Privacy & Data Security

Data breach, breach response, cyberliability, drones, and encryption are just a few of the terms that have worked their way into our vocabulary as businesses use evolving technologies to collect and maintain increasing amounts of electronic data. Competitive pressures require companies to take advantage of these efficiencies, but raise a host of new and ever-changing security risks, privacy considerations, compliance concerns, and legal requirements.

Our interdisciplinary team has significant experience in advising legal departments, boards, executive leadership, and compliance and IT teams on sophisticated and practical data management, data security and privacy matters, including proactive data security and privacy strategic planning, breach preparation and cybersecurity risk management, security breach response, and national and global privacy and security program design and implementation. We provide practical advice to clients on how they can collect, use, and share data and still meet their operational and organizational goals while complying with the ever-changing privacy laws, regulations, and industry standards, including: California Consumer Privacy Act (CCPA); EU General Data Protection Regulation (GDPR); EU ePrivacy Directive; Health Insurance Portability and Accountability Act (HIPAA); Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); China’s Cybersecurity Law; Fair Credit Reporting Act (FCRA); Gramm-Leach-Bliley Act (GLBA); Telephone Consumer Protection Act (TCPA); Electronic Communication Privacy Act (ECPA); Children’s Online Privacy Protection Act (COPPA); U.S. state privacy laws; Federal Trade Commission (FTC) Guidance; Payment Card Industry Standards (PCI); and the Network Advertising Initiative’s Code of Conduct. Our attorneys closely track developments at the state, federal and international levels to ensure that our clients are always fully informed of and compliant with changes in the legal and regulatory environment.

With regard to HIPAA/HITECH specifically, we counsel hospital companies and healthcare providers on the increasingly stringent federal laws and regulations related to HIPAA compliance and the privacy and security of personal health information, including federal and state security standards, business associate standards and breach reporting requirements. We navigate state and other requirements related to responding to data breaches, preventing identity theft, implementing necessary policies and training employees. As providers incorporate information security and electronic health records (EHR) into their compliance plans and patient experience, we counsel them with respect to the use of mobile devices, including physician use of mobile devices to transmit and access electronic patient records.

Our attorneys assist clients with:


  • Data security and privacy policies and procedures.
  • Incident response plans.
  • Employee training.
  • Negotiation of vendor and other business partner contracts.
  • Investigation of data security incidents.
  • Data breach responses and customer notifications.
  • Cybercrime investigations and reporting.
  • Interacting with law enforcement and regulators.
  • Pursuit of claims against responsible parties.
  • Defense of claims from customers, business partners and regulators.

Information Blocking

The information blocking regulations issued by the Office of the National Coordinator of Health Information Technology (ONC) pursuant to the 21st Century Cures Act (Information Blocking Rules) present complex operational, compliance and security challenges for a variety of entities across the healthcare landscape. Healthcare providers, health IT developers of certified IT, and health information exchanges and networks (HIEs/HINs) must take proactive steps to comply with the new regulatory structure that upsets traditional methods for addressing requests for electronic health information (EHI).

Drawing from our extensive knowledge of healthcare regulatory and data privacy matters, our multidisciplinary team provides practical solutions to the commercial and regulatory issues that come with navigating the intersection of Information Blocking Rules, Health Insurance Portability and Accountability Act (HIPAA), other federal and state laws and operational concerns. We assist a wide range of healthcare companies with compliance and implementation of the Information Blocking Rules, including operationalizing these rules in alignment with existing processes. We advise healthcare providers, health IT developers and HIEs/HINs on the following:

  • Interpreting the Information Blocking Rules and how to maintain HIPAA and 42 CFR Part 2 compliant programs.
  • Developing compliance plans, including revising existing policies and drafting new policies, and advising on how to support new workflows.
  • Conducting a gap analysis, identifying which requirements are being satisfied and fulfilled by existing technology tools and processes.
  • Identifying and implementing new tools and processes necessary to remain compliant with the Information Blocking Rules.
  • Creating information blocking monitoring systems.
  • Developing internal education and communication materials.

  • We counseled an academic medical center on international data protection regulations that apply to a global disease surveillance platform involving data from dozens of countries. (Client Type: Nonprofit)
  • We advise professional sports organizations, including NFL and MLS franchises, with respect to intellectual property licensing and enforcement matters, events and entertainment agreements, major sponsorship and technology agreements, registration, protection and enforcement of trademarks, trademark and copyright clearance issues, domain name issues, website and mobile app privacy policies and data collection practices (including responses to potential data breaches), as well as legal compliance in connection with fan rewards marketing programs. (Client Type: Private Company)
  • We advise a multinational specialty manufacturing and technology company in all domestic and international privacy and data protection matters, including assistance in implementing a privacy compliance program and drafting license and services agreements, including data use and rights terms, and data access and deletion request response procedures. (Client Type: Private Company)
  • We advise a leading U.S. provider of senior care and assisted living communities with respect to state privacy law, PCI... (Client Type: Public Company)
  • We serve as lead outside counsel for a global Fortune 500 media company negotiating data protection and privacy agreements and contractual terms, including for engagements of ad tech, security infrastructure, financial services, and clinical healthcare service providers, as well as advising on U.S. and international security and privacy regulations and self-regulatory framework compliance. (Client Type: Public Company)
  • We advise a Fortune 100 healthcare company on both HIPAA and non-healthcare regulatory privacy legal compliance, including assistance with consent management, data usage rights, and enterprise-wide multi-disciplinary design of a patient communications system. (Client Type: Public Company)
  • We advise a global retailer on privacy, security and data protection compliance matters, including with respect to U.S. state and... (Client Type: Public Company)
  • We provide ongoing counseling and assistance with U.S. and international data protection and privacy legal and regulatory compliance matters and contract negotiation for an international nonprofit association in a highly regulated industry, including updates and revisions to multiple privacy notices and policies for various audiences and stakeholders, negotiation of data protection, privacy and data rights terms in client and supplier agreements, implementation of data transfer mechanisms, and counseling with respect to information security and data management practices. (Client Type: Nonprofit)
  • We provide ongoing counseling and advice for a publicly-traded health and wellness company regarding privacy and data protection compliance matters with respect to state and federal privacy laws, including the California Consumer Privacy Act (CCPA), including mergers and acquisitions compliance diligence, and assistance with development of an effective data governance and privacy compliance program. (Client Type: Public Company)
  • We provide ongoing counseling and assistance with data protection and privacy legal and regulatory compliance matters for a multinational wellness company, including developing and updating privacy notices and security policies, advising on data governance across the organization, drafting and implementing data access and deletion request response procedures and programs, and negotiating vendor agreements, including privacy, security and data protection terms. (Client Type: Private Company)

Richard W. Arnholt
Member
Ryan R. Baker
Member
Jaime L. Barwig
Member
Michael A. Brady
Member
Robert L. Brewer
Member
Emily A. Burrows
Member
Stefanie P. Carter
Associate
Stefanie Colletier
Associate
Alexandria Wood Davenport
Associate
Jeff H. Gibson
Member
Chelsea L. Harrison
Associate
Elizabeth Harwood
Associate
Johnathan D. Holbrook
Associate
Ashleigh Karnell
Associate
Anthony J. McFarland
Member
Paige Waldrop Mills
Member
Jacquelyn Papish
Associate
Lisa S. Rivera
Member
Emily C. Snyder
Associate
T. Stephen C. Taylor
Member
Shelley R. Thomas
Member
Nesrin Garan Tift
Member
Janelle D. Waack
Member
Kathryn Hannen Walker
Member
Elizabeth S. Warren
Member
Caitlin Wilkinson
Associate