Today, practically every business that obtains, holds and processes digital information from customers, employees and others has significant legal responsibilities under numerous federal and state privacy and data protection laws.
In today’s business and regulatory climate, businesses are being held accountable for privacy and cybersecurity violations as never before. In fact, personal information can now be viewed as both an increasingly valuable and an increasingly risky business asset. As businesses struggle to keep up with fast-changing data protection laws and face an increasing risk of serious data breaches, we are well positioned to guide our clients in a very complex field. Potential legal hazards can stem from multiple sources, including regulatory agencies, state attorneys general and private litigants.
Joseph Greenwald & Laake’s Data Privacy and Cybersecurity Practice Group is proud to serve as a trusted partner in navigating these hurdles.
Here are some areas where our firm is poised to help:
Effective data privacy and cyber security compliance requires continual reviews and updates by experienced attorneys who understand the scope of these ever-evolving laws and regulations. Our task is to assist our clients in navigating the complex landscape of data privacy regulations. We provide a variety of data privacy and cyber security legal services, including:
- Children's Online Privacy Protection Act (COPPA)
- Credit card and credit-related regulations, including the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), and the PCI-DSS standards
- Employee privacy
- Foreign data privacy regulations, including the EU-US Privacy Shield (formerly the Safe Harbor Principles) and the EU General Data Protection Regulation (GDPR)
- Health-related regulations, including HIPAA, HITECH and GINA
- Consumer financial privacy laws, including the Gramm-Leach-Bliley Act (GLBA) and the Dodd-Frank Act
- Marketing policies, including CAN-SPAM
- State data privacy and consumer protection laws
- Unfair or deceptive trade practices under Section 5 of the Federal Trade Commission Act
We recognize that the complex and sometimes conflicting obligations imposed by these laws can be challenging for companies seeking to comply with their privacy and data security obligations. Our lawyers know how to offer practical advice that helps our clients balance compliance needs with the requirements of running a business in a cost-effective manner.
Government Investigations and Enforcement Actions
Businesses that maintain private information are increasingly subject to regulation by state and federal regulators. This government regulation can frequently take the form of a formal investigation, which in many instances can lead to an enforcement action by a government agency.
The Federal Trade Commission (FTC), the HHS Office of Civil Rights (OCR) and the Consumer Financial Protection Bureau (CFPB), among others, have expanded their efforts to regulate the use and protection of private information. State agencies, especially state attorneys general, are also increasingly active in bringing actions against businesses that maintain private information concerning state residents.
Private Data Privacy Litigation
Private lawsuits against companies stemming from data privacy and cyber security breaches have swelled in the last decade. These can take the form of either a single-party lawsuit alleging that a data privacy agreement has been violated, or a class action in which individuals claim to have been financially damaged following a leak of their private information.
The number of such lawsuits is very likely to increase in the future. State legislatures across the country are expanding consumer protection laws to provide individuals with legal relief if their private information has been exposed. Many state legislatures now provide state residents with additional protections that go far beyond what is required under federal law. Business owners should be particularly wary of focusing exclusively on satisfying federal standards such as HIPAA, TCPA, FCRA, and the like, since many states provide their citizens with separate mechanisms to initiate private lawsuits against businesses whose data has been compromised. State contract and tort laws also give private companies additional grounds for bringing lawsuits in the data privacy and cyber security context that might otherwise be unavailable.
Business owners are frequently required to access or accept confidential information from their partners, vendors or other third parties. Understandably, accepting this confidential information carries with it significant legal responsibilities, particularly if the information is governed by a sector-specific state or federal regulation that dictates how such information should be handled.
Rather than simply assuming that customers or vendors will comply with applicable federal and state regulations, businesses today are mandating compliance by contract. Frequently, businesses will seek protections that go well beyond what is legally required. Such requirements are typically included in “data security exhibits” or addendums that form part of a larger master contracting document or RFP package. In some fields, notably health care, these addendums take the form of Business Associate Agreements (BAAs), in which private parties contractually outline how each party will comply with the requirements of HIPAA.
Prudent business owners would be well advised to engage legal counsel to review a proposed BAA before signing. Our experienced team of data privacy attorneys will assist you in reviewing such agreements to help you fully understand the scope of what is being agreed to and, where appropriate, negotiating changes in the proposed language. Our experience in this area means that in most cases we can protect your interests without materially delaying the contemplated transaction.