The rapid proliferation of security threats, technology innovation, and privacy laws demands a legal team with deep and varied expertise. Our Privacy & Data Security practice group represents diverse clients from a variety of industries, such as finance and banking, media, retail, healthcare, pharmaceutical and life sciences, technology, insurance, manufacturing, academia, and nonprofits, including emerging companies. The team regularly publishes insights on key developments in the field on our blog, Practical Privacy.
Our team’s multidisciplinary experience allows us to identify trends and challenges across industries. We pride ourselves on taking a strategic and practical approach to addressing compliance requirements and helping clients manage risk. We address all aspects of privacy and data security law, with areas of focus including:
- Operationalizing New Legal Requirements: Significant legal developments in privacy and data security require our clients to develop and redevelop their compliance programs at a break-neck pace. Our combination of legal expertise and practical implementation experience allows us to climb into the trenches with them and develop any legal postures, policy documents, consumer preference vehicles, and terms or contract templates needed to support compliance obligations and manage risk. This work often requires us to meld multiple sources of requirements, including comprehensive state privacy laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA); international privacy laws and regulations such as the European Union’s General Data Protection Regulation (GDPR); sector-specific state data security requirements (e.g., NYDFS, SC DOI); and evolving litigation risk under the Telephone Consumer Protection Act (TCPA) and state biometric privacy laws.
- Emerging Privacy and Technology Issues: Our diverse client base helps us stay on the cutting edge of technology implementation and privacy issues. For example, merging Internet of Things data generation and complex algorithms for real-time decisioning, harnessing artificial intelligence to drive healthcare and consumer transactions, and leveraging biometrics for authentication and consumer engagement. Our work in multiple industries gives us unique expertise our clients can rely on when the law on these matters is not yet settled.
- Data Security Breach Response and Cyber Risk: Our team has handled hundreds of data security incidents, guiding our clients through the response process from start to finish—assisting with the investigation process, including forensic analysis of data security incidents; advising on notification obligations under state and federal law; arranging notification to affected individuals and regulators; setting up call centers and credit monitoring services; responding to inquiries from state and federal regulators; and assisting with post-breach remediation and updates to policies and procedures. We also regularly participate in clients’ incident response planning, including advising on cyber insurance coverages.
- GDPR and International: We help our clients develop a strategic approach to compliance with international privacy and data security laws, including advising on the GDPR. In particular, we help multinational clients implement solutions to comply with the cross-border data transfer restrictions imposed by the GDPR and the Court of Justice of the European Union’s landmark decision in Schrems II, including by implementing transfer tools such as the Standard Contractual Clauses and assisting with corresponding transfer impact assessments. We also advise on the design and implementation of compliance programs to address other organizational obligations under the GDPR, the EU-US Privacy Shield Framework, and other international data protection rules by developing data protection contract templates and privacy notices and designing and implementing internal processes and procedures, such as for data subject request fulfillment, data protection impact assessments, and data breach response.
- Vulnerability, Risk, and Compliance Assessments: Partnering with data security firms is often critical to achieving a strong posture on compliance and risk. We frequently engage consultant partners for our clients who seek data security compromise assessments or vulnerability assessments such as pen testing. We also engage consultants regularly for clients to pursue security risk analyses (evaluating the likelihood and impact of security threats) and compliance evaluations (such as HIPAA assessments). These engagements are distinguishable from breach response in that they are undertaken proactively to minimize the risk of a data breach, to satisfy client or insurance requirements, and to enhance compliance with privacy and data security legal requirements.
- Licensing and Data Monetization: We partner with our firm’s IP practice to ensure that licensing data that includes personal information is compliant and priced appropriately. We help our clients weigh the value of their data, including valuating de-identified information and applying appropriate controls to achieve de-identification in a manner that aligns with applicable law. New and emerging laws like GDPR and CCPA also mean that more complex and individualized consumer preferences need to be addressed within these arrangements, and we help clients assess whether they or their data partners are appropriately positioned to manage these obligations and risks.
- Healthcare, Pharmaceutical, and Life Sciences: We frequently counsel clients in these industries on HIPAA/HITECH privacy and security compliance; whether and when HIPAA applies; technology implementation such as EMRs, HIEs, and patient portals; data analytics and leveraging third-party data sources; and patient outreach initiatives such as text messaging. Our expertise across the privacy spectrum allows us to address not only primary regulatory matters, but also emerging compliance concerns arising from OCR, FTC, and state AG enforcement, litigation risks surrounding data breach and text messaging, and cyber security risks such as ransomware and phishing.
- Financial Services and Insurance: We assist financial services and insurance industry clients to address compliance with the Gramm-Leach Bliley Act and underlying Privacy and Safeguards Rules, the Fair Credit Reporting Act and underlying Red Flags Rule, Affiliate Marketing Rule and FTC Disposal Rule, as well as various state laws governing the use and disclosure of consumer financial information that may be more stringent than federal requirements, such as the laws of California and Vermont. We also advise on regulatory audits in these industries, which are increasingly focused on cybersecurity.
- Mobile and Online Privacy: A procession of requirements pose challenges for connected devices (“Internet of Things”), mobile applications, websites, social media, digital advertising models, and similar technology platforms that leverage personal information and user-generated content to drive business decisions, deliver services, and enhance user experience and engagement. These include consent requirements, location tracking limitations, online behavioral advertising guidelines, statutes compelling privacy representations, state laws limiting employer access to social media accounts, and specific regulatory regimes like COPPA and California’s Online Privacy Protection Act.
- Data Analytics: Virtually all clients, regardless of industry, want to harness the power of their data through analytics. Whether they are evaluating the productivity of their workforce, discovering new insights about customers, developing new products, or improving health outcomes, we assist with compliance issues like patient authorizations, employee consents, regulatory constraints, and contractual limitations that may impact their plans. Our strategic and practical approach to evaluating and advising on risk helps clients identify use cases with promise before they invest resources in business models that may be unsustainable or high-risk.
- Consumer Outreach and Marketing: We advise clients on compliance with the extensive privacy regulations applicable to outreach programs that involve contacting consumers and employees. Outreach may include text messaging, robocalls, push notifications, email, and online advertising. Relevant legal regimes include the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rules, state telephone outreach regulation, the CAN-SPAM Act, and the FTC Act.
- Technology Implementation and Complex Transactional Matters: Increasingly, business deals are driven by data and analytics. Understanding whether the data can legally be used for the purpose intended, and whether the analytics model is compliant, can be material issues in these transactions. We help clients evaluate emerging opportunities with analytics and artificial intelligence, seeking or responding to diligence requests, and negotiating appropriate representations and contractual terms. We also regularly deal with service provider engagements where a vendor will be entrusted with sensitive information and contractual protections become a key part of the transaction. Our work also includes assistance with the compliance aspects of complex technology implementation, such as cloud computing or EMR implementation, as a natural extension of the transactional work.
- Workplace Privacy: We often advise businesses on workplace privacy, including monitoring of employee communications, Internet and information systems use, and location tracking. We also address HIPAA and GINA compliance for health plans, FCRA compliance in using consumer reports or background checks, and social media issues arising from state law, FTC guidance, and NLRB enforcement. Our team also has significant experience advising on implementation of bring-your-own-device (BYOD) policies and programs through mobile device management and similar solutions.
To discuss our Privacy & Data Security expertise and services, please contact Lynn Percival at 919.865.1103 or firstname.lastname@example.org.
Privacy Cannot Be a Casualty of the CoronavirusElizabeth Johnson was quoted in the New York Times piece. April 7, 2020