Privacy, Data Protection & Information Management Experience
Financial Data
Financial institutions are among the most heavily regulated businesses from a privacy, data protection and information management perspective. Service providers to financial institutions are also impacted by that regulation. These laws and regulations are complicated and, in some cases, have critical variations among regulators.
New laws have fundamentally changed the way that many financial institutions gather, process and use information about their customers. Also, many entities that might not consider themselves to be "financial institutions" nevertheless are covered. In different jurisdictions around the world, the definition of financial institution can cover not only core providers of financial services but also specified, related activities such as brokering or servicing loans, appraising real or personal property, real estate settlement services, investment advisory activities, tax preparation, management consulting and counseling activities, printing and selling checks, community development or advisory activities, selling traveler's checks, and providing financial data processing and transmission services, facilities, or databases. In the United States, we advise clients on a broad array of compliance issues arising under the key U.S. law, the Gramm-Leach-Bliley Act.
K&L Gates has advised financial institutions on a range of information management issues for many years including:
- Developing opt-in and opt-out programs for clients' marketing and data sharing activities;
- Drafting privacy and data protection policies and notices;
- Analyzing information-sharing arrangements;
- Drafting compliance guides for financial institutions and trade associations;
- Establishing comprehensive information security programs;
- Preparing employee policies, training materials and presentations;
- Drafting privacy and confidentiality agreements between financial institutions, their service providers, and other third parties;
- Representing clients in enforcement proceedings involving alleged violations of privacy and data protection law; and
- Monitoring financial privacy and data protection developments and helping our clients adjust their programs and practices to those developments.
The types of financial institutions that we routinely represent include:
- Depository institutions, including banks, savings associations and credit unions;
- Mortgage lenders, investors, brokers and servicers;
- Insurance companies and agents;
- Investment companies, investment advisors and administrators, transfer agents, custodians and broker-dealers;
- Other businesses, such as home builders, real estate appraisers and closing agents, whose activities can in some cases be covered by financial privacy requirements; and
- Service providers to the above.
Health Data
The health care industry is regulated under a complex network of privacy and data protection laws that establish a diverse set of rules governing protection and disclosure of individual patient health data. These diverse requirements generally impose a higher standard of responsibility on entities that process health data.
We regularly advise clients regarding the U.S. Health Insurance Portability and Accountability Act ("HIPAA"), the key law in this area in the U.S. We help clients: implement privacy and security compliance programs, including gap analysis; develop and review policies and procedures, safeguards, authorization, notice and consent forms; develop and review business associate agreements; and analyze HIPAA preemption and the continuing application of state confidentiality laws. We also conduct privacy compliance audits and education and training programs for management and employees.
K&L Gates lawyers have provided advice on these laws and requirements to hospitals and health care systems, health plans, physician groups, family planning clinics, nursing homes, assisted living facilities, mental health and mental retardation providers, substance abuse providers, chain and independent pharmacies, and HMOs and other managed care plans.
The range of issues and projects has included:
- Analysis of the use of patient information for commercial and marketing purposes;
- Development of releases and patient consent forms, both general and with respect to specific conditions, such as HIV test results and mental health;
- Assisting a federal contractor with gap analysis and negotiations with the U.S. Department of Defense regarding ongoing DITSCAP compliance;
- Responses to requests for access to patient records by government agencies for audit and investigation;
- Advice on professional privileges and confidentiality of client communications; and
- Responses to subpoenas and search warrants.
Children's Data
In the U.S., the Children's Online Privacy Protection Act of 1998 ("COPPA") regulates the online collection, use, and disclosure of individually identifiable information of children under the age of 13. COPPA requires "verifiable" parental consent prior to the online collection, use or disclosure of a child's personal information. Under COPPA, persons that operate a website "directed to children," or who have actual knowledge that a person from whom they collect information is a child (under 13), must comply with a variety of requirements, such as posting a privacy policy, notifying parents that they wish to collect information from their children, and restricting use and disclosure of such information.
COPPA provides a safe harbor for companies that comply with self-regulatory programs that are approved by the Federal Trade Commission, such as the Children's Advertising Review Unit ("CARU") of the Better Business Bureau, ESRB Privacy Online and TRUSTe.
K&L Gates assists its clients with COPPA compliance including:
- Identifying actual and potential compliance issues;
- Developing appropriate policies, terms of use, and business practices;
- Assisting with website design and functionality;
- Handling technology acquisitions; and
- Responding to and resolving investigations by self-regulatory agencies.
Privacy In The Workplace
Privacy and data protection laws complicate an employer’s legitimate business interest in collecting and using information about employees and applicants in order to make informed employment decisions. Employee access to and use of networked computer systems creates new risks for employers, but also new defenses and opportunities.
Privacy laws limit an employer’s ability to obtain, use, disclose and transfer certain information throughout the entire employment process; at the same time, identity theft and other laws require employers to obtain certain information. K&L Gates lawyers help clients blend traditional employment law restrictions with new privacy, data security, identity theft, cyberspace rules and more. The result is a very different world for the employer’s internal policies, procedures and documentation.
K&L Gates’ privacy and data protection team provides clients with the following products and services in connection with privacy in the workplace:
- Counseling businesses on employee privacy and data protection issues;
- Developing and drafting employee privacy and data protection policies and procedures;
- Analyzing employers’ existing policies and procedures for compliance with privacy and data protection requirements;
- Updating these policies and procedures in consideration of new employer defenses under new cyberspace and other laws;
- Assisting employers in establishing appropriate procedures, consent forms and vendor contract arrangements for collection and use of employees' genetic information in connection with legitimate business activity; and
- Preparing employee training materials and presentations.
