Privacy & Data Security

Against a multitude of business challenges, executives and general counsel continue to cite privacy and data security at the top of their list of risk threats and day-to-day concerns. A shifting regulatory landscape has organizations not only struggling to adequately protect sensitive data but also to understand confusing rules about how consumers’ personal data should be collected, shared, and maintained. Additionally, businesses must ensure consumers are informed of their rights through enhanced privacy notices that meet regulatory approval.

How can we help? Let's talk.

A one-size-fits-all approach to managing and protecting data does not work.

Advances in technology are rapidly impacting how businesses collect, store, employ, share, and dispose of consumer and employee data. But advanced data practices have also caught the attention of state and federal legislators and regulators who are concerned with the lack of data privacy regulation, sparking new laws and legislation such as the California Consumer Privacy Act (CCPA). This growing federal and state oversight makes it difficult for even the most sophisticated businesses to ensure compliance with new and evolving laws. Abroad, comprehensive data protection regulations, including the European Union’s General Data Protection Regulation (GDPR), present additional challenges for businesses that operate multinationally.

Despite these risks, companies are relying more and more on advanced data analytics to leverage the power of information to help grow their business. It is, therefore, critical to have a comprehensive program in place to securely manage individuals’ personally identifiable information while also keeping up to date with emerging privacy laws. We understand that a one-size-fits-all approach to managing and protecting data does not work. Instead, company-specific policies and procedures should be adopted after taking business objectives and corporate culture into account.

Our Privacy team includes Certified Information Privacy Professionals (CIPP/US) who provide practical, implementable, and cost-effective solutions that enable businesses to compete effectively while reducing the risk of using valuable personal data. We help clients understand their regulatory obligations, assess information privacy policies and practices, develop information management and compliance programs, work with regulators to bring concerns to a quick resolution, and defend litigation and enforcement actions related to privacy and data security compliance. We monitor policy developments and enforcement activity daily, helping our clients consider the most current interpretations of the law and enabling them to sidestep potential landmines.

Our team advises on global, federal, and state privacy laws and industry best practices, including:

  • Biometric Information Privacy Act (BIPA)
  • California Consumer Privacy Act of 2018 (CCPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Canadian Anti-Spam Law (CASL)
  • Children’s Online Privacy & Protection Act (COPPA)
  • Combating the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
  • Electronic Communications Privacy Act (ECPA/SCA)
  • Fair Credit Reporting Act (FCRA)
  • Fair Debt Collection Practices Act (FDCPA)
  • Fair and Accurate Credit Transactions Act of 2003 (FACTA) and Red Flags Rule
  • Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLBA)
  • The European Union’s General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Junk Fax Prevention Act of 2003 (JFPA)
  • Telemarketing Sales Rule (TSR)
  • Telephone Consumer Protection Act (TCPA)
  • Federal and state data protection and breach laws
  • Federal and state unfair, deceptive, or abusive acts or practices (UDAAP)
  • PCI Compliance

Learn How We Can Help Your Business

Our full range of privacy and data security services includes the following:

Compliance Programs

We help mitigate privacy and data security risks through the design and implementation of practical, cost-effective compliance programs. Among other things, this includes drafting policies and procedures, training executive management and other employees, and establishing robust quality assurance protocols.

Compliance Audits

We regularly conduct on-site and/or virtual compliance audits of our clients’ operations. These audits are typically the best way to assess the organization’s risk exposure and verify that a compliance program is working as designed. Oftentimes, these audits bring to light new business practices that have not been fully vetted from a compliance perspective. By discovering these issues proactively, we’ve successfully helped our clients remediate noncompliant practices before they catch the attention of regulators or plaintiffs’ attorneys.

Defense of Class Action & Individual Lawsuits

We have defended numerous companies against class action and individual lawsuits involving the FDCPA, FCRA, TCPA, and other privacy laws, achieving optimal outcomes for our clients. In many instances, we have obtained voluntary dismissal of the case or settlement on an individual, rather than class-wide, basis.

Data Breach Response

In the hours and days after a data breach has been discovered, businesses need clear and fast counsel regarding their breach response obligations. We advise clients on breach response requirements and best practices, and work with their public relations team and senior leadership to navigate the complex issues that arise in the aftermath of a data breach.

Third-Party Due Diligence & Contract Review

In addition to auditing internal compliance programs, we also help clients reduce external risks by establishing robust due diligence programs for their vendors, dealers, marketing partners, and merger and acquisition targets. Such programs might include pre-contract due diligence measures, contractual requirements/prohibitions, ongoing due diligence protocols, and remediation measures.

State & Federal Investigations

We help clients respond to regulatory inquiries and investigations brought by the FTC, FCC, CFPB, and state attorneys general. We have achieved significant success in resolving investigations without negative findings against our clients or with consent agreements containing little or no monetary penalty.

Regulatory Advocacy

We advocate for clients’ privacy-related interests before the FTC and FCC. This includes filing petitions or comments on behalf of our clients and meeting with regulatory staff and leadership regarding such issues.

How Complex is the Data Privacy and Protection Regulatory Environment?

Our economy is becoming increasingly digital, and businesses are benefiting from more sophisticated data analytics tools. As more personal information is collected from consumers, there is growing concern about what information is being collected and how it is being stored and used. Consumers are demanding better privacy measures and disclosures from businesses.

