In today’s global and digital business environment, advances in technology have greatly increased the value of data as an asset, and regulation of data has increased its risk as a liability affecting individuals, businesses and governments worldwide. Ropes & Gray’s Data Practice helps clients manage the full array of issues and matters that arise from the collection, use, storage, commoditization, disclosure, transfer and disposal of data, including:
- Privacy and cybersecurity compliance and counseling, including advice on the key components of relevant laws and regulations, developing tailored compliance plans, and preparing for and responding to cyber incidents.
- Corporate and transactional support, including privacy and cybersecurity-related diligence for mergers and acquisitions and advice related to the buying, selling and licensing of data, as well as complex collaborations to develop or exploit data.
- Regulatory investigations and litigation arising from cyberincidents and any resulting theft, loss or unauthorized use of confidential or personal information, as well as alleged violations of applicable data privacy requirements.
Compliance and Counseling
Our attorneys help clients properly comply with the law and minimize privacy and cybersecurity risks. By undertaking comprehensive privacy and security risk assessments, building global compliance programs, and providing ongoing counseling and advice, we help clients understand and meet their legal obligations and position themselves to avoid attacks on their systems. Our attorneys also provide advice to clients on how to prepare for a cyber incident and assist clients in responding after an incident has occurred. Our goal is to help clients manage information and leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, and solidify brand and consumer trust.
Corporate and Transactional
Our attorneys help clients identify privacy and cybersecurity risks that may be underlying a potential deal, performing privacy- and cybersecurity-specific due diligence to assess and address risk in the context of private equity deals, mergers and acquisitions, and other corporate transactions. They also provide support for securities offerings and issuances, review and negotiate contracts concerning data and vendor relationships, review investment disclosures, and analyze risks inherent in the investment in and use of alternative data.
Litigation and Enforcement
Even when companies prepare well and respond properly to an incident, claims of privacy violations and/or cybersecurity failures often follow. If an incident does occur, our litigation and enforcement attorneys advise on the myriad legal issues that arise, representing clients in all manner of federal, state and international regulatory and civil claims. Our team handles the class-action litigation, regulatory investigations, and related disputes and lawsuits that frequently result from these situations or accusations, drawing on our extensive knowledge and experience to master the relevant facts quickly for asserting or defending the company’s interests on all of these fronts.
Ropes & Gray has been retained by clients in many of the most complex and groundbreaking privacy and cybersecurity cases.
- Managed a global team of privacy and security experts providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, the Middle East, Africa and Asia
- Performed a privacy, security and digital risk assessment for a consumer products company with operations in more than 100 countries
- Developed a comprehensive suite of policies mapped to the National Institute of Standards and Technology cybersecurity framework with HIPAA Security Rule requirements layered in for a health industry client
- Overhauled vendor onboarding processes and diligence of cybersecurity practices for a multinational asset management client, reporting regularly to the board committee overseeing the project
- Conducted a comprehensive, global cybersecurity risk assessment a multinational analytical science and instrument development company
- Advised on the privacy and cybersecurity aspects of home automation systems, wearable devices and geolocation tracking components, including privileged security assessments (testing of both hardware and software), security vulnerability remediation, and the implications of the EU’s General Data Protection Regulation, among other areas
Regulatory Enforcement & Litigation
- Representing LabMD in its petition to the U.S. Court of Appeals for review of the first FTC decision holding a company liable for allegedly having unreasonable data security practices that violate Section 5 of the FTC Act
- Serving as lead counsel for Arby’s Restaurant Group in defending against all third-party claims arising from a payment card incident announced in February 2017
- Advised The Home Depot in responding to card brand inquiries stemming from the cyberincident that Home Depot announced in September 2014
- Served as lead outside counsel for Supervalu Inc. in defending and responding to all litigation claims and regulatory inquiries stemming from the cyberincident that Supervalu announced in August 2014
- Represented Target as lead outside counsel in responding to card brand inquiries and defending card issuer litigation stemming from the cyberincident that Target announced in December 2013
- Represented Heartland Payment Systems in obtaining dismissal of all class-action claims, and closure of all regulatory investigations, stemming from one of the largest computer cyberincidents ever
- Advised Wyndham Hotels and Resorts with regard to card brand claims and regulatory investigations stemming from cyberincidents involving a number of the independently owned Wyndham-branded hotels
- Represented TJX in favorably resolving the class-action litigation, card brand claims and regulatory investigations stemming from what was then the largest cyberincident ever
- Represented Genesco in the first lawsuit against Visa to challenge the lawfulness of cyberincident penalties imposed by Visa
- Regularly advise both small and large financial institutions, health care institutions, and other companies that have experienced security breaches and other security events involving personal data
- Developed a comprehensive incident response plan for large insurance and financial industry clients, addressing coordinated response and crisis management across the organization
- Managed privileged cybersecurity assessments for a complex financial industry client and conducted a successful red team exercise
- Provide ongoing cybersecurity advice to one of the world’s leading franchisors, with more than 19,000 locations around the globe
A successful legal cybersecurity representation often depends on the support of cybersecurity experts that can put highly technical facts and forensic data into a form that we as lawyers can use in advising our clients, whether such representation involves:
- advising clients regarding their cyber-risk profile and their cybersecurity posture so as to help them meet applicable cybersecurity standards;
- assisting clients in developing or enhancing effective cyber-incident response capabilities;
- helping clients, when a cyber-incident occurs, to investigate, understand, and contain the incident so as to meet their legal obligations as to notification, evidence preservation, and security enhancement; and/or
- developing defense strategies in the event that a cyber-incident results in litigation or a regulatory investigation.
