Data breaches and privacy issues can lead to costly unplanned expenses and business disruptions, as well as regulatory enforcement actions and potential lawsuits. The mere occurrence of a data breach can do significant damage to a business’s reputation. Businesses that do not take adequate measures to protect against cyber events – legally, operationally and technologically – and prepare to respond to those events often put themselves in jeopardy.
Attorneys in Archer’s Data Privacy and Cybersecurity Group take a multi-discipline approach in providing data privacy and cybersecurity services, drawing upon the expertise of attorneys from several of the firm’s practice areas, including Business Counseling, Labor and Employment, Health Care, Litigation, Intellectual Property, Commercial Law and Transactions, and Government Affairs. This collaborative approach provides clients with unmatched experience on a full range of matters.
In conjunction with clients’ in-house or retained data security and insurance professionals, we help our clients develop concrete solutions to their privacy and data security issues, comply with legal and regulatory requirements, shape their business practices to avoid costly and threatening legal and regulatory exposures and best prevent cyber events, and minimize exposures should they suffer a data breach or other loss of legally protected or confidential information.
We also help our clients respond to a cyber event or data breach by managing the investigative process, advising on legal notification and reporting requirements, and providing advice and a defense to any claims or lawsuits that may be brought against them, either by private individuals or government entities. We know what regulators expect, how they investigate and enforce data protection concerns, and the strategies that best position our clients to achieve positive results.
Data Security Counseling and Data Security Audits
Our group counsels clients regarding state, federal and international data protection and privacy laws. Although every business has legal obligations in this area, we also offer counsel with regard to industry-specific laws and regulations, including, among others, Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Electronic Communications Privacy Act, the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, the Federal Trade Commission Act, and Sarbanes-Oxley.
In providing data security counseling, we address the legal requirements applicable to the individual business and assess the legal risks associated with each client’s business and practices. We also:
- Manage cyber risk assessments and data security audits
- Help develop incident response plans
- Oversee “penetration testing”
- Develop and document policies and procedures that address privacy and information security, such as:
  - Data management (identification, classification, retention, and destruction of data)
  - Business continuity and disaster recovery
  - Monitoring (including audit logs, system events, security events, personnel and external service providers)
  - Removable media protection and restrictions
  - Anti-virus/anti-malware software
  - Patch/upgrade management
  - Remote access restriction
We assist covered entity and business associate clients, including health care providers, commercial health plans, billing companies and self-insured employer health plans, in understanding their HIPAA obligations and meeting HIPAA compliance requirements. We assist clients in:
- Working with security consultants to conduct risk analysis and identify the best approach to protecting data through the development of a security and risk management program
- Developing and implementing HIPAA policies and procedures required by the HIPAA Security and Privacy Rules
- Determining permissible uses and disclosures of PHI
- Responding to subpoenas, court orders and other demands for PHI
- Investigating potential security incidents and performing a risk analysis to determine obligations under the HIPAA Breach Notification Rule, as well as applicable State privacy laws
- Taking appropriate employment action in the event of impermissible uses and disclosures of PHI by employees
- Drafting HIPAA-compliant Business Associate Agreements and Authorizations
Data Breach Response
Our attorneys work closely with clients in security breach matters — executing swift and effective response plans. In the unfortunate event of a data breach incident, our team can help a company navigate the legal and practical hurdles.
Our services in assisting clients after a breach occurs typically include:
- Advising clients about the applicable law and required response
- Overseeing incident investigation, including:
  - Reporting to government authorities, including the FBI, U.S. Secret Service, State Attorneys General Offices, and State Police
  - Coordinating and supervising efforts among clients, their outside data security professionals and insurers, and government authorities (FBI, U.S. Secret Service, State Attorneys General Offices, State Police)
- Notifying “victims”
- Providing legal advice concerning data backup, disaster recovery, and/or data restoration plans
- Providing legal advice concerning, and documenting, steps to prevent continued or future acquisition, access, use or disclosure of the compromised data
Data Breach Litigation
We litigate individual and class action data breach claims by and against owners of private information, credit card companies, financial institutions, financial services companies, retailers, energy companies, government agencies, healthcare providers, and manufacturers, among others. We also represent businesses in recouping losses from data breaches caused by others, often in matters in which vendors and other entities with whom our clients contracted failed to meet applicable legal and contractual data security standards.
Our data privacy and cybersecurity litigation attorneys have a detailed understanding of the evolving and often contradictory array of local, national and international rules that control information privacy law and cyber security law, as well as the multiple environments where critical data lives. This enables them to make an aggressive, rapid response to information privacy law and cyber security law challenges to help clients address allegations of inappropriate or inadequate data security practices or assert claims where warranted.
