Against a multitude of business challenges, executives and general counsel continue to cite privacy and data security at the top of their list of risk threats and day-to-day concerns. A shifting regulatory landscape has organizations not only struggling to adequately protect sensitive data but also to understand confusing rules about how consumers’ personal data should be collected, shared, and maintained. Additionally, businesses must ensure consumers are informed of their rights through enhanced privacy notices that meet regulatory approval.
How can we help? Let's talk.
Advances in technology are rapidly impacting how businesses collect, store, employ, share, and dispose of consumer and employee data. But advanced data practices have also caught the attention of state and federal legislators and regulators who are concerned with the lack of data privacy regulation, sparking new legislation and state laws such as the California Consumer Privacy Act (CCPA). This growing federal and state oversight makes it difficult for even the most sophisticated businesses to ensure compliance with new and evolving laws. Abroad, comprehensive data protection regulations, including the European Union’s General Data Protection Regulation (GDPR), present additional challenges for businesses that operate multinationally.
Despite these risks, companies are relying more and more on advanced data analytics to leverage the power of information to help grow their business. It is, therefore, critical to have a comprehensive program in place to securely manage individuals’ personally identifiable information while also keeping up to date with emerging privacy laws. We understand that a one-size-fits-all approach to managing and protecting data does not work. Instead, company-specific policies and procedures should be adopted after taking business objectives and corporate culture into account.
How Can We Help? Let's Talk
Our full range of privacy and data security services includes the following:
Compliance Programs
We help mitigate privacy and data security risks through the design and implementation of practical, cost-effective compliance programs. Among other things, this includes drafting policies and procedures, training executive management and other employees, and establishing robust quality assurance protocols.
Compliance Audits
We regularly conduct on-site and/or virtual compliance audits of our clients’ operations. These audits are typically the best way to assess the organization’s risk exposure and verify that a compliance program is working as designed. Oftentimes, these audits bring to light new business practices that have not been fully vetted from a compliance perspective. By discovering these issues proactively, we’ve successfully helped our clients remediate noncompliant practices before they catch the attention of regulators or plaintiffs’ attorneys.
Defense of Class Action & Individual Lawsuits
We have defended numerous companies against class action and individual lawsuits involving the FDCPA, FCRA, TCPA, and other privacy laws, achieving optimal outcomes for our clients. In many instances, we have obtained voluntary dismissal of the case or settlement on an individual, rather than class-wide, basis.
Data Breach Response
In the hours and days after a data breach has been discovered, businesses need clear and fast counsel regarding their breach response obligations. We advise clients on breach response requirements and best practices, and work with their public relations team and senior leadership to navigate the complex issues that arise in the aftermath of a data breach.
Third-Party Due Diligence & Contract Review
In addition to auditing internal compliance programs, we also help clients reduce external risks by establishing robust due diligence programs for their vendors, dealers, marketing partners, and merger and acquisition targets. Such programs might include pre-contract due diligence measures, contractual requirements/prohibitions, ongoing due diligence protocols, and remediation measures.
State & Federal Investigations
We help clients respond to regulatory inquiries and investigations brought by the FTC, FCC, CFPB, and state attorneys general. We have achieved significant success in resolving investigations without negative findings against our clients or with consent agreements containing little or no monetary penalty.
Regulatory Advocacy
We advocate for clients’ privacy-related interests before the FTC and FCC. This includes filing petitions or comments on behalf of our clients and meeting with regulatory staff and leadership regarding such issues.
Our economy is becoming increasingly digital, and businesses are benefiting from more sophisticated data analytics tools. As more personal information is collected from consumers, there is growing concern about what information is being collected and how it is being stored and used. Consumers are demanding better privacy measures and disclosures from businesses.
At the same time, legislators and regulators are stepping up their efforts to address the concerns of consumers and provide them with the data protections they need. Stronger scrutiny is being placed on how and what consumer information is collected, stored, processed, and used. In the data privacy world, a distinction is drawn between controllers, who collect the information and want to use it, and processors, who process the information on behalf of controllers. A third party may also be involved in the process as well. For example, if telephone numbers are collected for telemarketing purposes, then to comply with telemarketing regulations, a controller may send the file filled with phone numbers to a third party to scrub the numbers against national and state do-not-call lists. This sharing of information needs to be considered for data privacy and protection issues.
