Patterson Belknap’s Privacy and Data Security practice provides public and private organizations with comprehensive services in this vital area, including data security incident response, internal investigations, enforcement, litigation, and prevention and compliance. The team’s attorneys combine decades of experience spanning the public and private sectors, including experienced litigators, formal federal prosecutors, and corporate advisors with deep experience in all aspects of privacy and data security.  

In order to help our clients navigate civil litigation and regulatory and enforcement risks related to data security, the Privacy and Data Security group is integrated with the Firm’s White Collar Defense and Investigations and Class Action Litigation practices. We regularly advise a broad range of clients, including financial services firms, asset managers and funds, retailers, professional sports teams, hospitality companies, media and technology companies, manufacturers, healthcare and insurance companies, tax-exempt organizations, and legal service providers and law firms. Our team also draws on valuable external resources and relationships, including top forensic consultants, data security professionals, and crisis communications teams, allowing us to provide the most comprehensive advice and representation. Our team also authors the Data Security Law Blog, which provides the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Data Security Incident Response, Enforcement and Litigation

When a data security incident is discovered, critical decisions must be made quickly. Patterson Belknap works with clients to assist in planning and executing an appropriate step-by-step response to manage enterprise and legal risk. We advise clients in the following:

  • Investigating and determining the nature and scope of the incident;
  • Identifying the systems and information impacted;
  • Securing and preventing unauthorized access to systems and data;
  • Identifying and implementing data breach notification requirements, if necessary;
  • Preserving evidence and documenting efforts to mitigate further damage;
  • Addressing confidentiality and attorney-client privilege issues;
  • Implementing an internal and external crisis communication and public relations strategy, if appropriate;
  • Assessing potential regulatory and litigation risk;
  • Assisting the company in working with law enforcement, and responding to requests or claims from clients and private litigants;
  • Identifying data management weaknesses and implementing remedial work to mitigate legal and regulatory risk; and
  • Running investigations and responding to enforcement actions brought by regulatory authorities including the Federal Trade Commission (FTC), U.S. Department of Health and Human Services (HHS), HHS’s Office for Civil Rights (OCR), Federal Communications Commission (FCC), New York State’s Department of Financial Services (DFS) and various state attorneys general and financial regulatory authorities.

Data security incidents can also lead to litigation claims, including class actions, especially in matters where sensitive information has been compromised. Patterson Belknap regularly defends class action litigation nationwide in a variety of areas. Our attorneys also have significant experience advising clients on the strengths of derivative claims and claims involving corporate espionage or the theft or misappropriation of trade secrets and then litigating them.

Prevention and Compliance

In addition to helping clients respond to data security incidents, we work with clients to develop, implement, and monitor data security and compliance practices and controls. We create tailored policies specific to the needs and demands of the organization and industry, which include their relationships with regulators, third-party vendors and service providers, clients, and business partners. Elements of these programs may include:

  • Identifying the types and locations of sensitive information maintained by the organization, and implementing technological and business process security controls to safeguard sensitive data;
  • Establishing or assessing an organization’s overall data security plan, including establishing an incident response plan and team and conducting “table-top” exercises;
  • Reviewing third-party service agreements to ensure that vendors and service providers maintain adequate data security and privacy protections;
  • Reviewing or implementing data retention and destruction policies and procedures; and
  • Providing advice concerning compliance issues and obligations under state and federal law, including under the New York Department of Financial Services Cybersecurity Regulation, Section 5 of the FTC Act, the U.S. securities laws, the SEC’s identity-theft red-flag rule, Graham-Leach-Bliley Act (GLBA), Health Insurance Portability and Accounting Act (HIPAA) and The Health Information Technology for Economic and Clinical Health (HITECH) Act, the Family Education Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), Controlling the Assault of Non-Solicited Pornography Act (CAN-SPAM), the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), and the California Consumer Privacy Act (CCPA), among others.