Practice/Industry Group Overview
Our Privacy and Data Protection Group
The Privacy and Data Protection Group of Edwards Wildman is an inter-disciplinary team of lawyers assembled to address, on a practical basis, local, national and multi-national matters related to data breaches, and privacy and data protection obligations. Our practice -- and several members of our group individually -- were recognized in the 2013 US Legal 500 under the Media, Technology and Telecom: Data Protection and Privacy category. Our group was also recognized in the 2013 Chambers & Partners USA Guide: National Privacy & Data Security. In 2012, the firm was ranked 15th in the Law360 Privacy & Consumer Protection 50, a ranking of the firms with the largest privacy and consumer protection practice groups. The Group consists of lawyers in our US, UK and Hong Kong offices, and includes members from our Litigation, Employment, Financial Services, Healthcare, Retail, Intellectual Property, and Insurance Practice Groups. Our combined experience allows us to provide advice that takes into account the standards and practices of the industries in which our clients operate, as well as laws and regulations of countries on a world-wide basis.
Members of our Privacy and Data Protection Group are well versed in the US state data breach notification laws and regulations, and the U.S. federal requirements set forth in HIPAA, HITECH, PATRIOT Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act amendments, and CAN-SPAM Act, as well as with the EU/US Safe Harbor program and data protection laws worldwide, and other Internet and electronic communications laws and regulations that create special obligations as to personal information created, collected, used and transmitted within the US, and between the US, EU countries and elsewhere. Our clients are often subject to the requirements of multiple jurisdictions. Some clients, particularly those with affiliates or branches in both the US and other countries, or those obtaining, storing or transferring employee, customer or medical information of residents in multiple jurisdictions, have a myriad of, and sometimes conflicting, privacy and data security compliance obligations. Many clients are in industries that impose their own security and disclosure standards; those involved in holding, processing or passing credit card holder information are also subject to the Payment Card Industry Data Security Standards (PCI-DSS). We regularly guide our clients through the challenges the various competing compliance obligations can present. We also closely follow proposals for new data protection laws and regulations in the US, EU and world-wide, and analyze their potential impact on our clients.
Group members have represented and advised numerous companies in addressing these challenges in a wide range of industries, including multi-national conglomerates, universities and other educational institutions, professional and other service firms, life science companies and healthcare entities, on privacy and data protection matters. We have also worked with government regulators on a local, national and international level, as well as represented clients in legal proceedings throughout the US.
Additionally, we advise clients on the implications of cyber attacks resulting in denial of service and breaches of confidential information other than personal information. As agreements relating to transactions, licenses and services arrangements increasingly address data protection issues and include representations, warranties, indemnity arrangements and other provisions concerning data protection and breach response requirements, we also frequently advise clients on the drafting, negotiation and enforcement of acquisition, vendor and other third party agreements.
Members of our group concentrate on the privacy and data protection issues associated with digital and wireless campaigns and commerce. We also assist with online, mobile and digital media, online and mobile marketing (including behavioral advertising), and ownership and potential liability issues related to user-generated content and digital arrangements. We also regularly advise clients on the use of cloud technologies, including the related privacy and data protection issues.
We have been involved in the California ZIP code cases and their progeny in other jurisdictions, which present risks to the retail and other industries that collect customer addresses and other data.
We participate in the World Law Group (WLG), an affiliation of nearly 50 large law firms in 65 countries, and a member of our Privacy and Data Protection Group co-chairs the WLG’s well-recognized Privacy Matters Group. As a result, we have access to privacy counsel in countries world-wide, and maintain a tried and true network of counsel that are experienced in addressing data protection issues and breaches.
Our Data Breach Response Team
Our Privacy and Data Protection Group includes a Data Breach Response Team that is on call to assist clients in responding to breaches. We are well aware of the time-sensitive needs of clients faced with a data breach. Our team has extensive experience advising clients on both the immediate and long term issues faced by an entity that experiences a data breach, and works closely with clients’ internal and external response teams, including their forensic investigators and service providers. In addition to advising clients faced with domestic breaches, we regularly advise clients in breach scenarios that have multi-jurisdictional, including multi-country, implications and obligations, and guide them through the challenges such a breach can entail. When appropriate, our Breach Response Team involves members of our other practice groups focused on the client’s particular industry, such as healthcare, financial services, energy, telecommunications or technology, as well as lawyers in other countries whose laws are implicated.
