Data has become the bedrock of business—whether it is personal data, customer data, business data, or another category of sensitive information. Protecting data and using it in a lawful manner are not just best practices; they are becoming new business standards and required compliance obligations for most businesses on main street, Wall Street, and in between. The Gibbons Privacy & Data Security Team understands the implications of this evolving landscape, which is why our clients come to us for practical advice and solutions for their privacy and data security challenges.
Founded on the principle that information privacy, security, and governance are core business functions that can impact virtually all aspects of a company’s operations, the Gibbons Privacy & Data Security Team takes a multidisciplinary approach to data challenges. Depending on our client’s needs, we are able to draw on our deep experience in compliance, litigation, corporate transactions, intellectual property, and employment (among others disciplines), along with our particular experience in industries including healthcare, higher education, biotechnology and pharmaceutical, financial services, media, and technology.
Gibbons attorneys have comprehensive data privacy and security experience and have assisted clients with a broad range of privacy and security issues, including:
- Information security plans, based on compliance obligations under FTC Act, Section 5; various state-based written information security program requirements; Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA) of 1996; and Health Information Technology for Economic and Clinical Health (HITECH) Act
- General Data Protection Regulation (GDPR) compliance
- Incident response plan development and administration
- Data security incident and breach investigations and reporting
- Cyber insurance counseling, negotiation, and procurement
- Privacy policies and procedures
- Privacy compliance programs and gap analyses, including National Institute of Standards and Technology (NIST) controls and Defense Federal Acquisition Regulation Supplement (DFARS) standards
- Response to law enforcement requests for data, including subpoenas, search warrants, national security letters, Foreign Intelligence Surveillance Act (FISA) orders, and 18 USC 2703 preservation demands
- HIPAA ombudsman services
- E-commerce counseling
- Email marketing regulations, including the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003
- Trade secrets and confidential information protection
- Social media use and email monitoring, including Stored Communications Act and Electronic Communications Privacy Act
- Fair Credit Reporting Act for background check and hiring
- Bring Your Own Device (BYOD) policies and procedures
Areas of Focus
Incident Readiness, Response, and Reporting
When a data security incident occurs, and the urge to panic sets in, it is unlikely a company can respond effectively absent preparation. Gibbons has helped clients prepare for possible data security incidents to stem the effects of attempted malicious activities and personnel mistakes. Our attorneys work with clients to maximize the value of incident response plans, table-top exercises, and preparatory law enforcement and vendor engagement as data security best practices.
Despite the best planning and preparation, incidents happen. When they do, Gibbons has the experience to counsel clients from the moment they receive notice of security incidents through conducting internal investigations, retaining privileged forensic vendors, engaging law enforcement, conducting appropriate authority and individual notifications if necessary, and completing post-incident re-evaluations and reassessments. However big or small the data security challenges, Gibbons is a go-to resource for incident preparation, response, and reporting.
Health Information Security, Privacy, and Ombudsman
The Gibbons Privacy & Data Security Team has longstanding experience with the Privacy Rule and Security Rule applicable to protected health information and personal health records, including drafting compliance manuals, training personnel, negotiating business associate agreements, and advising on a range of related issues, from corporate transactions involving the transfers of health records and data to drafting hospital access agreements. We have also advised our clients on HIPAA covered entity and business associate data security incidents and served as patient care ombudsman in several hospital bankruptcy proceedings.
Workplace Privacy and Security
The Gibbons Privacy & Data Security Team has assisted clients on a diverse range of privacy issues implicated in the workplace, including implementing BYOD policies, conducting internal investigations, protecting against theft of trade secrets, and handling other workplace privacy or security challenges, from the use of background checks to the creation of social media, corporate communications, and confidentiality policies.
Privacy and Data Security in Contracts and Corporate Transactions
Gibbons has assisted clients with the contractual and corporate obligations under GLBA, HIPAA, GDPR, DFARS, (New York Department of Financial Services) NYDFS, and various state regulations. We have negotiated acquisitions of companies with sensitive data, including protected health information, and helped our clients understand their rights in connection with that information. We have drafted master services agreements and scope of work agreements relative to our clients’ data privacy and security needs and advised on the requisite obligations within such contracts. In addition, we have advised on and negotiated the terms of third-party vendor agreements related to the use of personal information and counseled clients on their flow-down obligations under federal, state, and international laws.
Enterprise Information Governance, Regulatory Compliance, and Risk Management
Information governance is a requirement for virtually all institutions, regardless of size or business. The Gibbons Privacy & Data Security Team brings a unique cross-disciplinary approach to helping our clients assess and mitigate risk, create privacy and security compliance programs, and build cultures of information governance. We have counseled our clients—including marketing, defense contracting, SEC-regulated, cloud services, and HIPAA-covered entities—through the web of US and international laws, including various state regulatory schemes, federal defense contractor requirements, and GDPR compliance issues. If a company has an enterprise-level privacy or data security issue, the Gibbons Privacy & Data Security Team has the high-level proficiency to address those concerns and confront those challenges.
Gibbons has the experience to defend virtually any litigation resulting from an incident or breach, including complex and high-exposure class action lawsuits. Litigation is our firm’s historic legacy and core strength. Gibbons calls on more than 80 years of litigation experience to serve our clients in privacy and data security litigation, including contested data breach, class action defense, and consumer protection matters. Gibbons served as counsel to a Fortune 50 hotelier that was locked in litigation with federal regulators over allegations concerning an alleged data breach involving customers’ credit card information. Our Class Action Defense Team has defended retailers in cases involving alleged breaches of privacy relating to customers’ Payment Card Industry (PCI) data and personally identifiable information (PII). The firm has also represented victims of data breaches that have resulted in prosecution against criminal hackers, often convincing prosecutors to preserve the victims’ anonymity during the investigations while also preserving the integrity of the criminal cases against the perpetrators.
Government Affairs Counseling
As the premier lawyer-lobbying firm in New Jersey, Gibbons is recognized as having its finger on the pulse of state and federal legislatures and decision-makers. This allows us to spot trends and leverage our relationships to advocate for clients’ data privacy and security policy interests. Gibbons attorneys have served as part of a variety of federal and state government institutions and worked alongside policymakers in Trenton and Washington, D.C. With this experience, we are able to serve our clients through legislative and regulatory analysis, lobbying, and issue advocacy. With the ever-evolving landscape of state and federal regulatory initiatives and continuing technology developments—including the Internet of Things, Artificial Intelligence, big data, drones, and blockchain—Gibbons lawyer-lobbyists have the credibility and competence to advocate to advance our clients’ privacy and security interests.
Cyber Insurance Coverage
Gibbons has worked with our clients — whether new to cyber insurance or with an existing policy in place — to develop comprehensive risk-mitigation solutions in this ever-evolving insurance market to fit the needs of their specific business. In order maximize the availability of cyber insurance coverage, our attorneys have completed insurance program reviews, negotiated manuscript policy terms and conditions, and, when a potential claim has arisen, provided claims- related counseling and negotiation. Our practical advice and guidance at each step incorporate our knowledge of recent coverage trends and emerging case law, as well as in-depth experience with traditional commercial policies and principles of policy interpretation.