Practice/Industry Group Overview
Sutherland helps clients navigate the increasingly complex framework of laws governing the collection, use, transfer, disclosure and security of personal information.
Advances in information technology now provide unprecedented ways to collect and use personal information, but these advances have also created new risks to the privacy and security of that information. Both domestically and internationally, governments have recognized some of these risks and have enacted complex, overlapping and sometimes conflicting laws that restrict the collection, use, retention and disclosure of personal information and impose requirements for securing it.
Sutherland’s Privacy and Data Security Team helps clients manage the obligations and risks of gathering, maintaining, processing and transferring personal information. Our attorneys advise companies on regulatory compliance, particularly in the financial services and energy industries. Our hands-on business experience managing information technology risk allows us to provide practical, business-focused counsel on all aspects of information policy, security, storage and management.
We advise on a range of privacy and data security matters, including information security program development and assessment, data breach response and investigation, privacy policies and notices, online privacy issues and data collection technologies, and electronic communications. Our clients have access to the full resources of our firm to protect their interests and build their businesses.
A practical approach. We understand that if a legal approach does not meet a client’s business needs, it is not a solution. This practical approach is why some of the nation’s most dynamic and successful companies rely on Sutherland for privacy and data security counsel.
We understand business. Our understanding of businesses and the marketplace helps clients meet their strategic business objectives—whether developing new Internet services or mobile applications, initiating business in a new state or country, preparing for or managing a data breach crisis, or defending enforcement actions.
We understand technology. Our team includes a former senior security consultant and chief information officer at an international energy company, and a former senior regulator who was involved in privacy examinations, enforcement and rulemaking. We offer uniquely informed advice and counsel on bridging the gap between legal requirements and technological implementation.
We understand the regulators. Sutherland’s attorneys include experienced professionals who previously served on regulatory bodies. We offer advice and counsel on regulatory actions, including examinations, enforcement and policy. We participate in industry task forces on data security and keep abreast of regulatory and legislative activity.
We focus on industries we understand well. Sutherland has broad and deep experience with energy and financial services and serves the privacy and data security needs of these industries both domestically and globally.
We are experienced advisers, crisis managers and privacy litigators. We help clients investigate and respond to suspected data breaches and electronic fraud and provide practical advice on planning for these possibilities. Our attorneys interface with law enforcement and regulatory agencies at local, state and national levels. Our privacy team has the knowledge and experience to provide strategic business and technology advice during a crisis.
Nuts and Bolts
Data Security Program Development – Guide clients through the discovery, construction, communication and evolution phases of privacy and data security program development, including the following types of advice on online and electronic privacy, data security and industry-specific requirements.
- Collaborate with clients to develop comprehensive information security programs
- Develop privacy and data security policies, procedures and notices
- Assist energy clients in developing policies and procedures compliant with the critical infrastructure protection requirements of the North American Electric Reliability Corporation (NERC) Reliability Standards
- Advise clients on the regulation of e-mail, text message, fax and telephonic communications, including telephone sales rules, Do Not Call registries, the CAN-SPAM Act and similar rules and laws
- Address online data collection technologies, including required notices and opt-out provisions
- Advise on consumer tracking, behavioral advertising and related disclosures
- Assist with mobile application data collection, including the use of geo-location data
- Aid financial services clients in deploying end-to-end encryption, tokenization, EMV/Chip and PIN technology, and dynamic authentication measures such as dynamic CVV and Magneprint technology to deter data breaches
- File patents on novel authentication and encryption techniques and methodologies that protect financial transaction databases and prevent unauthorized access to other financial information
- Assist clients with the Payment Card Industry Data Security Standard (PCI DSS)
- Conduct privacy and data security assessments
- Help clients prepare for audits and provide counsel in audits to confirm compliance with NERC critical infrastructure protection requirements
Data Breach Response and Crisis Management – Assist and advise on crisis responses to potential security breaches. In this context, we:
- Investigate suspected network intrusions and lost data device incidents
- Assist with customer notification and response
- Advise on compliance with state and national breach notification laws in multiple jurisdictions
- Assist with public relations, call center and investor relations communications
- Assist with negotiating insurance coverage terms and conditions and claims coverage matters
Financial Privacy – Advise insurance, financial services, payment card and credit reporting industries concerning federal, state and foreign compliance obligations under:
- Fair Credit Reporting Act
- Fair and Accurate Credit Transactions Act
- Gramm-Leach-Bliley Act and state financial privacy laws, and related FTC and CFPB privacy and safeguards rules
- Regulation P (the CFPB's privacy rule under GLBA)
- Regulation S-P (the SEC's privacy and safeguards rule for broker-dealers, investment companies and investment advisers)
Regulatory Enforcement Response – Advise and defend clients in connection with privacy-related regulatory investigations and enforcement actions under:
- Gramm-Leach-Bliley Act, including Regulation P, Regulation S-P, and the FTC’s and CFPB’s privacy and safeguards rules
- Fair Credit Reporting Act, including the Fair and Accurate Credit Transactions Act
- North American Electric Reliability Corporation (NERC) Reliability Standards on critical infrastructure protection
- HIPAA and state medical privacy laws
- E-discovery standards as they bear on privacy issues raised in the course of litigation
Sutherland advises electronic commerce company on privacy issues in e-commerce acquisition.
Sutherland defends broker-dealer in FINRA data privacy investigation.
Sutherland represented a broker-dealer in a FINRA investigation and settlement involving personal information of tens of thousands of customers where the broker-dealer allegedly violated Regulation S-P and FINRA supervisory requirements.
Sutherland advises insurer on HIPAA in claim privacy breach.
An adjuster sent a partially completed claims form to a claimant who had requested it, but did so without using the required encrypted e-mail. Sutherland advised regarding the resulting HIPAA requirements.