In a world dependent on information technology, networked operations and mobile connections, businesses face an increasing array of cybersecurity and data privacy challenges. Dorsey offers a coordinated worldwide team that can respond immediately with a complete range of services to help you meet these challenges.
Dorsey provides proactive planning and assessment of cyber threats and incident response whether you are a Fortune 100 multinational company or a start-up. We stay on the cutting edge of evolving technologies, regulatory requirements and industry best practices to provide you with comprehensive and practical legal solutions.
Read more about how we can help you stay ahead of the issues.
Today’s maxim is that there are two kinds of companies in cyberspace: “those that know they have been breached and those that don’t.” Dorsey’s experienced team understands the challenging dynamics of breach responses. We can provide:
- An immediate response – literally within hours and even with incomplete and imperfect information – using:
  - Live links to breach notification laws in all 48 jurisdictions
  - Template notification letters to customers and Attorneys General, incorporating each state’s content, timing and sequencing requirements
- Experience with PCI and vendor relationship issues
- Internal investigations and immediate legal steps required to secure stolen information
- Prompt responses to infringers, scammers and cybersquatters
A coordinated data protection plan is the first critical step necessary to minimize the likelihood of theft or illegal use, expedite investigation if misuse occurs, mitigate the damages and maximize success in potential future litigation. Standards of corporate governance require that directors and executives understand the adequacy of cybersecurity measures and liability protections. Dorsey can help your business:
- Protect intellectual property (patents, copyrights, trademarks and trade secrets) across networks, websites, mobile apps and mobile devices
- Prepare and negotiate key agreements with employees and third parties for licensing, confidentiality, outsourcing and cloud computing
Doing business internationally requires a global data privacy compliance program. Dorsey’s offices in the US, Asia and London work together to advise our multinational clients on the increasing patchwork of national data protection laws affecting companies holding personal data of their clients or employees or transferring personal data across national borders.
The European Union (EU) has been a leader in data protection regulation since the adoption of its Data Protection Directive in 1995. The Directive’s broad generic regulation of personal data has been a model for a number of other countries that have adopted data protection laws. With the adoption of the EU’s General Data Protection Regulation (GDPR), the EU’s approach to data privacy and security has been considerably expanded, not only in the obligations of companies holding personal data of EU residents but also in the range of companies that will now be subject to these requirements of EU data protection law.
Any company doing business in any of the EU countries, whether or not they have any physical presence in the EU, should be aware of the substantially greater obligations imposed by the GDPR which automatically will come into force in all 27 EU member countries in May 2018. To comply with the new requirements, companies collecting or holding personal data of EU individuals will need to review and in many cases revise their internal data practices and privacy policies as well as their consent forms and the information provided to employees and customers when personal data is collected. Companies should also review and potentially will have to improve measures to assure the security of personal data.
Data Breach Investigation and Response
- Dorsey recently was approached by a number of California wineries who had been notified by a common vendor that their customer information may have been hacked. We put together a team overnight to provide breach notifications to customers of over 30 wineries for 48 different jurisdictions and to dozens of state Attorneys General within 24 hours of being retained. While the Krebs blog had a head start on us, by the time it “broke the story,” customers had already been notified, and the media ignored the event.
- Dorsey developed immediate response measures, as well as emergency communication procedures, for a large agricultural cooperative whose sensitive payroll information of high-level executives had been compromised. Within an hour of the incident we assessed the potential scope of disclosure, possible methods for retrieval to minimize potential dissemination of material, and reporting obligations.
- Our cybersecurity team assisted a health care provider with a data breach response involving unauthorized disclosure of PHI by an employee. Our team assessed potential notification requirements, retrieved data from various devices used by the former employee and her family, and developed creative alternatives to address emerging issues not covered by regulatory guidelines.
- Members of Dorsey’s data protection team represented a health care organization in an Office of Civil Rights investigation of potential HIPAA violations following a data breach involving over 38,000 individuals.
