Data Privacy & Cybersecurity
A two-time Advisen “Cyber Law Firm of the Year” winner, the Lewis Brisbois Data Privacy & Cybersecurity Practice is composed of experienced attorneys – including several Certified Information Privacy Professionals (CIPP) – who are highly skilled in managing an array of data security matters. From the relatively simple theft of a device containing proprietary or consumer information, to catastrophic system compromises affecting millions of consumers, Lewis Brisbois’ cybersecurity team has managed responses to thousands of data security incidents in virtually all business sectors. Our extensive experience includes working with the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Moreover, members of our team hold certifications from the International Association of Privacy Professionals (IAPP), including the ANSI-accredited CIPP/US designation, the CIPP/Europe designation, and the Certified Information Privacy Technologist (CIPT) designation. Supported by a full-service law firm, the team provides a suite of proactive services, fully managed breach response services, and defensive litigation services when necessary.
Compliance advisory (proactive) services:
- Cyber preparedness assessments
- Incident response planning
- Tabletop exercises
- Policy and procedure development
- Facilitation of privileged third party services
- Third party contract review
Incident (breach) response services:
- Fully managed breach response
- Facilitation of forensics services
- Consumer and regulatory notification
- Facilitation of consumer remediation services
- Regulatory investigation guidance and defense
- Third party defense
Incident Response Services
Incident response management: Having managed responses to thousands of data security incidents in all business sectors, the Lewis Brisbois Data Privacy & Cybersecurity Team has extensive experience managing responses to information security incidents. Lewis Brisbois attorneys work closely with cyber insurance brokers and carriers to maximize client access to appropriate resources. The rapid response process involves an initial assessment of the data security problem and facilitation of all legal agreements and services needed to contain, analyze, investigate, and remediate the incident. This often includes digital forensics, crisis management and communications, consumer notification, and credit monitoring and/or identity protection services. The process also involves an assessment of consumer and regulatory notification obligations, and, if such obligations apply, our attorneys assist in drafting consumer and regulatory notifications and in responding to inquiries from the media and regulatory officials.
Data breach-related defensive litigation: Our attorneys have extensive experience representing clients in complex litigation arising from data breach-related matters. Whether it is a third-party demand or a class action complaint, Lewis Brisbois attorneys are particularly well suited to defend clients in all business sectors. Lewis Brisbois has extensive litigation resources covering major markets across the nation, ensuring that clients are well represented in all defensive litigation matters.
Data breach-related affirmative litigation: Clients who fall victim to a data breach often incur harm from third parties. The lawyers in Lewis Brisbois’ Data Privacy & Cybersecurity Practice and its Commercial Litigation Practice guide clients through their options in resolving difficult and complex problems — including the recovery of substantial losses from third parties and the recovery and seizure of private data stolen during a data breach — and provide strong affirmative litigation services when necessary.
Website and mobile application accessibility defensive litigation services: Litigation surrounding website accessibility under Title III of the Americans with Disabilities Act (ADA) has significantly increased in recent years. Perhaps due to uncertainty about pending federal regulations, businesses have been caught off guard when confronted with third party demands or lawsuits. The lawyers in Lewis Brisbois’ Data Privacy & Cybersecurity Practice and its ADA Compliance and Defense Practice guide clients through their obligations under Title III of the ADA and provide strong defensive litigation services when necessary.
Compliance Advisory Services
Data Privacy Assessments
The Lewis Brisbois Compliance Advisory Team has extensive experience assessing the application of state and federal statutes and regulatory frameworks, both domestic and international, to client data privacy practices. Our team works with clients to do the following:
- review the nature of their business model as it pertains to data privacy;
- review the scope of legal jurisdictions applicable to their operations;
- review their data collection, transmission, and storage practices;
- identify the applicable state and federal statutes and regulatory frameworks, like the California Consumer Privacy Act (CCPA), the California Civil Code, the Children’s Online Privacy Protection Act (COPPA), and international data privacy protection frameworks, like the GDPR and PIPEDA; and
- assess compliance with applicable data privacy frameworks.
Our team provides a written assessment of how the applicable data privacy frameworks apply to our client’s data collection, transmission, and storage practices. The assessment includes an identification of the measures that must be taken to comply with those frameworks, including data privacy policies, practices, and programs.
Data Privacy Compliance
Our Compliance Advisory Team specializes in identifying data privacy compliance requirements and works with clients to help them develop compliant practices and programs. This often involves assessing the application of state data privacy requirements that emanate from statutes like the CCPA, or from international frameworks like the GDPR and PIPEDA. We work side-by-side with company personnel to develop applicable and functional policies and procedures that comply with these frameworks. We can also serve as the company’s Data Protection Officer (DPO). These efforts will ensure continuity of operations, limit your liability, and allow your organization to represent that it is fully compliant with applicable requirements to ensure it is eligible for continued business opportunities.
