Cybersecurity and Data Privacy

Overview

CyberTalk

CyberTalk is a vlog covering a wide range of cybersecurity and data privacy legal developments.

A rapidly evolving area of law governs the collection, retention, use, sharing and protection of personal data and confidential information. Federal privacy laws target particular industries, such as financial services and healthcare. State laws such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act), and similar laws recently enacted in other states like Virginia and Colorado, are broad in scope and affect businesses located in other jurisdictions. Almost every U.S. state has laws governing businesses’ responses to personal data breaches, with detailed (and sometimes inconsistent) timelines and notice requirements. Finally, many U.S. businesses are subject to the European Union General Data Protection Regulation (GDPR), even if they have no physical presence in Europe.

Every business needs to be aware of these laws and understand its obligations under them. Additionally, every business must have a plan to respond to data breaches, the risks of which have increased dramatically as ransomware attacks become more common.

Tannenbaum Helpern’s cybersecurity and data privacy attorneys serve clients in many industries, including:

  • Financial Services
  • Professional Services (including law firms, accounting firms and consulting firms)
  • Real Estate and Construction
  • Staffing
  • Health and Life Sciences
  • Cannabis
  • Hospitality

Navigating the complex and ever-changing web of federal, state and foreign privacy and breach notification laws requires experienced legal guidance that cannot be obtained from non-lawyer consulting firms. Moreover, engaging legal counsel to oversee pre-breach risk assessment and planning processes will preserve the attorney-client privilege to the greatest extent possible, which will be very important if your company experiences a data breach – as most companies eventually do. If a company does suffer a data breach, it must engage counsel early on to develop a legal strategy to investigate and remediate the breach, working with IT and security consultants and the company’s accountants, all under the maximum available protection of the attorney-client privilege.

Tannenbaum Helpern assists its clients in a wide range of areas related to data privacy and security, including:

Data Privacy and Security Regulatory Advice

Tannenbaum Helpern’s experienced team of data privacy and cybersecurity attorneys advises on a broad range of privacy and data protection matters, including:

  • Developing and implementing effective data privacy policies and procedures
  • Complying with U.S. federal and state privacy and data security laws, including:
    • The Federal Trade Commission Act
    • The Gramm-Leach-Bliley Act (GLBA) and accompanying regulations
    • The Health Insurance Portability and Accountability Act (HIPAA)
    • The Children’s Online Privacy Protection Act (COPPA)
    • The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
    • The New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500)
    • The California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act), and similar laws recently enacted in Virginia and Colorado
    • Data breach notification laws
  • Complying with the GDPR
  • Advising on cross-border data transfers

Pre-Incident Planning

No data security program is impenetrable, and vulnerabilities will always exist. Tannenbaum Helpern attorneys help clients plan for the inevitable data incident by developing comprehensive yet user-friendly data breach incident response plans. If your company has already prepared an incident response plan, we can review the plan and suggest any revisions that may be necessary.

We work hand-in-hand with the company’s management, information security and information technology professionals to ensure that the incident response plan covers all of the issues and considerations that must be addressed, including the company’s legal obligations.

Incident Response, Regulatory Investigations and Litigation Defense

After a data security incident occurs, Tannenbaum Helpern attorneys provide comprehensive assistance, including overseeing forensic investigations and crisis management activities, providing legally required notifications to affected individuals and responding to federal and state regulatory inquiries. And if the need ever arises, we vigorously defend our clients in any post-breach litigation claims and regulatory investigations.

Vendor Agreements and Other Third Party Transactions

Vendor agreements present a latent risk to privacy and data security whenever such vendors receive personal data from a business. It is important to make sure that such vendors provide adequate data security and assume appropriate breach response obligations. Tannenbaum Helpern attorneys counsel clients in connection with vendor contracts and business associate agreements, as well as advising clients on cross-border data transfers.

Data Privacy and Cybersecurity Advice in Transactional Matters

Tannenbaum Helpern attorneys help clients identify privacy and cybersecurity risks that may be lurking in a potential transaction. Our attorneys perform privacy and cybersecurity legal due diligence to assess and address risk in the context of mergers and acquisitions and other transactions, and recommend purchase agreement provisions to reduce risk and provide appropriate protections for the client’s interests.
