Information Security & Privacy

Evolving information security and privacy matters are at the forefront of issues facing organizations today. Regardless of size, companies, organizations and government entities are at risk of cybersecurity threats and cyberattacks, and face escalating legal requirements and potential liabilities. Mitchell Williams has vast experience in helping clients with information security and privacy matters. Our objective is to help our clients mitigate the risks related to information security and privacy matters before or after a security incident.

We represent businesses in the healthcare, financial, insurance, retail, non-profit, professional services, education, marketing, utility, manufacturing, transportation, government and real estate sectors on matters related to information security and privacy laws. We strive to understand our clients’ business and help them exceed their goals with legal strategies that identify problems early, avoid penalties and translate into cost savings.

Our team counsels clients on the obligations of industry-specific international, federal and state data protection laws and requirements. We have extensive knowledge of:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Song-Beverly Act and other data use and privacy statutes
  • New York Department of Finance Cybersecurity Regulations
  • New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
  • Gramm-Leach-Bliley Act (GLB)
  • Federal Freedom of Information Act (FOIA) and similar state laws
  • Federal Trade Commission Act including "Red Flag Rule"
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Healthcare Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Telephone Consumer Protection Act (TCPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Family Educational Rights and Privacy Act (FERPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • U.S. State Laws, including data security and notification laws
  • Securities and Exchange Commission (SEC) cybersecurity disclosure requirements
  • Video Privacy Protection Act (VPPA)

Our experience allows us to bring a comprehensive approach to our clients’ needs to develop sound information management practices. We work to ensure our clients are fully aware of their fiduciary and compliance obligations so they can responsibly manage their information security risks. Our capabilities include:

  • Develop and evaluate comprehensive information security and privacy policies and procedures, including acceptable use, access control, change management, business continuity, disaster recovery, records retention, password management, remote access, bring your own device, disposal, clean desk, authentication procedures and encryption
  • Counsel clients on deploying enterprise-wide data-security and privacy programs and policies for both customer and employee data
  • Guidance to evaluate vendor risk
  • Assist with data mapping exercises
  • Draft and negotiate vendor questionnaires, vendor contracts, business associate and information security agreements
  • Assist with ongoing monitoring and evaluation of vendors
  • Review insurance policies for adequate cybersecurity coverage
  • Prepare responses for third party audits and regulatory examinations
  • Transactional and operational risk analysis including due diligence review for mergers and acquisitions and drafting and negotiating customer and third party agreements

We help our clients develop secure foundations that protect sensitive data and action plans that build trust with their customers. Our service includes:

  • Advise on data-security and privacy issues related to e-commerce, mergers and acquisitions, international data transfers, outsourcing, online marketing, contests and sweepstakes and loyalty programs
  • Create legally compliant consents, privacy notices and privacy policies
  • Address collection and limitation of use concerns
  • Assist with metrics for and evaluation of risk associated with data collection
  • Prepare strategies to respond to individual requests

We assist clients with the development of comprehensive programs to identify gaps and implement measures that effectively and appropriately manage security risks, all protected under attorney-client privilege. Our experience includes:

  • Create and evaluate incident response plans
  • Recommend both strategic and tactical risk remediation measures to close gaps
  • Update clients on evolving threats
  • Assist with simulated exercises
  • Collaborate with law enforcement, notification vendors, forensic investigators, insurance providers and crisis communication professionals

We help clients manage security incidents or data breaches. Our security incident response capabilities include:

  • Direct internal investigations and responses to security incidents
  • Assist with risk of harm evaluation related to security incidents
  • Assist with State Attorney General investigations of security incidents
  • Assist with Office of Civil Rights, Department of Health and Human Services (OCR) investigations of security incidents
  • Prepare materials and strategies for security incident notifications
  • Prepare remediation plans
  • Manage the impact of cybersecurity-related liability or loss