Data Privacy & Cyber Security

The increased use of technology to access, create, transmit, and store data via the internet and on a variety of mobile devices, and the attendant cyber risks for such data, has led to a corresponding need for legal advice on obligations to protect, as well as respond to the unauthorized access of, confidential information.  In addition, the use of social engineering to capitalize on employee loyalty and positions of trust has created significant risks for immediate financial losses as well as for unauthorized access to confidential personal or company information.  Wyatt’s Data Privacy & Security Service Team offers a unique blend of experience to address these risks across multiple economic sectors, public and private, for-profit and not-for-profit. We’ve assisted clients in protecting the confidential information of their customers and employees, as well as their sensitive operational or business information.

Our attorneys are experienced with state and federal laws protecting consumer information as well as laws setting forth security requirements for such information.  All 50 states in the U.S. have a data breach notification law that is implicated when there is unauthorized access to certain personal information of a resident.  Some of these data breach laws also include cybersecurity standards to be followed by those who handle personal information.  In addition, several states have separate consumer privacy laws with data security requirements (see, for example, the California Consumer Privacy Act and similar laws passed in Colorado, Virginia and Utah).  Those who deal with personal information, whether in paper form or electronically, must stay attuned to the evolving protections for the privacy and security of such information. 

Wyatt lawyers regularly assist clients in determining their obligations under state and federal laws to protect and secure personal information as well as in responding to security incidents that may compromise personal information or that place the organization’s financial assets at immediate risk of loss. We assist clients with incident response, writing or updating policies and procedures, reviewing contractual provisions that implicate privacy obligations, and more. We have hands-on experience advising clients in many economic sectors, including healthcare, health insurance and ERISA benefit plans, financial, education, technology, manufacturing, retail, and professional services.

State Data Privacy Resources:

  • Kentucky Data Breach Laws
  • Indiana Data Breach Laws
  • Mississippi Data Breach Laws
  • Tennessee Data Breach Laws

Additional Wyatt Resources:

  • Six Tips for First 24-48 Hours of a Security Incident
  • Wyatt Data Incident Response Team

Matters on which our attorneys have assisted clients regarding data privacy and security include:

  • Advising on response and remediation for data security incidents and cyber-related financial fraud, including:
    • engaging and working with forensics consultants
    • advising on legal obligations under state and federal laws that may be implicated by the incident
    • preparing breach notifications
    • working with media crisis management consultants
    • working with breach notification vendors to distribute individual notifications, set up call centers, and provide identity theft/credit monitoring services
  • Preparing multi-state charts for privacy law and data breach notification obligations tailored to the client’s business or a specific issue
  • Working with government regulators on data breach investigations and audits, including the Office for Civil Rights (OCR) and state attorneys general
  • Working with the Federal Bureau of Investigation (FBI), the Secret Service and international law firms on funds transfer fraud committed by business email compromise or by email spoofing or pretexting
  • Preparing HIPAA Privacy Rule and Security Rule policies and procedures
  • Advising on written security incident response policies and procedures
  • Advising financial institutions on requirements for customer privacy notification and information security
  • Developing website and mobile app privacy policies and terms of use
  • Negotiating and drafting technology agreements involving access, creation, transmission or storage of personal information
  • Drafting and negotiating privacy and cybersecurity related terms in a wide range of business agreements
  • Evaluating the risks involved in sharing information with third parties for marketing, transactional or other business purposes
  • Performing data privacy and security due diligence for mergers, acquisitions and other transactions
  • Advising on the legal requirements for destroying personally identifiable information
  • Advising on a wide variety of workplace issues, including surveillance, confidentiality agreements and termination procedures, among others
  • Litigating invasion of privacy matters


Many privacy protection laws are aimed at consumer protection and carry significant penalties for non-compliance or may lead to financial exposure in the form of government settlements or plaintiff class action lawsuits. Among the privacy laws and regulatory schemes on which we regularly advise clients are the following:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • 21st Century Cures Act Final Rule governing access, exchange, and use of electronic health information and prohibiting “information blocking”
  • Federal Trade Commission (FTC) laws, regulations and guidelines related to privacy, including:
    • FTC Act §5: Unfair and Deceptive Practices
    • Fair and Accurate Credit Transactions Act of 2003 (FACTA) and Red Flags Rule
    • Gramm-Leach-Bliley Act (GLBA)
    • CAN-SPAM Act of 2003
    • Children’s Online Privacy Protection Act (COPPA)
    • Health Breach Notification Rule
  • Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“The CIRCI Act”)
  • State data breach notification laws and regulations, such as the California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)
  • EU-U.S. Privacy Shield Framework
  • Family Educational Rights and Privacy Act (FERPA)
  • PCI Data Security Standards
  • Federal Financial Institutions Examination Council (FFIEC) cyber security statement
  • Privacy, consumer protection and bank secrecy under USA Patriot Act requirements
  • Telephone Consumer Protection Act (TCPA)
  • Video Privacy Protection Act of 1988