Patricia M. Carreiro

Experience

Artificial Intelligence and Emergent Technologies

• Advised businesses of varying sizes regarding use of artificial intelligence, including analysis of risks, required policies and procedures, contract negotiations, and required disclosures and rights associated with the same.
• Counseled businesses across industries regarding use of various technologies and methods for increasing digital engagement.

Cybersecurity Class Action Litigation

• Advised one of the nation’s largest banks on possible causes of action, defenses, class action strategy, and litigation options following nationwide data breach.
• Advised large, publicly traded financial institution regarding multiple data breach class actions.
• Defended health care provider in class action breach litigation stemming from ransomware attack. 

Privacy Compliance

Financial Institutions

• Advised large life insurer and affiliated producer regarding privacy compliance throughout development of fully electronic automated underwriting application, including negotiating contractual agreements with third-party service providers, developing procedures for operationalizing and demonstrating privacy compliance, and drafting privacy policies, procedures, notices, and authorizations.
• Counseled various financial institutions, including insurers, producers, and mortgage servicers, regarding compliance with privacy laws such as the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA), the Telephone Consumer Protection Act of 1991 (TCPA), the CAN-SPAM Act of 2003, the Telemarketing Sales Rule, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act (HIPAA), and National Association of Insurance Commissioners (NAIC) model laws, as applicable.
• Advised multiple insurers regarding:
  • Notices and consents needed when seeking information about applicants/insureds from third parties, or seeking to share applicant/insured information with third parties for transactional or marketing purposes.
  • Privacy compliance regarding contacting applicants/insureds via varying means throughout the insurance application process.
  • Handling of consumer data subject requests to know, correct, delete, or limit sharing.
  • Cybersecurity obligations.
  • Responding to, and preparing for, examinations regarding cybersecurity and privacy practices.
• Counseled financial institutions regarding intersection of the GLBA and the CCPA.
• Advised large financial entities regarding contractual privacy provisions, privacy compliance, and cybersecurity insurance coverage.
• Drafted privacy policies, associated notices, and privacy request processing procedures for organizations across industries, from financial institutions to nonprofits to retailers, including drafting sample communications and scripts.

Telecommunications

• Counseled and managed large telecommunications carrier regarding customer proprietary network information (CPNI) breach response and associated reporting and notifications.
• Advised large telecommunications carrier on legal compliance and risk-reducing steps for numerous proposed uses and sharing of CPNI.

Health Care

• Drafted comprehensive HIPAA compliance program for HIPAA-covered entity, including drafting associated policies and procedures.
• Managed breach response for various HIPAA entities, including covered entities and business associates, throughout breach investigation, required reporting and notifications, and any associated litigation.
• Advised business associate regarding compliance with the CCPA, including drafting necessary privacy notices and establishing procedures for processing associated privacy requests.

Privacy and Cybersecurity Program Management

• Advised multiple Fortune 500 companies regarding adjustments needed to comply with new state privacy laws.
• Design and implement privacy program for large U.S.-based retailer.
• Create privacy policies and website terms of use.
• Draft and negotiate data processing agreements and contractual provisions for vendor management.
• Draft internal privacy and cybersecurity policies and procedures, including breach response, data retention/destruction, and others.
• Advise regarding privacy and cybersecurity risk management, including key contractual provisions and policy best practices.

Data Breach Response

• Represented companies in investigating and responding to phishing, ransomware, business email compromises, and wire diversion schemes.
• Executed data breach response for companies of all sizes, including managing forensic investigation, data mining, and required reporting to regulators, law enforcement, media, and consumers for breaches of CPNI, GDPR data, and other personal information. Representative entities include health care providers, retailers, telecommunications carriers, and businesses large and small.
• Represented health care providers throughout post-breach Office for Civil Rights and attorneys general investigations.

Recognition

• The Best Lawyers in America: Ones to Watch, Commercial Litigation, Health Care Law (2024)

Professional & Community Involvement

• Greater Miami Chamber of Commerce 
  • Technology and Innovation Committee
• Connecticut Bar Association
  • House of Delegates District 12 (Hartford) Representative (2018–2019)
  • Executive Committee, Women in the Law Section (2016–2019)
•  FAIR Institute
  • Cyber Insurance Workgroup (2018)
• International Association of Privacy Professionals
  • Women Leading Privacy
  • Co-Chair, South Florida KnowledgeNet Chapter
• United Way Women United

Speaking Engagements

• "Website Tech Fueling Privacy Litigation: How to Reduce Your Risk," Carlton Fields (April 17, 2023)
• "Cybersecurity Fraud Threats: Attacks Against Insurers, Contract Owners, and Retirement Account Holders," 2022 ALIC Regional Insurance Counsel Roundtable (October 25, 2022)
• "Financial Services Cyber Fraud: The Latest Risks and Best Responses," Carlton Fields (October 20, 2022)
• "The Latest Cyber Threats and Coverage Issues," Carlton Fields (June 28, 2022)
• "An Overview of Life Insurers’ Privacy and Cybersecurity Requirements," Carlton Fields (June 21, 2022)
• “Digital Marketing: Thriving, Surviving, or Dead on Arrival?,” International Association of Privacy Professionals (March 2022)
• “Data Breach Litigation,” Global Aesthetics Conference (November 2021)
• “HIPAA Breaches,” Miami Cosmetic Surgery & Aesthetic Dermatology Symposium (August 2021)
• "Decision-Making with FAIR - Quantification and the Rise of Class Action Lawsuits," 2020 FAIR Conference (October 2020)
• "Privacy Leaders Circle: Miami," Truyo (July 9, 2020)
• "Privacy Policy and Terms of Use Basics for Start Ups," Nova Southeastern University Shepard Broad College of Law (March 2020)
• "Evaluating Cyber Insurance Using the FAIR Doctrine," Legal Services Information Sharing and Analysis Organization (LS-ISAO) (May 2019)
• "Using FAIR to Optimize Your Cyber Insurance Coverage," 2018 FAIR Conference on Information Risk Management (October 2018)
• "Data Breach Litigation: Recent Trends and Developments," The Knowledge Group (June 2018)
• "Cyber & Law: It’s Really About the Money," Evolver (January 2018)
• "Which Insurance Would Cover a Breach-Related Injury?," Healthcare Info Security (October 2017)
• "Cyber Risk and Liability Insurance: What Is It and Why You Need It," The Knowledge Group (October 2017)
• "She Leads: Women in the Law," Quinnipiac University School of Law (November 2016)
• "Cybersecurity Litigation and the Role of Cyber Insurance," Connecticut Law Tribune (September 2015)

Credentials

Background

• Litigation Associate, Axinn, Veltrop & Harkrider LLP, Hartford, CT (2015–2019)
• Litigation Associate, Wofsey Rosen Kweskin & Kuriansky LLP, Stamford, CT (2013–2015)

Areas of Focus