These days, if your business or organization even touches data about individuals or other protected information – let alone collects, stores or shares it – it is likely subject to an ever-growing and complex web of state, federal and foreign laws, regulatory schemes and industry standards. These rules require your company or organization to implement and support appropriate privacy and data security safeguards, as well as mitigate the harm of any breach. Privacy and data security compliance also requires you to identify, understand and meet the increasingly heightened standards often included in contracts with customers, vendors, lenders, members and others.
Our privacy and data protection team can guide your compliance with those laws and contract duties, helping you manage, use and dispose of information in a way that is both practical and cost-effective. In the event of a breach, we walk our clients through all facets of the crisis, including by assisting with internal and external forensic investigations, communicating with law enforcement, determining the extent of any required notifications, ensuring that notices and other actions comply with applicable laws, mitigating the harm done, managing the damage to reputation, and defending against regulatory penalties and lawsuits.
Our team understands the technology, the laws and the underlying principles of privacy, data security and data management. For well over a decade, we have worked with clients to reduce privacy and data security exposure in a landscape of rapidly changing risks, while accounting for their unique circumstances and resources.
Use our experience to protect your business
- Compliance: The alphabet soup of U.S. laws requiring compliance includes HIPAA, HITECH, CAN-SPAM, COPPA, FISMA, FERPA, FCRA and others. And that is just at the U.S. national level. Most states have their own, unique laws, such as California’s CCPA. At the same time, foreign jurisdictions are increasingly adopting strict data protection laws with extraterritorial application that reaches U.S. organizations, including GDPR and ePrivacy laws (European Economic Area), PIPEDA (Canada) and other laws that are either copycats of, or inspired by, GDPR.
- Industry standards: You may also be subject to binding industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which applies to any business that accepts credit or debit card payments.
- Understand where you are today: We have developed a comprehensive information governance and privacy audit that gives you an overview of your information governance processes and policies and determines which aspects may be vulnerable to, or out of compliance with, applicable legal and industry requirements.
- Vendor contracts: Outside of your own facilities and processes, you may be vulnerable because of your agreements with vendors, such as cloud service providers and web hosting firms. We will review your existing contracts and negotiate or renegotiate them to ensure compliance, as well as protection if the vendor defaults.
- Policies and processes: Weak passwords, flash drives and memory sticks, and laptops loaded with unprotected confidential data can all expose you to a breach. Employees need to be trained to understand the vulnerability of your data. The right policies and processes can reinforce this training, including penalties for carelessness, two-factor authentication, and preventing employees from downloading apps and software programs onto the organization's devices. We partner with computer and system experts to ensure that you have the proper technical, administrative and physical safeguards in place.
- Insurance policy assessments: While major insurance companies offer insurance against the cost of a breach, there is as yet no agreement on industry standards. With a full understanding of the policy language and how it would apply in the event of a breach, we can provide you the room you need to negotiate with insurance companies.
- Practical, pragmatic advice: As business lawyers, we understand the need to balance risk against costs. We are experienced in helping clients manage the differing needs and interests of their internal stakeholders, including accounting, marketing, human resources, IT and legal.
And if a data breach does occur...
A security breach has financial, reputational, operational, physical and legal costs. When a breach occurs, it is important to react swiftly and comprehensively. Our Cybersecurity team has developed strategies for managing the risks that follow a breach, from crisis management to responding to governmental inquiries and investigations. And, in the disputes that can often follow a breach, we represent clients in all phases of resolution, whether in negotiated settlements or contentious litigation.