Privacy & Data Security

In today’s digital economy, data is the bedrock of business – whether it is personal data, customer data, business data, or another category of confidential or sensitive information. Protecting data and using it in a lawful manner are no longer just best practices, they are the new compliance standards and obligations for businesses on main street, Wall Street, and in between.

The Gibbons Privacy & Data Security Team helps clients effectively manage data and the corresponding risks throughout the information life cycle, providing practical advice and strategic solutions for our clients’ data security and privacy challenges. Depending on our client’s needs, we are able to draw on our deep experience in regulatory compliance, litigation, corporate transactions, intellectual property, employment, and insurance coverage (among other disciplines).

Our attorneys have comprehensive data privacy and security experience with the complex framework of local, national, sectoral, and international legal requirements, and have assisted clients with a broad range of issues, including:

Compliance with U.S. federal and state privacy and information management requirements, including the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Gramm-Leach-Bliley Act (GLBA), HIPAA and HI-TECH, the Biometric Information Privacy Act (BIPA), the Fair Credit Reporting Act (FCRA), the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), state and federal breach notification laws, and other federal and state law requirements
Compliance with requirements of the EU General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
Pro-active incident readiness and response planning
Comprehensive counseling, assistance and management of data security incident and breach investigations, response and reporting, including notification and coordination with applicable federal and state law enforcement and regulatory agencies, crafting disclosures and messaging to employees, customers, and third parties, and creating call center FAQs and communications
Advice, counseling, and negotiation of contracts with vendors and other third parties to ensure comprehensive compliance with applicable federal, state, and sectoral privacy and security requirements
Completing comprehensive information management assessments and preparing appropriate internal privacy policies and procedures and external privacy notices and disclosures
E-commerce counseling, including the development, implementation, and updating of jurisdiction-specific and sector-specific e-commerce Terms of Use and Privacy Policies for client websites
Cyber insurance counseling, negotiation, and coverage dispute resolution
Privacy compliance programs and gap analyses, including National Institute of Standards and Technology (NIST) controls and Defense Federal Acquisition Regulation Supplement (DFARS) standards
Response to law enforcement requests for data, including subpoenas, search warrants, national security letters, Foreign Intelligence Surveillance Act (FISA) orders, and 18 U.S.C. § 2703 preservation demands
Trade secrets and confidential information protection
Proactive government affairs counseling on legislative and regulatory proposals impacting clients’ general and sector-specific privacy and security requirements and compliance obligations
Effective and efficient representation in cybersecurity- and privacy-related dispute resolution, litigation, and class actions

Areas of Focus

When a data security incident occurs, and the urge to panic sets in, it is unlikely a company can respond effectively absent preparation. Gibbons has helped clients prepare for possible data security incidents to stem the effects of attempted malicious activities and personnel mistakes. Our attorneys work with clients to maximize the value of incident response plans, table-top exercises, and preparatory law enforcement and vendor engagement as data security best practices.

Despite the best planning and preparation, incidents happen. When they do, Gibbons has the experience to counsel clients from the moment they receive notice of security incidents through conducting internal investigations, retaining privileged forensic vendors, engaging law enforcement, conducting appropriate authority and individual notifications if necessary, and completing post-incident re-evaluations and reassessments. However big or small the data security challenges, Gibbons is a key resource for incident preparation, response, and reporting.

The Gibbons Privacy & Data Security Team has longstanding experience with the Privacy Rule and Security Rule applicable to protected health information and personal health records, including drafting compliance manuals, training personnel, negotiating business associate agreements, and advising on a range of related issues, from corporate transactions involving the transfers of health records and data to drafting hospital access agreements. We have also advised our clients on HIPAA covered entity and business associate data security incidents and served as patient care ombudsman in several hospital bankruptcy proceedings.

The Gibbons Privacy & Data Security Team has assisted clients on a diverse range of privacy issues implicated in the workplace, including implementing BYOD policies, conducting internal investigations, protecting against theft of trade secrets, and handling other workplace privacy or security challenges, from the use of background checks to the creation of social media, corporate communications, and confidentiality policies.

Gibbons has assisted clients with the contractual and corporate obligations under GLBA, HIPAA, GDPR, DFARS, (New York Department of Financial Services) NYDFS, and various state regulations. We have negotiated acquisitions of companies with sensitive data, including protected health information, and helped our clients understand their rights in connection with that information. We have drafted master services agreements and scope of work agreements relative to our clients’ data privacy and security needs and advised on the requisite obligations within such contracts. In addition, we have advised on and negotiated the terms of third-party vendor agreements related to the use of personal information and counseled clients on their flow-down obligations under federal, state, and international laws.

