Privacy, Security and Data Protection
Practice Leader: Sharon R. Klein
Technology has allowed businesses to collect vast amounts of personally identifiable information and other sensitive data, and use that data to work better, faster and more efficiently with their customers, employees, business partners and others. Unfortunately, too often that sensitive information is not secure, leading to identity theft, intellectual property and trade secret theft, attacks on critical information systems, counterfeiting of valuable goods, and detrimental or even criminal activity.
To help combat those problems, businesses must comply with an increasingly complex array of state, federal and international laws designed to protect the privacy and security of personally identifiable or competitively sensitive information.
Pepper Hamilton LLP advises businesses on planning, drafting and implementing privacy, security and data protection policies and “best practices,” compliance with applicable laws, regulations and rules, and crisis management and litigation strategies for non-compliance. We counsel on such issues as data security and breach of security issues, online security and privacy, domestic and international anti-spam legislation, and issues specific to industries such as health care, financial services, and manufacturing and retail. We have defended litigation stemming from breaches of personally identifiable information and have defended executives and corporations in white collar investigations relating to compliance issues.
Members of Pepper’s Privacy, Security and Data Protection Group have diverse backgrounds and practices, but a common goal: helping businesses understand and comply with the complex and fast-moving area of privacy, security and data protection laws and regulations. The group includes experienced corporate and transactional lawyers, intellectual property counselors, health care lawyers, veteran trial lawyers and government contracts/regulatory and white collar attorneys.
Many of our lawyers have significant experience as in-house counsel for private corporations or the government, which offers a unique and valuable perspective when approaching privacy, security and data protection. In addition, our clients have immediate access to our more than 500 lawyers experienced in a wide range of related areas, such as intellectual property, health care, financial services, employment, international trade, technology and government contracts, to handle any legal issues as quickly and efficiently as possible.
Our clients include businesses of all sizes in all fields, including:
- software, data, cloud computing and technology services
- higher education
- database management and system integration
- Internet marketing, online advertising and sales
- health care, life science and pharmaceutical services
- social media, communications and entertainment
- financial services
- manufacturers and retailers.
We help clients develop privacy, security and data protection policies and practices tailored to their businesses. We advise on implementation and enforcement of privacy and security policies in transactions and agreements with vendors, business partners and other third parties. We help clients protect against and respond to security and privacy breaches.
Pepper lawyers also identify and address privacy, security and data protection issues in mergers, acquisitions and other corporate transactions, including those with the U.S. government. Additionally, we help clients navigate complex issues regarding e-discovery and employee surveillance in the workplace. As businesses increasingly move into online and digitized markets, we counsel them about new and continuing online privacy, security and consumer protection issues and litigate related compliance issues.
We focus on:
Effective Procedures and Policies:
- providing best practices and standard operating procedures to assure compliance with laws, rules and regulations
- creating corporate policies for voice mail, e-mail, social media and Internet use by employees, and security measures for third-party providers
- counseling regarding employee privacy issues, including searches of employee property and drug and alcohol testing; and advising clients regarding employee nondisclosure obligations for confidential and proprietary information
- counseling clients on securing, maintaining and enforcing cyber insurance policies
- developing and implementing permissible online marketing practices and advising on anti-spam legislation
- advising banks, financial institutions, higher education and health care institutions on the development and implementation of an information security program, including an effective customer response in the event of a security breach
- conducting comprehensive privacy, security and data protection audits.
Litigation and Regulatory Issues:
Assist clients with investigations and audits including:
- responding to government and third-party requests for information
- managing liability and defending litigation related to breach of security or privacy of personally identifiable information
- taking action, whether by way of suit or pursuit of administrative remedies, to stop and rectify breaches once they occur.
Pepper lawyers are knowledgeable about developments in U.S. federal, state and industry-specific privacy, security and data protection laws, regulations and practices, as well as global laws and regulations in the European Union, Asia, Canada and other jurisdictions.
We have experience analyzing and applying privacy, security and consumer protection laws and regulations, including the Gramm-Leach-Bliley Act, the Electronic Communications Act, the Computer Fraud and Abuse Act, the Privacy Act of 1974, the Video Privacy Protection Act, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Children’s Online Privacy Protection Act and the CAN-SPAM Act. We also are experienced in analyzing and assisting with compliance with international laws, such as the EU Data Protection Directive.
- advising on industry-specific privacy and security laws and regulations and assisting with investigations and reporting obligations to industry regulators
- counseling major global companies at the moment of the breach crisis in responding to security incidents
- advising companies on positioning a breach event in the best light to avoid litigation and reputational damage
- counseling clients on handling data breaches, including assisting a major automobile manufacturer with breach notifications for residents of 44 states and special notifications to appropriate state attorneys general
- assisting a major pharmacy company with its reporting and monitoring obligations to comply with an FTC consent order and compliance plan, including monitoring privacy and security certifications of third parties
- providing awareness training on legal obligations for privacy and security to a global testing company, including computer-based training and in-person lectures
- creating compliance systems for government contractors
- counseling clients on the implications of state, federal and international laws and regulations, including those of California and other U.S. states, Canada, Asia, the European Union and other foreign countries
- advising clients on de-identifying data.
- understanding ownership of data and databases, including advanced data analytics and data mining tools
- identifying and addressing privacy, security and data protection issues in mergers, acquisitions and other corporate transactions
- negotiating and managing the execution of offshore outsourcing to comply with U.S. and foreign regulations, including data protection
- counseling both sides of a transaction about data transfers and data governance
- facilitating the setup and operation of Web stores with international reach with an eye to the myriad of international regulations.
- obtaining substantial judgments for damages, attorneys’ fees and a permanent injunction against an Internet counterfeiter of software of four major software developers and an Internet seller of infringing software of several major developers
- proving the falsity of the claim of a senior corporate executive, terminated for cause, that all of the e-mails had been “scrubbed” from his corporate laptop without his knowledge, by identifying the rogue vendor of the scrubber software through expert analysis and then procuring from the vendor, under threat of contributory liability/subpoena, the customer record that positively identified the former executive
- defending litigation regarding a breach of privacy and security for a global electronics and electrical engineering company.
- assessing, designing and implementing more than 250 national and international information security and privacy compliance programs for corporations, state governments, retail organizations, financial institutions, health care providers and not-for-profit entities
- providing privacy, security and data protection advice relating to offshore processes in structuring outsourcing transactions (some exceeding $1 billion) to transfer all information technology to major outsourcing vendors and developing service levels to facilitate optimum performance
- assisting a large medical center in a breach response related to the improper disclosure of almost one million patient records
- advising a large regional banking organization following the loss of sensitive customer information affecting substantially all of its customer base, and assisting in all mitigation efforts and in compliance by such institution with all federal and state laws governing such data breach
- counseling with respect to a data breach involving customer personal financial information, including counseling on the response, contacting regulatory authorities, working with public relations professionals, and advising on federal and state law requirements