Main Content


In the current world of perpetual innovation and technological change, companies face unprecedented challenges in managing and safeguarding the personal data and other confidential information of their customers, employees, and other business associates.

With one of the largest and most experienced Intellectual Property and Information Technology practices in the Great Lakes Region, Calfee's privacy and data security attorneys are well-positioned to help companies respond to critical cybersecurity incidents and otherwise navigate the complex legal framework affecting the collection, use, protection, disclosure, and transfer of personal data and other confidential information.




Incident Response

No matter how effective a company's information security program may be, data security incidents are a growing phenomenon, in both frequency and consequence. However, with advance preparation and a thoughtful incident response plan, followed by effective execution, catastrophic damage to an enterprise suffering a data breach is not inevitable. Our attorneys have broad experience assisting companies both during and in the aftermath of security incidents, helping them to understand and navigate potential liabilities, insurance coverage, regulatory issues, notice requirements, public relations, and related considerations, as well as helping to identify ways to improve their information security programs moving forward. Key components of such services may include:

  • Working with in-house personnel and, as warranted, outside consultants, to determine and verify the occurrence of a breach or other data incident.
  • Identifying various laws and regulations implicated by such incidents/breaches.
  • Determining whether notice must be provided to regulators and affected individuals, including customers and company employees.
  • Drafting notifications to affected individuals, regulators, customers, and employees consistent with applicable laws.
  • Assisting with communications with external sources, including insurers, law enforcement, and potentially the media.
  • Advising clients with respect to legal and public relations decisions regarding post-incident assistance to affected individuals.
  • Assisting with the determination of whether insurance coverage exists, communicating with insurance companies to advocate for coverage, and preparing settlement agreements with insurance companies.
  • Partnering with third-party cybersecurity experts to conduct diagnostic testing and direct investigations related to security breaches.
  • Investigating and addressing criminal, employment, contractual, and other legal obligations involving the conduct of employees, vendors, or other business associates.
  • Defending companies in state and federal regulatory investigations, including actions commenced by state attorneys general.
  • Preparing for and defending companies in litigation that may arise from data security incidents.

Risk Assessment and Compliance

The most effective method for reducing the risk of a cyber incident affecting personal data, proprietary business information, or both is to prepare for it. Requirements for protecting such information continue to evolve, as its volume continues to grow exponentially. In the U.S., an ever-growing patchwork of state and federal laws and regulations requires companies to employ enterprise-level strategies to manage cyber risks. Our attorneys have broad experience helping companies across many industries assess such risks and develop comprehensive protection and mitigation policies and procedures to meet their legal obligations.

Key components of such risk assessment and compliance services may include:

  • Advising companies regarding the collection, use, protection, disclosure, and transfer of personal data and other confidential information.
  • Preparing and implementing comprehensive information governance directives, policies, and practices, with an enterprise-focused approach, including cybersecurity implementation plans, incident response plans, and vendor management programs.
  • Counseling company management and directors on responsibilities regarding data privacy, cybersecurity, and related reporting obligations.
  • Providing education and training to employees, officers, and directors relating to applicable privacy and information security obligations and responsibilities.
  • Preparing and updating public- and user-facing privacy policies and website terms of use.
  • Preparing and updating online agreements affecting data rights, privacy, and security, including website terms of service, Software-as-a-Service (SaaS) subscriptions, and end-user license agreements.
  • Preparing employment-related privacy notices and job applicant privacy policies.
  • Reviewing and negotiating contracts with third-party service providers and vendors having access to personal information and assisting with due diligence related to vendors’ information security programs.
  • Providing advice regarding the scope and application of cyber risk insurance policies, including negotiation of terms and conditions.
  • Providing guidance on privacy and information security issues during the due diligence phase of merger and acquisition transactions and analyzing loss scenarios related to potential security breaches.
  • Advising companies on strategies for complying with numerous federal and state laws regarding data rights, privacy, and cybersecurity.

Privacy and Data Security Regulations

Calfee’s Information Technology practice group has advised clients in a variety of industries regarding numerous laws, regulations, security standards, and privacy frameworks, including:

  • Federal Trade Commission Act (FTC Act)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Children’s Online Privacy Protection Act (COPPA)
  • CAN-SPAM Act
  • Electronic Communications Privacy Act (ECPA)
  • Computer Fraud and Abuse Act
  • Telephone Consumer Protection Act (TCPA)
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Bank Secrecy Act (BSA)
  • EU Data Protection Directive
  • EU General Data Protection Regulation (GDPR)
  • State privacy and breach notification laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), Colorado’s Privacy Act (CPA), and others.

Comprehensive and Collaborative Approach

Our experience cuts across numerous industries and multiple legal disciplines, including:

  • Compliance Services
  • Corporate and Finance
  • Insurance Coverage and Insurance Recovery
  • Information Technology
  • Intellectual Property
  • Labor and Employment
  • Litigation
  • White-Collar Defense

We strive to provide practical and actionable legal advice that allows clients to focus on achieving their business goals, knowing that their obligations regarding data rights, privacy, and cybersecurity are being addressed.

Global Reach

The ability to transfer customer information and other data around the world creates significant opportunities for businesses, both large and small. But with those opportunities comes risk in the form of ensuring compliance with the increasing number of privacy and information protection laws being enacted in other countries. In addition to our extensive experience with applicable U.S. federal and state data privacy laws and regulations, Calfee attorneys work with associates across the globe through our membership in Lex Mundi, the world's leading network of independent law firms with in-depth experience in more than 125 countries worldwide, to address data rights, privacy, and cybersecurity issues, including cross-border transfers of information.

News & Events


Jump to Page