to the company’s particular risk profile, often partnering with inside or outside forensic experts and media relations professionals

Website and Social Networking Issues 

  • Help ensure client compliance with FTC and other regulations  
  • Support brands and influencers in meeting requirements under Section 5 of the FTC Act
  • Draft privacy policies, social media policies, terms of use, and community policies, and develop internal legal management programs for emerging online issues
  • Assist clients with the wide-ranging issues that arise as a result of social media use and an internet presence, and help them develop related proactive policies and standards

Online Harassment and Phishing Campaigns

  • Represent and protect companies and their employees who are victims of online harassment, including non-consensual pornography, cyber stalking, reputation attacks, identity theft, and other forms of digital abuse.
  • Work with companies whose employees or customers are facing targeted, sophisticated phishing campaigns, including spoofing attempts and suspected email compromises
  • Our work can include support of the company’s investigations into these matters, packaging the evidence for cooperation with law enforcement, and protection of corporate intellectual property, particularly as to domain-name abuse.

Due Diligence and Other Transactional Support

  • Provide cybersecurity and privacy due diligence advice in connection with mergers and acquisitions, private equity investments, and other transactions
  • Represent private equity firms and other pooled-capital entities as standby counsel for their investigations into potential acquisitions, including of SaaS companies as well as more traditional brick-and-mortar companies for which cybersecurity is a concern, both at the term sheet level and pre-closing


Our attorneys are active and hold leadership positions in data privacy and cybersecurity organizations, such as:

  • International Association of Privacy Professionals (IAPP) 
  • The Sedona Conference Working Group on Data Security and Privacy Liability 
  • DRI - Data Management and Security Committee 
  • ABA - Privacy and Computer Crime Committee CLE Working Group 
  • ABA - Computer and Software Legislation Committee 
  • ABA - Electronic Filing Committee 
  • ABA - Internet Relationships and Cloud Computing Committee 
  • ABA - Section of Science & Technology Law 
  • The International Security Management Association
  • ISACA (Information Systems Audit and Control Association)


Industries supported by our practice include:

  • Advertising
  • Artificial intelligence
  • Biotechnology
  • Construction and real estate
  • Consumer brands
  • Cosmetics
  • Data analytics
  • E-commerce
  • Electronic gaming and esports
  • Financial services sector
  • Health care
  • Insurance
  • Media and entertainment
  • Professional services
  • Retail, including online retail
  • Software
  • Software as a service
  • Technology
  • Telecommunications
  • Title insurance

Experience

  • Served as breach coach and notifications counsel in responding to an extortionate ransomware attack on a B2B company with international operations, coordinating forensic response, threat actor engagement, coordination with law enforcement, and public and business-partner communications.
  • Helped dozens of corporate clients that have experienced data breaches due to theft (e.g., stolen laptops and servers), social engineering fraud (phishing, misdirected wires), hacking (stolen passwords, brute force attacks), and accident (e.g., natural disasters, lost backup tapes).
  • Defend clients under investigation by federal and/or state government agencies after complaints of privacy violations or data breaches. We frequently help clients, for example, that are subject to HIPAA privacy and security regulations respond to investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights. 
  • Defend data breach class actions, including (i) a hospital system after the alleged theft of personal health and financial data of hospital patients; (ii) a public entity after the exposure of its employees’ tax information in a phishing scheme; and (iii) a multi-office medical practice that was the victim of a ransomware attack. In such cases, we have won at the motion to dismiss phase and class certification phases, and we have, in consultation with our clients and their insurance carriers, arranged for favorable resolutions at mediation.
  • Assist and represent clients with creation and implementation of vendor management programs, including policies and procedures related to vendor risk assessment, vendor due diligence, vendor supervision, and vendor contract negotiation and management.
  • Help clients implement companywide privacy and security policies to ensure protection of sensitive data.
  • Help clients design beginning-to-end privacy compliance programs for new products, means of advertising, or other uses of consumer data, including drafting and strategic placement of all necessary notices and authorizations, as well as negotiating associated contracts. Such engagements include compliance with the CCPA, GDPR, and similar privacy regimes.
  • Develop and implement GDPR compliance programs for an international social media software-as-a-service platform.
  • Represent, with local counsel, companies before EU Data Protection Authorities in regulatory inquiries.
  • Launch mobile application startups in app stores in international markets.
  • Scale privacy compliance programs as outside counsel from startup to IPO.
  • Help clients understand privacy compliance steps needed to expand current uses of consumer information.
  • Serve as the outside general counsel to education clients on privacy and cybersecurity legal issues, including advice on remote learning, interpretation of FERPA, issues related to sexting and cyberbullying, and incident response. Our clients include colleges and universities, as well as some of the country’s top private K-12 schools, school districts, and charter schools.