Data privacy and protection law is evolving in the United States and elsewhere. Until recently – except in specific areas, like HIPAA for healthcare – there was no comprehensive privacy law in the United States at the federal or state level. But that has changed as regulators, concerned with the historical lack of data privacy regulation, are augmenting efforts to fill the void. Numerous states have imposed their own stringent privacy laws in recent years, and the federal government is making strides as well.
Data privacy and protection rules are often confusing. But they apply throughout the whole lifecycle of data, and therefore a program needs to be put in place to handle these issues. Businesses need clear, actionable recommendations from counsel so they can use and manage data effectively.
There is also increasing pressure from the market. One factor that consumers are weighing more significantly in selecting sellers is whether their data is being treated appropriately. Businesses should expect that going forward, good data privacy and protection practices will become more of a competitive advantage.
Consider the following:
To stand out competitively, businesses across all industries must proactively embrace Privacy and Data Security across functions and departments not just as a defensive position, but as a key driver for sales and retention as well.
Let’s talk about how we can help your business manage data privacy effectively.
For most business executives, the prospect of a data breach represents their worst nightmare. A major breach can be catastrophic not only to the bottom line, but to your business’s operations, customer trust, even its survival. Types of harm could include:
Even a small data breach can trigger significant time and related costs for those who work at the company. Breaches impose obligations to, among many other things, remedy the underlying vulnerability, address future threats, communicate to customers, and mitigate the harm caused to them. Ordinary business is interrupted and distracts employees from revenue-generating work.
Valuable intellectual property that the firm could lose includes competitively advantageous trade secrets. Loss of confidence can occur not only among customers but with investors and vendors. This reputational damage may extend not only to firm leadership but also to the brand itself.
There is also the risk of legal liability, as a data breach can lead to follow-on lawsuits that cause further distraction, cost money to resolve, and more. Potential lawsuits could come not only from private citizens but regulators, too. Experienced counsel can work with your information security team to identify and mitigate potential risks, and in the event of data breach, guide you through a comprehensive response strategy that mitigates the legal, operational, consumer, and public relations impacts of the breach while preserving brand reputation.
Let’s talk about how to prevent data breaches from happening in the first place.
Businesses have data security obligations to prevent and respond to data breaches. The legal frameworks vary depending on the jurisdiction.
But there are a set of best practices that our privacy and data security attorneys recommend. A business can choose to implement different standards based on different frameworks in each jurisdiction where it operates or apply the strictest standard across the board.
Businesses should establish security measures that adequately protect data. It’s important to work with experienced privacy counsel that can direct comprehensive compliance audits to assess risk exposure of an existing program. A typical audit might include the following components:
Audits should occur regularly. Based on audit results, a remediation plan may be put in place to remedy compliance gaps. You may be surprised at how simple some fixes can be. For example, have someone check that employee login information is difficult to guess, not just easy for the authorized person to remember.
Updating compliance programs involves designing and implementing actionable steps that keep the business moving forward while satisfying legal obligations. Written policies and training sessions are important, as well as scenario planning and quality assurance measures.
Any data you acquire from a third party, or provide to a third party, should be accompanied by due diligence on how they handle their data. You need a reasonable basis to believe that their data privacy and security practices are also compliant with applicable laws.
When it comes to a data breach, preparation is key. You cannot wait for an incident to occur to begin developing your response plan. You will need to act quickly, so having an established plan in place will facilitate your investigation and containment of the breach, notification of affected parties, and other responsibilities.
Your response plan should cover the entire lifecycle of a data breach event, not just the immediate aftermath. It should ensure that, if followed, the business will be compliant with all applicable data breach response obligations. Your plan should also have an identified list of the key resources and vendors that will be necessary to respond to the breach, including their contact information. This could include a public relations consultant, forensic IT firm, insurance company providing your cyber liability coverage, contact center or customer relations resource to field consumer questions, and of course, your privacy legal counsel.
Want to learn more about developing a data breach response plan? We can help.
On October 1, 2025, the Maryland Online Data Privacy Act (MODPA) became effective, joining the growing list of states with comprehensive consumer data privacy laws. With enforcement beginning April 1,
In a sharply worded opinion, U.S. District Judge Vince Chhabria recently granted summary judgment in favor of the Eating Recovery Center (ERC) in a privacy lawsuit that has reignited debate
