Against a multitude of business challenges, executives and general counsel continue to cite privacy and data security at the top of their list of risk threats and day-to-day concerns. A shifting regulatory landscape has organizations struggling not only to adequately protect sensitive data, but also to understand confusing rules about how consumers’ personal data should be collected, shared, and maintained. Additionally, businesses must ensure consumers are informed of their rights through enhanced privacy notices that meet regulatory approval.
Advances in technology are rapidly impacting how businesses collect, store, employ, share, and dispose of consumer and employee data. But advanced data practices have also caught the attention of state and federal legislators and regulators who are concerned with the lack of data privacy regulation, sparking new laws and legislation such as the California Consumer Privacy Act (CCPA). This growing federal and state oversight makes it difficult for even the most sophisticated businesses to ensure compliance with new and evolving laws. Abroad, comprehensive data protection regulations, including the European Union’s General Data Protection Regulation (GDPR), present new challenges for businesses that operate multi-nationally.
Despite these risks, companies are relying more and more on advanced data analytics to leverage the power of information to help grow their business. It is therefore critical to have a comprehensive program in place to securely manage individuals’ personally identifiable information while also keeping up to date with emerging privacy laws. We understand that a one-size-fits-all approach to managing and protecting data does not work. Instead, company-specific policies and procedures should be adopted after taking business objectives and corporate culture into account.
Our Privacy team includes Certified Information Privacy Professionals (CIPP/US) who provide practical, implementable, and cost-effective solutions that enable businesses to effectively compete while reducing the risk of using valuable personal data. We help clients understand their regulatory obligations, assess information privacy policies and practices, develop information management and compliance programs, work with regulators to bring concerns to quick resolution, and defend litigation and enforcement actions related to privacy and data security compliance. We monitor policy developments and enforcement activity daily, helping our clients consider the most current interpretations of the law and enabling them to sidestep potential landmines.
Our team advises on global, federal, and state privacy laws and industry best practices, including:
- Biometric Information Privacy Act (BIPA)
- California Consumer Privacy Act of 2018 (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Canadian Anti-Spam Law (CASL)
- Children’s Online Privacy & Protection Act (COPPA)
- Combating the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
- Electronic Communications Privacy Act (ECPA/SCA)
- Fair Credit Reporting Act (FCRA)
- Fair Debt Collection Practices Act (FDCPA)
- Fair and Accurate Credit Transactions Act of 2003 (FACTA) and Red Flags Rule
- Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLBA)
- The European Union’s General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Junk Fax Prevention Act of 2003 (JFPA)
- Telemarketing Sales Rule (TSR)
- Telephone Consumer Protection Act (TCPA)
- Federal and state data protection and breach laws
- Federal and state unfair, deceptive, or abusive acts or practices (UDAAP)
- PCI Compliance
Our full range of privacy and data security services includes the following:
- Compliance Programs. We help mitigate privacy and data security risks through the design and implementation of practical, cost-effective compliance programs. Among other things, this includes drafting policies and procedures, training executive management and other employees, and establishing robust quality assurance protocols.
- Compliance Audits. Unlike many law firms – even those with a privacy practice – we regularly conduct on-site compliance audits of our clients’ operations. Such audits are typically the best way to assess the organization’s risk exposure and verify that a compliance program is working as designed. Oftentimes, these audits bring to light new business practices that have not been fully vetted from a compliance perspective. By discovering these issues proactively, we’ve successfully helped our clients remediate noncompliant practices before they catch the attention of regulators or plaintiffs’ attorneys.
- Defense of Class Action and Individual Lawsuits. We have defended numerous companies against class action and individual lawsuits involving the FDCPA, FCRA, TCPA and other privacy laws, achieving optimal outcomes for our clients. In many instances, we have obtained voluntary dismissal of the case or settlement on an individual, rather than class-wide, basis.
- Data Breach Response. In the hours and days after a data breach has been discovered, businesses need clear and fast counsel regarding their breach response obligations. We advise clients on breach response requirements and best practices, and work with their public relations team and senior leadership to navigate the complex issues that arise in the aftermath of a data breach.
- Third Party Due Diligence and Contract Review. In addition to auditing internal compliance programs, we also help clients reduce external risks by establishing robust due diligence programs for their vendors, dealers, marketing partners, and/or merger and acquisition targets. Such programs might include pre-contract due diligence measures, contractual requirements/prohibitions, ongoing due diligence protocols, and remediation measures.
- State and Federal Investigations. We help clients respond to regulatory inquiries and investigations brought by the FTC, FCC, CFPB, and state attorneys general. We have achieved significant success in resolving investigations without negative findings against our clients or with consent agreements containing little or no monetary penalty.
- Regulatory Advocacy. We advocate for clients’ privacy-related interests before the FTC and FCC. This includes filing petitions or comments on behalf of our clients and meeting with regulatory staff and leadership regarding such issues.