Overview
We provide clients across industries with comprehensive counsel on complex, evolving, and multifaceted issues related to information security, data breaches, and privacy.
Our cybersecurity clients seek our advice at the three phases of cybersecurity legal needs: (i) planning, preparation, and hardening against a cybersecurity event; (ii) as “breach coaches” during a cybersecurity event, including coordination of forensic services and working with law enforcement, through consumer notification; and (iii) in the litigation that may follow a cybersecurity event.
Our attorneys are trusted counsel both to international companies and to growth-stage companies on all manner of privacy compliance and litigation issues. We advise on long-standing federal standards such as HIPAA and Gramm-Leach-Bliley as well as emerging state standards, such as those in California and New York.
We blend our skills and experiences as litigators and transactional attorneys with a deep understanding of information security, data breach law, and privacy laws and regulations to meet and anticipate our clients’ needs. Carlton Fields' team includes attorneys who have earned the designation of Certified Information Privacy Professional (e.g., CIPP/US, CIPM) as well as former federal cybercrime prosecutors.
Our services include:
Data Breach and Incident Response
- Help clients prepare for, and respond to, data breaches and the full range of government investigations they may prompt.
- Provide immediate support and rapid response, via phone and email, for clients that learn of a possible data breach and must act immediately to mitigate potential liability and discharge potential obligations stemming from the incident.
- Develop and test comprehensive incident response plans that address internal and external actions to take in the wake of a data security incident.
Litigation
- Represent clients in all forms of litigation associated with data breaches and other security incidents. This includes class action defense in federal and state courts, and prosecution and defense of other complex matters.
Development and Implementation of Compliance Programs
- Build full-scale compliance programs for domestic and international operations, including:
  - Data mapping and risk assessment
  - Data subject access request management policies, procedures, and workflows
  - Review and update of contracts and agreements to reflect data privacy obligations and data processing
  - Updates to internal and external privacy policies
  - Cookie consent and management of preferences
  - Privacy compliance for new product development and advertising
- Update data privacy and information security policies, procedures, and programs for businesses of all sizes with both domestic and international operations.
Federal and State Privacy and Cybersecurity Laws
- Regularly assist clients with their obligations pursuant to laws, including Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, and HITECH.
- Assist clients in complying with emerging state privacy and cybersecurity laws, such as the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), Nevada's privacy law (SB-220), the New York SHIELD Act, and the Virginia Consumer Data Protection Act (VCDPA).
International Privacy Regulations and Global Policies
- Counsel clients on compliance with the GDPR and assist with the development of legal means for cross-border data transfers post Schrems II.
- Counsel clients on compliance with other international regulations, including Brazil’s Lei Geral de Proteção de Dados (General Data Protection Law - LGPD), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Jamaica's Data Protection Act (DPA).
- Counsel clients on compliance with International Standards of Organization (ISO), the internationally recognized best practices for personal data use, transmission, and storage.
Employee Privacy Issues
- Advise employers on a wide range of privacy areas, such as compliance with federal and state regulations, including employer obligations under the CCPA.
- Counsel clients on compliance with the Fair Credit Reporting Act and analogous state laws regarding pre-employment background checks and post-hire investigations.
- Counsel businesses on privacy issues related to work-from-home and COVID-19.
Genetic Information and Health Privacy
- Develop and implement incident management response for data breaches relating to electronic personal health information.
- Manage security risk assessments to meet HIPAA, HITECH, and state health information privacy and security requirements.
- Develop and implement full suite of policies and procedures necessary for compliance with HIPAA’s privacy and security rules.
- Create compliance programs to accommodate emerging biometric data and genetic privacy laws domestically and internationally.
Privacy and Cybersecurity Trainings
- Provide off-the-shelf and white-label privacy training options to accommodate businesses of all sizes in privacy readiness and compliance, including trainings to meet compliance requirements for the CCPA, GDPR, LGPD, HIPAA, and EU data authority guidance.
- Plan and conduct tabletop exercises with companies to simulate a breach event, targeted to the company’s particular risk profile, often partnering with inside or outside forensic experts and media relations professionals.
Website and Social Networking Issues
- Help ensure client compliance with FTC and other regulations.
- Support brands and influencers in meeting requirements under Section 5 of the FTC Act.
- Draft privacy policies, social media policies, terms of use, and community policies, and develop internal legal management programs for emerging online issues.
- Assist clients with the wide-ranging issues that arise as a result of social media use and an internet presence, and help them develop related proactive policies and standards.
Online Harassment and Phishing Campaigns
- Represent and protect companies and their employees who are victims of online harassment, including nonconsensual pornography, cyber stalking, reputation attacks, identity theft, and other forms of digital abuse.
- Work with companies whose employees or customers are facing targeted, sophisticated phishing campaigns, including spoofing attempts and suspected email compromises.
- Our work can include support of the company’s investigations into these matters, packaging the evidence for cooperation with law enforcement, and protection of corporate intellectual property, particularly as to domain name abuse.
Due Diligence and Other Transactional Support
- Provide cybersecurity and privacy due diligence advice in connection with mergers and acquisitions, private equity investments, and other transactions.
- Represent private equity firms and other pooled-capital entities as standby counsel for their investigations into potential acquisitions, including of SaaS companies as well as more traditional brick-and-mortar companies for which cybersecurity is a concern, both at the term sheet level and pre-closing.
Our attorneys are active and hold leadership positions in data privacy and cybersecurity organizations, such as:
- International Association of Privacy Professionals (IAPP)
- International Security Management Association
- Sedona Conference Working Group on Data Security and Privacy Liability
- ABA - Privacy and Computer Crime Committee CLE Working Group
- ABA - Computer and Software Legislation Committee
- ABA - Electronic Filing Committee
- ABA - Internet Relationships and Cloud Computing Committee
- ABA - Section of Science & Technology Law
- DRI - Data Management and Security Committee
- ISACA (Information Systems Audit and Control Association)
Industries supported by our practice include:
- Advertising
- Artificial intelligence
- Biotechnology
- Construction and real estate
- Consumer brands
- Cosmetics
- Data analytics
- E-commerce
- Education (K-12 and universities) and education technology (edtech)
- Electronic gaming and esports
- Financial services sector
- Health care
- Insurance
- Media and entertainment
- Professional services
- Retail, including online retail
- Software
- Software as a service
- Technology
- Telecommunications
- Title insurance