
Information Security & Data Breach Response


Information security is one of the greatest challenges companies face today. We help our clients succeed with solutions that are legally sophisticated, technically savvy, and operationally practical.


Security in Practice

Our "Security in Practice" webinar series offers practical strategies for building an information security program and preparing for potential incidents, covering topics like effective tabletop exercises, useful incident response plans, actionable risk assessments, and manageable third-party risk.
View Webinar Showcase: https://vimeo.com/showcase/10645387

Will You Be Ready if a Breach Occurs?

Our Information Security & Data Breach Response Team provides resources to help you develop your information security and incident response programs. For a more customized approach, contact a member of our team.

Ransomware Response
This guide is intended to provide general information and considerations when preparing for and responding to a ransomware attack.
Incident Preparedness Fixed Fee
Our incident readiness legal assessment helps clients address the essentials of incident readiness at a fixed-fee price.
State Data Breach Statutes
Use this summary to help answer questions about state data breach notification requirements.
Attorney-Client Privilege
Our analysis of attorney-client privilege.

24/7 Breach Response Team

844-GoToDWT
Assistance with assessing and responding to security incidents designed to limit legal liability, preserve system assets, and protect your business reputation. 


Overview

Legal Expertise

We don't dabble in information security law—we live it every day. From broadly applicable data breach and security laws to technical, sector-specific requirements, our legal advice is shaped by years of experience focused on information security.

Technical Savvy

Understanding our clients' technology is essential to our practice. We believe that only by engaging with complex technical issues can an attorney truly understand the legal risks and challenges that technology creates. Where other attorneys throw up their hands, our team digs in.

Practical Approach

We deliver actionable legal guidance tailored to your organization. We can help you turn esoteric legal requirements into concrete policies and practices that support both your compliance needs and business goals. We'll help you evaluate your legal risks and develop solutions that make both legal and business sense.

Areas of Practice

Our lawyers have advised clients on hundreds of data security incidents and data breaches.

We sharpen our clients' incident response skills through a variety of innovative service offerings.


We help our clients develop information security programs that comply with applicable security laws while supporting business and operational needs.

We untangle complex information security laws, regulations, standards and frameworks and assess our clients' compliance obligations.

We advise our clients on the information security and data strategy aspects of complex commercial and corporate transactions.


Our Resources

Our Information Security & Data Breach Response Team provides resources to help you develop your information security and incident response programs.


State-By-State Data + Privacy Laws

  • Summary of State Breach Notification Statutes: /gcp/state-data-breach-statutes
  • State General Privacy Law Tracker: /gcp/state-privacy-laws-tracker/broad-state-privacy-law-tracker

Incident Response Workshops

Whether you have an existing incident response (IR) plan in place or are looking to bring an informal program up to scale, IR workshops from our information security team can help you evaluate the risks and identify priorities that are unique to your organization.

Complex Incident and Breach Response

Our lawyers have advised clients on hundreds of data security incidents and data breaches, from enterprise ransomware attacks, sophisticated state-sponsored campaigns and supply chain attacks to multi-million-dollar business email compromises and insider threats. Representative matters include:

  • An enterprise ransomware attack against a consumer products company involving significant disruptions to the client's B2B operations and compromise of personal data
  • Multiple high-profile attacks against communications platforms and service providers aimed at compromising cryptocurrency wallets and online accounts
  • An insider threat matter involving a high-ranking company employee who accessed client data and provided it to an extortionist
  • Successful resolution of investigations by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of a reported breach, which had the potential to result in millions of dollars in civil monetary penalties
  • Representation of numerous clients in investigations and inquiries by state attorneys general following reported data breaches
  • Breaches of Customer Proprietary Network Information (CPNI) for multiple major telecommunications providers
  • A breach of a financial institution's ecommerce website, resulting in the compromise of significant amounts of customer data under the Gramm-Leach-Bliley Act (GLBA) and personal information under numerous state data breach laws
  • Multiple high-profile ransomware and state-sponsored attacks involving software supply chain compromises
  • A physical break-in at a medical facility resulting in the theft of servers processing protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and personal information under numerous state data breach laws
  • A business email compromise and related fraudulent activity resulting in a loss of more than $10 million
  • Misconfiguration of a cloud-based file storage system, resulting in inadvertent disclosure of sensitive personal information of at-risk individuals
  • Compromise of a hospital's email system, resulting in unauthorized access to PHI
  • A spear phishing campaign against a publishing company that compromised personal information of U.S. and EU residents
  • Representation of an investment advisor in an investigation by the Financial Industry Regulatory Authority (FINRA) following a business email compromise