Information governance is a requirement for virtually all institutions, regardless of size or business. The Gibbons Privacy & Data Security Team brings a unique cross-disciplinary approach to helping our clients assess and mitigate risk, create privacy and security compliance programs, and build cultures of information governance. We have counseled our clients—including marketing, defense contracting, SEC-regulated, cloud services, and HIPAA-covered entities—through the web of US and international laws, including various state regulatory schemes, federal defense contractor requirements, and GDPR compliance issues. If a company has an enterprise-level privacy or data security issue, the Gibbons Privacy & Data Security Team has the high-level proficiency to address those concerns and confront those challenges.

Gibbons has the experience to defend virtually any litigation resulting from an incident or breach, including complex and high-exposure class action lawsuits. Litigation is our firm’s historic legacy and core strength. Gibbons calls on more than 80 years of litigation experience to serve our clients in privacy and data security litigation, including contested data breach, class action defense, and consumer protection matters. Gibbons served as counsel to a Fortune 50 hotelier that was locked in litigation with federal regulators over allegations concerning an alleged data breach involving customers’ credit card information. Our Class Action Defense Team has defended retailers in cases involving alleged breaches of privacy relating to customers’ Payment Card Industry (PCI) data and personally identifiable information (PII). The firm has also represented victims of data breaches that have resulted in prosecution against criminal hackers, often convincing prosecutors to preserve the victims’ anonymity during the investigations while also preserving the integrity of the criminal cases against the perpetrators.

As a top-ranked lawyer-lobbying firm by revenue in New Jersey, Gibbons is recognized as having its finger on the pulse of state and federal legislatures and decision-makers. This allows us to spot trends and leverage our relationships to advocate for clients’ data privacy and security policy interests. Gibbons attorneys have served as part of a variety of federal and state government institutions and worked alongside policymakers in Trenton and Washington, D.C. With this experience, we are able to serve our clients through legislative and regulatory analysis, lobbying, and issue advocacy. With the ever-evolving landscape of state and federal regulatory initiatives and continuing technology developments—including the Internet of Things, Artificial Intelligence, big data, drones, and blockchain—Gibbons lawyer-lobbyists have the credibility and competence to advocate to advance our clients’ privacy and security interests.

Gibbons has worked with our clients — whether new to cyber insurance or with an existing policy in place — to develop comprehensive risk-mitigation solutions in this ever-evolving insurance market to fit the needs of their specific business. In order to maximize the availability of cyber insurance coverage, our attorneys have completed insurance program reviews, negotiated manuscript policy terms and conditions, and, when a potential claim has arisen, provided claims- related counseling and negotiation. Our practical advice and guidance at each step incorporate our knowledge of recent coverage trends and emerging case law, as well as in-depth experience with traditional commercial policies and principles of policy interpretation.

Results may vary depending on your particular facts and legal circumstances.

Security Incident and Breach Counseling

Served as data breach counsel for a public company client in two separate security incidents triggering notification and regulatory reporting obligations, both nationally and internationally
Advised a public company client regarding its rights and obligations arising out of a security incident at a third-party benefits provider resulting in the unauthorized disclosure of various personal information (PI) and personal health information (PHI) of current and former employees and their dependents
Served as data breach counsel responsible for investigation and response activities for a national real estate management company, including notification to federal and state law enforcement and regulatory authorities, messaging for notification to affected third parties, employees, and stakeholders, parameters for credit monitoring services, and preparation of call center FAQs
Served as data breach counsel leading the incident investigation and response activities for a regional healthcare provider, which included working with the forensics team, analyzing and coordinating notification requirements for all 50 states and other jurisdictions, and interacting with law enforcement and federal authorities at the Office for Civil Rights
Served as data breach counsel for an international relocation service in connection with security incident investigation and response activities arising out of a phishing scam exposing passport and other personal information from an international client
Served as data breach counsel for an international manufacturing company in connection with notification obligations as a result of a phishing incident that compromised the personal information of global contacts
Served as data breach counsel for a regional healthcare organization in connection with a lost laptop incident. After conducting a comprehensive investigation, we concluded that the incident did not constitute a breach of HIPAA or any other applicable statute or regulation and recommended additional security practices and procedures to prevent similar incidents
Served as data breach counsel for a separate regional healthcare organization in connection with a lost laptop incident. This investigation revealed that there was a breach of the HIPAA privacy and security rules, and, as a result, we analyzed and coordinated compliance with the applicable notification requirements.

