InfoLawGroup has a sophisticated information governance practice that addresses all aspects of the information lifecycle, including counseling on:

  • Breach notice laws (e.g. requiring notice if personal information exposed in a security breach)
  • “Reasonable security” under common law negligence
  • State personal information and privacy laws (e.g. Massachusetts Standards for the Protection of Personal Information, Nevada’s Security of Personal Information law, etc.)
  • Unfair and deceptive trade practice laws (e.g. FTC Act and state equivalents)
  • U.S. financial privacy and security laws (e.g. GLB Act and agency regulations, FFIEC guidance, Bank Secrecy Act, PATRIOT Act, etc.)
  • U.S. healthcare privacy and security laws (e.g. HIPAA, HITECH, and state laws regulating medical data, etc.)
  • Payment Card Industry Data Security Standard (PCI DSS) (including card brand security programs, contractual obligations and card brand operating regulations, etc.)
  • Identity theft laws (e.g. Identity Theft Red Flag Rules)
  • Common-law privacy torts (e.g. false light, intrusion upon seclusion, misappropriation of commercial likeness, public disclosure of private facts)
  • Consumer privacy laws (e.g. FCRA, FACTA, etc.)
  • Government privacy laws (e.g. U.S. Federal Privacy Act, E-Government Act, FISMA, etc.)
  • Wiretapping laws (e.g. Electronic Communications Privacy Act)
  • Student and parent data privacy laws (e.g. FERPA/the Buckley amendment, etc.)
  • Data destruction and disposal laws (e.g. state social security disposal laws, FACTA consumer report disposal rules)
  • Child privacy laws (e.g. COPPA)
  • Electronic voting
  • Website privacy policy and notice laws (e.g. California’s Online Privacy Protection Act)
  • Compliance with industry standards (NIST and OMB standards and guidelines for information security, Common Criteria, ISO 17799 / 27000 / 27001 / 27002, SAS 70, COBIT, OASIS, W3C, OpenID, TCG TPM, etc.)
  • International privacy and data security laws (e.g. EU Data Protection Directive, Canada PIPEDA, UK Data Protection Act, and similar laws in other countries such as Russia, Japan, Australia, Hong Kong, Israel, etc.)
  • Behavioral advertising (e.g. FTC’s Behavioral Advertising Privacy Principles)
  • Web 2.0 and new media (e.g. social networking, blogging, message boards, instant messaging, websites, etc.)
  • Intellectual property (e.g. trade secrets, copyright, trademark, domain name ownership, etc.)
  • Direct marketing – faxing, telemarketing, email marketing (e.g. FTC’s Telemarketing Sales Rule, Telecommunications and Telemarketing Consumer Protection Act, CAN-SPAM, TCPA, Junk Fax Prevention Act, etc.)
  • Privacy and security policy review and development
    • Privacy and security audits and privacy impact assessments
    • Privacy and security policy development and drafting
    • Privacy notices and management of consumer consent
    • Registration and approvals of privacy policies (e.g. from data protection authorities in Europe and elsewhere)
  • “Cyber” insurance consulting and drafting
    • Policy and endorsement drafting for carriers
    • Traditional policy coverage gap analysis
    • Cyber risk policy coverage analysis
  • Information handling and IT use policies (e.g. email policies, Internet usage policies, web-browsing policies, acceptable use policies, social networking policies and blogging policies)
  • Data retention and disposal practices review and policies
  • Transborder data flow
  • Bankruptcy and M&A data disposition