Data Privacy & Security

Wyatt’s Data Privacy & Security Service Area offers a unique blend of experience across many industries to address companies’ obligations to protect the privacy of their clients, patients, employees, and others.  New privacy protection laws, technological advances and rapidly evolving cyber risks are affecting nearly all businesses and organizations. 

Wyatt’s Data Privacy & Security lawyers have extensive experience with all aspects of this area of the law.  We help clients evaluate and improve data privacy and security policies and procedures, conduct training, work with regulators, prepare for external audits, respond to breaches, and draft and review contracts.  We also have litigators well-versed in this area of the law.

Our lawyers help businesses and organizations understand and comply with state, federal and international laws pertaining to privacy and information security.  Our Service Area members have hands-on experience advising clients in many industries, including health care, banking, insurance, education, information technology, and retail.

Our attorneys regularly assist clients with:

  • Response and remediation for data security incidents, including retaining and working with forensic consultants, analyzing the incident, working with regulators and government investigators, handling notification, and arranging call center, identity protection and credit monitoring services
  • Office for Civil Rights (OCR) audits and data breach investigations
  • Complying with HIPAA requirements to protect patient information held by health care providers and business associates
  • Complying with financial institution requirements for customer privacy notification and information security
  • Preparing website policies, such as Privacy Policy, Disclaimers, Cookies Policy, Terms of Use, Terms of Service, etc.
  • Litigating matters such as domain name infringement; theft of trade secrets and customer lists; invasion of privacy and defamation; and illegal downloading of music and movies
  • Negotiating and drafting agreements for Internet and network security
  • Negotiating and drafting contracts involving digital signatures
  • Developing and monitoring records management systems
  • Evaluating the risks involved in sharing information with third parties for marketing, transactional or other business purposes
  • Advising on the legal requirements for destroying personally identifiable information
  • Advising on a wide variety of workplace issues, including surveillance, confidentiality agreements and termination procedures, among others
  • Establishing secure private networks
  • Negotiating and drafting vendor contracts

Many privacy-protection laws are aimed at consumer protection and carry significant penalties for non-compliance, or may lead to financial exposure in the form of government settlements or plaintiff class action lawsuits.  We regularly advise clients on compliance with state and federal laws and enforcement agency guidance related to consumer information privacy, including the following:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Laws, regulations and guidelines enforced by the Federal Trade Commission (FTC) relating to privacy, including
    • FTC Act §5: Unfair or Deceptive Acts or Practices
    • Fair and Accurate Credit Transactions Act of 2003 (FACTA) and the Red Flags Rule
    • Gramm-Leach-Bliley Act (GLBA)
    • CAN-SPAM Act of 2003
    • Children’s Online Privacy Protection Act (COPPA)
    • Health Breach Notification Rule
  • State data breach notification laws and regulations
  • EU-U.S. Privacy Shield Framework
  • USA PATRIOT Act
  • Family Educational Rights and Privacy Act (FERPA)
  • Video Privacy Protection Act (VPPA)
  • Telephone Consumer Protection Act (TCPA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Financial Institutions Examination Council (FFIEC) cybersecurity statements and guidance

A few of our noteworthy data security incident experiences include:

  • Ransomware attacks that required forensic investigation to assess what computer files among thousands may have been accessed
  • Stolen and misplaced mobile devices involving thousands of records with personal information
  • Phishing emails that spoofed a trusted source and potentially resulted in disclosure of employee personal information
  • Business email compromise (BEC) potentially disclosing sensitive business and personal information
  • Misconfigured appliances potentially allowing unauthorized third parties to access sensitive information
  • A data security incident requiring computer-assisted triage of thousands of records to meet a five-day deadline that fell over a holiday weekend