Data Protection, Privacy, and Security: Cyber Preparedness and Response and Privacy Compliance
From helping clients assess network and data security and insurance coverage to dealing with the aftermath of a cyberattack, our international Cyber Preparedness and Response and Privacy Compliance team has deep experience in assisting clients with all aspects of addressing and mitigating cyber risks.
Our capabilities include preventing and deterring attacks, pursuing perpetrators, responding to breaches, and helping clients mitigate risk and loss through insurance. We are experienced in analyzing each breach in light of each relevant statute to determine whether notice is required, advisable, or inadvisable. We do this for breaches occurring locally, nationally, and internationally.
Data Retention and Deletion Policies
We advise clients on their regulatory obligations to retain personal information, including developing policies that address minimum retention timelines for the company’s personal information and policies regarding the safe disposal and destruction of retained personal information.
Using interviews and questionnaires, we help our clients understand where they have gaps in their standing against privacy and data protection regulations, and we work with them to address and close deficiencies in their privacy programs.
Policy Review and Drafting
Our team works with clients to help them achieve compliance with data privacy regulations by drafting internal policies and procedures and contractual provisions regarding privacy and security of the company’s data and records, as well as discovery, investigation, remediation, and reporting of security incidents and breaches. We also investigate incidents to determine the scope of a breach and analyze what is required under applicable laws.
We advise clients on how to address the risks of sharing or allowing access to company data to service providers, vendors, and affiliates. This includes advice regarding laws mandating particular provisions for service contracts, as well as drafting, reviewing, and negotiating contracts, including data protection and information security agreements. We protect our clients’ rights, limit their liability, and allocate and address logistics of responding to breaches.
Training and Preparedness
We help clients draft internal policies for responding to potential data security breaches under all applicable statutes and regulations, including Federal Trade Commission, Health Insurance Portability and Accountability Act, California Consumer Privacy Act, and General Data Protection Regulation privacy and security regulations, especially those regarding the use, transmission, storage, and protection of electronic protected health information, or “e-PHI.” We also offer several levels of training as required by applicable law to ensure client personnel are familiar with such policies. It is impossible to avoid all breaches, so we have extensive experience helping clients respond to large and small data security breaches.
Risk Assessments/Advice and Counsel
Our Cyber Preparedness and Response and Privacy Compliance team helps manage internet security and prevent cyberattacks and data breaches through a unique skill set that includes a technical lab and cyberforensic investigators, extensive experience in internet tracking, and a rapid response team of professionals to deal with current attacks. Our team in the United States has experience working with the Federal Bureau of Investigation and information technology forensic consultants after attacks. In Europe, we are experienced in working with national and regional data protection authorities.
Cyber Liability Insurance Coverage Opinions
We counsel clients regarding insurance coverage for data security breach liability, including when insurers dispute their obligation to cover such incidents. We also provide counsel regarding the types of coverages advisable to protect against risks associated with data security breaches.
Our firm has developed unique compliance techniques and approaches, including an industry-leading process-oriented approach to information management issues that assists clients in making choices about using technology to achieve legal compliance. We also advise clients on information security management systems and standards compliance such as ISO 2700X, PCI-DSS, and NIST Framework.
Incident Response, Breach, and Crisis Counseling
Our Cybersecurity and Privacy group includes an experienced policy team, cyberforensic investigators with extensive experience in successful internet tracking, a rapid response team to handle active attacks, and experienced insurance coverage counsel, among others. Our team has a unique blend of skills that span various practice areas and jurisdictions to help clients deal with cybersecurity issues.
Digital Crisis Management
Our Digital Crisis Planning and Response team helps corporations, educational institutions, and high-profile individuals proactively plan for and manage any digital crisis by considering your unique business needs and designing a personalized action plan. We approach a crisis from every angle, working diligently on implementing our multifaceted process to counteract the speed at which information travels online. This work, coupled with our elite cybersecurity and forensic tools, ensures that you are well positioned to address any digital threat.
Our global Cybersecurity and Privacy team regularly assists clients with U.S. Securities and Exchange Commission disclosures and data breach notifications under Sect. 4 Directive 2002/58/EC.
Regulatory Enforcement Actions and Investigations
We work to ensure that government cybersecurity standards and mandates are industry-led and technology-neutral, and we have obtained legislation to broaden and strengthen criminal penalties for cybercrimes. In the United States, we led the effort to liberalize export controls on American encryption products and to prevent United States-domestic limitations on the use of encryption. In Europe, we have assisted clients in cybersecurity initiatives at regional and local levels, notably with the European Commission and various member states.
We represent clients in lawsuits, including class action defenses, arising out of data security breaches. As one example, we successfully litigated the class action case of Kahle v. Litton Loan Servicing LP, one of the important, early cases holding that speculative theories of injury could not support a class action against an entity suffering a data security breach. We have also successfully filed “John Doe” lawsuits to identify computer hackers and others whose identities are shielded by Internet service providers.