Information Security
The legal aspects of information management are complex. Both civil and criminal laws are relevant to how companies define and manage the security of their information systems. Federal regulations require certain businesses to have information security plans that involve administrative, technical and physical safeguards. The transfer of information implicates laws requiring the use of encryption in some cases. New types of insurance coverage are available, the scope of which is often heavily dependent upon security audits conducted by third parties. Outsourcing and service agreements routinely require attention to data protection.
Companies are acquiring security technology software and products that can determine the future vitality of the business. K&L Gates lawyers have been helping clients understand the law as it relates to technologies such as encryption, firewalls, access controls, authentication, digital signatures, and smartcards.
K&L Gates’ team has experience in addressing all aspects of information management – we’ve been doing so since 1990! Our lawyers have consistently contributed to producing solutions for the business community, including:
- Coauthoring The Law of Electronic Commercial Transactions (A.S. Pratt, 2003-2007) (Towle and Nimmer), an information rich treatise covering commercial law as impacted by digital systems, and including chapters on privacy, security and identity theft;
- Authoring chapters in the Computer Security Handbook, 4th Edition, the authoritative industry bible on computer security, on “Privacy” and “E-Commerce Safeguards”;
- Testifying, by invitation, to the National Computer Security and Privacy Advisory Board in the U.S. on the firm’s technology-driven compliance methodologies; and
- Participating in the proceedings of the International Information Integrity Institute (“I4”), a recognized global forum of industry leaders on information security.
Our work has included:
- Assisting clients in developing and authoring information security policies and procedures, including security breach response plans;
- Developing Acceptable Use Policies concerning the information security practices to which employees must adhere;
- Negotiating the acquisition of digital signature technologies and structuring use in producing electronic documents;
- Analyzing client extranet signature systems and signature services for compliance with law;
- Developing security architectures and applications for the overall operations of financial services firms, including the protection of all account information and online banking and other financial transactions;
- Designing security incident response plans, which define how companies respond to computer attacks, viruses, hackers and similar incidents;
- Drafting and negotiating data security and disposal provisions (for both data and hardware) in service contracts;
- Negotiating and revising merchant payment system agreements and other processing agreements on behalf of retailers, clients who accept credit cards or debit cards (signature and PIN debit), and clients who engage in electronic transactions like ACH or electronic check conversions;
- Evaluating and negotiating proposed insurance coverage for cyber-losses, and assisting clients in preparing or litigating claims for recovery of insurance proceeds;
- Investigating possible criminal actions against computer systems and computer assets, including assisting in the performance of internal investigations involving employees or other highly sensitive circumstances; and
- Advising clients subject to hacking incidents on obtaining and preserving evidence of incidents and whether evidence so obtained was sufficient to pursue civil claims against possible perpetrators or to refer such perpetrators to the relevant authorities for prosecution.
For over 15 years, our firm also has been in the forefront of data protection issues in Washington D.C. and is widely recognized for its cyber-security policy expertise including:
- Leading the effort to liberalize export controls on American encryption products and to prevent domestic limitations on the use of encryption;
- Preventing government designed technological mandates in broad anti-terrorism legislation (the PATRIOT Act) and obtaining a provision specifically stating that the bill did not require companies to develop new technologies or design new systems to facilitate government access to electronic information;
- Representing the leading software trade association to ensure that efforts to promote cybersecurity and protect critical information infrastructure are market-driven and industry-led;
- Lobbying successfully for legislation to protect against the disclosure of corporate cybersecurity information that is voluntarily submitted to the government. That bill also required all federal agencies to meet a baseline level of computer security while ensuring that the standards for such security will be technology and product-neutral; and
- Working on federal data breach legislation that would establish a reasonable national procedure for notification while recognizing corporate efforts to protect data.
We are also experienced in assisting clients at the state legislative level on cyberspace, technology, contracting, and consumer protection legislation.
Most U.S. states now have their own data breach notification laws. We routinely advise clients regarding data breach response, including breach notification and identity theft prevention measures. In order to assist our clients in responding rapidly and appropriately to breaches throughout the U.S., we have developed a database of these state laws that analyzes each state’s requirements.
Litigation
In litigation, privacy/data protection issues and information management practices frequently intersect with other legal concerns. In any litigation, lawyers must address the need for comprehensive and effective discovery while observing the privacy and data authorization rights of the litigants, their witnesses and other involved parties. Businesses need to manage their information so as to minimize the burden and exposure from electronic discovery requests, and they need to employ computer forensics to gain crucial information. They also need to comply with new Federal Rules of Civil Procedure regarding electronic records.
Our team, in coordination with our Litigation Practice and Document Analysis and Technology Group, advises clients in connection with:
- Litigation and subpoena compliance;
- Determining the validity of a subpoena and analyzing the propriety of the issuance of the subpoena; and
- Analyzing privacy-related First Amendment issues, confidentiality of party information, class action defense and statutory violations.
Planning and Structuring Advice
We regularly advise businesses in a variety of industries with respect to the legal issues associated with data ownership, licensing, data and information issues arising in restructurings, business reorganizations, company and asset acquisitions, asset transfers, and other operational contexts. This includes work relating to:
- Selling or licensing consumer information;
- Structuring of affiliate data and IP licensing relationships to address various business and strategic objectives;
- Advising clients during bankruptcy proceedings in connection with any sale of assets that may contravene privacy and data protection policies and applicable regulations;
- Advising clients regarding the Federal Rules of Civil Procedure for electronic records and document retention plans and procedures, and utilizing specialized software to make document production cost effective and efficient;
- Advising clients regarding the ownership or transfer of personally identifiable information in connection with mergers and acquisitions and corporate restructurings; and
- Using the rights of data access under the U.K. Data Protection Act of 1998 in connection with court disclosure proceedings.