Additionally, our data privacy and cybersecurity litigation attorneys work closely with Archer Discovery Strategies, an inter-practice team of firm attorneys, legal assistants and technical personnel with a particular focus on “eDiscovery” to offer clients and Archer litigation attorneys in other disciplines solutions for managing the intersection between information security law and discovery demands. These consultations occur most often when information protected by data privacy laws is relevant to litigation of any kind and subject to disclosure during the discovery process. We work to assure that our clients’ information remains protected and that other parties’ protected information is securely transferred and stored consistent with applicable laws and discovery protocols.
The manner in which a company responds to a government investigation of a cyber event may determine if it will survive the breach and continue business as usual. Government entities on all levels have authority to investigate cyber events, and different laws have different reporting requirements and obligations. Government investigations often require businesses to provide information about their customers and employees, as well as their cybersecurity practices. The business is often forced to navigate conflicting legal obligations arising out of multiple privacy and cybersecurity laws. Moreover, an evaluation of the results of an investigation could result in a recommendation to take administrative action or bring a case in court. Businesses must determine when and how to cooperate with any government investigation and how best to do so.
Based on the nature of a data breach, we work with clients to determine if they are obligated to inform law enforcement, or federal and state regulatory agencies, of the breach, and if so, the manner in which they should cooperate with a resulting investigation.
Labor & Employment Counseling
We provide labor and employment counseling to assist clients in developing and implementing privacy and information security policies that reflect the needs of their business. We review and write employee agreements and policies regarding the following, among other cyber-related areas:
- E-mail and privacy policies
- Codes of conduct
- BYOD (Bring Your Own Device)
- Social media
- Trade secrets, confidential information and intellectual property
Mergers & Acquisitions, Contract Counseling and Other Business Transactions
Important data issues arise in a variety of transactions, including mergers and acquisitions, and expose companies to substantial cybersecurity risks. Personal information and data are a strategic asset for companies and issues concerning the use, sharing or acquisition of data can have a long-term impact on a company’s business. For a company involved in the merger and acquisition process, assessing security risks is important to understand not only the information technology infrastructure and operational risks to the company, but also the security risks associated with breaches and data loss.
We counsel clients on data security and risk issues related to mergers, acquisitions, divestitures, restructurings, joint ventures, strategic alliances, outsourcing, licenses, software, website, application development agreements, and other commercial agreements. We assist clients in drafting contracts with cybersecurity requirements, as well as vendor contracts involving shared information and system access.
For transactions that involve contract review and drafting, we address the following issues:
- Ownership and licensing of data
- Definition of protected information
- Minimum security safeguards
- Oversight of security compliance (customer audits, auditing by service provider, security questionnaire)
- Obligations regarding notice/disclosure of security breaches or privacy-related compliance issues
- Security breach procedures
- Expenses of breach remediation
- Return/destruction of personal information
- Vendor/developer/licensor contracts involving shared information and system access
Insurance Coverage, Counseling and Litigation
Cyber insurance coverage is designed to cover losses arising out of cyber attacks and other privacy and data security breaches. It is an essential component of a company’s cyber risk management plan; however, many companies forego available policies due to the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organization will suffer a cyber attack. As there is no standardization of cyber insurance policies, and different industries have different kinds of risk, it is important to identify the nature and extent of an organization’s risk when considering cyber insurance. The terms and exclusions can vary dramatically from one insurer to the next. Cyber insurance policies can provide coverage for third-party liability, first-party losses or both.
There is additional perceived value to having insurance. Insurance places a dollar value on an organization’s cyber risk, which is useful for risk managers budgeting for cyber security. The underwriting process helps identify and eliminate cybersecurity gaps and provides for significant due diligence through extensive questionnaires. Insurers provide third-party assessment of an organization’s administrative, technical and physical controls. Many cyber policies bring supplemental value, as they include risk mitigation tools, significant incident response assistance following a cyber incident, and put approved vendors in place.
Our group advises clients when purchasing coverage to ensure that a policy matches a business’s specific needs. We advise on appropriate limits and sublimits and match a company’s limits with realistic exposure and the organization’s risk appetite.
International Data Privacy Compliance
We assist clients in understanding international data obligations and meeting data protection requirements in a variety of jurisdictions, including the forthcoming General Data Protection Regulation in the European Union and the EU-US Privacy Shield. We provide guidance to help identify the best approach to protecting, processing and transferring data and developing a data management program to be compliant with international obligations. Our group advises clients in cross-border discovery, including obtaining evidence located abroad and addressing evidence requests from parties to a foreign or international proceeding.