Practice Areas & Industries: Winston & Strawn LLP

Practice/Industry Group Overview

In recent years, legislators and regulators throughout the United States have reacted vigorously to the concerns Americans have expressed regarding the privacy and security of their credit, health, and other personal information.  State and federal legislatures and agencies have proposed and enacted a number of laws and regulations governing the use of information collected by Internet merchants, insurance companies, health providers, financial institutions, and others in an effort to set limits on what types of personal information can be collected and how it can be used.  Winston & Strawn’s privacy practice helps guide clients through the complex and changing landscape of both U.S. and foreign requirements. 

Our attorneys maintain a close watch over the many developments in this area to help our clients stay in compliance with the ever-changing rules governing the privacy and security of personal information.  These include federal and state privacy laws, such as the Deceptive Trade Practices Act, CAN-SPAM, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley financial privacy rules, Fair Credit Reporting Act, USA PATRIOT Act, and Children’s Online Privacy Protection Act (COPPA).

In addition to counseling our clients with respect to these rules and regulations, we regularly publish client briefings and present seminars to help our clients stay informed.  We also have advised clients on how to cope with various international privacy regulations, including the European Union Privacy Directive and Canadian privacy laws.  Some examples of our work in this area include:

• Working with the Department of Health and Human Services for the Office of Civil Rights, the agency charged with the implementation and enforcement of the HIPAA Privacy Rules, and relevant congressional committees on the development of medical privacy legislation and regulation.
• Educating health care providers regarding their obligations.
• Developing privacy compliance policies, procedures, monitoring programs, and reporting plans.
• Advising companies on restructuring existing agreements with service providers.
  Amending group health plan documents to comply with the law and preparing related employee communications, privacy procedures, and forms.
• Training management on the requirements of the law.
• Training employees who work on group health plans regarding the requirements of the law.
• Negotiating privacy provisions in clients’ contracts with third-party administrators.
• Advising financial institutions on GLB compliance and risk management with respect to internal and external transmissions of customer non-public personal information.
• Representing financial institutions whose customer data systems were compromised and where identity theft was a serious threat.  Our attorneys have assisted in the analysis of the scope of the problem, reported the problem to regulators, managed the potential PR fallout, and helped to review existing procedures for modification.
• Advising companies on whether they fall within the broad definition of “financial institution.”
• Counseling banks on how to cope with the theft of customer information.
  Assisting an electricity provider in complying with FCRA limitations on the use of non-public consumer information.
• Advising affiliates on the circumstances in which they may share data.
• Drafting and reviewing policies and procedures governing the disclosure and safeguarding of customer information, oversight of technology service providers, and monitoring of compliance with privacy rules.
• Representing a wireless telecommunications company as national outside counsel for the defense of a FCRA action brought by consumers alleging inaccuracy in reporting account information and identity fraud.  
• Counseling numerous employers on FCRA issues related to background checks on applicants and employee investigations.