Our attorneys work with clients to identify and develop necessary data privacy policies pertaining to data collection, employment, online marketing, and sector specific requirements. Data collection is a critical aspect of many business models, and regulation of data collection practices is constantly increasing. We help businesses navigate the ever-evolving privacy regulatory landscape by ensuring that their data privacy policies comport with that landscape. This process involves the following:
- completion of a data privacy questionnaire pertaining to client data collection, use, transmission, and storage practices to guide the policy development/revision process;
- interviews and consultation with key personnel to assist with completing the questionnaire and validating privacy practices;
- a review of the legal bases for client data collection, use, transmission, or storage;
- a review of applicable data privacy laws, including the CCPA, the California Civil Code, the COPPA, and the GDPR;
- a review of client website user tracking practices and those of third-party providers;
- a review of client information sharing practices;
- a review of client customer rights; and
Data Privacy Program Development and Governance
Our attorneys understand that privacy compliance is not achieved by policies alone. We work with our clients to determine how to operationalize the privacy requirements they face, so that our clients have the systems and processes in place to ensure compliance with notice obligations, data subject access and deletion request response timeframes, proper assessment of applicable exceptions and exemptions under the relevant privacy regimes, and other privacy compliance demands.
Data Privacy Training
Our Compliance Advisory Team shares its data privacy expertise through training that can be delivered in a variety of formats, including live webinar sessions, onsite sessions, or pre-recorded “on-demand” training sessions. Our team helps clients identify and prioritize their training needs, develop customized training to educate employees about data privacy requirements, and develop customized presentations for boards and executives about data privacy requirements, while addressing the business case for any necessary revision in business practices.
Data Retention Policies
The data explosion caused by the advent of electronically created and stored information has made the management of data a critical need for business processes, regulatory compliance, and data security. Focused data retention and destruction policies are an important component of information security and information management systems. Our attorneys regularly assist clients in developing document retention and destruction policies to limit liability and comply with regulatory frameworks.
Data Transfer Agreements
The Schrems rulings, decisions by European Data Protection Authorities, and recent revisions to the EU’s Standard Contractual Clauses have all made transfer of information between Europe and the rest of the world more complicated. Our attorneys can assist with conducting transfer impact assessments and developing data transfer agreements to ensure that trans-Atlantic data transfers clear any adequacy hurdles that they may otherwise face, while also clarifying the data protection and privacy obligations of all parties.
HIPAA requires the completion of an annual Security Risk Assessment to ensure compliance with all aspects of HIPAA’s regulatory requirements. It involves a thorough and accurate audit of administrative, physical, and technical safeguards to identify vulnerabilities and risks to the security of protected health information (PHI). Our attorneys share their expertise by helping clients identify potential risks to the security of PHI, ensure compliance with documentation requirements, and develop a risk management plan to facilitate continuous improvement in the protection of PHI. This process includes the following:
- a HIPAA risk analysis questionnaire, mapped to 45 C.F.R. §§ 164.302 – 318, to guide the assessment process;
- a review of the client’s relevant documentation, including policies and procedures, as well as business associate agreements;
- interviews and consultation with key personnel to assist with completing the questionnaire and assessing potential risk; and
- drafting of a comprehensive report, a risk profile, HIPAA administrative and privacy policies, and a risk management plan addressing HIPAA compliance, suggested improvements, and continuous security of PHI.
Information Security Assessments
The Lewis Brisbois Compliance Advisory Team works with clients in all business sectors to assess their cyber preparedness. Our attorneys have extensive knowledge of the critical security controls required by regulators to be enabled in information security systems, and we work with information technology and security personnel to enhance their organizational security posture and reduce information system vulnerabilities. Our information security assessments are usually based upon the National Institute of Standards and Technology (NIST) framework and mapped to a pertinent Special Publication (SP), such as the NIST SP 800-53 Rev. 5 “Security and Privacy Controls for Information Systems and Organizations” and SP 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” as well as the Critical Security Controls, which are now managed by the Center for Internet Security. This process includes the following:
- an information security assessment questionnaire, mapped to the appropriate NIST framework, to guide the assessment process;
- a review of the client’s information security program and practices, and relevant documentation, including policies and procedures;
- interviews and consultation with key personnel to assist with completing the questionnaire and assessing the client security posture; and
- drafting of a comprehensive report identifying the applicable security controls, gaps in implementation of any security controls, and recommendations for implementation of relevant security controls and improvement in the enterprise security posture.