All Insights

California Bill Extending Employment and B2B Compliance Obligations for CCPA Heads to Governor Newsom's Desk

September 3, 2020

A bill that would extend California Consumer Privacy Act (CCPA) compliance obligations for employment information and business-to-business information has passed through both chambers of the California Legislature and has been sent to Governor Gavin Newsom's desk for signature before the end of September.

Guidance Released From German Data Protection Authority: Time to Review EU Data Transfer Mechanisms

August 28, 2020

This week, guidance finally emerged from one data protection authority in Germany. The data protection authority of Baden-Württemberg issued its own guidance on how companies should approach their data transfer analysis in a post-Schrems II world.

The California Consumer Privacy Act: Are You Ready?

August 25, 2020

This webinar will help you understand the current landscape of the CCPA and other privacy regimes, including the status of the regulations, and anticipated litigation and enforcement priorities.

The Final CCPA Regulations May Be Ready, But Is Your Business?

August 19, 2020

On August 14, California’s attorney general announced the approval of the final regulations for the CCPA. This alert discusses principal changes and key highlights in the final regulations.

Canna We Talk Cannabis? Cybersecurity Risks Bring Growing Pains to Cannabis Businesses

February 10, 2020

This episode explores the circumstances involved in a recent data breach involving the cannabis industry.

The CCPA for the Land Title Industry: Practical Compliance With CCPA and New Privacy Laws

February 6, 2020

Join Elizabeth Reilly from Fidelity National Financial and Carlton Fields’ attorneys Jack Clabby, Joe Swanson, and Steve Blickensderfer as they answer real questions from real members of the American Land Title Association on the resources and tools available to members of the land title industry, as well as some practical compliance tips for companies as they work to comply with the CCPA.

The CCPA for the Land Title Industry: CCPA Resources and Compliance Tips

January 29, 2020

Join Elizabeth Reilly from Fidelity National Financial and Carlton Fields’ attorneys Jack Clabby, Joe Swanson, and Steve Blickensderfer as they answer real questions from real members of the American Land Title Association on the resources and tools available to members of the land title industry, as well as some practical compliance tips for companies as they work to comply with the CCPA.

The CCPA for the Land Title Industry: Service Providers and Sale of Data Under the CCPA

January 22, 2020

In this program, Jack Clabby, Joe Swanson and Steve Blickensderfer give practical advice on the attorneys’ role in a data security incident response guide, which is a key document in preparing for California’s new data privacy law, the CCPA.

The CCPA for the Land Title Industry: Who Does the CCPA Apply To?

January 15, 2020

In this program, Jack Clabby, Joe Swanson and Steve Blickensderfer give practical advice on the attorneys’ role in a data security incident response guide, which is a key document in preparing for California’s new data privacy law, the CCPA.

CF on Cyber: Leveraging the Incident Response Guide to Prepare for the CCPA

November 7, 2019

In this program, Jack Clabby, Joe Swanson and Steve Blickensderfer give practical advice on the attorneys’ role in a data security incident response guide, which is a key document in preparing for California’s new data privacy law, the CCPA.

CF on Cyber: Key Takeaways from the California AG’s Proposed CCPA Regulations

October 15, 2019

The California AG recently published its long-awaited proposed regulations to implement the CCPA. This podcast describes a few key points from those draft regulations, including as they relate to online privacy notices, verifying consumer requests, and financial incentive offerings.

CF on Cyber & FICPA presents Refeathering the Pillow: Catching, Containing & Cleaning up Cyber Fraud

October 4, 2019

In this podcast, cybersecurity attorney Jack Clabby discusses safety and risk management in data loss incidents with Mia Thomas, CPA, CGMA, Director of Learning for the FICPA.

The CCPA's 50,000 California Resident Requirement - Easier to Meet Than It Might Seem

August 6, 2019

When the California Consumer Privacy Act (CCPA) takes effect in January 2020, it will grant California residents new rights regarding their personal information and will impose new and significant obligations on businesses that collect this information.

Show Me the Money: How the CCPA Provides a Mechanism for Consumers to Monetize Their Personal Data

August 4, 2019

Under section 1798.125(b) of the California Consumer Privacy Act of 2018 (CCPA), “[a] business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.”

It’s 3 a.m., Do You Know Where Your Data Is? The Importance of Data Mapping and the California Consumer Privacy Act

July 29, 2019

The California Consumer Privacy Act (CCPA) takes effect in January and imposes a number of requirements on how businesses collect, use, and transfer personal information.

