Ropes & Gray LLP











Privacy and Data Security Counseling


Today’s global businesses collect, process, store, and share a wide range of data in constantly evolving environments. These records can contain vast amounts of sensitive and personal information, the loss or misuse of which creates significant business and legal risks. How these data are stored and used can implicate data privacy, information security, trade secret, and intellectual property concerns, governed by a competing array of legal and practical principles. For businesses worldwide, understanding increasingly complex privacy laws, improving data security practices, and meeting heightened consumer expectations regarding data protection are top priorities.

Ranked by Chambers USA 2011 as a leading “Privacy & Data Security” firm, our Privacy and Data Security team includes counselors, corporate lawyers, and litigators who work together to help clients navigate these laws and expectations. Having led client responses to some of the most publicized data security breaches, Ropes & Gray is uniquely positioned to assist clients in recognizing the importance of good data practices, including:

  • Data privacy and security laws, regulations, and best practices, including counseling, response, and prevention.
  • Issues arising from the theft, loss, or unauthorized use of confidential or personal information.
  • Design and implementation of privacy and data security programs incorporating “privacy by design” principles.

Data Privacy Compliance & Counseling

The litany of complex data handling requirements with which global businesses must comply, or else face the risk of government investigation or private litigation, continues to grow. No uniform approach exists in the US. Rather, companies face a complex set of state and federal requirements. The EU data protection scheme at first seems uniform, until one considers that approaches under it differ by nation and that the entire scheme itself is evolving. Our attorneys stay current on the ever-changing legal and regulatory landscape, including:

  • Enforcement actions by the Federal Trade Commission, state attorneys general and other regulatory bodies
  • U.S.-E.U. Safe Harbor Program
  • Gramm-Leach-Bliley Act
  • Children’s Online Privacy Protection Act (COPPA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Fair Credit Reporting Act (FCRA)
  • A multitude of state privacy and data breach notification laws (currently enacted in 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands)

Leveraging the insight we have gained in resolving extensive data breach situations, we help clients create data privacy and security compliance programs, revise existing data privacy processes, and counsel on the contours of data protection and privacy requirements. In addition, our attorneys are skilled in:

  • Digital Media and Electronic Marketing: We advise clients on information security and privacy issues related to data collection and processing through digital and mobile media, including online and electronic marketing.
  • COPPA: We help clients develop Children’s Online Privacy Protection Act (COPPA) compliant policies and procedures.
  • Contractual Relationships: We negotiate contracts with service providers who handle sensitive personal information.
  • Payment Card Company-Related Issues: We counsel clients on the Payment Card Industry Data Security Standard (PCI DSS) and negotiate agreements with acquiring banks that process a company’s payment card transactions.
  • Gramm-Leach-Bliley Act Counseling: We advise clients on compliance with the regulations adopted under the Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), as well as state-specific regulations.
  • Affiliate Marketing Rules: We counsel clients with regard to the sharing of non-public personal information among affiliated entities (including between parent and subsidiary companies, joint ventures, or private investment, mutual, or private equity funds).

Data Breaches & Intrusions

Data breaches and intrusions happen. When they do, Ropes & Gray’s Data Privacy and Security attorneys act quickly to analyze the risk and potential exposure and organize a comprehensive plan for clients to address the multitude of issues arising from data theft, loss, or unauthorized use of confidential information. We work on multiple fronts simultaneously and develop a global strategy to handle:

  • Immediate mobilization to guide the company through the critical first hours and days of a data breach incident.
  • Public relations and reporting, notification, and disclosure issues under applicable privacy statutes, securities laws, or other regulations.
  • Civil litigation involving consumers, card companies, banks, employees, and shareholders.
  • Law enforcement or state, federal, or international regulatory investigations and/or enforcement matters (including the Department of Justice, Securities & Exchange Commission, Federal Trade Commission, and state attorneys general).
  • Negotiations with payment card companies or financial institutions.
  • Implementation of data privacy protection programs.

Experience

The kind of work that led Ropes & Gray’s Data Privacy and Security team to be recognized by Chambers includes:

  • Representing various Sony entities as their global coordinating counsel with respect to the multiple litigations and government investigations that have arisen from the recent criminal cyber-attacks on certain of Sony’s computer networks.
  • Counseling The TJX Companies, Inc. on multiple fronts in connection with an unauthorized computer network intrusion(s). The intrusion(s) affected this leading national retailer’s store chains in the United States, Puerto Rico, and Canada, and raised certain issues related to the company’s U.K. and Ireland store chains. It spawned multiple actions and investigations by shareholders, customers, banks, payment card companies, and federal and state regulators, and received considerable attention in the press. These actions and investigations are now resolved – on favorable terms for TJX – with notable victories before the U.S. Court of Appeals for the First Circuit, where the Court ruled largely in favor of TJX in the class action litigation brought by various financial institutions.
  • Representing credit card processor Heartland Payment Systems, Inc. in multiple consumer class action and government inquiries resulting from a security breach of its computer system involving the use of malicious software, which recently settled on favorable terms, as well as financial institution class action cases that have been centralized in an MDL proceeding in the U.S. District Court for the Southern District of Texas.
  • Counseling a leading China-based internet company on proposed data sharing and web-based advertising arrangements with a US-headquartered multinational.
  • Providing risk management advice for a large software company regarding its handling of payment card data on behalf of its customers.
  • Advising leading life sciences companies on data security, PCI compliance issues, and documentation and implementation of data privacy procedures.
  • Leading data privacy and security assessments of corporate-wide data policies and programs.
  • Regularly reviewing clients’ proposed products, services, and programs to advise companies on related data collection, notice, and consent issues.
  • Counseling an insurance company on the implications of employee misuse of personal data.
  • Counseling public companies and private equity clients on PCI and data security matters related to potential investments and/or acquisitions.
  • Advising public and private companies on legal and contractual obligations related to their handling of payment card data and other sensitive personal information.
  • Counseling a global consulting company on the ramifications of a potential data loss and its notification and statutory reporting obligation.

Representative Clients

Clients our Data Privacy and Security team serves include:

  • AFLAC
  • Aldo Group, Inc.
  • Blackstone Group, L.P.
  • ConnectEDU, Inc.
  • Genesco, Inc.
  • Hannaford Bros. Co.
  • Heartland Payment Systems, Inc.
  • Litle & Co., LLC
  • Liberty Dialysis, Inc.
  • Partners Healthcare System, Inc.
  • Pfizer
  • Sony Computer Entertainment America, LLC
  • The TJX Cos.
  • WellCare Health Plans, Inc.
  • Wyndham Hotels and Resorts, LLC

©1996-2012 Ropes & Gray LLP. All rights reserved.