resilience through diligence
Overview
In a world dependent on information technology, networked operations and mobile connections, businesses face an increasing array of cybersecurity and data privacy challenges. Dorsey offers a coordinated worldwide team that helps assess your data flows and guide compliance efforts. When a security incident occurs, Dorsey’s team can respond immediately with a complete range of services to help you meet this challenge. Increasingly, privacy compliance is table stakes in vendor relationships and mergers and acquisitions. Dorsey helps its clients negotiate contracts, draft privacy and security policies, and consider privacy challenges raised by cutting-edge technologies.
Dorsey provides proactive planning and assessment of rapidly-evolving legal requirements and can handle cyber threats and incident response whether you are a Fortune 100 multinational company or a start-up. We stay on the forefront of evolving technologies, regulatory requirements, and industry best practices to provide you with comprehensive and practical legal solutions.
Video: Five Steps to Prepare for a Data Breach
Top Infosec and Privacy Issues
Doing business internationally requires a global data privacy compliance program. Dorsey’s offices in the US, Asia, and the UK work together to advise our clients on the increasingly important international data protection laws and regulations. Companies collecting, storing, and sharing personal information of their customers, users, or employees or transferring personal information across national borders rely on Dorsey to help navigate the technological and legal complexities of doing so.
With the EU’s General Data Protection Regulation (GDPR) the EU’s approach to data privacy and security expanded considerably. This involves not only an expansion of companies’ obligations when they collect, store, and share personal data of people in the EU (or in other countries that adopted GDPR like the UK did after Brexit) but also an expansion of the number of companies subject to these requirements. Any company doing business in any of the EU member states or in the UK, whether or not it has any physical presence in those countries, should be aware of the obligations imposed by the GDPR. To comply with the GDPR’s requirements, companies collecting, storing or sharing personal information need to review and in many cases revise their internal data practices and privacy policies as well as their consent forms, contracts with vendors, and the information provided to employees and customers when personal information is collected. Companies should also review and potentially need to improve measures to assure the security of personal data and to be prepared to respond to a security incident even more rapidly than in the past.
Dorsey’s Cybersecurity, Privacy and Social Media Practice Group has handled numerous types of GDPR and ePrivacy Directive-related advice and drafting, including:
- Data Processing Agreements and Addenda (DPA)
- Advising on Lawful Basis for Processing Data
- Privacy Statements
- Advising on Data Flows and Controls
- Security Policies
- Process Change Management
- Options for Obtaining User Consent When Required
- Preparing to and Responding to Data Subject Requests
- Vendor Management
- Contract Assessment
- Cookie Policies
- Cross-Border Data Transfer Options including Standard Contractual Clauses, Privacy Shield, and Binding Corporate Rules
- Advising on When Data Protection Officer (DPO) Required
- Monitoring Enforcement Activity and Guidance Released by European Data Protection Board (EDPB) and Member State Data Protection Authorities (DPAs)
- Records Retention Requirements and Restrictions
- Incident Response Plans
- Website Policies
- Third Party Security Management Program Development
- Advising on Email, Text and App-Based Marketing Restrictions and Requirements
Dorsey provides a full suite of services related to GDPR compliance and leverages its international team of privacy lawyers to ensure that clients receive the most up-to-date guidance on this hot topic.
See the short introduction to the GDPR in the video below:
A coordinated data protection plan is the first critical step necessary to minimize the likelihood of theft or illegal use, expedite investigation if misuse occurs, mitigate the damages and maximize success in potential future litigation. Standards of corporate governance require that directors and executives understand the adequacy of cybersecurity measures and liability protections. Dorsey can help your business:
- Develop and implement critical data protection policies, procedures and response plans, including cybersecurity assessments, privacy policies, information security programs, identity theft protection programs, website and mobile apps terms of use, social networking policies and username protection
- Protect intellectual property (patents, copyrights, trademarks and trade secrets) across networks, websites, mobile apps and mobile devices
- Prepare and negotiate key agreements with employees and third parties for licensing, confidentiality, outsourcing and cloud computing
Today’s maxim is that there are two kinds of companies in cyberspace: “those that know they have been breached and those that don’t.” Dorsey’s experienced team understands the challenging dynamics of breach responses. We can provide:
- An immediate response – literally within hours and even with incomplete and imperfect information – using:
- Live links to breach notification laws in all 50 jurisdictions
- Template notification letters to customers and Attorneys General, incorporating each state’s content, timing and sequencing requirements
- Experienced PCI and vendor relationship issues
- Internal investigations and immediate legal steps required to secure stolen information
- Prompt responses to infringers, scammers and cybersquatters
Experience
Client Achievements
Data Breach Investigation and Response
- Dorsey recently was approached by a number of California wineries who had been notified by a common vendor that their customer information may have been hacked. We put together a team overnight to provide breach notifications to customers of over 30 wineries for 48 different jurisdictions and to dozens of state Attorneys General within 24 hours of being retained. While the Krebs blog had a head start on us, by the time it “broke the story,” customers had already been notified, and the media ignored the event.
- Dorsey developed immediate response measures for a large agricultural cooperative whose sensitive payroll information of high-level executives had been compromised as well as emergency communication procedures. Within an hour of the incident we assessed the potential scope of disclosure, possible methods for retrieval to minimize potential dissemination of material, and assessed reporting obligations.
