Cyber Security, Data Management & Privacy

These days, if your business or organization even touches data about individuals or other protected information – let alone collects, stores or shares it – it is likely subject to an ever-growing and complex web of state, federal and foreign laws, regulatory schemes and industry standards. These rules require your company or organization to implement and support appropriate privacy and data security safeguards, as well as mitigate the harm of any breach. Privacy and data security compliance also requires you to identify, understand and meet the increasingly heightened standards often included in contracts with customers, vendors, lenders, members and others.

Our privacy and data protection team can guide your compliance with those laws and contract duties, helping you manage, use and dispose of information in a way that is both practical and cost-effective. In the event of a breach, we walk our clients through all facets of the crisis, including by assisting with internal and external forensic investigations, communicating with law enforcement, determining the extent of any required notifications, ensuring that notices and other actions comply with applicable laws, mitigating the harm done, managing the damage to reputation, and defending against regulatory penalties and lawsuits.

Our team understands the technology, the laws and the underlying principles of privacy, data security and data management. For well over a decade, we have worked with clients to reduce privacy and data security exposure in a landscape of rapidly changing risks, while accounting for their unique circumstances and resources.

Use our experience to protect your business

  • Compliance:  The alphabet soup of U.S. laws requiring compliance includes HIPAA, HITECH, CAN-SPAM, COPPA, FISMA, FERPA, FCRA and others. And that is just at the U.S. national level. Most states have their own, unique laws, such as California’s CCPA. At the same time, foreign jurisdictions are increasingly adopting strict data protection laws with extraterritorial application that reaches U.S. organizations, including GDPR and ePrivacy laws (European Economic Area), PIPEDA (Canada) and other laws that are either copycats of, or inspired by, GDPR.
  • Industry standards:  You may also be subject to binding industry standards, such as the Payment Card Industry – Data Security Standards (PCI-DSS), which apply to any business that accepts credit or debit card payments.
  • Understand where you are today: We have developed a comprehensive information governance audit/privacy audit to help you with a comprehensive overview of your information governance processes and policies and determine which aspects may be vulnerable, or out of compliance, with applicable legal and industry requirements.
  • Vendor contracts:  Outside of your own facilities and processes, you may be vulnerable because of your agreements with vendors, such as cloud service providers and web hosting firms. We will review your existing contracts and negotiate or renegotiate them to ensure compliance, as well as protection if the vendor defaults.
  • Policies and processes:  Weak passwords, flash drives and memory sticks, and laptops loaded with unprotected confidential data can all lead to exposure for a breach. Employees need to be trained to understand the vulnerability of your data. The right policies and processes can reinforce this training, including penalties for carelessness, two-factor authentication, and preventing employees from downloading apps and software programs onto the organization's devices. We partner with computer and system experts to ensure that you have the proper technical, administrative and physical safeguards in place.
  • Insurance policy assessments: While major insurance companies offer insurance against the cost of a breach, there is as yet no agreement on industry standards. With a full understanding of the policy language and how it would apply in the event of a breach, we can provide you the room you need to negotiate with insurance companies.
  • Practical, pragmatic advice: As business lawyers, we understand the need to balance risk against costs.  We are experienced in helping clients manage the differing needs and interests of their internal stakeholders, including accounting, marketing, human resources, IT and legal.


And if a data breach does occur...

A security breach has financial, reputational, operational, physical and legal costs. When a breach occurs, it is important to react swiftly and comprehensively. Our Cybersecurity team has developed strategies for managing the risks that follow a breach, from crisis management to responding to governmental inquiries and investigations. And, in the disputes that can often follow a breach, we represent clients in all phases of resolution, whether in negotiated settlements or contentious litigation.

Autopsy Of A Cyber Nightmare - WTP Speaking

Using today’s business technology is a double-edged sword – you need it to compete, yet it exposes you to a ghastly horde of cyber monsters. The ever-evolving cyber threat landscape is a dark and mystifying realm for non-technical executives, obscured by nightmarish tales spattered throughout the daily headlines.

Don’t let the fear of the unknown entomb your business. Our panel of spirited cyber experts will arm you with a goodie bag of straight-forward strategies to help protect your organization.

Developing an Insider Threat Program: Risk Mitigation and Compliance

Wednesday, November 30, 2016, marks the deadline by which affected contractors must comply with new US Government insider threat mitigation requirements. The US National Industrial Security Program (NISPOM) mandates measures companies must take to secure classified information. On May 18, 2016, the Department of Defense issued Change 2 to NISPOM, significant because it requires contractors (defined as any "industrial, educational, commercial, or other entity that has been granted a facility security clearance (FCL) by a Cognizant Security Agency") to implement an Insider Threat Program no later than November 30, 2016. We're two weeks away from that deadline, and yesterday the Chesapeake Regional Technology Council convened a forum in which experts discussed mitigating the insider threat at the Chesapeake Innovation Center in Odenton, Maryland, to give companies some perspective on what NISPOM Change 2 means to them.

"Don't be evil"? Security breaches catch even the best-intentioned companies off guard

As Google and Facebook and countless others have discovered, most netizens tend to be pretty blasé about privacy – until all of a sudden they aren’t. While we all love the detailed photo views on Google Maps, the revelation that Google’s camera cars were also sweeping WiFi networks as they captured those images was met with outrage.  And, Facebook users seemed to carelessly love that app’s ability to track down long-lost friends, until last week it pulled friends’ phone numbers into a handy online directory “for you”.

Whiteford, Taylor going after cyber security clients with new group

A Baltimore law firm sees a business opportunity in helping thwart the growing number of online crooks trying to swipe a company’s sensitive data or disrupt its computer network.

Whiteford, Taylor & Preston LLP, a 153-lawyer business law firm, has launched a new industry group to advise clients on the legal issues related to cyber security and the protection of online data.

Beware of Transmitting Social Security Numbers - How Maryland's New Social Security Number Privacy Act May Affect You and Your Business

Maryland’s new Social Security Number Privacy Act became effective January 1, 2006. The Act prohibits, among other things, the public posting of an individual’s Social Security number or the public display of an individual’s Social Security number. Very few employers or businesses actually contemplate posting Social Security numbers for the public to see, so at first blush the Act may not seem relevant to your company.

Howard Feldman Interview on CyberWire

An interview with WTP Partner Howard Feldman was included in a special edition podcast on cyber risk presented by CyberWire, a Baltimore-based cyber security news service. CyberWire spoke with experts in the security, insurance and legal sectors about quantifying cyber risk: how you determine it, what you do with it, and why it matters. Click here for more.

Cyber Alert: Anthem Data Breach: Self-Insured Plans

On February 4, Anthem, Inc., the second largest health insurer in the U.S., reported that hackers breached one of its IT systems and stole personal information relating to consumers and employees.  Described as “very sophisticated,” the attack involved the records of an estimated 80 million people.  While information accessed apparently did not involve medical information or credit card numbers, it did include such personally identifiable information as names, social security numbers, and income data. 

Howard Feldman to Join Trade Mission to Israel

The Daily Record reports that Howard Feldman, Co-Chair of the firm’s Cyber Security and Information Privacy Group, will be a guest of the Maryland/Israel Development Center’s second trade mission to Israel in March.  MIDC is a nonprofit, public-private partnership between Maryland’s Department of Business and Economic Development, the Israeli Ministry of Industry, Trade and Labor, and The Associated: Jewish Community Federation.  Click here to read the full article.