Privacy and Data Security
Advances in technology and electronic storage have changed today’s global business environment, and data privacy issues are everywhere, affecting individuals, businesses, and governments worldwide. Improving data security practices, understanding increasingly complex privacy laws and meeting data protection requirements must be top priorities. Our Privacy and Data Security attorneys are litigators, transactional lawyers, health care experts and intellectual property attorneys who work together to provide a wide range of privacy advice and counseling across a broad range of subject matters and industries for our clients. They are leaders in helping clients manage data privacy and protection risks, and in responding quickly to data breach situations and the resulting litigation, government investigations, and transaction-related problems that may arise when data is compromised.
Ropes & Gray's Privacy and Data Security attorneys are experienced in a wide range of areas, including technology, health care, antitrust, intellectual property, mergers & acquisitions, and consumer protection, giving us the skills to cover the full array of data privacy, protection and security matters, including:
- Issues arising from the theft, loss, or unauthorized use of confidential or personal information
- Data privacy and security compliance and counseling
- Issues related to compliance with HIPAA and the data breach notification requirements under the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act")
Data Breaches & Intrusions
Theft, Loss, or Unauthorized Use of Confidential Information
Unauthorized or unintentional data security breaches occur frequently and under widely varying circumstances. They are concerning because they create a risk that proprietary business and personal information can be misused for identity theft, payment card fraud, or other improper purposes. Our attorneys act quickly to analyze the risk and potential exposure and organize a comprehensive plan to address the multitude of issues arising from a data breach or other loss of confidential information. Our Privacy and Data Security attorneys are skilled at working on multiple fronts simultaneously and developing a global strategy to help contain the problems stemming from a data breach or other loss of confidential information, including:
- Civil litigation involving consumers, payment card companies, banks, employees or shareholders
- Law enforcement or state, federal, or international regulatory investigations and/or enforcement matters (including the Department of Justice, Securities & Exchange Commission, Federal Trade Commission and state attorneys general)
- Reporting, notification, and disclosure issues under the state and federal privacy statutes, federal securities laws, or other applicable regulations
- Negotiations with payment card companies or financial institutions
- Implementation of data privacy protection programs
Data Privacy Compliance & Counseling
As the number of state and federal laws aimed at the protection of data continues to grow, companies are faced with an ever-growing litany of requirements regarding the protection and privacy of data with which they must comply or face the risk of government investigation or private litigation. In this environment, a prudent company must understand the increasingly complex and growing area of privacy law and data protection requirements and ensure that it has and follows appropriate data security practices. Our attorneys are current on the ever-changing legal and regulatory landscape, including the:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley (GLB) Act
- Children's Online Privacy Protection Act (COPPA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Fair Credit Reporting Act (FCRA)
- U.S.-E.U. Safe Harbor Program
- A multitude of state privacy and data breach notification laws (currently enacted in 44 states)
- The federal data breach notification provisions under the HITECH Act
We work with our clients to create data protection compliance programs, revise existing data privacy processes, and counsel on the contours of data protection and privacy requirements. In addition, our attorneys are skilled in the following areas:
Payment Card Company-Related Issues: We regularly deal with issues relating to payment card company relationships, including counseling clients on the Payment Card Industry Data Security Standards (PCI DSS) and assisting in the negotiation of agreements with acquiring banks that process a company's payment card transactions.
Service Provider Relationships: We counsel clients in connection with the negotiation of contracts with service providers who handle sensitive personal information.
Online and Electronic Marketing: We advise clients with respect to information security and privacy issues related to online data collection and processing as well as online and electronic marketing.
COPPA: We assist clients in developing Children's Online Privacy Protection Act (COPPA) compliant policies and procedures.
Mergers & Acquisitions: We regularly conduct due diligence investigations of data security and privacy issues at merger or acquisition targets for our clients and advise on the associated risks.
Gramm-Leach-Bliley Act Counseling: We regularly advise clients regarding compliance with the regulations adopted under the Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), as well as state-specific regulations.
"Red Flag" Rules: We advise our clients on the recently adopted FTC regulations, commonly known as the "red flag rules," that require certain financial institutions to adopt identity theft prevention programs.
Affiliate Marketing Rules: We counsel clients on their compliance obligations with regard to the sharing of non-public personal information among affiliated entities (including between parent and subsidiary companies, joint ventures, or private investment, mutual or private equity funds).
Healthcare Privacy/HIPAA/HITECH Act Compliance
Our Privacy and Data Security attorneys are also skilled at working with clients regarding the privacy and security of health care information. Our attorneys have extensive experience advising health care clients on the impact of the regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA). We have general HIPAA privacy experience in advising clients on the permitted uses and disclosure of protected patient information, billing and payment issues, transaction-related issues and the development of privacy and security policies, agreements such as professional service and clinical trial agreements, and authorization forms. In addition, our attorneys have developed broad experience in ensuring comprehensive compliance with HIPAA security requirements to ensure the confidentiality, integrity and availability of electronic protected health information. We counsel clients on the complex issues that may require changes to critical methods of doing business to comply with HIPAA, including working with a number of clients to prevent data disclosure breaches and counseling clients on how to appropriately respond to such data disclosure breaches in the event they occur, with the attendant expedited investigation, mitigation and notification requirements governed by HIPAA, the HITECH Act and a patchwork of state laws. We have completed numerous HIPAA educational engagements and continue to advise a wide variety of clients, including academic medical centers, community hospitals, nursing facilities, clinics, pharmaceutical companies and biotech companies, on the effect the HIPAA privacy and security regulations have on their operations, and on the development and implementation of HIPAA compliance strategies.
Health Information Technology Systems
In recent years, federal and state governments have actively promoted the development and implementation of interoperable health information technology (HIT) and electronic health records (EHR) systems in the public and private sectors. A key objective of such initiatives is to centralize patient health information to promote higher quality and more efficient health care. Because of the unique and highly sensitive nature of individual patient health information, federal and state regulators have mandated that the creation and operation of such HIT systems be in compliance with a comprehensive set of privacy and security regulations.
Ropes & Gray attorneys in the corporate health care department have worked closely with hospital systems, providers, physician groups, quasi-state agencies and information technology vendors to successfully license, design, implement (including compliance with the Stark Law and other regulatory requirements) and operate such HIT systems that securely and effectively integrate patient health information into a centralized electronic network. Ropes & Gray attorneys also have counseled clients in how to manage state disclosure and federal accounting requirements in connection with the unauthorized access of patient information from such systems.
©1996-2012 Ropes & Gray LLP. All rights reserved.