Practice/Industry Group Overview
Whether it is the dependence on laptops and smartphones or sophisticated networks that connect employees of large corporations around the world, technology is a now a significant part of everyone's life. Nearly every day, we hear about sensitive personal information on a lost flash drive or a prying employee poking around someone's medical records. Marshall Dennehey's Privacy and Data Security Practice Group deals with these issues every day and counsels clients through what we now call a data breach.
Data breaches can affect every organization in any industry. Our involvement does not necessarily begin after the data breach occurs because risk management counseling is a key part of our practice. We have experience preparing our clients by writing and amending privacy and security policies and procedures to provide risk management advice and training, all in preparation for the day everyone hopes never arrives—the call about a customer's or employee's data being lost or stolen. This is no longer an IT issue. These issues present challenges to far more departments, including risk management, legal, compliance, IT, IS and customer relations. Organizations are struggling to manage compliance with state, federal and international privacy and data security laws. We have the experience to counsel clients through these crisis events. When the response phase to the data breach concludes, we also have experience defending our clients in lawsuits, class actions and regulatory investigations.
Our team views data breach response as a joint effort with the client where the client's philosophy, brand recognition and customer base must be considered while reconciling compliance with the numerous, and often competing, laws and regulations. We confront the challenges faced by companies in this area daily, and our approach is one that fits the response to the facts rather than a one-size-fits-all approach. Because Marshall Dennehey has substantial litigation experience, we consider each step of the response process, counseling our clients with a focus on how decisions may impact a future defense to litigation or regulatory action. We do not dictate the response but, rather, work with our clients, who know their own businesses best, to consider issues such as credit monitoring, call centers, forensics, notification vendors and crisis management consultants. Due to our experience in litigation matters, our attorneys are able to utilize document management software and teams of paralegals to aid clients to efficiently and timely respond to breaches involving voluminous documents.
Industries We Serve
We have handled over 100 data breaches and privacy claims for health care, educational, banking, financial, retail and technology service providers, and we pride ourselves on our responsiveness. Data breaches can occur any day of the week, requiring immediate attention. These crises do not take weekends off, and neither do we. We are staffed to respond to time-critical situations with 24/7 availability. Every crisis is unique, and there is no standard solution or menu of standard services that is suitable for every situation. Whether it is a breach involving just one individual, or millions, we have counseled clients to respond in a way that is cost effective, compliant with the law and protective of their brand.
In some instances it can be important to work with local law enforcement, the FBI or the Secret Service to help respond to, and investigate, a breach event. Our White Collar Crime Practice Group can assist clients in responding to issues involving grand jury subpoenas, criminal investigations, law enforcement procedures, witness preparation and regulatory audits when there is criminal activity involved. We have developed relationships with Secret Service agents, FBI agents, local law enforcement, district attorneys, attorneys general, the Office for Civil Rights (OCR) and other regulators.
Some data loss events involve the theft or disclosure of trade secrets, or maybe even the violation of a company's social media policy, and we have the experience to work with our clients to tackle those issues. Often, employment issues arise, and we have attorneys who counsel our clients to help them work through the legal challenges they face when confronting employees after a data breach occurs.
Health Care and Pharmacy
Attorneys in our Health Law Practice Group are also members of the Privacy and Data Security Practice Group and help clients prepare for any regulatory fallout following a breach. We have responded to inquiries and investigations by state attorneys general and the Department of Health and Human Services Office for Civil Rights. We have existing relationships with regulators in a number of states and regions, and we routinely communicate with them. We have HIPAA/HITECH experience that includes not only regulatory and compliance, but real-life, substantive experience dealing with data breaches that affect hospitals, medical providers, health plans and service providers for the health care industry. Our Health Law Practice Group has been involved with HIPAA since its enactment. They understand how health care systems work, both on regulatory and administrative levels. This enables our group to provide an experienced team that understands the regulatory, risk management and financial challenges facing the health care industry while providing counsel to prepare for, and respond to, breach events. Risk management is a key area of our practice, and we are prepared to assist our clients in developing the policies and procedures that are not only required by law, but help educate and prepare providers, insurers and business associates on ways they can safeguard protected health information.
We have counseled universities and colleges of all sizes and types, as well as technical institutes and other post-secondary schools. The U.S. Department of Education is increasingly investigating these breaches, and we have represented clients during those investigations. Students use technology more than any group, and we are prepared to counsel educational institutions about the social media challenges they may face following a breach.
Financial and Banking
Financial institutions are a prime target for criminal exploitation ranging from insider theft of sensitive information to highly technical attacks involving malware and trojans. We regularly respond to these types of breaches, including working with the Secret Service in breaches involving foreign nationals. Forensic investigations in this area can be key, and our team of lawyers includes attorneys who have the technical experience, knowledge and background to work with forensic consultants during investigations and comprehend the technical issues.
Retail, Energy, Utility and Service Industries
Whether you are a large retailer, energy company or hotel chain, your customers' trust is important, and we have counseled clients to help reduce the churn rate following a data breach. Additionally, many of these industries face challenges over Payment Card Industry (PCI) compliance. We have not only handled breaches involving these issues, but we have defended litigation matters about PCI compliance and violations of other consumer laws.
Areas of Experience
- Data breach response and notification
- Red Flag Rule compliance and program development
- California data breach laws, including the California Department of Public Health
- The Massachusetts Data Privacy Law
- Massachusetts Written Information Security Program (WISP) development
- Connecticut Insurance Department regulations
- Puerto Rico's Citizen Information on Data Banks Security Act
- International privacy laws, including Mexico's Data Protection Law and Canada's data privacy requirements
- PCI/CISP requirements and other payment card data issues
- Claims and litigation involving point of sale (POS) software and hardware
- IT policies and procedures
- Data retention policies
- Review of Vendor Agreements and Business Associate Agreements
- Investigations and audits by Department of Health and Human Services Office for Civil Rights
- Counseling to respond to U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services (CMS), state Medicaid agencies, state departments of health and insurance and state/professional licensing boards
- Assistance with health care breaches involving Title 10 issues
- Gramm-Leach-Bliley Act (GLBA) requirements
- Defense of class actions involving disclosure of credit card information
- Defense of lawsuits involving privacy breaches (both HIPAA and state-level breaches)
We welcome the opportunity to work with you. Consistent with our firm's proactive approach and philosophy, we also welcome the opportunity to present educational seminars and workshops as a mutually beneficial introduction to one another.