- Dorsey represented a human capital management company in a class action lawsuit arising from a third-party hacker. Plaintiffs alleged that because the hacker accessed their personal information, they faced an increased risk of identity theft, and were forced to pay for credit monitoring and identity theft protection. A New Jersey trial court granted Dorsey’s motion to dismiss on the grounds that Plaintiffs lacked standing to sue absent alleged actual misuse of their personal information or actual identity theft. The Third Circuit affirmed.
- A Fortune 500 multi-national corporation turned to Dorsey to assess its privacy and data protection policies and procedures, and completely update them. Our attorneys worked with a multi-dimensional in-house team to determine data collection, flow, retention and destruction; access protocols; EU-data transfers; certification requirements; and ongoing compliance monitoring.
- A Dorsey cybersecurity team analyzed potential privacy and data protection issues associated with a risk management solutions company’s potential acquisition of a mobile app authentication service.
- Dorsey counsels a nationwide retailer on the constantly evolving best practices for structuring communications to customers of its pharmacy operations.
- Dorsey’s privacy group drafted a complex set of website terms for use in 21 countries, with significant user-generated content issues, using its knowledge of international privacy laws to provide insight and practical advocacy.
- Our team assisted a Fortune 100 insurance company in drafting and implementing an internal social networking policy.
- We have deep experience in registering both generic and country code domain names for clients and in counseling clients on managing their domain name portfolios to deter cybersquatters.
- A Native American gaming organization turned to Dorsey for assistance in developing assessment mechanisms to ensure compliance with guidelines and regulations for data and privacy protection and reporting. This project included assessment of applicability of state breach laws to a sovereign tribe, potential waiver consequences associated with voluntary compliance and mechanisms for ongoing assessment and improvement of policies and procedures.
- Dorsey served as general counsel to a public-private Health Information Exchange formed to facilitate the exchange of health information electronically in compliance with HIPAA/HITECH.
- Working with app developers, our privacy compliance professionals have counseled on designing apps in compliance with the FTC’s endorsement guidelines.
- Dorsey has extensive experience with counseling clients on complying with and drafting policies concerning the Digital Millennium Copyright Act, the CAN-SPAM Act, the Communications Decency Act, the Children’s Online Privacy Protection Act, online behavioral advertising principles, and other internet-related laws.
- Dorsey has helped numerous app developers design online advertising platforms and draft user rules in compliance with the FTC’s endorsement guidelines.
- Our Financial Services privacy lawyers develop and audit internal privacy procedures to address both Gramm-Leach-Bliley Act compliance and customer expectations for their personal financial information.
- Dorsey Financial Services privacy practitioners also assist in dealing with subpoenas and other legal processes served on clients that trigger Gramm-Leach-Bliley issues.
- When two of its former financial advisors refused to return confidential client information, a financial services company hired our cybersecurity litigators to represent it in two different state court actions implicating the Gramm-Leach-Bliley Act. In both matters, the courts granted motions for a temporary restraining order preventing a former financial advisor from using or further disclosing the confidential information. FINRA (Financial Industry Regulatory Authority) arbitration panels subsequently approved the company's requests for a permanent injunction requiring the former advisor to, among other things, return the information.
- A brokerage firm relied on Dorsey’s cybersecurity practitioners to handle a class action suit relating to a database containing certain confidential personal and financial information of approximately 250,000 of the client’s then current and former customers. The database was compromised by a computer hacker who illegally obtained access to the information through a sophisticated network intrusion. Plaintiffs alleged violations of the Fair Credit Reporting Act, breach of contract, violations of the Montana Consumer Protection Act, negligence and negligence per se. After our client filed its motion to dismiss, the parties entered into a class-wide settlement agreement, which was approved by the Court.
Our Cybersecurity, Data Privacy and Social Media lawyers include:
- four certified information privacy professionals (CIPP)
- a member of the Sedona Conference Working Group 11 Drafting Team on Data Security
- a member of the CIPP/US exam development board of the International Association of Privacy Professionals (IAPP)
- a co-chair of the IAPP’s Minneapolis KnowledgeNet
- a member of the Internet Committee of the International Trademark Association, Who Is and Privacy Issues Subcommittee