Practical – Advice You Can Implement
Compliance obligations can be unclear, contradictory (if you are subject to multiple standards), or even at odds with the security needs of your organization. We break through the maze of obligations to provide pragmatic guidance that your legal and IT teams can understand and implement to make sure your organization is both secure and compliant. Let us be your trusted advisors and help make this process clear, actionable, and measurable.
Business-First – Guidance at an Operational Level
The continued success of your business is our primary concern. We know information technology and can translate legal obligations into language your technologists can understand. We help you focus on running your business by providing actionable step-by-step legal advice that you can implement when confronted with a data breach, regulatory investigation, compliance obligation, or third-party audit.
Creative – Innovative Security-by-Design Counseling
We love a new challenge and rolling up our sleeves to help companies integrate security into new (and existing) products and business ventures. We live and breathe technology, and we stay on top of the latest security guidelines and legal trends in this space, so we are excited and prepared to help you launch your 'next big thing.'
24/7 Breach Response Team
Assistance with assessing and responding to security incidents, designed to limit legal liability, preserve system assets, and protect your business reputation.
Privacy & Security Law Blog
Summary of U.S. State Breach Notification Statutes
- Represent telecommunications conglomerate in various information security matters, as well as investigating and responding to various incidents, some of which resulted in the disclosure of consumer information and required consumer and governmental notifications.
- Advised e-commerce companies on incident response plan for information security incidents and data breaches.
- Provided counsel on compliance with HIPAA and other health information privacy and security laws, including successful resolution of an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) of a reported breach, which had the potential to result in millions of dollars in civil monetary penalties. Facilitated the client’s response and OCR closed its investigation without financial penalty or settlement.
- Assisted consumer products company in investigating a ransomware attack on a website collecting personal information from European residents. Developed forensic evidence necessary to determine that personal information was not put at risk.
- Conducted incident response for medical services provider addressing a breach in a recently acquired asset. Guided medical services provider through analyzing network of acquired company, remediating security incident, and properly securing its own network from potential impact from acquired company.
- Conducted incident response for publisher that was victim of spear phishing campaign that compromised personal information of US and EU residents. Coordinated forensic investigation, breach notification, and regulator communication.
- Conducted incident response for software developer that was the subject of a ransomware attack. Assisted in payment of ransom and decryption of data, law enforcement coordination, transition to new network structure, and other remediation activities.
- Advised book publisher that mailed information to incorrect contractors. Coordinated breach notification, identity theft monitoring, and regulator communication.
- Identified spear phishing attack on a nonprofit client that suspected an employee was committing fraud and guided client through remediation.
- Advised religious institution that suffered an attack from a disgruntled employee. Drafted demand letter and recovered stolen data.
- Advised restaurant client on data misuse by franchise, including addressing data ownership issues not directly addressed in franchise agreement.
- Served as data breach counsel to a regional health plan for a series of potential data breaches that could have affected tens of thousands of the plan’s members, including analysing the breach notification obligations under HIPAA, the federal notification law, and the laws of all 50 states and a couple of territories. Also developed multiple notifications to individuals, government regulators, and consumer reporting agencies to meet all these requirements.