Cyber Security, Data Management & Privacy

Business:
Privacy and Data Risks for Business

In today's hyper-connected world, organizations of every stripe have an insatiable appetite for data and other electronic content.  It can separate your enterprise from the rest of the pack, and help you grow your business and reach your goals faster, better and more efficiently.  While the reasons for collecting more and more data are obvious, the obligations and risks that arise from doing so may not be. 

That's where WTP's cybersecurity and privacy lawyers come in.  We understand that those who collect, store, transmit or access personally identifiable information or other confidential information are subject to an ever-growing and complex web of state, federal and foreign laws, regulatory schemes and industry standards intended to protect the public by holding you responsible for establishing, implementing and supporting appropriate privacy and data security standards and for mitigating the harm of any breach.  We also understand that data and privacy compliance may require your business to meet standards set forth in a host of contracts, with your customers, members, vendors and others.

Our Cybersecurity and Privacy lawyers can guide your compliance with those laws and contract duties, and help you manage, use and dispose of information in a way that is practical and cost-effective.  In the event of a breach, we walk our clients through all facets of the crisis, including by assisting with internal and external forensic investigations, communicating with law enforcement, determining the extent of any required notices to government authorities, affected people and others, ensuring that notices and other actions comply with applicable laws, mitigating the harm done, managing the damage to your reputation, and defending your business against regulatory penalties and lawsuits.

WTP's Cyber lawyers understand both the technology and the law of cybersecurity, data privacy, e-commerce and cyber insurance. We have combined our attorneys' experience and skills in business, trial and technology law with their substantive knowledge of data security breach, privacy and information security laws that govern the collection, use and protection of personal information, such as HIPAA, COPPA, GLBA, the European Privacy Directive, and various state data security procedures and notice laws. One of the group's leaders is a Certified Information Privacy Professional (CIPP/US).

Use our experience to protect your business

  • Compliance:  The alphabet soup of laws that you have to comply with may include Gramm-Leach-Bliley, HIPAA, CAN-SPAM, the Children's Online Privacy Protection Act, FISMA, FERPA, fair credit laws or others -- and that is only at the U.S. national level.  Most of the states where you have locations, members, customers or data have similar laws, and, if you deal across country lines, so do most nations in the world.
  • Industry standards:  You may also be subject to binding industry standards, such as the Payment Card Industry -- Data Security Standards (PCI-DSS), which apply to any business that accepts credit or debit card payments.
  • Understand where you are today: We have developed a comprehensive information governance audit/privacy audit to help you get a comprehensive overview of your information governance processes and policies and determine which aspects may be vulnerable or out of compliance with applicable legal and industry requirements.
  • Vendor contracts:  Outside of your own facilities and processes, you may be vulnerable because of your agreements with vendors, such as cloud service providers and web hosting firms.  We will review your existing contracts and negotiate or renegotiate your contracts to ensure that they comply with the standards that apply to your company and that you are protected if the vendor defaults.
  • Policies and processes:  Your company's policies are a first line of defense against both a breach and liability.  Employees need to be trained to respect the vulnerability of your data: weak passwords, flash drives and memory sticks, and laptops loaded with unprotected confidential data are all ways that a careless employee can expose you to a breach. Your policies and processes should reinforce the training: impose penalties for carelessness; use two-factor authentication; prevent employees from downloading apps and software programs onto the company's devices.  And remember that a disgruntled employee can cause a lot of damage.  Just as you may require two officers to sign off on major contracts or big payments, your IT department should not vest too much authority in any one employee acting alone. Finally, we partner with computer and system experts to ensure that you have the proper technical, administrative and physical safeguards in place.
  • Insurance policy assessments: The major insurance companies are beginning to jump into the arena of offering businesses insurance against the cost of a breach.  However, no industry standards have been agreed on yet. On the one hand, this can be terribly confusing, since each policy you will be offered can be quite different from the others.  On the other hand, as long as you fully understand the policy language and how it would apply in the event of a breach, there is still a lot of room to negotiate with the insurance companies because they don't yet speak with a united front.  However, the key fact here is whether you -- and the company -- truly understand the policy and the reality of the risks.
  • Practical, pragmatic advice: As business lawyers, we understand that you need to balance risk against costs, and run a successful business, which includes collecting, using, and storing important data.  We keep the big picture of your business needs firmly in mind, because your compliance with privacy and data security laws has to fit into your company's data governance needs.  And we can help you balance the different needs and interests of your internal stakeholders, such as accounting, marketing, human resources, IT and legal, to get the most value out of the data you collect. These internal constituents need to be able to access the data they use in their daily work, but avoid the "silo" mentality that would prevent them from cooperating to protect the company as a whole.


