Compliance / Regulatory: Privacy and Data Security

The most effective method for reducing the risk of a cyber incident is to prepare for it. Requirements for protecting information continue to evolve, as the amount of such information grows exponentially. In fact, a patchwork of state and federal laws and regulations requires companies to employ an enterprise-level approach to managing cyber risks. Our attorneys have broad experience in helping companies across many industries asses their cyber risks and develop comprehensive and legally compliant mitigation policies and procedures.

Key components of the risk assessment and compliance services we provide include:

• Advising companies regarding the collection, use, protection, and disclosure of confidential and personal information.
• Preparing and implementing comprehensive information governance and security programs and policies with an enterprise-focused approach, including incident response plans and vendor management programs.
• Providing education and training to employees, officers, and directors relating to applicable privacy and information security policies.
• Reviewing and negotiating the terms of agreements with third-party vendors having access to personal information and conducting due diligence relating to each vendor’s information security program.
• Providing advice regarding the scope and application of cyber risk insurance policies, including the negotiation of favorable terms and conditions.
• Providing guidance on privacy and information security issues during the due diligence phase of merger and acquisition deals.
• Advising companies on proactive and cost-effective strategies for complying with the Federal Trade Commission Act and other generally applicable laws and regulations.
• Advising companies on industry-specific laws and regulations, including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

Incident Response

No matter how effective a company’s information security program may be, data security incidents are unavoidable. That said, with advance preparation and a skilled incident response team, catastrophic damage to the company is not an inevitable result of a data security incident. Our attorneys have broad experience assisting companies both during and in the aftermath of security incidents by helping them understand and navigate regulatory issues, notice requirements, public relations, and improving their information security programs moving forward. Key components of the services we provide include:

• Identifying each of the various laws and regulations implicated by the breach.
• Determining whether notice must be provided to regulators and affected individuals, including customers and company employees.
• Drafting notifications that are compliant with all applicable laws.
• Communicating with external sources, including law enforcement, media, and affected individuals.
• Advising clients with respect to the legal and public relations decisions regarding post-incident assistance to affected individuals.
• Assisting with the determination of whether insurance coverage exists.
• Investigating and addressing any criminal, employment, contractual, or other legal obligations involving the conduct of employees, vendors, or other business associates.
• Defending companies in state and federal regulatory investigations, including actions commenced by state attorneys general.
• Preparing for and defending companies in litigation that may arise from data security incidents.

Comprehensive & Collaborative Approach

Calfee's Privacy & Data Security group is an interdisciplinary and collaborative team of attorneys who have extensive experience providing clients from start-up businesses to Fortune 500 corporations with proactive guidance regarding every aspect of privacy and information security.

Our experience cuts across multiple industries and involves nearly every practice group in the firm, including:

• Compliance Services
• Corporate and Finance
• Employee Benefits and Executive Compensation
• Government Relations and Legislation
• Federal Government Contract and Agency Regulations
• Health Care
• Insurance Recovery
• Intellectual Property including information technology and trade secrets
• Labor and Employment
• Litigation
• White-Collar Defense and Litigation

We excel at providing the type of practical legal advice that allows companies to focus on achieving their business goals knowing that their compliance obligations have been satisfied and their regulatory risks have been minimized.

Global Reach

The ability to transfer customer information and other data around the world creates significant opportunities for businesses, both large and small. But with those opportunities comes risk in the form of ensuring compliance with the increasing number of privacy and information protection laws being enacted in other countries. In addition to our extensive experience with applicable federal and state privacy regulations, Calfee attorneys are well-equipped to address global privacy and data security issues, including cross-border transfers of information.

Data breaches are rarely limited to one country or geographical area. With that in mind, Calfee is an exclusive member of the Lex Mundi Global Cyber-Breach Rapid Reaction Force, a team of cyber-experts who can equip your company with an extensive and adaptable response plan in the unfortunate event that confidential information is compromised. Lex Mundi is the world's leading network of independent law firms with in-depth experience in more than 125 countries worldwide.

Privacy and Data Security Regulations

Calfee’s Information Technology practice group has advised clients in a variety of industries regarding numerous laws, regulations, security standards, and privacy frameworks, including:

• Federal Trade Commission Act (FTC Act)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Children’s Online Privacy Protection Act (COPPA)
• CAN-SPAM Act
• Electronic Communications Privacy Act (ECPA)
• Computer Fraud and Abuse Act
• Telephone Consumer Protection Act (TCPA)
• Fair Credit Reporting Act (FCPA)
• Fair and Accurate Credit Transactions Act (FACTA)
• Bank Secrecy Act (BSA)
• EU Data Protection Directive
• EU General Data Protection Regulation (GDPR)
• State privacy and breach notification laws.