Practice/Industry Group Overview
Increasingly, our clients must cope with matters related to data breaches, privacy and obligations imposed by new data protection laws in the US and other countries. The firm has an inter-disciplinary Privacy Group with considerable experience in addressing, on a practical basis, these new statutes and regulations in a number of jurisdictions and countries, and along with our Financial Services Litigation Group and Class Action Group defends such actions.
The state data breach notification acts, HIPAA, PATRIOT Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act amendments, CAN-SPAM Act, E.U./U.S. Safe Harbor program, and other internet and electronic communications laws and regulations create special obligations as to personal information created and transmitted within the US, and to the US from EU countries and elsewhere. Sometimes our clients are subject to more than one of these laws simultaneously. Privacy Group members have represented and advised numerous companies, including multi-nationals, universities, service firms, life science companies and other entities on these matters, and have written and lectured extensively on these subjects, including internationally, and collaborated with government regulators.
Agreements relating to transactions, licenses, and services arrangements increasingly include provisions and reps/warranties concerning one or more of these requirements. Some clients, particularly those with branches in the EU or those obtaining, storing or transferring employee, customer or medical information, have multiple data privacy and data security compliance obligations. Yet other clients have to disclose electronically stored information sometimes sought by the government or third parties in these matters, including in SEC and FCPA investigations.
Engagements and tasks that we have undertaken include:
- Assisting numerous companies in data breach matters, including notices to individuals and state attorneys general, forensic investigations of breaches, and interfacing with the third-party vendors that participate in those investigations;
- Investigating PCI-DSS compliance matters relating to credit card security and assessing claims and actions brought by affected individuals;
- Evaluating, through a team from our Financial Services Litigation Group, the potential exposure associated with suspected credit and debit card fraud at a major retailer. Our client processed credit and debit card transactions for the retailer, which allegedly retained confidential debit card information that was obtained by hackers who made counterfeit cards for use elsewhere. We reviewed the relevant merchant contracts and the applicable network by-laws and regulations regarding potential exposure to issuing banks and the possibility of recovery from the retailer on any damage claims brought by card issuers;
- Assessing the relative merit of an action to recover money paid to debit card holders whose confidential card information was stolen from data files maintained by a major retailer. We analyzed the pertinent contracts as well as the network by-laws and regulations to determine the likelihood that our bank client would be able to recover damages from the retail company or from the merchant bank that processed credit and debit cards for the retailer;
- Drafting Sarbanes-Oxley whistleblower mechanisms, policies and employee notices for large multi-national companies with operations in various EU and other countries to comport with country whistleblower guidelines and registrations with local data protection authorities;
- Constructing EU and other country privacy policies, data protection agreements and procedures in compliance with the EU and other country data protection laws, including those of Britain, Germany, France, Italy, the Netherlands, Belgium, Greece, Czech Republic, Switzerland, Australia, Hong Kong, China and India;
- Developing U.S. Safe Harbor compliance filings and materials for US companies, in EU and other countries, consistent with local data protection laws;
- Assessing HIPAA compliance and HIPAA privacy notice, policy and security rule documents and disclosures along with health care service and business associate contracts;
- Drafting e-mail, Internet and web-based acceptable usage and customer terms and conditions policies;
- Investigating employee misuse of e-mail or Internet access, including pornography, sexual harassment, gambling and other improprieties, and assessing e-mail/Internet filtering software in the workplace;
- Developing employee screening and background investigation programs under the Fair Credit Reporting Act and FACT amendments;
- Providing analysis and guidance to schools and libraries with respect to Children’s Internet Protection Act obligations, software and mandatory Internet policies;
- Responding to and defending against government, law enforcement and other third party requests, subpoenas or orders for e-mail and Internet traffic;
- Drafting Gramm-Leach-Bliley privacy notices, privacy policies, and information security programs for financial and other organizations;
- Drafting service and outsourcing agreements with vendors, software and other entities that include terms and conditions, representations and warranties and other references to security programs, Gramm-Leach-Bliley, U.S. Safe Harbor and/or HIPAA compliance;
- Advising on the Telephone Consumer Protection Act of 1991 (TCPA) and the Telemarketing Sales Rule (TSR); and
- Addressing CAN-SPAM Act obligations and creating company policies for unsolicited commercial e-mail.