Advertising & Marketing   CPO on Demand™   Intellectual Property   Privacy & Data Security   M&A Due Diligence   Technology

Privacy & Data Security

InfoLawGroup has a sophisticated information governance practice that addresses all aspects of privacy, data security and the issues associated with big data and the collection, storage and sharing of information.


Our Services

Privacy Counseling

Our lawyers work closely with clients on all aspects of privacy compliance, including with regard to federal, state (and sometimes local) regulation. Our advice is practical,
and our clients count on us to find solutions to business problems. We draft consumer, employee and b2b privacy notices and disclosures, advise on consent and choice
mechanisms, conduct audits, provide “privacy by design” advice for new products and services, and launch compliant marketing campaigns. We understand all aspects of the ad-tech industry, and regularly advise publishers, advertisers, data enhancement services, technology service providers, and others in the ecosystem on compliance. In addition to regularly advising on the FTC Act and related unfair and deceptive trade practice laws, we advise on specific statutes, regulations and industries, including:

  • Ed-Tech and student privacy laws (including FERPA and various state statutes)
  • Fin-Tech and U.S. financial privacy and security laws (including GLB Act and agency regulations)
  • Consumer credit laws (e.g. FCRA, FACTA, etc.)
  • Video Privacy Protection Act (VPPA) and similar state laws
  • Marketing to and collecting information from children (including COPPA and CARU regulations)
  • U.S. healthcare privacy and data security laws (including HIPAA and related state regulation)
  • Direct Marketing (including CAN-SPAM and TCPA compliance)
  • ADA accessibility for websites and online services (including W3C Web Content Accessibility Guidelines (WCAG) compliance)
  • Wiretapping laws (e.g. Electronic Communications Privacy Act)
  • Self-Regulation and behavioral advertising (including DAA and NAI compliance)
  • Bankruptcy and M&A data disposition
  • Analyzing transactions with third parties that contemplate data sharing and advising on any required consumer notice/consent

Security Counseling

Data security is a fundamental aspect of risk management. We provide counsel on the convergence of the legal and technology compliance issues, including:

  • Addressing key contractual clauses and drafting and negotiating data protection addenda
  • Advising on “reasonable” security in light of the data at issue and the potential applicable regulations
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Drafting internal guidelines and policies, addressing the legal issues associated with state security laws (including the Massachusetts Standards for the Protection of Personal Information, Nevada’s Security of Personal Information laws, and the New York Department of Financial Services security standards)
  • Coordinating with the IS and IT teams
  • Compliance with industry standards (for example, NIST and OMB standards and guidelines for information security)
  • Data storage, retention and disposal and drafting and implementing internal policies to address these issues

Global Privacy Issues

We work with clients to address compliance with non-U.S. laws and international agreements and standards that apply to their operations, coordinating and working with
local counsel as needed.

We advise on overall EU GDPR and ePrivacy and Canadian PIPEDA and CASL compliance for US companies, as well as cross border data transfers, required disclosures, data protection impact assessments, notifications or prior authorizations where required, participation in the US-EU and US-Swiss Privacy Shield programs, data protection addendum and data transfer agreements using EU-approved model contracts, and national authorizations or contractual arrangements outside the EU.

We have deep experience with compliance solutions for ecommerce or mobile apps, cross-border marketing campaigns, and human resources in multinationals operating in virtually every country with comprehensive data protection laws or relevant sectoral legislation. Because of this, we are able to quickly identify potential issues and help companies devise global solutions with practical local adaptations where needed.

Breach Notification & Incident Response

Our lawyers are instrumental in helping our clients navigate their preparedness for a data breach and in addressing the compliance in the event of an incident. Our work includes:

Planning and Policies

  • Records management (e.g. records retention, litigation hold planning, data classification, records disposal, etc.)
  • Security incident response planning (e.g. breach notice law compliance, HITECH Act, payment card and PCI-DSS breach planning, GDPR and Canadian breach notifications)
  • Written security incident response plans
  • Third party incident response planning and contracts (e.g. contractually ensuring that vendors are aligned with client’s incident response strategy)

Notice and Response

  • Coordinate incident response team (e.g. forensics, security, public relations, insurance, etc.)
  • Breach notice law applicability analysis
  • Drafting written notices to individuals affected by breach
  • Communication with law enforcement and governmental agencies (e.g. FTC, DOJ, local law enforcement, state attorneys general, consumer protection agencies, Canadian and European data protection authorities, etc.)
  • Develop communication strategies, including with affected stakeholders (e.g. consumers, employees, merchant banks, payment processors, card brands, issuing banks, etc.), HITECH Act notice response actions, and payment card breach notice response actions

Litigation Readiness and Electronic Evidence Management

  • Establish attorney-client privilege
  • Analyze legal risk of organization due to breach
  • Develop defense strategies and legal theories in the event of litigation
  • Determine mitigating actions of organization
  • Manage forensic team efforts for gathering relevant data
  • Coordinate preservation and collection of relevant data

Internal Compliance and Training

We assist with privacy and data security policies that govern the internal use, sharing, storage and securing of data. We also assist clients in obtaining third party audits,
working with consultants, and obtaining 3rd party seals and certifications. We conduct training sessions to assist our clients in ensuring ongoing compliance with the law and their own policies with regard to data.


We draft and negotiate contracts or specific provisions in contracts to address data security, data collection and data sharing issues.

I appreciate the expertise of InfoLawGroup, in particular that of Justine and Scott, in connection with our GDPR compliance project and related privacy issues. They combine expertise and breadth of knowledge with a common sense, practical approach to addressing our complex data privacy issues.
— Debra J. Stanek, Assistant General Counsel, Wilton Brands LLC