The rapid proliferation of security threats, technology innovation, and privacy laws demand a legal team with deep and varied expertise. Our privacy and data security practice group members have more than 35 years combined experience practicing exclusively in this subject matter. We represent diverse clients from a variety of industries, such as finance and banking, retail, healthcare, pharmaceutical and life sciences, technology, insurance, manufacturing, academia, and non-profit, including emerging growth companies.
Our team’s multidisciplinary experience allows us to identify trends and challenges across industries. We pride ourselves on taking a strategic and practical approach to effectuating compliance requirements and helping clients manage risk. We address all aspects of privacy and data security law, with areas of focus including:
- Operationalizing New Legal Requirements: Significant legal developments in privacy and data security require our clients to develop and redevelop their compliance programs at a break-neck pace. Our combination of legal expertise and practical implementation experience allow us to climb into the trenches with them and develop any legal postures, policy documents, consumer preference vehicles, and terms or contract templates needed to support compliance obligations and manage risk. This work often requires us to meld multiple sources of requirements, such as the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), new state data security requirements (e.g., NYDFS, SC DOI), and evolving litigation risk including TCPA and state biometric laws.
- Emerging Privacy and Technology Issues: Our diverse client base helps us stay on the cutting edge of technology implementation and privacy issues. For example, merging Internet of Things data generation and complex algorithms for real-time decisioning, harnessing artificial intelligence to drive health care and consumer transactions, and levering biometrics for authentication and consumer engagement. Our work in multiple industries gives us unique expertise our clients can rely on when the law on these matters is not yet settled.
- Data Security Breach Response and Cyber Risk: Our team has handled more than 500 data security incidents, guiding our clients through the response process from start to finish—assisting with the investigation process, including forensic analysis of data security incidents; advising on notification obligations under state and federal law; arranging notification to affected individuals and regulators; setting up call centers and credit monitoring services; responding to inquiries from state and federal regulators; and assisting with post-breach remediation and updates to policies and procedures. We also regularly participate in clients’ incident response planning, including advising on cyber insurance coverages.
- GDPR and International: We help our clients develop a strategic approach to compliance with international privacy and data security law, including advising on the EU General Data Protection Regulation, Privacy Shield implementation, and EU-US data transfer requirements. We also assist clients with data protection contract terms, including developing templates, global privacy notices, internal processes such as data protection impact assessments, and data breach response plans.
- Vulnerability, Risk, and Compliance Assessments: Partnering with data security firms is often critical to achieving a strong posture on compliance and risk. We frequently engage consultant partners for our clients who seek data security compromise assessments or vulnerability assessments such as pen testing. We also engage consultants regularly for clients to pursue security risk analyses (evaluating the likelihood and impact of security threats) and compliance evaluations (such as HIPAA assessments). These engagements are distinguishable from breach response in that they are undertaken proactively to minimize the risk of a data breach, to satisfy client or insurance requirements, and/or to enhance compliance with privacy and data security legal requirements.
- Licensing and Data Monetization: We partner with our firm’s IP practice to ensure that licensing data including personal information is compliant and priced appropriately. We help our clients weigh the value of their data, including valuating de-identified information and applying appropriate controls to achieve de-identification that align with applicable law. New and emerging laws like GDPR and CCPA also mean that more complex and individualized consumer preferences need to be addressed within these arrangements, and we help clients assess whether they or their data partners are appropriately positioned to manage these obligations and risks.
- Healthcare, Pharmaceutical, and Life Sciences: We frequently counsel clients in these industries on HIPAA/HITECH privacy and security compliance; whether and when HIPAA applies; technology implementation such as EMRs, HIEs, and patient portals; data analytics and leveraging third-party data sources; and patient outreach initiatives such as text messaging. Our expertise across the privacy spectrum allows us to address not only primary regulatory matters, but also emerging compliance concerns arising from OCR, FTC and state AGs enforcement, litigation risks surrounding data breach and text messaging, and cyber security risks such as ransomware and phishing.
- Financial Services and Insurance: We assist financial services and insurance industry clients to address compliance with the Gramm-Leach Bliley Act and underlying Privacy and Safeguards Rules, the Fair Credit Reporting Act and underlying Red Flags Rule, Affiliate Marketing Rule and FTC Disposal Rule, as well as various state laws governing the use and disclosure of consumer financial information that may be more stringent than federal requirements, such as the laws of California and Vermont. We also advise on regulatory audits in these industries, which are increasingly focused on cybersecurity.
- Mobile and Online Privacy: A procession of requirements pose challenges for connected devices (“Internet of Things”), mobile applications, websites, social media, digital advertising models, and similar technology platforms that leverage personal information and user-generated content to drive business decisions, deliver services, and enhance user experience and engagement. These include consent requirements, location tracking limitations, online behavioral advertising guidelines, statutes compelling privacy representations, state laws limiting employer access to social media accounts, and specific regulatory regimes like COPPA and California’s Online Privacy Protection Act.
- Data Analytics: Virtually all clients, regardless of industry, want to harness the power of their data through analytics. Whether they are evaluating the productivity of their workforce, discovering new insights about customers, developing new products, or improving health outcomes, we assist with compliance issues like patient authorizations, employee consents, regulatory constraints, and contractual limitations that may impact their plans. Our strategic and practical approach to evaluating and advising on risk helps clients identify use cases with promise before they invest resources in business models that may be unsustainable or high-risk.
- Consumer Outreach and Marketing: We advise clients on compliance with the extensive privacy regulations applicable to outreach programs that involve contacting consumers and employees. Outreach may include text messaging, robocalls, push notifications, email, and online advertising. Relevant legal regimes include the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rules, state telephone outreach regulation, the CAN-SPAM Act, and the FTC Act.
- Technology Implementation and Complex Transactional Matters: Increasingly, business deals are driven by data and analytics. Understanding whether the data is actually usable in a legal sense, and whether the analytics model is compliant, can be a material issue in these transactions. We assist clients in evaluating emerging opportunity with analytics and artificial intelligence, seeking or responding to diligence requests, and negotiate appropriate representations and contractual terms. We also regularly deal with service provider engagements where a vendor will be entrusted with sensitive information and contractual protections become a key part of the transaction. Our work also includes assistance with the compliance aspects of complex technology implementation, such as cloud computing or EMR implementation, as a natural extension of the transactional work.
- Workplace Privacy: We frequently advise business on workplace privacy, including monitoring of employee communications, Internet and information systems use, and location. We also address HIPAA and GINA compliance for health plans, FCRA compliance in using consumer reports or background checks, and social media issues arising from state law, FTC guidance, and NLRB enforcement. Our team also has significant experience advising on implementation of bring-your-own-device (BYOD) policies and programs through mobile device management and similar solutions.