One of the fastest changing areas in law and business today is the protection of business data. Corporations are continuously developing new ways to protect sensitive data. Data thieves are simultaneously becoming more sophisticated in their ability to unlawfully access this data, and their attacks are resulting in more harmful consequences. In an attempt to manage the situation, regulators are imposing additional requirements and standards at an accelerated pace, causing further compliance challenges. New types of unpredictable litigation are also beginning to emerge due to the quickly changing laws and lack of precedent in this area.
The cybersecurity and data privacy team at HunterMaclean helps clients take a practical and strategic approach to managing the legal, business, and reputational risks associated with sensitive data. Our approach is methodical and individualized. We advise clients on a wide range of issues and help strategically prioritize and manage data privacy and cybersecurity risks in a proactive and coordinated manner. Below we outline some of the services we provide.
Incident Preparation & Breach Response
- Help clients comprehensively assess the specific data they hold and the unique risks and legal obligations associated with that data.
- Assist clients in the development of written information governance, privacy, security, and incident response plans, as well as evaluating and strengthening those plans through tabletop and other exercises. Examples include drafting:
  - Data Transfer Agreements
  - Data Processing Agreements
  - Privacy and Security Policies
  - Data Governance Policies
  - Business Associate Agreements
  - Website Terms and Conditions
  - Incident Response Plans
  - Bring Your Own Device (BYOD) Policies
- Counsel clients on creating procedures for whistleblowers to report data privacy and cybersecurity incidents internally.
- Participate as members of incident response teams to achieve the best possible outcome:
  - Guide investigations
  - Work with law enforcement
  - Advise on notification obligations (or advise if no such obligations exist)
  - Prepare notification letters
  - Preserve privilege
  - Manage crisis communications
- Participate in regularly scheduled meetings to discuss security incidents and recent developments in data privacy and security law and determine appropriate strategy and next steps.
- Work with senior management and corporate boards to formulate policies and provide oversight processes that address emerging data privacy and cybersecurity risks.
- Evaluate the effectiveness of existing internal cyber and privacy governance mechanisms to create a better, more efficient process.
- Advise on industry standards and best practices for similarly situated organizations.
Regulatory & Compliance
- Advise clients on regulatory and compliance obligations throughout the United States and the world. These regulations are too numerous to list (and changing daily), but some of the better-known ones include:
  - Health Information Portability and Accountability Act (HIPAA) and related legislation, including Health Information Technology for Economic and Clinical Health (HITECH)
  - Financial Services Modernization Act or Gramm-Leach-Bliley Act and its implementing regulations
  - Fair Credit Reporting Act and its Fair and Accurate Credit Transactions Act (FACTA) amendment
  - Electronic Communications Privacy Act and the Computer Fraud and Abuse Act
  - Federal Trade Commission Act and the US Federal Trade Commission (FTC)
  - Driver’s Privacy Protection Act
  - Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)
  - Telephone Consumer Protection Act (TCPA) and associated regulations
  - Children’s Online Privacy Protection Act (COPPA)
  - Video Privacy Protection Act (VPPA)
  - Right to Financial Privacy Act
  - Judicial Redress Act
  - European Union General Data Protection Regulations (GDPR), including the EU-US Privacy Shield
  - State privacy and breach notification requirements, including the California Consumer Privacy Act of 2018
  - Pending legislation, including bills that would expand privacy regulation
  - Clarifying Lawful Overseas Use of Data Act, or CLOUD Act of 2018 (and subsequent Executive Agreements)
- Help clients comply with a myriad of laws and regulations restricting international data transfers, such as International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR).
- Assist in privacy audits (and the changes necessary as the result of those audits) to decrease legal, business, and reputational risk.
- Advise on data retention and data destruction requirements for applicable data and draft policies related to the same.
- Provide advice on training employees to understand the risks and to protect the company’s data.
Contracting and Supply Chain Management
- Advise clients on the legal risks created by the use of third-party vendors and approaches to mitigate this risk.
- Draft various agreements to help ensure proper privacy and security protections are utilized by third-party vendors.
- Structure relationships with outside experts to assess privacy and cybersecurity risks without putting the corporation further at risk.
- Draft vendor assessment questionnaires to assist in third-party vendor due diligence.
- Defend clients after privacy breaches and cybersecurity incidents.
- Litigate cutting-edge data privacy and cybersecurity issues, including use of drones.
- Respond to government agency investigations.
- Represent clients in administrative and regulatory proceedings.