Data Privacy and Protection
"Very thorough, great communication and excellent legal experience." "Tremendous counsel with a great track record - they are a cut above the rest."
2013, NJ and CT Litigation: General Commercial
Strategic Planning, Crisis Management, and Litigation Defense
The Data Risk Crisis
Innovations in technology have increased our access to information, but at the same time created many new challenges in managing and protecting confidential and personal data. The potential business and legal implications of data breaches are complex and can include data loss, loss of customer loyalty and brand value, negative press, litigation, and regulatory and compliance pressures (at the state, federal, and international levels).
The vast majority of businesses in the United States face expanding responsibility and risk in the area of data security. At Day Pitney LLP, we have formed a multidisciplinary team of lawyers to help clients review data privacy and protection practices and policies, design and implement new policies where needed, plan for the effective management of crises that might arise as a result of data security breaches and disclosures, quickly and efficiently respond to such events, and defend any resulting litigation. We work closely with in-house legal counsel, compliance officers, IT management, senior management, accountants, independent auditors, insurance companies, data breach preparation and remediation consultants, crisis responders, and boards of directors on these tasks. Our goal is to provide practical and timely advice in the face of a constantly changing data privacy and protection landscape.
Our Services in Data Privacy and Protection
Legal protection of private personal information and personal health information has become increasingly complex over the past decade. In the United States, a labyrinth of state and federal legislation and regulation has developed, beginning with the provisions of the Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Act of 1999, and now including Federal Trade Commission and other federal agency rules, the Sarbanes-Oxley Act, a large number of state laws, and a variety of industry self-regulatory requirements. Moreover, evolving technology makes strategic planning for data protection even more difficult.
Widespread public concern about data security breaches, identity theft, and class action litigation has created a tremendous focus on business data protection practices and a growing awareness of the risks resulting from lax practices. Boards of directors have demanded increased management oversight and reporting relating to enterprise-wide data privacy and protection practices. Many large and small companies have begun regular reviews of existing data privacy and protection policies and crisis management planning.
At Day Pitney LLP, we believe that new strategies need to be developed in order to cost-effectively review existing enterprise-wide data privacy and protection policies, design and implement new policies where warranted, and plan for the effective management of the crises/litigation that might arise as a result of proscribed data disclosures. To support our clients in this important undertaking, our team of lawyers works closely with our clients and other necessary professionals to focus on the complex task ahead. Drawing upon our broad experiences in the fields of law, compliance, information technology, finance, and public policy, Day Pitney's Data Privacy and Protection practice group is well-situated to provide sound, innovative advice on evolving privacy and data protection issues.
We stand prepared to assist our clients in connection with the necessary strategic thinking and fast response required to develop and implement an effective data privacy and protection plan or response.
Day Pitney has counseled many clients on the reduction and management of data risk or following actual and suspected data breach incidents. We have assisted clients with investigations and the regulatory notice and remediation required under various states' laws. Our extensive experience in data risk management and reduction gives our clients an edge in responding to confirmed or alleged data breaches. The following are some representative matters:
- Advised a large retail chain after it was discovered that a trusted employee had permitted unauthorized parties access to credit card transaction files. During the course of a forensic investigation conducted under Day Pitney's supervision and guidance, changes to processes and procedures were implemented.
- During the course of an ongoing cyberattack, advised a services company that was responsible for hosting online banking websites for major regional banks and credit unions. Day Pitney assisted in coordinating international, federal, and state governmental investigations and responses.
- Counseled client's board of directors in connection with its responses to inquiries from bank clients and bank regulatory agencies.
- Served as outside privacy counsel for a large health insurance company, responding to unauthorized disclosures of personal health information and personal financial information.
- Advised a large retail chain in connection with preparing notices to consumers and governmental agencies throughout the United States, following the discovery of a data breach resulting from employee misconduct.
- Counseled a small online e-commerce company after it was advised that it was the alleged gateway of an intrusion that had originated offshore and had been detected at a third-party financial institution.
- Counseled a school system following the loss of a laptop containing records protected under FERPA and HIPAA.
- Successfully defended a putative class action brought against an online retailer, alleging violations of federal law requiring credit card information to be kept confidential and preventing disclosure in receipts and other communications with customers. The court dismissed the action pursuant to Day Pitney's motion based on Seventh Circuit law.
- Counseled a regional bank regarding compliance with state and federal laws and regulations regarding notices to law enforcement, regulators, and customers after it was discovered that a trusted employee was stealing and selling the bank's used computer hard drives to a computer reseller.
- Represented an e-commerce website operator regarding notices to law enforcement and customers in various states and its agreements with credit card companies after it was discovered that the website's systems had been breached and credit card information accessed.
- Served as lead counsel to a State-funded Health Information Exchange on all phases of formation and operation, including drafting and implementing information privacy and security policies, developing and implementing patient consent procedures, drafting associated consent forms, performing risk analysis, and assessing vendor technology capabilities and interoperability and vendor compliance. Representation included identifying industry best practices and tracking federal and state policies and regulations and proposed legislation. It also included interpretive guidance concerning HIPAA, HITECH, and FTC compliance, as well as compliance with federal substance abuse regulations and other federal and state medical privacy laws.
Our attorneys are frequent lecturers and are often quoted in the press on all aspects of consumer privacy and data privacy and protection.