Information Security & Privacy

Evolving information security and privacy matters are at the forefront of the issues facing companies today. Businesses, organizations and government entities, regardless of size, are at risk from cybersecurity threats and cyberattacks, and face escalating legal requirements and potential liabilities.

Our Mitchell Williams information security and privacy team of lawyers is highly credentialed, including two Certified Information Privacy Professional/Europe designations, two Certified Information Privacy Professional/US designations, a former United States Department of Justice attorney and a former in-house counsel. We combine our expertise, extensive experience and business knowledge to help our clients mitigate the risks related to information security and privacy matters before, during and after an information security incident.

We represent clients in the healthcare, financial, insurance, retail, non-profit, professional services, education, marketing, utility, manufacturing, transportation, government and real estate sectors on matters related to information security and privacy laws. We strive to understand our clients’ business and help them exceed their goals with legal strategies that identify problems early, avoid penalties and translate into cost savings.

Our team counsels clients on the obligations of industry-specific international, federal and state data protection laws and requirements. We have extensive knowledge of:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Song-Beverly Act and other data use and privacy statutes
  • New York Department of Finance Cybersecurity Regulations
  • New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
  • Gramm-Leach-Bliley Act (GLB)
  • Federal Freedom of Information Act (FOIA) and similar state laws
  • Federal Trade Commission Act including "Red Flag Rule"
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Healthcare Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Telephone Consumer Protection Act (TCPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Family Educational Rights and Privacy Act (FERPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • U.S. State Laws, including data security and notification laws
  • Securities and Exchange Commission (SEC) cybersecurity disclosure requirements
  • Video Privacy Protection Act (VPPA)

Our experience allows us to bring a comprehensive approach to our clients’ needs to develop sound information management practices. We work to ensure our clients are fully aware of their fiduciary and compliance obligations so they can responsibly manage their information security risks. Our capabilities include:

  • Develop and evaluate comprehensive information security and privacy policies and procedures, including acceptable use, access control, change management, business continuity, disaster recovery, records retention, password management, remote access, bring your own device, disposal, clean desk, authentication procedures and encryption
  • Counsel clients on deploying enterprise-wide data-security and privacy programs and policies for both customer and employee data
  • Guidance to evaluate vendor risk
  • Assist with data mapping exercises
  • Draft and negotiate vendor questionnaires, vendor contracts, business associate and information security agreements
  • Assist with ongoing monitoring and evaluation of vendors
  • Review insurance policies for adequate cybersecurity coverage
  • Prepare responses for third party audits and regulatory examinations
  • Transactional and operational risk analysis including due diligence review for mergers and acquisitions and drafting and negotiating customer and third party agreements

We help our clients develop secure foundations that protect sensitive data and action plans that build trust with their customers. Our service includes:

  • Advise on data-security and privacy issues related to e-commerce, mergers and acquisitions, international data transfers, outsourcing, online marketing, contests and sweepstakes and loyalty programs
  • Create legally compliant consents, privacy notices and privacy policies
  • Address collection and limitation of use concerns
  • Assist with metrics for and evaluation of risk associated with data collection
  • Prepare strategies to respond to individual requests

We assist clients with the development of comprehensive programs to identify gaps and implement measures that effectively and appropriately manage security risks, all protected under attorney-client privilege. Our experience includes:

  • Create and evaluate incident response plans
  • Recommend both strategic and tactical risk remediation measures to close gaps
  • Update clients on evolving threats
  • Assist with simulated exercises
  • Collaborate with law enforcement, notification vendors, forensic investigators, insurance providers and crisis communication professionals

We help clients manage security incidents or data breaches. Our security incident response capabilities include:

  • Direct internal investigations and responses to security incidents
  • Assist with risk of harm evaluation related to security incidents
  • Defend clients in investigations of security incidents by State Attorneys General
  • Defend covered entity clients in investigations of security incidents by the Office of Civil Rights, Department of Health and Human Services (OCR)
  • Prepare materials and strategies for security incident notifications
  • Prepare remediation plans
  • Manage the impact of cybersecurity-related liability or loss