At the same time, legislators and regulators are stepping up their efforts to address the concerns of consumers and provide them with the data protections they need. Stronger scrutiny is being placed on how and what consumer information is collected, stored, processed, and used. In the data privacy world, a distinction is drawn between controllers, who collect the information and want to use it, and processors, who process the information on behalf of controllers. A third party may also be involved in the process. For example, if telephone numbers are collected for telemarketing purposes, then to comply with telemarketing regulations, a controller may send the file filled with phone numbers to a third party to scrub the numbers against national and state do-not-call lists. This sharing of information needs to be considered for data privacy and protection issues.

Data privacy and protection law is evolving in the United States and elsewhere. Until recently – except in specific areas, like HIPAA for healthcare – there was no comprehensive privacy law in the United States at the federal or state level. But that has changed as regulators, concerned with the historical lack of data privacy regulation, are augmenting efforts to fill the void. Numerous states have imposed their own stringent privacy laws in recent years, and the federal government is making strides as well.

Data privacy and protection rules are often confusing. But they apply throughout the whole lifecycle of data, and therefore a program needs to be put in place to handle these issues. Businesses need clear, actionable recommendations from counsel so they can use and manage data effectively.

Solid Data Privacy Practices are a Competitive Advantage

There is also increasing pressure from the market. One factor that consumers are weighing more significantly in selecting sellers is whether their data is being treated appropriately. Businesses should expect that going forward, good data privacy and protection practices will become more of a competitive advantage.

Consider the following:

  • A 2020 report from Cisco suggests that for every $1 invested in privacy, companies saw a $2.70 return. Additional studies point to improved customer loyalty, improved ROI, and less reliance on outsourced data.
  • Salesforce found that 76% of consumers will remain loyal to organizations that provide data security.
  • A study published by the Cyber and Privacy Innovation Institute asserts that 64% of Americans would fault the company they trusted with their information before blaming the hacker in the instance of a breach.
  • Gartner predicts that by 2024, 40% of consumers will intentionally devalue personal data collected about them by using VPNs or opting out of data collection altogether.

To stand out competitively, businesses across all industries must proactively embrace Privacy and Data Security across functions and departments not just as a defensive position, but as a key driver for sales and retention as well.

Let’s talk about how we can help your business manage data privacy effectively.

How Much Harm Could a Data Breach Cause to Your Business?

For most business executives, the prospect of a data breach represents their worst nightmare. A major breach can be catastrophic not only to the bottom line, but to your business’s operations, customer trust, even its survival. Types of harm could include:

  • Legal liability and substantial financial penalties
  • Damage to brand reputation
  • Clients switching to competitors
  • Distracting employees from important work
  • Loss of intellectual property

Even a small data breach can trigger significant time and related costs for those who work at the company. Breaches impose obligations to, among many other things, remedy the underlying vulnerability, address future threats, communicate to customers, and mitigate the harm caused to them. Ordinary business is interrupted, and employees are distracted from revenue-generating work.

Valuable intellectual property that the firm could lose includes competitively advantageous trade secrets. Loss of confidence can occur not only among customers but with investors and vendors. This reputational damage may extend not only to firm leadership but also to the brand itself.

There is also the risk of legal liability, as a data breach can lead to follow-on lawsuits that cause further distraction, cost money to resolve, and more. Potential lawsuits could come not only from private citizens but from regulators, too. Experienced counsel can work with your information security team to identify and mitigate potential risks, and in the event of a data breach, guide you through a comprehensive response strategy that mitigates the legal, operational, consumer, and public relations impacts of the breach while preserving brand reputation.

Let’s talk about how to prevent data breaches from happening in the first place.

How Should Businesses Prevent and Respond to Data Breaches?

Businesses have data security obligations to prevent and respond to data breaches. The legal frameworks vary depending on the jurisdiction.

But there is a set of best practices that our privacy and data security attorneys recommend. A business can choose to implement different standards based on different frameworks in each jurisdiction where it operates or apply the strictest standard across the board.

How to Prevent Data Breaches

Businesses should establish security measures that adequately protect data. It’s important to work with experienced privacy counsel that can direct comprehensive compliance audits to assess risk exposure of an existing program. A typical audit might include the following components:

  • Analysis of documentation including existing privacy policies, information security program, data breach response plan, and business continuity plan
  • Interviews with key personnel and vendors
  • Assessment of vendor contracts and due diligence reports
  • Review of information security reports, including penetration test and SOC 2 reports

Audits should occur regularly. Based on audit results, a remediation plan may be put in place to remedy compliance gaps. You may be surprised at how simple some fixes can be. For example, have someone check that employee login information is difficult to guess, not just easy for the authorized person to remember.

Updating compliance programs involves designing and implementing actionable steps that keep the business moving forward while satisfying legal obligations. Written policies and training sessions are important, as well as scenario planning and quality assurance measures.

Any data you acquire from a third party, or provide to a third party, should be accompanied by due diligence on how they handle their data. You need a reasonable basis to believe that their data privacy and security practices are also compliant with applicable laws.

How to Respond to Data Breaches

When it comes to a data breach, preparation is key. You cannot wait for an incident to occur to begin developing your response plan. You will need to act quickly, so having an established plan in place will facilitate your investigation and containment of the breach, notification of affected parties, and other responsibilities.

Your response plan should cover the entire lifecycle of a data breach event, not just the immediate aftermath. It should ensure that, if followed, the business will be compliant with all applicable data breach response obligations. Your plan should also have an identified list of the key resources and vendors that will be necessary to respond to the breach, including their contact information. This could include a public relations consultant, forensic IT firm, insurance company providing your cyber liability coverage, contact center or customer relations resource to field consumer questions, and of course, your privacy legal counsel.

Want to learn more about developing a data breach response plan? We can help.


Related Attorneys

Michele Shuster

Nick Whisler

Josh Stevens

Chris Wager