Advising an entity that has sustained a data breach involves providing knowledgeable, thoughtful advice and services under time pressures, assisting the client in identifying appropriate risk reduction strategies, and recognizing the human and financial costs to an entity addressing a breach. Our Data Breach Response Team works closely with clients in addressing data breaches and understands the challenges clients face when a breach occurs.
Our Litigation Team
Our litigation team routinely represents entities that have been the target of investigations and litigation concerning privacy-related practices as well as data breaches. When the litigation is a class action, we partner with our class action group, which regularly defends class actions throughout the United States. We have represented clients in cases involving ZIP code collection practices in Massachusetts and California; claims of invasions of privacy based on companies’ requests for and collection of personal information from customers; and alleged privacy violations pertaining to the Electronic Communications Privacy Act (ECPA) and similar state wiretap laws, the Computer Fraud and Abuse Act (CFAA) and state computer access laws, and state law computer trespass and related claims. We have represented companies in numerous class actions alleging violations of the Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA), including those alleging improper publication of credit card numbers, accessing of credit reports without a “permissible purpose,” and failure to make required disclosures. We also regularly represent companies in class actions alleging violations of the CAN-SPAM Act of 2003 and state fraudulent email statutes, the Electronic Funds Transfer Act, and the Truth in Lending Act (TILA). We regularly defend companies in litigation alleging violation of various states’ consumer protection laws, and have successfully obtained dismissals.
Our White Paper on Privacy and Data Protection
Our Privacy and Data Protection Group produces a comprehensive paper, “Everyone’s Nightmare: Privacy and Data Breach Risks,” which we regularly update. The paper discusses legal and regulatory data security and breach notification developments, exposures presented by data breaches, recent court decisions, and lines of insurance potentially impacted.
Representative engagements of our Privacy and Data Protection Group include:
- Assisting numerous companies in data breach responses, including identifying and evaluating obligations under applicable laws and regulations, drafting notices to individuals and state attorneys general, working with forensic investigators and interfacing with third party vendors involved in the breach;
- Guiding companies that sustain a breach involving information and/or customers in multiple countries on compliance with the obligations imposed by applicable data protection laws, including experience in breaches involving customers in over 20 different countries;
- Investigating PCI-DSS compliance with regard to credit card security and breaches;
- Advising clients with respect to claims and actions by individuals and entities affected by a data breach;
- Representing clients before regulators in the US and UK on data breach matters;
- Working with our Financial Services Practice Group to evaluate the potential exposure associated with suspected credit and debit card fraud;
- Reviewing relevant merchant contracts and the applicable network by-laws and regulations regarding potential exposure to issuing banks, and the possibility of recovery from a retailer on any damage claims brought by card issuers;
- Drafting Sarbanes-Oxley whistleblower mechanisms, policies and employee notices for large multi-national companies with operations in various EU and other countries to comport with country whistleblower guidelines and registrations with local data protection authorities;
- Constructing privacy policies, data protection agreements and procedures in compliance with the data protection laws of the US, EU and other countries, including Great Britain, Germany, France, Italy, the Netherlands, Belgium, Greece, the Czech Republic, Switzerland, Australia, Hong Kong, China and India;
- Developing US Safe Harbor compliance filings and materials for US companies operating in the EU and other countries, consistent with local data protection laws;
- Assessing HITECH and HIPAA compliance and HIPAA privacy notices, policy and security rule documents and disclosures along with health care service and business associate contracts;
- Drafting privacy policies and statements, including e-mail, Internet, social network and web-based acceptable usage and customer terms and conditions policies;
- Investigating employee misuse of e-mail or Internet access;
- Developing employee screening and background investigation programs under the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act (FACTA) amendments;
- Analyzing and providing guidance for schools and libraries with respect to the Children’s Internet Protection Act obligations, software and mandatory Internet policies;
- Drafting Gramm-Leach-Bliley privacy notices, privacy policies and information security programs for financial and other organizations;
- Drafting service and outsourcing agreements, including cloud contracts, with vendors, software and other entities that include terms and conditions, representations and warranties and other references to security programs, Gramm-Leach-Bliley, US Safe Harbor and/or HIPAA compliance;
- Advising on the Telephone Consumer Protection Act of 1991 (TCPA) and the Telemarketing Sales Rule (TSR);
- Addressing Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) obligations and creating company policies for unsolicited commercial e-mail; and
- Responding to and defending against government, law enforcement and other third party requests, subpoenas, orders and other legal proceedings.