Privacy, Cybersecurity and Data Innovation

We regularly advise clients regarding:

Compliance with laws and regulations

• Duties of board members and senior executives under privacy and cybersecurity laws, regulations and recent judicial decisions, including Securities and Exchange Commission (SEC) oversight rules
• The California Consumer Privacy Act and other comprehensive state privacy laws
• Genetic and biometric information laws, such as Illinois’ Biometric Information Privacy Act and Washington’s My Health My Data Act
• Foreign privacy laws, including but not limited to the EU’s General Data Protection Regulation (GDPR), the U.K. GDPR, China’s Personal Information Protection Law, Canada’s Personal Information Protection and Electronic Documents Act and territorial Canadian privacy laws, and the privacy acts of Australia and New Zealand
• The Children’s Online Privacy Protection Act
• Industry-specific requirements regarding privacy and cybersecurity measures
• Corporate privacy and cybersecurity disclosures and reporting

Policies and procedures

• Privacy disclosures, notices, consents, and terms and conditions
• Internal policies and procedures, including written information security plans, vendor management programs and other administrative, technical and physical safeguards
• Data protection impact assessments, risk analyses and mitigations
• Privacy counseling for product innovation or development or changes in data use, including privacy by design and default
• Cyber transactions, e-commerce, advertising and internet marketing, including the Controlling the Assault of Non-Solicited Pornography and Marketing Act, the Telephone Consumer Protection Act, cookie compliance and universal opt-out mechanisms
• Data mapping

Data transactions and due diligence

• Data protection, access, sharing and licensing/terms-of-use arrangements
• Confidentiality agreements for employees, independent contractors and vendors
• Cross-border data transfers, including the EU-U.S. Data Privacy Framework, standard contractual clauses and binding corporate rules
• Security, risk and compliance audits for corporate transactions

Preparation and incident response

• Data breach readiness and prevention, breach management and incident response, law enforcement coordination, breach notification and post-breach recovery
• Cyber insurance coverage and claims handling advice
• Privacy and cybersecurity audits, counseling and training

Litigation and regulatory response

• Regulatory investigations, including by the Department of Justice, Federal Trade Commission, SEC, New York State Department of Financial Services, and other state and federal bodies, as well as by international data protection authorities in Europe and the United Kingdom
• Consumer protection and class action litigation defense related to security incidents, adequate data protection measures, corporate disclosures and eavesdropping or wiretapping laws

In addition, our European office has deep familiarity with, and advises regularly on, cross-border and multinational data security and privacy issues, including:

Data protection across borders

• Implementation of compliance programs, data protection audits and impact assessments for multinational corporations
• Cross-border data transfers (data privacy framework, standard contractual clauses and binding corporate rules)
• Contracts between data controllers and processors under the GDPR
• Trade secrecy, security incidents and notifications to competent authorities (national data protection agencies and EU network and information systems agencies) under EU and U.K. privacy laws
• National and international investigations related to data protection compliance
• French Data Protection Authority procedures, including recommendations, approvals, statements, investigations and sanctions
• Litigation before European and international courts, including, for example, litigation related to the right of access to health data

Intellectual property

• Audits of intellectual property or software licensing and ownership measures
• Internal policies, notably on the use of open source software and chain of title

Employment data

• Employment contracts, policies and procedures, including before employee representative committees
• Implementation of employee and third-party whistleblowing procedures and hotlines

Financial regulation and cybersecurity

• Digital Operational Resilience Act regulation of financial entities’ IT security
• Network and Information Security 2 regulation, which targets sensitive sectors

International corporate compliance, audits and risk assessments

• Security, risk and compliance audits for international corporate transactions
• Assistance with post-audit compliance
• Foreign direct investments and the French blocking statute (la loi “de blocage”)

Many of our lawyers have served in senior positions in government, including as prosecutors and counsel for congressional committees. They have achieved internationally recognized certifications in privacy law, including from the American Bar Association and the International Association of Privacy Professionals. Across the practice and around the globe, the Privacy, Cybersecurity and Data Innovation group applies varied perspectives and draws on the extensive knowledge and experience of our advertising, antitrust, corporate, information governance and e-discovery, insurance, intellectual property and litigation lawyers, among others. We offer practical strategies to help our clients identify and manage legal and reputational risks associated with all data types and practices.