Privacy & Data Security

In today’s digital economy, data is the bedrock of business – whether it is personal data, customer data, business data, or another category of confidential or sensitive information. Protecting data and using it in a lawful manner are no longer just best practices, they are the new compliance standards and obligations for businesses on main street, Wall Street, and in between.

The Gibbons Privacy & Data Security Team helps clients effectively manage data and the corresponding risks throughout the information life cycle, providing practical advice and strategic solutions for our clients’ data security and privacy challenges. Depending on our client’s needs, we are able to draw on our deep experience in regulatory compliance, litigation, corporate transactions, intellectual property, employment, and insurance coverage (among other disciplines).

Our attorneys have comprehensive data privacy and security experience with the complex framework of local, national, sectoral, and international legal requirements, and have assisted clients with a broad range of issues, including:

  • Compliance with U.S. federal and state privacy and information management requirements, including the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Gramm-Leach-Bliley Act (GLBA), HIPAA and HI-TECH, the Biometric Information Privacy Act (BIPA), the Fair Credit Reporting Act (FCRA), the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), state and federal breach notification laws, and other federal and state law requirements
  • Compliance with requirements of the EU General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Pro-active incident readiness and response planning
  • Comprehensive counseling, assistance and management of data security incident and breach investigations, response and reporting, including notification and coordination with applicable federal and state law enforcement and regulatory agencies, crafting disclosures and messaging to employees, customers, and third parties, and creating call center FAQs and communications
  • Advice, counseling, and negotiation of contracts with vendors and other third parties to ensure comprehensive compliance with applicable federal, state, and sectoral privacy and security requirements
  • Completing comprehensive information management assessments and preparing appropriate internal privacy policies and procedures and external privacy notices and disclosures
  • E-commerce counseling, including the development, implementation, and updating of jurisdiction-specific and sector-specific e-commerce Terms of Use and Privacy Policies for client websites
  • Cyber insurance counseling, negotiation, and coverage dispute resolution
  • Privacy compliance programs and gap analyses, including National Institute of Standards and Technology (NIST) controls and Defense Federal Acquisition Regulation Supplement (DFARS) standards
  • Response to law enforcement requests for data, including subpoenas, search warrants, national security letters, Foreign Intelligence Surveillance Act (FISA) orders, and 18 U.S.C. § 2703 preservation demands
  • Trade secrets and confidential information protection
  • Proactive government affairs counseling on legislative and regulatory proposals impacting clients’ general and sector-specific privacy and security requirements and compliance obligations
  • Effective and efficient representation in cybersecurity- and privacy-related dispute resolution, litigation, and class actions

Areas of Focus

Incident Readiness, Response, and Reporting

When a data security incident occurs, and the urge to panic sets in, it is unlikely a company can respond effectively absent preparation. Gibbons has helped clients prepare for possible data security incidents to stem the effects of attempted malicious activities and personnel mistakes. Our attorneys work with clients to maximize the value of incident response plans, table-top exercises, and preparatory law enforcement and vendor engagement as data security best practices.

Despite the best planning and preparation, incidents happen. When they do, Gibbons has the experience to counsel clients from the moment they receive notice of security incidents through conducting internal investigations, retaining privileged forensic vendors, engaging law enforcement, conducting appropriate authority and individual notifications if necessary, and completing post-incident re-evaluations and reassessments. However big or small the data security challenges, Gibbons is a key resource for incident preparation, response, and reporting.

Health Information Security, Privacy, and Ombudsman

The Gibbons Privacy & Data Security Team has longstanding experience with the Privacy Rule and Security Rule applicable to protected health information and personal health records, including drafting compliance manuals, training personnel, negotiating business associate agreements, and advising on a range of related issues, from corporate transactions involving the transfers of health records and data to drafting hospital access agreements. We have also advised our clients on HIPAA covered entity and business associate data security incidents and served as patient care ombudsman in several hospital bankruptcy proceedings.

