Technological innovation now makes it easier than ever for companies and other organizations to collect, track, and process personally identifiable information (“PII”) about employees, consumers, and other individuals. Enterprises of all sizes must be attentive to data protection and take proactive measures to mitigate the risk of loss of the sensitive information within their control. As illustrated by recent breaches, avoiding these issues is simply not an option for any company. The failure to mitigate data security risk can seriously derail operations for organizations that are not prepared to address the public relations and other business problems resulting from a data breach. The Data Privacy & Security Task Force at Gibbons provides counseling, investigatory, and/or litigation services to address the range of privacy and security issues that affect our clients’ businesses.
The Gibbons Data Privacy & Security Task Force is a multidisciplinary and experienced team. For example, Task Force members were involved in the then-largest cyberhacking investigation ever undertaken by the U.S. Department of Justice. The Task Force focuses on a number of specific areas, including:
- Cloud computing and breach reporting obligations
- Privacy, HIPAA, data security, and related criminal matters in the healthcare arena
- General criminal matters that touch on privacy and data breach issues
- Electronic technology in the securities markets
- E-discovery and information management
- Brand protection, including anti-counterfeiting and trademark enforcement
- Privacy matters and restrictive covenant and misappropriation litigations in the employment area
- Data security technology
To keep clients regularly informed of developments in this quickly evolving arena, the Task Force covers data security and privacy topics extensively on various Gibbons blogs, particularly the IP Law Alert (iplawalert.com), E-Discovery Law Alert (ediscoverylawalert.com), and Employment Law Alert (employmentlawalert.com). Additionally, the firm’s popular, annual “Gibbons E-Discovery Conference” typically contains at least one data security panel and has also included a primary focus on privacy and data security.
The Gibbons Data Privacy & Security Task Force counsels clients on data protection requirements and all aspects of compliance. These include U.S. federal laws like HIPAA, HITECH, and Gramm-Leach-Bliley; state laws requiring information security policies and breach reporting; international laws like the European Union Personal Data Directive for our clients doing business overseas; and emerging industry standards, which have quickly been evolving. We assist clients in developing a privacy and data security infrastructure, establishing concrete policies and workplace procedures to address general privacy and data security compliance with all applicable laws and regulations. We also work with clients in the areas of data sharing, privacy and data security audits, data retention, and payment card data security, among other foundational concerns. Moreover, Task Force members are equipped to help companies create and fill privacy ombudsman roles, if appropriate.
The Task Force also focuses on technology, e-commerce, cloud computing transactions and advice, and software licensing and commercialization, providing counseling, breach management, and litigation services designed to minimize exposure and return businesses to their normal operations. These issues include the risks of cloud computing and certain apps; identity theft risk “red flags” and mitigation; company and employee social networking accounts; online advertising and behavioral marketing; and direct marketing activities. We also advise on unique privacy requirements connected to particular industries, including healthcare and pharmaceuticals; financial services; education; telecommunications; cable and utilities; retail; and mobile/geolocation service providers, among others. In addition, the Task Force can assist clients who deal with children to comply with privacy regulations specific to minors.
In the immediate aftermath of a data security breach, the Gibbons Task Force will guide a client through the most important first step, which is notification, particularly if the breach impacts the general public. Companies have a legal responsibility to notify consumers about incidents that have caused their personal information to be acquired by unauthorized persons, but the interests of law enforcement must be balanced with those of consumers. Early notification empowers customers, allowing them time to limit damage by, for example, canceling credit cards and alerting credit bureaus to prevent further fraud, which in turn helps them – and the broader public – retain their trust and confidence in the company. These common sense measures can sometimes help a company avoid litigation, which has the potential to become a major headache for its in-house legal team, as well as a major distraction for the core business of the client.
We also help clients mitigate the risk of federal and state regulatory actions following a breach. Gibbons attorneys have provided advice and counsel to clients on several occasions in connection with investigations by state and federal regulators, particularly the Federal Trade Commission, of data security incidents in which our clients were the victims of computer hackers but faced regulatory scrutiny and potentially huge penalties. We also conduct forensic investigations into the root causes of these incidents and help remediate any problems that are uncovered through the audits.
The Gibbons team is well-prepared to defend any litigation resulting from a breach, including complex and high-exposure class action lawsuits. Litigation is our firm’s historic legacy and core strength. Gibbons calls on more than 80 years of litigation experience to serve our clients in privacy and data security litigation, such as contested data breach, class action defense, and consumer protection matters. The firm is lead counsel to a Fortune 50 hotelier that has been locked in litigation with federal regulators over allegations concerning an alleged data breach involving customers’ credit card information. Our Class Action Defense Team has defended retailers in cases involving alleged breaches of customer privacy, relating to credit cards and customers’ PII. The firm has also represented victims of data breaches that have resulted in prosecution against criminal hackers, often convincing prosecutors to preserve the victim’s anonymity during the investigation while also preserving the integrity of the criminal case against the perpetrators.
Data Privacy & Cybersecurity Training
Gibbons attorneys on the Data Privacy & Security Task Force offer training on all data privacy and cybersecurity topics, in any combination your organization finds most helpful. Specific programs can be crafted to your organization's policies and requirements, and several programs of general application in the following areas are also offered:
- Basics of Cybersecurity Compliance and Breach Prevention
- Cybersecurity: Legal and Policy Requirements
- Information Security Foundations and Cyber-Risk Assessment, Analysis, and Mitigation
- Information Security Risk Management Policies and Tools
- Operational Compliance for Protected Health Information (PHI)
These programs are described in more detail in the Gibbons Data Privacy & Cybersecurity Training Manual.