And if a data breach does occur...

A security breach will lead to financial, reputational, operational, physical and legal costs, so it is important to react swiftly and comprehensively when a breach occurs.  Our Cybersecurity team has developed strategies to effectively manage the risks that follow a breach, from crisis management and emergency response techniques, to responding to governmental inquiries and investigations.

We can represent you in negotiated settlements, crisis management, investigations by state and federal regulators, and, should it reach that point, litigation.

Articles

Developing an Insider Threat Program: Risk Mitigation and Compliance

Wednesday, November 30, 2016, marks the deadline by which affected contractors must comply with new US Government insider threat mitigation requirements. The US National Industrial Security Program (NISPOM) mandates measures companies must take to secure classified information. On May 18, 2016, the Department of Defense issued Change 2 to NISPOM, significant because it requires contractors (defined as any "industrial, educational, commercial, or other entity that has been granted a facility security clearance (FCL) by a Cognizant Security Agency") to implement an Insider Threat Program no later than November 30, 2016. We're two weeks away from that deadline, and yesterday the Chesapeake Regional Technology Council convened a forum in which experts discussed mitigating the insider threat at the Chesapeake Innovation Center in Odenton, Maryland, to give companies some perspective on what NISPOM Change 2 means to them.

"Don't be evil"? Security breaches catch even the best-intentioned companies off guard

As Google and Facebook and countless others have discovered, most netizens tend to be pretty blasé about privacy – until all of a sudden they aren’t. While we all love the detailed photo views on Google Maps, the revelation that Google’s camera cars were also sweeping WiFi networks as they captured those images was met with outrage.  And, Facebook users seemed to carelessly love that app’s ability to track down long-lost friends, until last week it pulled friends’ phone numbers into a handy online directory “for you”.

Whiteford, Taylor going after cyber security clients with new group

A Baltimore law firm sees a business opportunity in helping thwart the growing number of online crooks trying to swipe a company’s sensitive data or disrupt its computer network.

Whiteford, Taylor & Preston LLP, a 153-lawyer business law firm, has launched a new industry group to advise clients on the legal issues related to cyber security and the protection of online data.

Beware of Transmitting Social Security Numbers - How Maryland's New Social Security Number Privacy Act May Affect You and Your Business

Maryland’s new Social Security Number Privacy Act became effective January 1, 2006. The Act prohibits, among other things, the public posting of an individual’s Social Security number or the public display of an individual’s Social Security number. Very few employers or businesses actually contemplate posting Social Security numbers for the public to see, so at first blush the Act may not seem relevant to your company.

Events

Autopsy Of A Cyber Nightmare - WTP Speaking

Using today’s business technology is a double-edged sword – you need it to compete, yet it exposes you to a ghastly horde of cyber monsters. The ever-evolving cyber threat landscape is a dark and mystifying realm for non-technical executives, obscured by nightmarish tales spattered throughout the daily headlines.

Don’t let the fear of the unknown entomb your business. Our panel of spirited cyber experts will arm you with a goodie bag of straight-forward strategies to help protect your organization.

ASAE Annual Meeting - WTP Speaking

Keith Moulsdale will be leading a Cybersecurity Roundtable on behalf of the ASAE Healthcare Community Committee.

News

Howard Feldman Interview on CyberWire

An interview with WTP Partner Howard Feldman was included in a special edition podcast on cyber risk presented by CyberWire, a Baltimore-based cyber security news service. CyberWire spoke with experts in the security, insurance and legal sectors about quantifying cyber risk: how you determine it, what you do with it, and why it matters.

Cyber Alert: Anthem Data Breach: Self-Insured Plans

On February 4, Anthem, Inc., the second largest health insurer in the U.S., reported that hackers breached one of its IT systems and stole personal information relating to consumers and employees.  Described as “very sophisticated,” the attack involved the records of an estimated 80 million people.  While information accessed apparently did not involve medical information or credit card numbers, it did include such personally identifiable information as names, social security numbers, and income data. 

Howard Feldman to Join Trade Mission to Israel

The Daily Record reports that Howard Feldman, Co-Chair of the firm’s Cyber Security and Information Privacy Group, will be a guest of the Maryland/Israel Development Center’s second trade mission to Israel in March.  MIDC is a nonprofit, public-private partnership between Maryland’s Department of Business and Economic Development, the Israeli Ministry of Industry, Trade and Labor, and The Associated: Jewish Community Federation.