Data Privacy & Cybersecurity
The continued evolution of technology to access, create, transmit, and store data via the internet, on premises, and in the cloud, on a variety of IT devices, together with the attendant cyber risks, warrants an increased focus on the confidentiality, integrity, and availability of confidential information and on the security of operational technology (OT). Threat actors are leveraging AI to bolster the tactics and techniques they use to gain access to confidential data or to interrupt OT for extortion purposes. In view of these risks, you need a legal team who can guide you through the myriad aspects of cybersecurity standards, data privacy laws, breach response, government enforcement, and any ensuing litigation.
Wyatt brings together a unique blend of data privacy and cybersecurity experience from our corporate, intellectual property, software, litigation, financial services, and healthcare teams. We have experience in addressing the legal risks to data and IT/OT across multiple economic sectors whether public or private, for-profit or not-for-profit. We regularly review and assist clients with their OT and IT security policies and procedures and disaster preparedness plans. Members of Wyatt’s Software Team draft, review, and negotiate technology agreements that may implicate data privacy or IT/OT cybersecurity. Wyatt attorneys with experience in security incidents are also engaged to assist with M&A due diligence into data privacy and IT/OT cybersecurity.
Our attorneys are experienced with the ever-growing patchwork of state, federal and international laws designed to safeguard the privacy of personal information. All 50 states in the U.S. have laws setting forth specific notification requirements for data controllers and data processors in the event of unauthorized access to personal information. Many states also set forth cybersecurity standards to be followed by those who handle personal information. In addition, multiple states (such as California, Kentucky, Indiana, and Tennessee, among others) and countries (the GDPR in EU and UK) have comprehensive privacy laws.
Wyatt lawyers regularly assist clients in determining their obligations under applicable privacy laws in the event of a security incident that may compromise the privacy of personal information or place the organization’s financial assets at risk of loss. We have an Incident Response Team to assist clients with security incidents. Our attorneys write and update data privacy and security policies and procedures to comply with applicable laws.
We have hands-on experience advising clients in many economic and industry sectors: HIPAA-covered entities (healthcare providers and group health plans), financial institutions, education, manufacturing, retail, software, and professional services.
Data Privacy and Cybersecurity Blog: Wyatt HITECH Law blog. This blog was created in 2009 and named after the HITECH Act of 2009, which amended HIPAA and incented healthcare providers to adopt electronic health records. The blog’s focus shifted over the last decade to cover significant legal developments in data privacy and cybersecurity impacting any industry sector.
Data Breach Resources Available on the Blog:
- Kentucky Data Breach Laws
- Indiana Data Breach Laws
- Tennessee Data Breach Laws
- Six Tips for First 24-48 Hours of a Security Incident
- Wyatt Data Incident Response Team
Representative Matters: Our attorneys have assisted clients on a wide range of data privacy and security matters, including the following:
- Advising on security incident response and remediation, including:
  - engaging and working with forensics consultants
  - advising on legal obligations under applicable laws
  - preparing breach notifications
  - engaging media crisis management consultants
  - engaging breach notification vendors to distribute individual notifications, set up call centers, and provide identity theft/credit monitoring services
  - reporting the incident to law enforcement
  - reporting the incident to government regulators as may be required by law
- Preparing multi-state data privacy law charts tailored to a client’s business or a specific issue
- Working with government regulators on data breach investigations and audits
- Working with the Federal Bureau of Investigation (FBI), the Secret Service, and international law firms on international fraudulent funds transfers resulting from bad actor phishing, spoofing, pretexting, etc.
- Preparing or updating healthcare provider HIPAA privacy and security policies and procedures
- Advising educational institutions on FERPA, HIPAA, and GLBA compliance
- Advising financial institutions on customer privacy notification and information security requirements
- Advising on the extraterritorial application of the GDPR to U.S. organizations
- Developing website and mobile app privacy policies and terms of use
- Negotiating and drafting software technology agreements involving access, creation, transmission or storage of personal information or the security of company IT/OT
- Advising on proposed information sharing arrangements between clients and third parties for marketing, transactional or other business purposes
- Performing data privacy and cybersecurity due diligence for mergers, acquisitions and other transactions
- Advising on the legal requirements for destroying personally identifiable information
- Advising on a wide variety of workplace issues, including surveillance, confidentiality agreements and termination procedures related to data privacy
- Defending data breach and privacy class action lawsuits
DATA PRIVACY & SECURITY LAWS
Privacy protection laws are aimed at consumer protection and some of these laws carry significant penalties for non-compliance or may lead to financial exposure in the form of government settlements or plaintiff class action lawsuits. Among the privacy laws and regulatory schemes on which we regularly advise clients are the following:
- Health Insurance Portability and Accountability Act (HIPAA)
- 21st Century Cures Act Final Rule governing access, exchange, and use of electronic health information and prohibiting “information blocking”
- State privacy laws, including comprehensive consumer data protection laws (e.g., California’s CCPA, CPRA, and CIPA, and the Kentucky Consumer Data Protection Act (KCDPA))
- Federal Trade Commission (FTC) laws, regulations and guidelines related to privacy, including:
  - FTC Act Section 5: Unfair and Deceptive Practices
  - Fair and Accurate Credit Transactions Act of 2003 (FACTA) and Red Flags Rule
  - Gramm-Leach-Bliley Act (GLBA)
  - CAN-SPAM Act of 2003
  - Children’s Online Privacy Protection Act (COPPA)
  - Health Breach Notification Rule
- The Privacy Act of 1974
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
- State data breach notification laws and regulations, such as the California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- EU-U.S. Data Privacy Framework
- Family Educational Rights and Privacy Act (FERPA)
- Cybersecurity standards including the NIST Cybersecurity Framework, PCI-DSS, SOC II, HHS 405d, ISO 27001
- Federal Financial Institutions Examination Council (FFIEC) cybersecurity statement and assessment
- Privacy, consumer protection and bank secrecy provisions of the USA Patriot Act
- Telephone Consumer Protection Act (TCPA)
- Video Privacy Protection Act of 1988
- Federal Freedom of Information Act (FOIA) and similar state laws
