Privacy and Data Security

Our lawyers work closely with clients on all aspects of privacy compliance, including with regard to federal, state (and sometimes local) regulation. Our advice is practical, and our clients count on us to find solutions to business problems. We draft consumer, employee and b2b privacy notices and disclosures, advise on consent and choice mechanisms, conduct audits, provide "privacy by design" advice for new products and services, and launch compliant marketing campaigns. We understand all aspects of the ad-tech industry, and regularly advise publishers, advertisers, data enhancement services, technology service providers, and others in the ecosystem on compliance. In addition to regularly advising on the FTC Act and related unfair and deceptive trade practice laws, we advise on specific statutes, regulations and industries, including:

• Ed-Tech and student privacy laws (including FERPA and various state statutes)
• Fin-Tech and U.S. financial privacy and security laws (including GLB Act and agency regulations)
• Consumer credit laws (e.g. FCRA, FACTA, etc.)
• Video Privacy Protection Act (VPPA) and similar state laws
• Marketing to and collecting information from children (including COPPA and CARU regulations)
• U.S. healthcare privacy and data security laws (including HIPAA and related state regulation)
• Direct Marketing (including CAN-SPAM and TCPA compliance)
• ADA accessibility for websites and online services (including W3C Web Content Accessibility Guidelines (WCAG) compliance)
• Wiretapping laws (e.g. Electronic Communications Privacy Act)
• Self-Regulation and behavioral advertising (including DAA and NAI compliance)
• Bankruptcy and M&A data disposition
• Analyzing transactions with third parties that contemplate data sharing and advising on any required consumer notice/consent

Data security is a fundamental aspect of risk management. We provide counsel on the convergence of the legal and technology compliance issues, including:

• Addressing key contractual clauses and drafting and negotiating data protection addenda
• Advising on "reasonable" security in light of the data at issue and the potential applicable regulations
• Payment Card Industry Data Security Standard (PCI DSS)
• Drafting internal guidelines and policies, addressing the legal issues associated with state security laws (including the Massachusetts Standards for the Protection of Personal Information, Nevada's Security of Personal Information laws, and the New York Department of Financial Services security standards)
• Coordinating with the IS and IT teams
• Compliance with industry standards (for example, NIST and OMB standards and guidelines for information security)
• Data storage, retention and disposal and drafting and implementing internal policies to address these issues

We work with clients to address compliance with non-U.S. laws and international agreements and standards that apply to their operations, coordinating and working with local counsel as needed.

We advise on overall EU GDPR and ePrivacy and Canadian PIPEDA and CASL compliance for US companies, as well as cross border data transfers, required disclosures, data protection impact assessments, notifications or prior authorizations where required, participation in the US-EU and US-Swiss Privacy Shield programs, data protection addendum and data transfer agreements using EU-approved model contracts, and national authorizations or contractual arrangements outside the EU.

We have deep experience with compliance solutions for ecommerce or mobile apps, cross-border marketing campaigns, and human resources in multinationals operating in virtually every country with comprehensive data protection laws or relevant sectoral legislation. Because of this, we are able to quickly identify potential issues and help companies devise global solutions with practical local adaptations where needed.

Our lawyers are instrumental in helping our clients navigate their preparedness for a data breach and in addressing the compliance in the event of an incident. Our work includes:

Planning and Policies

• Records management (e.g. records retention, litigation hold planning, data classification, records disposal, etc.)
• Security incident response planning (e.g. breach notice law compliance, HITECH Act, payment card and PCI-DSS breach planning, GDPR and Canadian breach notifications)
• Written security incident response plans
• Third party incident response planning and contracts (e.g. contractually ensuring that vendors are aligned with client's incident response strategy)

Notice and Response

• Coordinate incident response team (e.g. forensics, security, public relations, insurance, etc.)
• Breach notice law applicability analysis
• Drafting written notices to individuals affected by breach
• Communication with law enforcement and governmental agencies (e.g. FTC, DOJ, local law enforcement, state attorneys general, consumer protection agencies, Canadian and European data protection authorities, etc.)
• Develop communication strategies, including with affected stakeholders (e.g. consumers, employees, merchant banks, payment processors, card brands, issuing banks, etc.), HITECH Act notice response actions, and payment card breach notice response actions

Litigation Readiness and Electronic Evidence Management

• Establish attorney-client privilege
• Analyze legal risk of organization due to breach
• Develop defense strategies and legal theories in the event of litigation
• Determine mitigating actions of organization
• Manage forensic team efforts for gathering relevant data
• Coordinate preservation and collection of relevant data

We assist with privacy and data security policies that govern the internal use, sharing, storage and securing of data. We also assist clients in obtaining third party audits, working with consultants, and obtaining 3rd party seals and certifications. We conduct training sessions to assist our clients in ensuring ongoing compliance with the law and their own policies with regard to data.

We draft and negotiate contracts or specific provisions in contracts to address data security, data collection and data sharing issues.

A purchase or investment in a company raises key privacy and data security issues, which can affect both valuation and potential liabilities. We assist companies, venture capital firms and other investors, along with their M&A attorneys, in conducting key due diligence and integration compliance tasks, including:

• Assessing whether consumer data may be transferred under seller's privacy policy and the legal risk of the transfer of information from one entity to another, advise on any restrictions or necessary steps to be taken in connection with the transfer, and help clients mitigate any risk
• Drafting privacy and data security portion of due diligence questionnaire
• Investigate potential vulnerabilities and prior liabilities, including any previous data security breaches
• Drafting privacy and data security clauses, including representations and warranties and appropriate indemnification, for Asset Purchase and similar agreements
• Analyzing existing data held by the target company (e.g., consumer and employee data) and the seller's current state of legal compliance, including in connection with applicable laws (e.g., Telephone Consumer Protection Act (TCPA), Children's Online Privacy Protection Act of 1998 (COPPA), CAN-SPAM Act, and the Video Privacy Protection Act (VPPA))
• Advising clients on mergers and acquisitions in specific business sectors in which privacy is heavily regulated, such as the health care industry (including HIPAA, HITECH, and state laws regulating medical data), the financial industry (including GLB Act and agency regulations), and consumer reporting industry (including Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA))
• Reviewing target company cybersecurity and data privacy programs
• Assessing target company's key vendor contracts with regard to privacy, data security and integration issues
• Assisting in all aspects of data integration and post-investment or sale compliance