Ropes & Gray attorneys regularly leverage the skills of such experts to best serve our clients and have significant experience in structuring and overseeing such engagements in ways that have defeated challenges to the privileged nature of such experts’ work. Our long-term relationships with certain such experts have matured into formal partnerships that enable us to collaborate quickly and seamlessly with them to meet our clients’ cybersecurity needs and to have a full team ready to hit the ground running if those needs involve responding to a major cyber-incident. While we have worked and do work with all the major cybersecurity firms, our key partners in this space include:
Mandiant, a FireEye company, is a leader in assisting in the response to critical breaches worldwide and identifying ways that companies can proactively protect against cyber security threats. Since 2004, Mandiant has been dealing with advanced threat actors globally. Our partnership with law firms such as Ropes & Gray, which are focused on responding to incidents and providing pre-incident preparedness and compliance counseling services, are critical for organizations that need assistance to develop comprehensive and highly effective incident response plans. Mandiant provides expertise on the evolving threat landscape, arming Ropes & Gray with the information needed to advise its clients on cyber risk.
Kroll works on more than 400 cyber incidents every year, with engagements involving over 70% of the Fortune 100. Our experts handle some of the most complex and highest profile matters in the world, delivering timely and seamless services for information security needs that range from proactive threat assessments, data security, and intrusion prevention to cyber investigations, incident response, and breach notification.
The Crypsis Group works to create a more secure digital world by providing the highest quality cyber security incident response, risk management, and digital forensics services. Combining our deep security knowledge, digital forensics expertise, and experience as expert witnesses for criminal and civil matters, Crypsis consultants assist counsel in proactively identifying and mitigating enterprise risk and responding to sophisticated network intrusions with solutions and support at every stage. We have responded to and conducted investigations of complex data breach incidents of global organizations, including attacks by nation-state actors, insiders, and cyber criminals looking to steal confidential, sensitive, or proprietary data.
The Crypsis Group also offers a unique Ransomware Recovery Service when organizations experience a ransomware attack. Assuming payment is the only option, Crypsis will engage the attacker, obtain confirmation that the attacker can actually decrypt your files, make a cryptocurrency payment from one of its wallets, attempt to negotiate a lower ransom payment, analyze/reverse the attacker provided decryption utility and ultimately help with the decryption process.
Ropes & Gray has been pre-approved to act as incident response and third-party claims counsel for insureds under cyber insurance policies issued by AXA XL. As part of that partnership, Ropes & Gray and AXA XL have agreed to pre-approved rates available to AXA XL insureds.
Ropes & Gray’s partnerships with Mandiant, Kroll, Crypsis and AXA XL enable us to leverage their broad, and deep, cybersecurity expertise as we advise clients on all aspects of cybersecurity, from assessments designed to evaluate compliance with applicable cybersecurity standards to cyber-incident preparedness and response to defending against cybersecurity enforcement or litigation proceedings brought by regulators or private litigants. The service offerings we provide for projects involving one of these firms, such as cybersecurity compliance assessments or tabletop exercises designed to enhance clients’ incident response capabilities, often are available at a single fixed fee that covers both our services and those of the expert assisting us. And all such service offerings can be and are structured by us so as to afford maximum protection for the privileged nature of our and the expert’s work.
- Financial services / asset management
- Bain Capital
- The Carlyle Group
- TPG Capital
- Health care
- Heartland Dental
- Aurora Health Care Inc
- Life sciences
- Banks and investment banks
- Santander Bank
- Colleges & universities
- Wake Forest