Menu
Patricia M. Carreiro
  • Patricia M. Carreiro
  • 305.539.7314
  • Share Share this page
Patricia M. Carreiro

Patricia M. Carreiro

Associate
In this section

Overview

Trish Carreiro is an experienced cybersecurity and privacy litigator who advises clients on privacy compliance and data breach response. She is certified with the International Association of Privacy Professionals (IAPP) as both a certified information privacy professional (CIPP/US) and certified information privacy manager (CIPM), and is co-chair of the IAPP’s South Florida chapter.

Trish is experienced in high-stakes cybersecurity litigation and has particular depth of experience in privacy and cybersecurity program management in highly regulated industries, such as insurance, health care, and financial services, as well as privacy compliance for large retailers and other organizations seeking broad privacy compliance.

Trish serves as outside privacy and cybersecurity counsel to companies of all sizes, tailoring her advice to her clients’ particular legal needs and risk tolerance. Her clients range from Fortune 500 companies to small universities and health care startups.

As a recognized privacy and cybersecurity thought leader, Trish uses her litigation perspective to guide clients to both avoid, and effectively handle, privacy and cybersecurity litigation. Her insights have been featured in publications including Bloomberg Health Law & Business, Law360, Law.com, Corporate Counsel, Today’s General Counsel, InsideCounsel, The Cybersecurity Law Report, Data Breach Today, Health IT Security, Healthcare IT News, Healthcare Infosecurity, Life Annuity Specialist, Fierce Healthcare, Daily Business Review, Miami Herald, Dark Reading, STAT, and Tampa Bay Business Journal.

A frequent speaker and author, Trish has written dozens of articles on cutting-edge topics such as:

  • Class action breach litigation.
  • The use of big data, machine learning, and AI in the life insurance industry.
  • The health care industry’s use of health apps and wearable technology, and challenges surrounding HIPAA compliance for work-from-home and telehealth programs.

When COVID-19 struck, Trish was one of the first to begin writing about the privacy and cybersecurity challenges facing the health care industry, and how to navigate them. She has represented health care providers in class action breach litigation, executed data breach response for numerous health care providers, represented health care providers throughout post-breach Office for Civil Rights and attorneys general investigations, and drafted comprehensive HIPAA compliance programs for HIPAA-covered entities.

Trish’s experience with emerging technologies has developed into a niche practice in the life insurance industry. She has helped numerous life insurers navigate the morass of state and federal privacy laws to market their products in new and innovative ways, streamline their privacy compliance, adjust to changing laws, digitize their application process, increase consumer engagement, and apply new technologies and data to underwrite their risk. From drafting the necessary notices and consents, to developing the process for presenting and recording authorizations, Trish has used her expertise to help propel the insurance industry forward.

Her prior experience includes time with the U.S. Department of Justice Criminal Division’s Fraud Section, the U.S. Securities and Exchange Commission Division of Enforcement, the New York State Attorney General’s Medicaid Fraud Unit, and the Connecticut Commission on Human Rights and Opportunities. She is proficient in Spanish and Portuguese.

Experience

Cybersecurity Class Action Litigation

  • Advised one of the nation’s largest banks on possible causes of action, defenses, class action strategy, and litigation options following nationwide data breach.
  • Advised large, publicly traded financial institution regarding multiple data breach class actions.
  • Defended health care provider in class action breach litigation stemming from ransomware attack. 

Privacy Compliance

Financial Institutions

  • Advised large life insurer and affiliated producer regarding privacy compliance throughout development of fully electronic automated underwriting application, including negotiating contractual agreements with third-party service providers, developing procedures for operationalizing and demonstrating privacy compliance, and drafting privacy policies, procedures, notices, and authorizations.
  • Counseled various financial institutions, including insurers, producers, and mortgage servicers, regarding compliance with privacy laws such as the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA), the Telephone Consumer Protection Act of 1991 (TCPA), the CAN-SPAM Act of 2003, the Telemarketing Sales Rule, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act (HIPAA), and National Association of Insurance Commissioners (NAIC) model laws, as applicable.
  • Advised multiple insurers regarding:
    • Notices and consents needed when seeking information about applicants/insureds from third parties, or seeking to share applicant/insured information with third parties for transactional or marketing purposes.
    • Privacy compliance regarding contacting applicants/insureds via varying means throughout the insurance application process.
    • Handling of consumer data subject requests to know, correct, delete, or limit sharing.
    • Cybersecurity obligations.
    • Responding to, and preparing for, examinations regarding cybersecurity and privacy practices.
  • Counseled financial institutions regarding intersection of the GLBA and the CCPA.
  • Advised large financial entities regarding contractual privacy provisions, privacy compliance, and cybersecurity insurance coverage.
  • Drafted privacy policies, associated notices, and privacy request processing procedures for organizations across industries, from financial institutions to nonprofits to retailers, including drafting sample communications and scripts.