Information Security Policy Development/Revision
Our team helps clients review existing information security policies and procedures, recommends revisions to existing policies and procedures, and drafts policies and procedures if none exist. These policies are usually mapped to the NIST framework, such as the NIST SP 800-53 Rev. 5 “Security and Privacy Controls for Information Systems and Organizations” and SP 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” as well as the Critical Security Controls, which are now managed by the Center for Internet Security.
Incident Response Planning
The Lewis Brisbois Compliance Advisory Team works with clients in all business sectors to develop and draft incident response plans. The policies are usually mapped to the NIST SP 800-61 Rev. 2 “Computer Security Incident Handling Guide” and incorporate best practices in incident response. The planning process includes the identification and involvement of key stakeholders, the facilitation of acquisition of cyber liability insurance, the facilitation and execution of master service agreements with incident response service providers (digital forensics services, consumer notification/call center services, credit monitoring/identity protection services, etc.), and introductions to appropriate law enforcement personnel. We recognize that preparation is a critical phase in the incident response life cycle, and after managing responses to thousands of data security incidents, our team is well versed in helping clients prepare for all types of data security incidents.
We help clients test their incident response plans by facilitating enterprise-wide digital crisis response exercises. We encourage these exercises to be cross-functional and involve key stakeholders throughout the organization. These exercises help clients identify and “experience” roles and responsibilities in responding to a data security incident before an actual crisis occurs. Our attorneys recognize that “experiencing” a data security incident before it actually occurs accelerates an organization’s ability to effectively contain and remediate an incident. The exercises also help to identify and resolve gaps in incident response plans and to enhance an organization’s enterprise security posture.
Information Security Awareness Training
Our team works with clients to identify their information security training needs and develops customized training to meet those needs. The training can be delivered in a variety of formats, including live webinar sessions, onsite sessions, or pre-recorded “on-demand” training sessions. This training is usually recommended to cover current online threat trends that may affect the client, with suggested measures to mitigate the risk of those threats. The training is usually tailored to the type of events that will likely affect the client’s data, customers, and employees. The training may be cross-functional and provide guidance to an entire business enterprise, or it may focus on the specific responsibilities, threats, and risks to employee populations, executives, or boards.
Third Party Contract Review and Management
One of the largest areas of liability resulting from data security events derives from contractual obligations. Our team works closely with clients to understand their unique circumstances, the nature and complexity of their client relationships, and the purpose of their service providers. Our attorneys help clients review agreements with their clients to identify and assess data privacy and security obligations, to recommend revisions to limit liability, and to develop systems to manage the liability. Our attorneys also review agreements with service providers, including third-party technology service providers, to identify and assess liabilities that may arise from data security incidents. Keeping our clients’ business goals in mind, we suggest revisions to client contracts that typically involve data handling and notification requirements resulting from data privacy and/or security events. We also craft narrowly tailored service provider agreements designed to mitigate potential exposure arising from data security incidents. This involves a review of provisions to accomplish the following:
- define a client’s relationship with the service provider;
- require the service provider to adhere to delineated information security practices molded to the specific service offering;
- establish expectations as to when, how, and under what circumstances a service provider must report a potential or suspected data security incident, and preserve the client’s right to conduct an independent forensic investigation;
- incorporate optimal indemnification and limitation of liability language to shift liability and defense exposure to the service provider;
- leverage a service provider’s insurance coverage;
- incorporate warranties that hold the service provider accountable for rendering services in accordance with the agreement and applicable law;
- apply a favorable choice of law provision governing disputes under the contract; and
- avoid potential pitfalls such as waivers of subrogation that may preclude our clients or their insurers from recovering damages attributable to a service provider’s conduct.
Managing liabilities associated with service providers has never been more important, with the evolution of technology and online threats creating an increasingly dangerous digital environment. The risks and liabilities can be mitigated, however, with due diligence and good service provider contract management.
Facilitation Of Third-Party Technology Projects
Our team facilitates confidential third-party technology engagements to protect communication and reporting about them with the attorney-client privilege and the work product doctrine to the extent permitted by law. These projects may involve system vulnerability assessments, system penetration testing, and forensics investigations. Our attorneys help clients identify an appropriate vendor, determine the appropriate scope, facilitate and execute pertinent contracts, oversee the various projects to ensure they remain within scope and budget, and review and edit preliminary reports to ensure they are accurate and in a format acceptable for regulators should they need to be produced.
Mergers and Acquisitions Information Security Due Diligence
Information systems are an increasingly important part of any merger, acquisition, or sale. For buyers, it is critical that due diligence be conducted to avoid the purchase of a data breach. For sellers, it is critical to ensure that representations and warranties about the security of information systems are accurate. Our attorneys understand these dynamics and regularly work with clients to conduct the due diligence necessary to guide them through the merger, acquisition, or sale process.