We have more than 50 years of experience in privacy, information management, and cybersecurity matters across many different industries. Our attorneys have served clients ranging from publicly-traded multi-national corporations to small startups as in-house counsel, counsel to the board, and in private practice. We regularly counsel clients on the effects of privacy and cybersecurity requirements on their business operations, and have extensive experience in representing their interests before federal regulators and policymakers. Our clients range from early-stage start-ups to some of the largest companies in the world.
We regularly advise clients on privacy laws and cybersecurity issues in the United States and internationally. We have performed audits and privacy risk analyses and advised clients on legal issues pertaining to website operations, behavioral advertising, mobile applications and location-based services. Our attorneys have broad experience in developing and revising privacy policies, business associate and data protection agreements, website privacy programs, and training and awareness programs for various industries.
Our attorneys have counseled clients on issues ranging from student privacy, telemarketing, online marketing, and employment privacy to international cross-border data transfers and the use of privacy by design to accommodate worldwide data protection requirements. As technological innovation occurs, we have helped our clients stay ahead on emerging issues such as text messaging marketing, Bring-Your-Own-Device, cloud security, facial recognition software, records management and data retention policies, Unmanned Aircraft Systems, and the Internet of Things. Managing and advising as to the cross-functional integration of data privacy and security policies, marshaling the resources of information technology security, human resources, finance, sales, marketing, and public relations, as well as legal expertise also plays a role in our practice.
The firm’s attorneys also regularly assist our clients in developing and implementing cybersecurity policies and procedures, as well as developing a layered approach to data breaches and incident response. This includes legal, technical, and forensic capabilities and the ability to protect what matters. Working closely with our clients, we devise comprehensive plans to protect critical data and counsel on new and evolving domestic and international developments in the areas of data collection and cybersecurity. We conduct and oversee tabletop exercises, which help to identify and remediate key cybersecurity vulnerabilities.
Our practice group’s attorneys are available around the clock to help clients immediately respond to data breaches and other cybersecurity incidents. If a client experiences a data breach, we conduct internal investigations, data breach investigations, and comprehensive compliance assessments, and ensure that the client fulfills notification obligations under state and federal laws. Our longstanding relationships with the nation’s top cybersecurity forensics firms enable us to quickly engage technological experts to assess and remediate damage caused by the incident. We coordinate and oversee the work of these forensics experts, and communicate with services providers and law enforcement when necessary. We have deep experience in analyzing corporate insurance coverage for cybersecurity coverage and, when necessary, negotiating coverage with carriers.
We also have years of experience in advocating our clients’ positions before Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Telecommunications and Information Administration, and state attorneys general in regulatory policy and enforcement proceedings involving privacy and cybersecurity. Our attorneys also have significant experience in assisting clients with related legislative matters before the Congress.
Representative matters include:
- Advising clients on compliance with federal and state laws governing text message marketing, email marketing, telemarking, behavioral advertising, online ad networks, and location-based services, including the Telephone Consumer Protection Act, the CAN-SPAM Act, Section 5 of the Federal Trade Commission Act, state consumer protection statutes, and the Computer Fraud and Abuse Act.
- Negotiating data privacy and security contract terms for use in contracts with customers and third-party service providers.
- Drafting website privacy policies, terms of use and terms and e-commerce conditions of sale for US and global use, and revising such policies in light of changing legal and business requirements.
- Responding to data breaches, website defacement, denial-of-service attacks, and other cybersecurity incidents that threaten clients’ business operations, and working with law enforcement to remediate these attacks.
- Counseling clients on their notification obligations under state data breach laws and on how to prepare for and respond to data breaches.
- Drafting comprehensive information security and incident response policies for clients, and developing employee training materials based on these policies.
- Advising clients on insurance coverage for data breaches and other cybersecurity incidents.
- Providing legal assistance to a major information service provider regarding customer consent requirements for text messaging marketing and information campaigns.
- Implementing privacy by design for products to accommodate world-wide data protection requirements.
- Performing comprehensive data privacy and security audits for clients, including a review of data collection and handling practices in the United States and globally.
- Counseling educational institutions regarding student privacy issues under the Family Educational Rights and Privacy Act.
- Assisting covered entities and business associates to perform risk assessments under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and to create and implement HIPAA compliant policies and procedures and related internal documentation.
- Drafting notices of privacy practices, authorization forms, patient consent forms, business associate agreements, and assisting companies to take other related steps to comply with the HIPAA privacy and security rules.
- Conducting privacy risk analyses and assisting companies with strategic decision making regarding data collection and handling practices.
- Creating and implementing comprehensive data privacy and security compliance programs covering customer, consumer and employee data under US and international law, including drafting relevant company policies and procedures.
- Conducting a privacy a major software/SaaS company, together with cross-functional implementation of data security and PCI standards.
- Assisting clients in addressing relevant cross-border data transfer restrictions under EU and other international laws, including assisting clients to join the US-EU and US-Swiss Safe Harbor privacy frameworks and implementing model contracts.
- Advising financial institutions on issues relating to compliance with the Gramm-Leach-Bliley Act, including reviewing and drafting privacy and opt-out notices, and otherwise advising on the reuse and redisclosure of non-public personal information.
- Securing exemption for bona fide newsletters from FTC regulations implementing the CAN-SPAM Act.
- Litigating allegations of privacy law violations and inadequate cybersecurity safeguards in federal and state courts
- Advising a wide range of companies with an online presence on compliance with the Children’s Online Privacy Protection Act.
- Counseling a leading wireless carrier on the Electronic Communications Privacy Act and on federal and state laws relevant to location-based services.
- Providing advice to government contractors regarding the Federal Information Security Management Act (FISMA).
- Successfully advocating resolution in Toysmart case establishing legal framework for sale of customer lists in bankruptcy proceedings.
- Participating in multistakeholder proceedings before the NTIA on improving the transparency of privacy disclosures by mobile applications and on privacy issues and disclosures relating to facial recognition software.
- Negotiating cloud computing and information technology backbone contracts for a leading software provider.
- Helping clients understand US and global marketing restrictions and assisting with creating appropriate company policies and procedures.
- Developing privacy training materials and internal policies and procedures to educate US personnel on the requirements of US and international data privacy laws.
- Drafting comments to the Federal Trade Commission, Federal Communications Commission, and other regulators on proposed changes to U.S. privacy regulations
- Counseling and Compliance
- Data Security
- Health Information Privacy
- Investigations and Enforcement
- Privacy Litigation