Privacy and Security Compliance Counseling

Currently advising a public company on e-commerce operations, policies, and procedures for over 40 different e-commerce websites, including review, analysis, and compliance counseling for data collection, use, storage, and destruction practices in the U.S. and Canada

Retained by a public company client to provide legal and compliance advice in connection with an internal audit and forensic review of certain e-commerce operations, policies, and practices, including attorney-client privilege issues
Served as patient care ombudsman in two separate healthcare provider bankruptcies to review, analyze, and evaluate each debtor’s compliance with applicable statutes and regulations to ensure compliance with HIPAA security and privacy rules as well as the rigorous protections accorded mental health and substance abuse treatment data by state and federal law
Developed and implemented a data privacy and security program for a national marine construction company. Because the client has government contracts that include the DFARS 252.204.7012 and the NIST SP 800-171 standards, we conducted a gap analysis of the client’s practices, drafted a written information security program and incident response plan, developed a program for improving DFARS compliance, drafted policies for the publicly-facing website, and prepared intercompany operating agreements to permit the transfer of processed personal data among subsidiary and affiliate companies.
Represented an international data analytics company to assess and evaluate compliance with applicable U.S.-based privacy and security statutes and regulations in anticipation of a public offering of securities on foreign securities exchange
Served as counsel for an international communications technology manufacturer, providing advice and counseling on state and federal privacy and data security compliance obligations regarding a global launch of cloud-based testing and monitoring products and services
Represented a large direct sales client that utilizes a large independent contractor sales force, providing enterprise-wide counseling on data privacy and security issues, including drafting a written information security program for both company personnel and the independent contractor sales force, counseling on data protection issues for off-shore call centers, and negotiating the data protection provisions of the contract for the call centers

International Compliance Counseling

Conducted a European Union GDPR gap analysis for a U.S.-based international marketing and speakers bureau company that markets to EU companies and EU residents. After interviewing key stakeholders and personnel and reviewing existing policies, practices, and procedures, we advised the company on compliance obligations and drafted the company’s terms of use, privacy policy, cookie policy, gated content disclosures, incident response plan, and information security program.
Provided advice and counseling on GDPR compliance for a U.S.-based colocation and cloud services provider with EU-based operations and personnel, including the development of a strategic compliance program for data centers in different countries, and coordinating the production of electronic information in response to a federal grand jury subpoena issued as part of a Special Counsel investigation.

Third Party Contract Counseling

Advised a global pharmaceutical company concerning Master Agreement with payment processor, including terms and conditions for privacy and security compliance and scope of indemnification for data security incidents. Following implementation of the Master Agreement in the U.S., we assisted with the replication and revision of the terms and conditions appropriate for “roll out” of services in 18 different countries globally.
Frequently counsel and structure data sharing agreements for nonprofit medical research and rehabilltation foundation with medical device manufacturers
Drafted master services agreements and other terms of use for Europe-based e-commerce client, all addressing complex data privacy issues for use with U.S.-based on-line merchants and the client’s U.S. end-user customers

Internal/Forensic Investigation

Served as data breach counsel for national retail chain to resolve hacking incident, which included coordinating both forensic investigation and separate internal investigation, ensuring compliance with applicable security and privacy regulations (including notice requirements), interfacing with U.S. Attorneys’ Office and Secret Service in connection with their investigation, and producing documents and information to law enforcement
Served as data breach counsel to national market research firm to conduct internal investigation of unauthorized access to confidential and proprietary market data and to facilitate and coordinate with separate investigation by United States Securities and Exchange Commission
Advised a university client regarding its eligibility to participate in the U.S.-EU Privacy Shield for the secure transfer of data from the EU to the U.S., which included interfacing with the U.S. Department of Commerce, providing an eligibility assessment for the Privacy Shield, and counseling on alternativ5e methods available for the lawful cross-border transfer of data

Litigation

Currently serving as defense counsel in class action against a public company client seeking damages alleged as a result of a security incident that compromised personal information
Served as counsel to a national hotelier in extended litigation with federal regulators over allegations concerning an alleged data breach involving customers’ credit card information
Served as class action defense counsel for certain retailers in cases involving alleged breaches of privacy and security relating to customers’ Payment Card Industry (PCI) data and personally identifiable information (PII)