Telecommunications

  • Counseled and managed large telecommunications carrier regarding customer proprietary network information (CPNI) breach response and associated reporting and notifications.
  • Advised large telecommunications carrier on legal compliance and risk-reducing steps for numerous proposed uses and sharing of CPNI.

Health Care

  • Drafted comprehensive HIPAA compliance program for HIPAA-covered entity, including drafting associated policies and procedures.
  • Managed breach response for various HIPAA entities, including covered entities and business associates, throughout breach investigation, required reporting and notifications, and any associated litigation.
  • Advised business associate regarding compliance with the CCPA, including drafting necessary privacy notices and establishing procedures for processing associated privacy requests.

Privacy and Cybersecurity Program Management

  • Advised multiple Fortune 500 companies regarding adjustments needed to comply with new state privacy laws.
  • Design and implement privacy program for large U.S.-based retailer.
  • Create privacy policies and website terms of use.
  • Draft and negotiate data processing agreements and contractual provisions for vendor management.
  • Draft internal privacy and cybersecurity policies and procedures, including breach response, data retention/destruction, and others.
  • Advise regarding privacy and cybersecurity risk management, including key contractual provisions and policy best practices.

Data Breach Response

  • Represented companies in investigating and responding to phishing, ransomware, business email compromises, and wire diversion schemes.
  • Executed data breach response for companies of all sizes, including managing forensic investigation, data mining, and required reporting to regulators, law enforcement, media, and consumers for breaches of CPNI, GDPR data, and other personal information. Representative entities include health care providers, retailers, telecommunications carriers, and businesses large and small.
  • Represented health care providers throughout post-breach Office for Civil Rights and attorneys general investigations.

All Insights

10.20.2022
Financial Services Cyber Fraud: The Latest Risks and Best Responses
09.08.2022
Learn From Lemonade’s Privacy Lemon: Sweeten Compliance to Lessen Litigation Bitterness
05.11.2022
NAIC’s New Cybersecurity Working Group Prepares for Planting
05.11.2022
NAIC’s Privacy Protections Working Group Plans Extended Growing Season for Fall 2023 Harvest
05.11.2022
SEC Showers Down Proposed Cybersecurity Rules: 5 Steps for Staying Dry
03.14.2022
The SEC Has Proposed a New Cyber Disclosures Rule for Public Companies
ABA Securities Litigation Practice Points
03.11.2022
Four Takeaways From the SEC's Proposed Cyber Rule for Public Companies
02.15.2022
SEC Plants New Cybersecurity Regulations; Time Will Tell What Will Bloom
02.15.2022
The Health Data Use and Privacy Commission Act: Is HIPAA Getting a Facelift and Expanding Its Reach?
01.11.2022
Regulators Forecast Storm of Cybersecurity Activity
01.11.2022
When Congress Freezes Up, the NAIC’s Privacy Protections Working Group Lights a Fire
09.16.2021
Diving Into IoT Data? Here Are Some Privacy Considerations
08.17.2021
Bracing for 2023: 10 Steps to Prepare for a New Era in U.S. Privacy
07.15.2021
DFS Continues Focus on Cybersecurity: Issues Ransomware Guidance and Signals Increased Enforcement Actions
06.15.2021
Biden Administration Issues Practical Guidance for Ransomware Attacks
05.05.2021
Cast Into the Deep: Questions for Charting New Privacy Waters
05.05.2021
Spring Is Hot for State Privacy Legislation
02.19.2021
Florida's New Privacy Bill Promises Big Changes
12.29.2020
Health Care Providers Are Under Attack. Are You Ready for 2021?
12.15.2020
Eleventh Circuit Decisions May Chill Future Data Breach Class Actions
06.18.2020
Final CCPA Regulations Submitted, but Compliance Burden Could Increase
06.15.2020
HIPAA Compliance for Work-From-Home or Telehealth Programs: Five Frequently Overlooked Considerations
06.15.2020
Industry Voices — Relaxing Telehealth Regulations Does Not Mean Relaxing Fraud Enforcement
Fierce Healthcare
05.13.2020
10 Privacy Recommendations for Health App Developers From the AMA’s Latest Privacy Principles
05.06.2020
NAIC Restarts Its Work Revising Its Model Privacy Provisions
05.04.2020
Five Steps to Prepare for Telehealth Data Breach Litigation
04.30.2020
10 Steps for Responding to a Telehealth Data Breach
04.24.2020
New Funds Available Under the Small Business PPP and EIDL Programs
04.21.2020
Six Steps to Protect Against Increased Telehealth Cybersecurity Dangers
04.13.2020
OCIE Continues Relentless Cybersecurity Focus
04.13.2020
Spring Cleaning on the NAIC Model Privacy Laws
04.09.2020
Federal Reserve Moves to Assist Larger Businesses
04.01.2020
Privacy and Cybersecurity Perils in Hastily Signed Work-From-Home Vendor Contracts
03.31.2020
Small Business Administration Loans Summary Under the CARES Act
03.19.2020
Cybersecurity Considerations for Providers Considering Telehealth During COVID-19’s State of Emergency
03.18.2020
COVID-19 and Cybersecurity: Best Practices in an Uncertain Landscape
01.31.2020
Here Are Seven Phrases That Can Help Your Business Avert Cybersecurity Attacks
Miami Herald
01.14.2020
Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA

Professional & Community Involvement

  • Connecticut Bar Association
    • House of Delegates District 12 (Hartford) Representative (2018–2019)
    • Executive Committee, Women in the Law Section (2016–2019)
  •  FAIR Institute
    • Cyber Insurance Workgroup (2018)
  • International Association of Privacy Professionals
    • Women Leading Privacy
    • Co-Chair, South Florida KnowledgeNet Chapter
  • United Way Women United

Speaking Engagements

  • "Cybersecurity Fraud Threats: Attacks Against Insurers, Contract Owners, and Retirement Account Holders," 2022 ALIC Regional Insurance Counsel Roundtable (October 25, 2022)
  • "Financial Services Cyber Fraud: The Latest Risks and Best Responses," Carlton Fields (October 20, 2022)
  • "The Latest Cyber Threats and Coverage Issues," Carlton Fields (June 28, 2022)
  • "An Overview of Life Insurers’ Privacy and Cybersecurity Requirements," Carlton Fields (June 21, 2022)
  • “Digital Marketing: Thriving, Surviving, or Dead on Arrival?,” International Association of Privacy Professionals (March 2022)
  • “Data Breach Litigation,” Global Aesthetics Conference (November 2021)
  • “HIPAA Breaches,” Miami Cosmetic Surgery & Aesthetic Dermatology Symposium (August 2021)
  • "Decision-Making with FAIR - Quantification and the Rise of Class Action Lawsuits," 2020 FAIR Conference (October 2020)
  • "Privacy Leaders Circle: Miami," Truyo (July 9, 2020)
  • "Privacy Policy and Terms of Use Basics for Start Ups," Nova Southeastern University Shepard Broad College of Law (March 2020)
  • "Evaluating Cyber Insurance Using the FAIR Doctrine," Legal Services Information Sharing and Analysis Organization (LS-ISAO) (May 2019)
  • "Using FAIR to Optimize Your Cyber Insurance Coverage," 2018 FAIR Conference on Information Risk Management (October 2018)
  • "Data Breach Litigation: Recent Trends and Developments," The Knowledge Group (June 2018)
  • "Cyber & Law: It’s Really About the Money," Evolver (January 2018)
  • "Which Insurance Would Cover a Breach-Related Injury?," Healthcare Info Security (October 2017)
  • "Cyber Risk and Liability Insurance: What Is It and Why You Need It," The Knowledge Group (October 2017)
  • "She Leads: Women in the Law," Quinnipiac University School of Law (November 2016)
  • "Cybersecurity Litigation and the Role of Cyber Insurance," Connecticut Law Tribune (September 2015)

Credentials

Education
  • New York University School of Law (J.D., 2013)
  • Duke University (B.A., 2008)
Bar Admissions
  • Florida
  • Connecticut
Industry Specialization Certifications
  • CIPP/US
  • CIPM
Languages
  • Spanish
  • Portuguese
Court Admissions
  • U.S. District Court, Middle District of Florida
  • U.S. District Court, Southern District of Florida
  • U.S. District Court, District of Connecticut

Background

  • Litigation Associate, Axinn, Veltrop & Harkrider LLP, Hartford, CT (2015–2019)
  • Litigation Associate, Wofsey Rosen Kweskin & Kuriansky LLP, Stamford, CT (2013–2015)

Cookies

This site uses cookies to provide you with more responsive and personalized service. By using this site you agree to our Legal Disclaimer and Online Privacy and Cookie Policy

I Accept
©2011-2022 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. All Rights Reserved. Attorney Advertising.

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

Accept Cancel