Companies collect, store, and process a wide range of personal information from both their customers and their employees. Whether it is customer bank account or credit card information, or employee social security numbers, all businesses are custodians of sensitive data that needs to remain private and secure.
Our attorneys advise clients on data security best practices, compliance with legal requirements, and industry-specific rules in an ever-changing landscape. In the event of a data breach, we work with companies to develop a plan for containing and communicating the breach, complying with notice requirements, and developing a strategic plan to help prevent further issues.
There is a patchwork of state and federal laws, and industry-specific rules, that govern data security and the collection and use of data. We help our clients understand these ever-changing laws and rules and draft information security policies to ensure compliance. We also help our clients make sure that they are providing proper notifications regarding how data is collected, stored, and used.
- Our attorneys advise clients on a broad range of issues under the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), including review and updating of vendor contracts.
- We have advised a wide range of businesses regarding collection, storage, and use of data—including software vendors, a mobile payment company, video game companies, and e-commerce websites.
- We regularly advise educational institutions on compliance with the Family Educational Rights and Privacy Act (FERPA).
- We review, revise, and draft website privacy policies to accurately disclose how client websites are collecting, storing, and using data.
We help companies that have experienced a data breach understand their legal obligations, investigate the source of the breach, develop a strategy for an appropriate response, and help them notify regulators and/or affected individuals. Our attorneys work with in-house counsel and IT departments in multiple industries on breach response.
- We assisted a major global diversified manufacturing and marketing company that experienced a data breach of social security numbers and other sensitive employee data.
- Our attorneys worked with a non-profit to respond to a hacker intrusion into their human resources database. Sensitive information was stolen and used for identity theft. We helped with drafting the data breach response and developed a press release regarding the response.
- We helped a fast food franchise manage a data breach caused by an IT software vendor that had conducted maintenance on their system and had inadvertently taken down the system security.
- We assisted a clinic in responding to a breach of patient health information, including assistance with compliance under the Health Insurance Portability and Accountability Act (HIPAA).
- We worked with a global internet company to develop and implement responses to the Edward Snowden revelations regarding monitoring of internet traffic.
- We advised a major government entity with homeland security issues regarding their data breach response program and information security issues. We trained in-house legal and IT staff on data security issues and participated in a simulated data breach exercise.
- We trained legal and IT staff at major utilities and a government transportation entity regarding data security.
- We advised a regional bank on compliance with FFIEC data security standards and on preparation for a regulatory audit.
- We performed in-house trainings to assist companies with following the best practices for preventing unauthorized access to data.
Data Security Audits
Every company should establish and regularly update their policies regarding the secure receipt, storage, and transmission of consumer and employee data. We help our clients examine their practices, identify what data they are collecting, storing, and transmitting, and what the law or other rules require them to do regarding that data. With that information in hand, we help clients develop policies that are both compliant and compatible with their goals. Once policies are in place, we also assist our clients with updating those policies to reflect new requirements and best practices.
- We performed a data security audit for an educational institution, which resulted in identifying that there were different practices for handling data between departments. Our attorneys advised the institution as to best practices for harmonizing practices across divisions. In addition, the audit identified the need to revise their FTC Red Flag policy, which we assisted with.
- We performed an audit of a public entity that was preparing to collect credit card payments. Our attorneys helped the agency develop their strategy for complying with the Payment Card Industry Data Security Standard (PCI DSS).
- We have assisted clients with developing and improving their incident response plans.
Vendor Contracts, Risk Transfer & Insurance
Our attorneys understand the intersection of contract and insurance law and data security. We have reviewed and negotiated hundreds of vendor contracts that involve these issues, including cloud computing, information technology, networking, data center, and database agreements. Our work includes contracts that involve both domestic and international transactions.
- We regularly advised one of the largest global internet companies on domestic and international data security issues arising in transactions involving internet networking, data centers, and related vendor contracts. We have extensive experience working with in-house legal departments, engineers, sales teams, and multiple other corporate channels.
- We have negotiated hundreds of contracts that involve sensitive data security and privacy issues, including agreements involving cloud storage, sharing sensitive information, data centers, networking, colocation, dark fiber, IP transit, communications services and equipment, complex server systems, wireless networks, equipment leases, device trials, spectrum leases, cell tower leases, and many other issues. These transactions were for services in 35 different countries in North America, South America, Africa, Europe, and Asia.
- We have advised companies in multiple industry sectors—including banks, construction firms, educational institutions, and manufacturing and retail—on cyber-insurance and other risk transfer strategies in vendor and other contracts.
Employee Training and Presentations
Keeping data secure and making sure that data policies are properly executed requires awareness and understanding from all employees who handle that data. Our attorneys regularly give presentations and provide training to give an introduction to the data security laws that pertain to a particular company and the best practices to avoid unauthorized persons from gaining access to data.