Cybersecurity is no longer a luxury. The consequences of a data breach—lost customer goodwill, reputational damage, financial loss, potential liability for the exposure of consumer or confidential information, and regulatory risk—are too severe to leave to chance. Board members and C-suite executives who don’t want to become the next headline are making cybersecurity and data protection top priorities. No organization can, or should, be without effective data security practices in place—and the right advisors to back them up.
The Patterson Belknap Privacy and Data Security practice provides public and private organizations—including financial services firms, asset managers and funds, retailers, hospitality, media and technology companies, manufacturers, insurance companies, tax-exempt organizations, and law firms—with comprehensive services in this vital area. The firm’s attorneys combine decades of experience spanning the public and private sectors, and include experienced litigators, corporate advisors and former federal prosecutors with deep experience in all aspects of privacy and data security. The group advises on a broad range of issues including prevention and compliance, risk mitigation, data breach response, special board and committee representation, internal investigations, and litigation. Patterson Belknap also draws on valuable resources, including highly experienced forensic consultants, security professionals, and crisis communications teams, who add insight and value on key aspects of cybersecurity matters.
Prevention and Compliance
The starting point for effective cybersecurity risk management is the development, implementation and monitoring of an enterprise-specific data security and compliance program. Our lawyers partner with companies to assist them in developing privacy and data security practices and controls tailored to the specific needs and demands of the organization, including its relationships with third-party vendors and service providers. Elements of these programs may include:
- Identification of the types and locations of sensitive information maintained by the organization, and then the implementation of technological and business process security controls to control, audit and, where appropriate, restrict access to sensitive data;
- Review and assessment of an organization’s overall data security plan, including the establishment of an internal incident response team, the definition of specific roles and responsibilities, and the development of a “playbook” that sets forth specific response protocols in the event of a data breach at the company, its providers or suppliers;
- Review and/or development of policies for updating the communications plan and for regular policy review, including mock drills and “table-top” exercises, to ensure that policies remain current and consistent with sector-specific “best practice”;
- Advice on governmental and industry frameworks to assess cybersecurity standards and controls;
- Development of appropriate and effective internal and external monitoring procedures for sensitive information;
- Establishment of procedures for regular risk assessments and evaluation of cybersecurity threats, including review of third-party contractors, vendors and business partners;
- Counsel on third-party services agreements to ensure that vendors and service providers maintain adequate data security and privacy protections, and that legally protected information, including protected health information (PHI), is adequately safeguarded;
- Review of data retention and destruction policies and procedures;
- Development and implementation of employee training on appropriate areas of data security;
- Drafting and advice on organizational privacy policies and procedures, due diligence in commercial and M&A transactions, including assisting in the management and integration of data security findings and periodic compliance review;
- Development and implementation of processes and procedures for the reporting of privacy incidents or complaints; and
- Advice concerning compliance issues and obligations under state and federal law, including under Section 5 of the FTC Act, the U.S. securities laws, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), among others.
In a rapidly changing cyber risk landscape, many organizations have turned to cyber insurance to limit the financial risk associated with a data breach. We assist our clients in reviewing and evaluating their cyber insurance coverage, which will often depend on the size of the organization, the industry in which it operates, the sensitivity of the data it collects and maintains, and the nature of cyber threats facing the organization. And, as important, cyber coverage must be evaluated against other coverage maintained by an organization such as D&O and General Liability insurance. We assist our clients in analyzing their coverage and related issues.
Data Breach Response
Once a data breach is discovered, critical decisions must be made quickly. Patterson Belknap works with clients immediately upon the discovery of a breach to assist in implementing and executing an appropriate step-by-step response plan to manage enterprise risk. In these instances, we advise clients – often with the assistance of outside, independent forensic experts – in the following:
- Investigating and confirming the breach;
- Identifying the information revealed, and the method of dissemination;
- Immediately compiling key information for response and reporting documentation;
- Securing and blocking unauthorized access to systems and data;
- Identifying and implementing data breach notification requirements;
- Preserving evidence, and documenting all efforts to mitigate further damage;
- Addressing confidentiality issues;
- Implementing an internal and external crisis communication and public relations plan, if appropriate;
- Assisting the company in cooperating with law enforcement;
- Identifying data management weaknesses and implementing remedial work to mitigate legal and regulatory risk; and
- Handling investigations and enforcement actions by regulatory authorities including the FTC, HHS, OCR, FCC and various state attorneys general and financial regulatory authorities.
Special Committee and Board Representation
Boards of directors and corporate officers often turn to Patterson Belknap for strategic advice and representation in high-profile situations including data breaches and the shareholder derivative claims or class action lawsuits that increasingly follow a breach. We also work with corporate counsel and other major law firms when circumstances require that experienced, independent counsel be brought into the matter.
Our team, which draws upon experienced partners from our litigation, white collar and corporate practices, is experienced in counselling boards and special board committees on a number of fronts, including assisting corporate officers and directors in evaluating and responding to such crises. We also provide board- and executive-level education with respect to the growing threat of data breaches, intellectual property and information theft, and cybersecurity. In most cases, our representations of boards, board committees, special litigation committees, individual directors and officers, and the subject of our work in this area, are confidential.
Investigations and Litigation
Our attorneys work closely with clients in internal investigations in the aftermath of a data breach. They also act as liaisons to relevant governing authorities where necessary, and are skilled in handling civil litigation that arises from data breaches. A number of our team members are former government attorneys active in both civil and criminal white collar defense and investigations. For example, while at the U.S. Attorney’s Office, one of our partners successfully prosecuted a systems administrator at a leading investment bank for writing, planting, and disseminating malicious computer code that attacked and took down up to 2,000 servers at the bank, while simultaneously shorting the company’s stock. The former employee was found guilty of computer sabotage and securities fraud, sentenced to more than eight years in prison, and ordered to pay more than $3 million in restitution.
Data breaches can also lead to litigation claims, including derivative claims and class actions in matters where sensitive information has been compromised. Patterson Belknap regularly defends class action litigation nationwide in a variety of areas. As is always our goal, we seek to secure dismissal of these claims at early stages of the litigation.
Frequently, data breaches involve corporate espionage or the theft or misappropriation of trade secrets. Our attorneys have significant experience in this area as well, advising clients on the strengths of such claims and then litigating them. We also defend clients when they are alleged to have engaged in such misconduct.