Incident and Breach Readiness

Security incidents are inevitable. We help our clients prepare to respond effectively through a variety of assessments, exercises, and other deliverables. Representative matters include:

  • Delivering an incident response tabletop exercise for the board of directors and senior management of an energy utility
  • Delivering tabletop exercises for incident response teams at clients in the technology, cloud computing, consumer products, energy, financial services, and aerospace industries
  • Drafting and advising on incident response plans (IRPs) and legal playbooks
  • Assessing the cyber incident and data breach reporting obligations under state and federal laws for critical infrastructure operators and companies in the healthcare, financial services, and telecommunications sectors
  • Developing business continuity and disaster recovery plans in the event of a ransomware attack or other significant business disruption

Security Program Development

We help our clients develop information security programs that comply with applicable security laws while supporting business and operational needs. Our attorneys frequently coordinate with our stable of cybersecurity experts and other partners to deliver assessments, policies and other deliverables that seamlessly blend legal and technical expertise. Our services include:

  • Conducting risk assessments for HIPAA covered entities and business associates to comply with the HIPAA Security Rule, and for financial institutions to comply with the requirements of the GLBA Safeguards Rule and New York Department of Financial Services' (NYDFS) Cybersecurity Regulation
  • Drafting and advising on comprehensive information security policies and protocols for clients in the cloud computing, health care, financial services, and consumer products industries
  • Advising on bring your own device (BYOD), remote work, and distributed workforce policies
  • Advising a technology provider on development and implementation of an enterprise-wide information classification scheme
  • Developing a multi-level, risk-based vendor and supply chain risk management program to evaluate third-party security risks and address those risks through appropriate diligence, oversight, and contractual terms

Security Compliance

We advise on compliance with an array of information security laws, regulations, standards, and frameworks. Representative matters include:

  • Advising numerous GLBA-regulated financial institutions, including banks, credit unions, and non-bank financial institutions, on compliance with GLBA data security requirements, including those related to risk assessment, continuous monitoring, multifactor authentication, remote access, and encryption
  • Working closely with several major cloud service providers, software developers, and others to navigate data security and incident notification requirements for government contractors, including under the Federal Risk Management Program (FedRAMP), StateRAMP, the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS)
  • Counseling media organizations and cybersecurity companies on the provisions of antihacking laws, including the federal Computer Fraud and Abuse Act (CFAA), and related risks
  • Advising internet service providers on DMCA compliance and responses to law enforcement warrants, wiretaps, pen/trap orders, and administrative and trial/grand jury subpoenas
  • Advising merchants, payment processors, financial institutions, and technology service providers on the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and related standards
  • Developing financial disclosure controls to assist publicly traded companies in complying with SEC guidance on disclosing material cybersecurity incidents
  • Representing a foreign-owned media company in dealings with the Committee on Foreign Investment in the United States (CFIUS), including by developing a comprehensive information security program to address CFIUS national security concerns
  • Advising a major technology services provider on compliance with major cybersecurity frameworks and related representations in customer-facing materials

Transactional Counseling

Working closely with DWT's technology, financial services, and corporate and business transactions practice groups, we advise our clients on the information security and data strategy aspects of complex commercial and corporate transactions. Representative matters include:

  • Performing due diligence on numerous M&A target entities, including those in the fintech, payments, adtech, cloud computing, software, and cryptocurrency spaces
  • Drafting data processing and data security addenda and related terms for complex commercial transactions, including for cloud and telecommunications services companies
  • Advising on data security aspects of complex, multi-party fintech, payment processing, and bank partnership arrangements

Practice Contacts

Michael T. Borgia
Partner
Washington, D.C.
202.973.4282
Andrew M. Lewis
Counsel
San Francisco
415.276.6563


Contact Us

Ready to tackle your next challenge, or simply have questions? Let's talk. Our team is ready to help you navigate complexity with clarity, confidence, and results.

Information Security & Incident Response: Contact us

CAUTION - Before you proceed, please note: By clicking "submit" you agree that our review of the information contained in your e-mail and any attachments will not create an attorney-client relationship, and will not prevent any lawyer in our firm from representing a party in any matter where that information is relevant, even if you submitted the information in good faith to retain us. You also agree and understand that we may not respond to your inquiry.
©1996-2026 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.