Workplace Privacy and Security

The Gibbons Privacy & Data Security Team has assisted clients on a diverse range of privacy issues implicated in the workplace, including implementing BYOD policies, conducting internal investigations, protecting against theft of trade secrets, and handling other workplace privacy or security challenges, from the use of background checks to the creation of social media, corporate communications, and confidentiality policies.

Privacy and Data Security in Contracts and Corporate Transactions

Gibbons has assisted clients with the contractual and corporate obligations under GLBA, HIPAA, GDPR, DFARS, (New York Department of Financial Services) NYDFS, and various state regulations. We have negotiated acquisitions of companies with sensitive data, including protected health information, and helped our clients understand their rights in connection with that information. We have drafted master services agreements and scope of work agreements relative to our clients’ data privacy and security needs and advised on the requisite obligations within such contracts. In addition, we have advised on and negotiated the terms of third-party vendor agreements related to the use of personal information and counseled clients on their flow-down obligations under federal, state, and international laws.

Enterprise Information Governance, Regulatory Compliance, and Risk Management

Information governance is a requirement for virtually all institutions, regardless of size or business. The Gibbons Privacy & Data Security Team brings a unique cross-disciplinary approach to helping our clients assess and mitigate risk, create privacy and security compliance programs, and build cultures of information governance. We have counseled our clients—including marketing, defense contracting, SEC-regulated, cloud services, and HIPAA-covered entities—through the web of US and international laws, including various state regulatory schemes, federal defense contractor requirements, and GDPR compliance issues. If a company has an enterprise-level privacy or data security issue, the Gibbons Privacy & Data Security Team has the high-level proficiency to address those concerns and confront those challenges.


Gibbons has the experience to defend virtually any litigation resulting from an incident or breach, including complex and high-exposure class action lawsuits. Litigation is our firm’s historic legacy and core strength. Gibbons calls on more than 80 years of litigation experience to serve our clients in privacy and data security litigation, including contested data breach, class action defense, and consumer protection matters. Gibbons served as counsel to a Fortune 50 hotelier that was locked in litigation with federal regulators over allegations concerning an alleged data breach involving customers’ credit card information. Our Class Action Defense Team has defended retailers in cases involving alleged breaches of privacy relating to customers’ Payment Card Industry (PCI) data and personally identifiable information (PII). The firm has also represented victims of data breaches that have resulted in prosecution against criminal hackers, often convincing prosecutors to preserve the victims’ anonymity during the investigations while also preserving the integrity of the criminal cases against the perpetrators.

Government Affairs Counseling

As a top-ranked lawyer-lobbying firm by revenue in New Jersey, Gibbons is recognized as having its finger on the pulse of state and federal legislatures and decision-makers. This allows us to spot trends and leverage our relationships to advocate for clients’ data privacy and security policy interests. Gibbons attorneys have served as part of a variety of federal and state government institutions and worked alongside policymakers in Trenton and Washington, D.C. With this experience, we are able to serve our clients through legislative and regulatory analysis, lobbying, and issue advocacy. With the ever-evolving landscape of state and federal regulatory initiatives and continuing technology developments—including the Internet of Things, Artificial Intelligence, big data, drones, and blockchain—Gibbons lawyer-lobbyists have the credibility and competence to advocate to advance our clients’ privacy and security interests.

Cyber Insurance Coverage

Gibbons has worked with our clients — whether new to cyber insurance or with an existing policy in place — to develop comprehensive risk-mitigation solutions in this ever-evolving insurance market to fit the needs of their specific business. In order to maximize the availability of cyber insurance coverage, our attorneys have completed insurance program reviews, negotiated manuscript policy terms and conditions, and, when a potential claim has arisen, provided claims- related counseling and negotiation. Our practical advice and guidance at each step incorporate our knowledge of recent coverage trends and emerging case law, as well as in-depth experience with traditional commercial policies and principles of policy interpretation.