Data Privacy & Cybersecurity Compliance

• Advised clients on drafting policies and procedures and developing internal compliance programs with respect to a broad range of data protection laws, statutes, and regulations, including consumer privacy requirements; employee data privacy notices and policies; data breach preparation and response; data subject requests; digital marketing and targeted advertising; medical data, clinical trials, and healthcare privacy laws; vendor management and data processing agreements; international data transfers and localizations; written information security plans; WCAG compliance; and biometric data processing.
• Prepared data incident response plans and programs and assisted small, midsize, and large companies in responding to serious data events, including ransomware attacks and other incidents involving the unauthorized access, acquisition, or disclosure of personal data or confidential information.
• Drafted online terms and conditions and privacy policies for domestic and global companies.
• Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
• Assisted government contractors with adhering to the NIST standards and other federal regulations and rules on the safeguarding of controlled unclassified information.
• Assisted organizations in establishing and maintaining insider threat programs to ensure the confidentiality and integrity of classified and other sensitive data.
• Advised clients on a broad range of data protection laws, including the FTC Act, GLBA, HIPAA, CAN-SPAM, TCPA, COPPA, CFAA, ECPA, CCPA, CPRA, VCDPA, BIPA, and other privacy legislation.

California Consumer Privacy Act (CCPA)

• Performed data mapping to identify whether an organization’s data processing activities implicate California residents and the CCPA.
• Assessed and identified the current state of an organization’s policies and procedures to determine its compliance with the CCPA.
• Drafted privacy notices and statements to address the CCPA’s notice requirement, including drafting website privacy policies, employee privacy statements, and job candidate privacy notices.
• Drafted new, or supplement existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
• Identified whether an organization “sells” personal information within the meaning of the CCPA, and, if so, developed mechanisms for customers to “opt in” or “opt out” of the sale of their personal information.
• Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
• Identified whether an organization offers financial incentives related to data processing and, if so, ensured such incentives align with the CCPA’s anti-discrimination requirements.
• Drafted new, or reviewed existing, data incident response plans to ensure they align with California’s legal requirements and best practices.

Data Breach Response Matters

• Assisted managed service provider respond to Conti ransomware attack that targeted third-party client’s IT environment, including by issuing litigation hold, engaging Digital Forensics and Incident Response (DFIR) vendor, analyzing export control laws related to use of DFIR vendor’s proprietary software, and drafting litigation risk assessment.
• Assisted consumer goods company investigate and respond to data breach arising from unauthorized access to, and exfiltration of, customer data from the company’s third-party e-commerce platform due to compromise of an employee’s account credentials.
• Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
• Represented defense contractor in joint investigation by the Department of Defense and Federal Bureau of Investigation arising from Maze ransomware attack that potentially exposed controlled unclassified information, which resulted in the closure of the case without adverse action to client.
• Assisted global manufacturing company in responding to ransomware attack that compromised sensitive employee and customer data, partnering with European Union counsel to facilitate notifications to supervisory authorities pursuant to the European Union (EU) General Data Protection Regulation and EU Member State law.
• Counseled healthcare business associate regarding technical anomaly within its online patient portal that resulted in unauthorized disclosure of medical records and protected health information and drafted formal data breach notification communications and reports.
• Advised private sector company with respect to an incident involving the unauthorized disclosure of sensitive employee data and invoking the “good faith” exception within certain U.S. state data breach notification laws.
• Assisted global manufacturing company with response to the inadvertent disclosure of export-controlled data to foreign nationals, and drafting, preparing and submitting voluntary disclosures to federal department arising from the same.
• Assisted employee health plan in investigating and responding to data breach that occurred within business associate’s information technology environment that resulted in unauthorized access to employees’ protected health information.
• Assisted supply chain defense contractor with response to ransomware attack that compromised the confidentiality of sensitive employee data and controlled unclassified information, including drafting and submitting formal data breach notices to impacted individuals and government agencies.

The General Data Protection Regulation (GDPR)

• Appointed by state attorney general to assist public university assess its compliance with the GDPR and UK Data Protection Act 2018, and retain and lead local counsel with respect to the same.
• Assisted global enterprises in designing and implementing EU GDPR compliance programs, policies, and procedures.
• Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
• Counseled clients on establishing and implementing procedures for exporting personal data from the EEA into the United States and other third countries.
• Assisted companies in conducting data mapping exercises to identify the purpose, scope, and legal authorization for their data processing activities.
• Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
• Drafted employee data privacy notices for global companies that have staff or contractors in the EEA.
• Assisted multiple U.S.-based companies in evaluating whether they are legally required to appoint a Data Protection Officer (DPO) in accordance with the GDPR.
• Provided legal analysis to several global companies on whether they need to undertake a data protection impact assessment (DPIA) when implementing routine and common business practices, such as network/employee monitoring.
• Assisted businesses in responding to data subjects invoking rights under the GDPR, including a data subject’s requests for access and/or erasure.

M&A Due Diligence & Cybersecurity Risk

• Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
• Assisted in identifying a target company’s data processing activities, including how it collects, retains, and disseminates personal information.
• Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations, and industry standards.
• Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.

Health & Medical Data Privacy

• Appointed by state attorney general to counsel public university undertaking clinical trials in the European Union and the United Kingdom with respect to its legal obligations under data protection and pharmaceutical regulations and directives and, in conjunction with local counsel, develop and implement data protection and clinical trials compliance checklist.
• Assisted covered entities in determining whether the unauthorized disclosure of protected health information constitutes a breach that warrants, in accordance with federal regulations, notification to the data subject and the Secretary of Health and Human Services.
• Assisted covered entities and business associates in determining whether their encryption protocols satisfy certain technical safeguard requirements within the HIPAA Security Rule.
• Drafted master contracts, including provisions governing data privacy and information security, for a global biopharmaceutical companies and their third-party contract research organizations.
• Provided legal analysis to a late-stage drug testing firm on leveraging exemptions set forth in the GDPR to permit it to legally retain personal information concerning drug testing.
• Determined whether a company’s notice and consent forms issued during medical clinical trial testing satisfy the EU Clinical Trials Regulation (No 536/2014) and other legal requirements.

Third Party IT Contracting

• Drafted and negotiated a wide range of technology and data protection agreements and statements of work, including end user license agreements for software and embedded technology solutions; master service agreements with IT services providers; contracts and statements of work for cloud storage, penetration testing and vulnerability scanning, and managed IT services; and, personal data processing, transfer, and security agreements.
• Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.