The rapid proliferation of security threats, technology innovation, and privacy laws demand a legal team with deep and varied expertise. Our privacy and data security practice group members have more than 20 years combined experience practicing exclusively in this subject matter. We represent diverse clients from a variety of industries, such as finance and banking, healthcare, pharmaceutical and life sciences, technology, insurance, academia, and non-profit, including emerging growth companies.
Our team’s multidisciplinary experience allows us to identify trends and challenges across industries. We pride ourselves on taking a strategic and practical approach to effectuating compliance requirements and helping clients manage risk. We address all aspects of privacy and data security law, with areas of focus including:
- Data Security Breach Response and Cyber Risk: Our team has handled more than 300 data security incidents, guiding our clients through the response process from start to finish—assisting with the investigation process, including forensic analysis of data security incidents; advising on notification obligations under state and federal law; arranging notification to affected individuals and regulators; setting up call centers and credit monitoring services; responding to inquiries from state and federal regulators; and assisting with post-breach remediation and updates to policies and procedures. We also regularly participate in clients’ incident response planning, including advising on cyber insurance coverages.
- Vulnerability, Risk, and Compliance Assessments: Partnering with data security firms is often critical to achieving a strong posture on compliance and risk. We frequently engage consultant partners for our clients who seek data security compromise assessments or vulnerability assessments such as pen testing. We also engage consultants regularly for clients to pursue security risk analyses (evaluating the likelihood and impact of security threats) and compliance evaluations (such as HIPAA assessments). These engagements are distinguishable from breach response in that they are undertaken proactively to minimize the risk of a data breach, to satisfy client or insurance requirements, and/or to enhance compliance with privacy and data security legal requirements.
- Healthcare, Pharmaceutical, and Life Sciences: We frequently counsel clients in these industries on HIPAA/HITECH privacy and security compliance; whether and when HIPAA applies; technology implementation such as EMRs, HIEs, and patient portals; data analytics and leveraging third-party data sources; and patient outreach initiatives such as text messaging. Our expertise across the privacy spectrum allows us to address not only primary regulatory matters, but also emerging compliance concerns arising from FTC and state AGs enforcement, litigation risks surrounding data breach and text messaging, and cyber security risks such as ransomware and phishing.
- Financial Services and Insurance: We assist financial services and insurance industry clients to address compliance with the Gramm-Leach Bliley Act and underlying Privacy and Safeguards Rules, the Fair Credit Reporting Act and underlying Red Flags Rule, Affiliate Marketing Rule and FTC Disposal Rule, as well as various state laws governing the use and disclosure of consumer financial information that may be more stringent than federal requirements, such as the laws of California and Vermont. We also advise on regulatory audits in these industries, which are increasingly focused on cybersecurity.
- Mobile and Online Privacy: A procession of requirements pose challenges for mobile applications, websites, social media, digital advertising models, and similar technology platforms that leverage personal information and user-generated content to deliver services and enhance user experience. These include location tracking limitations, online behavioral advertising guidelines, statutes compelling privacy representations, state laws limiting employer access to social media accounts, and specific regulatory regimes like COPPA and California’s Online Privacy Protection Act.
- Data Analytics: Virtually all clients, regardless of industry, want to harness the power of their data through analytics. Whether they are evaluating the productivity of their workforce, discovering new insights about customers, developing new products, or improving health outcomes, we assist with compliance issues like patient authorizations, employee consents, regulatory constraints, and contractual limitations that may impact their plans. Our strategic and practical approach to evaluating and advising on risk helps clients identify use cases with promise before they invest resources in business models that may be unsustainable or high-risk.
- Consumer Outreach and Marketing: We advise clients on compliance with the extensive privacy regulations applicable to outreach programs that involve contacting consumers and employees. Outreach may include text messaging, robocalls, push notifications, email, and online advertising. Relevant legal regimes include the Telephone Consumer Protection Act, the Telemarketing Sales Rules, state telephone outreach regulation, the CAN-SPAM Act, and the FTC Act.
- Technology Implementation and Complex Transactional Matters: Increasingly, business deals are driven by data and analytics. Understanding whether the data is actually usable in a legal sense, and whether the analytics model is compliant, can be a material issue in these transactions. We assist clients in seeking or responding to diligence requests, and negotiate appropriate representations and contractual terms. We also regularly deal with service provider engagements where a vendor will be entrusted with sensitive information and contractual protections become a key part of the transaction. Our work also includes assistance with the compliance aspects of complex technology implementation, such as cloud computing or EMR implementation, as a natural extension of the transactional work.
- Workplace Privacy: We frequently advise business on workplace privacy, including monitoring of employee communications, Internet and information systems use, and location. We also address HIPAA and GINA compliance for health plans, FCRA compliance in using consumer reports or background checks, and social media issues arising from state law, FTC guidance, and NLRB enforcement. Our team also has significant experience advising on implementation of bring-your-own-device (BYOD) policies and programs through mobile device management and similar solutions.
- International Data Transfer: We help our clients develop a strategic approach to compliance with international privacy and data security law, including advising on the European Data Protection Directive and EU-US data transfer requirements.