CF on Cyber: Cybersecurity and Privacy Due Diligence for Private Equity

July 25, 2019

In this podcast, cybersecurity attorneys Jack Clabby and Joe Swanson and M&A attorney Jackie Swigler offer their top five inquiries for cyber due diligence in this enhanced landscape.

The CCPA’s Contractual Requirements Between Covered Businesses and Service Providers

July 23, 2019

There is an equally impactful, yet often forgotten, obligation required by the CCPA that warrants attention: the need to make certain representations in written contracts between covered businesses and service providers.

The Research Exception to the CCPA’s Right to Deletion — Will It Ever Apply?

July 17, 2019

Following in the footsteps of the GDPR, the California Consumer Privacy Act of 2018 (CCPA) grants California consumers the so-called right to deletion when it goes into effect January 1, 2020.

Is Your Organization Ready for the CCPA? The Importance of an Incident Response Guide

July 3, 2019

The CCPA’s looming effective date underscores the need for an incident response guide.

The CCPA Has Placed a Mandatory Link on Your Company’s Homepage

June 26, 2019

This article summarizes this new requirement of a “Do Not Sell My Personal Information” link and provides some practical guidance.

Baltimore's Three-Week Ransomware Is a Warning for Other Local Governments to Prepare for Cyberattacks

May 31, 2019

For local governments, the costs of these attacks could be severe.

CF on Cyber: GDPR Regulator Takes Narrow View of "Contract" Basis for Processing Data

April 26, 2019

Under the GDPR, businesses need to specify their basis for processing personal data, and the European Data Protection Board has recently released guidelines (2/2019) that take a narrow view of the "contract" basis under Article 6(1)(b). Join Mike Yaeger and Steve Blickensderfer as they discuss the guidelines and how they affect compliance for US businesses.

S1:E6 - The Impact of Net Neutrality on the Esports and E-Gaming Industry

April 24, 2019

Steve and Nick discuss the state of the law on net neutrality, and the cases for and against it. They also explore its rarely discussed impact on esports and the video game industry with professional streamer Kevin Murray (aka kmagic101), who offers valuable insight and a unique perspective on this hot-button topic.

S1:E5 - Bugging Out: The Legal Effects of Bugs and Glitches in Games

April 10, 2019

Steve and Nick explore the legal consequences of bugs in video games and exploits in esports with litigator and former prosecutor Jack Clabby.

S1:E4 - Raiding Your Vault: Cybersecurity in Gaming

March 26, 2019

Steve and Nick discuss cybersecurity incidents impacting the video game industry, from brute-force attacks to swatting. They also interview professional streamer Ben Bowman (AKA Professor Broman), and review potential legal recourse for those who have suffered a gaming-related cyber incident.

Be Prepared for the Next Wave of Biometric Data Laws: Five Tips for Businesses

March 20, 2019

Advancements in technology have made it possible for more companies to use biometric data to streamline their business, improve security and workplace efficiency, and offer new services and features to customers.

Cybersecurity Obligations and Best Practices for Independent Schools

March 15, 2019

An overview of independent schools' cybersecurity obligations and best practices to manage risk.

LAN Party Lawyers Live at Ultimate Gamer Miami

March 15, 2019

In this special episode recorded live on the floor of the inaugural UG competition in Miami, Steve and Nick interview UG CEO Steve Suarez and Esports host/commentator Arda Ocal. They discuss the vision behind UG and the rise and future of the Esports industry from an insider's perspective.

S1:E3 - Even the Games Have Eyes: Data Privacy and Gaming

March 13, 2019

Steve and Nick take a deep dive into the emerging legal issues surrounding data privacy in gaming. They discuss the history of data collection in games and how that data has been used, and explore some of the regulatory restraints and challenges facing industry players. Then, in the 1v1 Showdown they debate various approaches to regulating these sensitive issues.

S1:E2 - One Step Closer to Skynet: Artificial Intelligence and Gaming

February 27, 2019

Steve and Nick examine how increasingly complex AI and neural networks have been developed using games as the testing grounds. They also interview Pedro Pavón, a thought leader in AI, about the legal and policy implications AI has for the future.

CF on Cyber: Cybersecurity Due Diligence in M&A Deals Under the CCPA and GDPR

February 20, 2019

In this podcast, cybersecurity attorneys Jack Clabby and Joe Swanson and M&A attorney Jackie Swigler offer their top five inquiries for cyber due diligence in this enhanced landscape.

CF on Cyber: The GDPR’s New Territorial Scope Guidelines

December 6, 2018

This podcast discusses the new GDPR guidelines and how they affect businesses not only in the EU, but around the world.

Other Team Members

Gary K. Slinger

Director of Security & Business Continuity

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.