Privacy & Data Security

Advances in technology and electronic storage have changed today’s global business environment, and privacy and data security issues are everywhere, affecting individuals, businesses, and governments worldwide. Understanding increasingly complex privacy and data security laws and meeting those legal requirements must be top priorities for any organization. Should an organization be accused of violating those laws, expert legal advice is a must, especially where the accusation arises out of a data security breach suffered by the organization. Ranked as a leading “Privacy & Data Security” practice by Chambers Global 2016 and Chambers USA 2017, our team has also recently been listed in the top tier nationally in “Media, technology and telecoms: Cybercrime” by the Legal 500 US 2016 rankings and in January 2017, was named “Privacy Group of the Year” by Law360 for the fourth time in the past six years.  Our privacy and data security attorneys are litigators, transactional lawyers, health care attorneys and intellectual property practitioners who work together to provide a wide range of advice and counsel across the full array of privacy and data security matters, including:

  • Issues arising from data security breaches and any resulting theft, loss, or unauthorized use of confidential or personal information
  • Issues arising from alleged violations of the applicable privacy and data security requirements
  • Privacy and data security compliance, counseling, response, and prevention
  • Healthcare privacy/HIPAA compliance

Data Security Breaches

Our attorneys act quickly to analyze the risk and potential exposure and organize a comprehensive plan to address the multitude of issues arising from a data security breach and any related data theft or loss, or unauthorized use of confidential information. We work on multiple fronts simultaneously and develop a global strategy to handle:

  • Forensic investigation of the scope of, and reasons for the breach, and implementation of appropriate security enhancement programs
  • Civil litigation involving consumers, payment card companies, banks, employees, or shareholders
  • Law enforcement or state, federal, or international regulatory investigations and/or enforcement matters (including the Department of Justice, Securities & Exchange Commission, Federal Trade Commission (FTC), and state attorneys general)
  • Reporting, notification and disclosure issues under the state and federal breach notification statutes, federal securities laws, or other applicable regulations
  • Negotiations with payment card companies, financial institutions, or other entities making claims arising from the breach

Privacy and Data Security Violations

When an organization is accused of having violated applicable privacy and/or data security requirements, our attorneys already fully understand the contours of those requirements and already have the experience needed to master quickly the facts relevant to the particular matter at issue. Through that knowledge and experience, we develop and implement efficient and successful defenses against the claimed violation at hand, no matter what particular requirement is being invoked, and no matter who (whether a private litigant or a governmental authority) is invoking it. Our experience in defending against claimed violations of this sort includes:

  • Handling consumer and financial institution class actions, and claims by card brands and other parties asserting injury from the breach in question, alleging that our client failed to employ legally required measures to protect the data in question after theft.
  • Handling consumer class actions alleging that our client either unlawfully collected or unlawfully used consumer information.
  • Defending federal, state, and foreign regulatory investigations of whether our client unlawfully collected or used, or failed to employ legally required measures to protect against theft of, consumer information.

Privacy and Data Security Compliance & Counseling

Companies are faced with a growing litany of complex state and federal requirements governing privacy and data security with which they must comply or face the risk of government investigation or private litigation. Our attorneys are current on the ever-changing legal and regulatory landscape including the:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act
  • Children’s Online Privacy Protection Act (COPPA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Fair Credit Reporting Act (FCRA)
  • U.S.-E.U. Safe Harbor Program
  • A multitude of state privacy and data breach notification laws (currently enacted in 47 states)

We help clients create data protection compliance programs, revise existing data privacy processes, understand the contours of data protection and privacy requirements, and conduct privacy and data security assessments in an attorney-client privileged fashion.

In addition, our attorneys are skilled in:

  • Payment Card Company-Related Issues: We counsel clients on the Payment Card Industry Data Security Standards (PCI DSS) and negotiate agreements with acquiring banks that process a company’s payment card transactions.
  • Service Provider Relationships: We negotiate contracts with service providers who handle sensitive personal information.
  • Online and Electronic Marketing: We advise clients on information security and privacy issues related to online data collection and processing as well as online and electronic marketing.
  • COPPA: We help clients develop Children’s Online Privacy Protection Act (COPPA) compliant policies and procedures.
  • Mergers & Acquisitions: We conduct due diligence investigations at merger or acquisition targets for our clients and advise on the associated risks.
  • Gramm-Leach-Bliley Act Counseling: We advise clients on compliance with the regulations adopted under the Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), as well as state-specific regulations.
  • “Red Flag” Rules: We advise our clients on recently adopted FTC regulations, commonly known as “red flag rules,” that require certain financial institutions to adopt identity theft prevention programs.
  • Affiliate Marketing Rules: We counsel clients on their compliance obligations with regard to the sharing of non-public personal information among affiliated entities (including between parent and subsidiary companies, joint ventures, or private investment, mutual, or private equity funds).

Health Care Privacy/HIPAA Compliance

Our attorneys have extensive experience advising health care clients on the impact of the regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA). We have completed numerous HIPAA educational engagements and continue to advise a wide variety of clients, including academic medical centers, community hospitals, nursing facilities, clinics, pharmaceutical companies and biotech companies. Our advice encompasses the effect the HIPAA privacy and security regulations have on their operations, as well as on the development and implementation of comprehensive HIPAA compliance and notification strategies.

Health Information Technology Systems

In recent years, federal and state governments have actively promoted the development and implementation of interoperable health information technology (HIT) and electronic health records (EHR) systems in the public and private sectors. The key objective is to centralize patient health information to promote higher quality and more efficient health care. Complying with a comprehensive set of privacy and security regulations is essential.

We work closely with hospital systems, providers, physician groups, quasi-state agencies, and information technology vendors to successfully license, design, implement (including compliance with the Stark Law and other regulatory requirements), and operate secure and effective HIT systems. And we counsel clients on how to manage state disclosure and federal accounting requirements in the event of unauthorized system access.