Data Privacy and Cybersecurity

As more classified information is stored in the digital realm – including financial and health care data, retail client information, trade secrets and other intellectual property, and institutional knowledge – networks become greater targets for thieves, competitors, and hackers.

In addition to external threats, data breaches may be caused by employees acting innocently or maliciously. Without proper planning, the effects of a breach can be devastating, subjecting victims to regulatory penalties, litigation, and severe reputational harm.

Lewis Roca has extensive experience navigating the cybersecurity and data privacy issues associated with regulated industries and general business operations. Our lawyers successfully protect and defend clients’ most confidential data, relying on our technical training in electrical engineering and computer science as well as certifications from professional privacy organizations. We routinely review and follow the multitude of cybersecurity and data privacy laws at the federal and state level in the United States in addition to those pursuant to key international regulations.

Our Approach

Our team deploys a law-led approach to cybersecurity threats and data breaches. Our focus is on working with clients to protect themselves on the front end to mitigate loss and disruption. Our pre-breach services include interdisciplinary solutions to help clients manage everything from core business assets to cyber vulnerabilities. By identifying areas of weakness in systems and processes, clients can implement solutions and deter many potential threats and crises.

Competitive advantages are created by companies investing in their security solutions. At the same time, companies need to ensure they are abreast of rapidly evolving cybersecurity laws and regulations from government and regulatory bodies at every level, including the international level. Our team sits at this intersection and has the tools and experience to provide comprehensive counsel. We are experienced at pre-breach coaching and help clients manage technical controls by calculating risk-reducing measures that include exposure reduction.

Risk Assessment

Our pre-breach services include interdisciplinary solutions to help clients manage everything from core business assets to cyber vulnerabilities. By identifying areas of weakness in systems and processes, clients can implement solutions and deter potential threats and crises.

Data Policies and Practices

C-Suite Advisory Services

Leadership matters before, during, and after a data breach. Our data privacy and cybersecurity team provides organizations with educational workshops, breach coaching, and policy development assistance to help them understand how to plan and deal with cybersecurity threats.

IP Asset Protection

In an instant, a cyberattack can change the course of a company’s growth and revenue. Our IP lawyers provide a nuts-to-bolts review to protect clients’ intellectual property, including:

• Establishing a trade secrets policy
• Establishing and verifying trade secret protection strategies
• Implementing a trade secrets audit
• Restricting physical and electronic access to trade secrets
• Segregating and organizing trade secrets

Tabletop Exercises

Every organization is different. We develop tailored incident response plans ahead of cyber incidents, including tabletop exercises, penetration testing, and war gaming.

Compliance

Our lawyers have substantial experience navigating the data privacy and cybersecurity issues associated with regulated industries and general business operations. We review and follow the multitude of cybersecurity and data privacy laws at the federal and state level in the United States as well as key international regulations, including:

• Bank Secrecy Act and anti-money laundering rules
• Cable Act
• CAN-SPAM Act
• Children’s Online Privacy Protection Act
• Communications Assistance for Law Enforcement Act
• EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
• Fair Credit Reporting Act
• Federal and state unfair and deceptive practices laws
• Federal Right to Financial Privacy Act
• Federal Trade Commission Act
• General Data Protection Regulation
• Gramm-Leach-Bliley Act provisions on privacy and security of customer information
• Health Insurance Portability and Accountability Act and the HITECH Act
• IRS information disclosure rules
• State data breach notification statutes and other data security laws
• Telecommunications Act
• USA Freedom Act
• USA PATRIOT Act
• Video Privacy Protection Act
  
  

Incident Response and Litigation

Crisis Management

We assist organizations during and after cyber incidents. In addition to helping clients understand and navigate regulatory issues and public relations, we work to improve cybersecurity programs going forward.

Breach Coaching

In the event of a breach crisis, prompt advice and law-based coaching are critical to ensure that the entire incident response team is protecting the client’s interests. Our team serves as the breach coach, orchestrating all facets of the client’s processes and response and adding value by incorporating attorney-client privilege throughout.

Cybersecurity and Cyberliability

Our services for clients in this area include:

• Conducting computer information systems audits and assessments of threats and vulnerability to unauthorized access (hacking), viruses, data loss, or theft
• Counseling clients in cost-effective approaches to protecting their systems from cybersecurity and cyberliability risks
• Counseling clients in compliance of information systems with state and federal laws and regulations (Gramm-Leach-Bliley Act, HIPAA, etc.)
• Litigation of cybersecurity and cyberliability claims
  
  

Application and Website Agreements

We routinely counsel website operators, application developers, and online service providers regarding terms of service, end user license agreements, and privacy policies, which represent important legal documents for online businesses.

Terms and conditions (T&C) and end user license agreements (EULA) represent contracts between operators and their users. By clearly establishing each party’s rights and obligations in connection with the use of a particular website or application, operators can effectively limit and create a defense against liability.

Privacy Policies

Privacy policies are one of the most important documents for online operators. A privacy policy provides specific information to users about the type of information the operator collects and how it will be used. Privacy policies not only provide users with information about data collection, protection, and sharing practices, but also enable operators to comply with privacy laws. Failing to adopt or abide by a privacy policy could leave companies open to lawsuits and even criminal action. In addition to preparing these legal documents, we monitor legal developments that can impact enforceability and work with clients to ensure their protection in an ever-changing legal landscape.