- Our cybersecurity team assisted a health care provider with a data breach response involving unauthorized disclosure of PHI by an employee. Our team assessed potential notification requirements, retrieved data from various devices used by the former employee and her family, and developed creative alternatives to address emerging issues not covered by regulatory guidelines.
- Members of Dorsey’s data protection team represented a health care organization in an Office of Civil Rights investigation of potential HIPAA violations following a data breach involving over 38,000 individuals.
- Dorsey represented a human capital management company in a class action lawsuit arising from a third-party hacker. Plaintiffs alleged that because the hacker accessed their personal information, they faced an increased risk of identity theft, and were forced to pay for credit monitoring and identify theft protection. A New Jersey trial court granted Dorsey’s motion to dismiss on the grounds that Plaintiffs lacked standing to sue absent alleged actual misuse of their personal information or actual identity theft. The Third Circuit affirmed.
Proactive Prevention
- A Fortune 500 multi-national corporation turned to Dorsey to assess its privacy and data protect policies and procedures, and completely update them. Our attorneys worked with a multi-dimensional in-house team to determine data collection, flow, retention and destruction; access protocols; EU-data transfers; certification requirements; and ongoing compliance monitoring.
- A Dorsey cybersecurity team analyzed potential privacy and data protection issues associated with a risk management solutions company’s potential acquisition of a mobile app authentication service.
- Dorsey counsels a nationwide retailer on the constantly evolving best practices for structuring communications to customers of its pharmacy operations.
- Dorsey’s privacy group drafted a complex set of website terms for use in 21 countries, with significant user-generated content issues, using its knowledge of international privacy laws to provide insight and practical advocacy.
- Our team assisted a Fortune 100 insurance company in drafting and implementing an internal social networking policy.
- Dorsey regularly advises clients with European online presence on how they can benefit from immunity from liability in relation to user-generated content under the eCommerce Directive and on the pit-falls presented by the Privacy in Electronic Communications legislation in relation to matters, such as the use of cookies in websites and the challenges of targeted advertising.
- We have deep experience in registering both generic and country code domain names for clients and in counseling clients on managing their domain name portfolios to deter cybersquatters.
Compliance
- A Native American gaming organization turned to Dorsey for assistance in developing assessment mechanisms to ensure compliance with guidelines and regulations for data and privacy protection and reporting. This project included assessment of applicability of state breach laws to a sovereign tribe, potential waiver consequences associated with voluntary compliance and mechanisms for ongoing assessment and improvement of policies and procedures.
- Dorsey served as general counsel to a public-private Health Information Exchange formed to facilitate the exchange of health information electronically in compliance with HIPAA/HITECH.
- Working with app developers, our privacy compliance professionals have counseled on designing apps in compliance with the FTC’s endorsement guidelines.
- Dorsey has extensive experience with counseling clients on complying with and drafting policies concerning the Digital Millennium Copyright Act, the CAN-SPAM Act, the Communications Decency Act, the Children’s Online Privacy Protection Act, online behavioral advertising principles, and other internet-related laws.
- Dorsey has helped numerous app developers design online advertising platforms and draft user rules in compliance with the FTC’s endorsement guidelines.
- Our Financial Services privacy lawyers develop and audit internal privacy procedures to address both Graham-Leach-Bliley Act compliance and customer expectations for their personal financial information.
- Dorsey Financial Services privacy practitioners also assist in dealing with subpoenas and other legal processes served on clients that trigger Graham-Leach-Bliley issues.
- When two of its former financial advisors refused to return confidential client information, a financial services company hired our cybersecurity litigators to represent it in two different state court actions implicating the Gramm-Leach-Bliley Act. In both matters, the courts granted motions for a temporary restraining order preventing a former financial advisor from using or further disclosing the confidential information. FINRA (Financial Industry Regulatory Authority) arbitration panels subsequently approved the company's requests for a permanent injunction requiring the former advisor to, among other things, return the information.
- A brokerage firm relied on Dorsey’s cybersecurity practitioners to handle a class action suit relating to a database containing certain confidential personal and financial information of approximately 250,000 of the client’s then current and former customers. The database was compromised by a computer hacker who illegally obtained access to the information through a sophisticated network intrusion. Plaintiffs alleged violations of the Fair Credit Reporting Act, breach of contract, violations of the Montana Consumer Protection Act, negligence and negligence per se. After our client filed its motion to dismiss, the parties entered into a class-wide settlement agreement, which was approved by the Court.
Accolades
Our Cybersecurity, Data Privacy and Social Media lawyers include:
- four certified information privacy professionals (CIPP)
- a member of the Sedona Conference Working Group 11 Drafting Team on Data Security
- a member of the CIPP/US exam development board of the International Association of Privacy Professionals (IAPP)
- a co-chair the IAPP’s Minneapolis KnowledgeNet
- a member of the Internet Committee of the International Trademark Association, Who Is and Privacy Issues Subcommittee
Industries & Practices
Consumer Financial Services
Explore This Practice View client achievements related to this practice View resources related to this practiceCorporate Governance & Compliance
Explore This Practice View client achievements related to this practice View resources related to this practiceHealthcare Transactions & Regulations
Explore This Practice View client achievements related to this practice View resources related to this practiceIntellectual Property Litigation
Explore This Practice View client achievements related to this practice View resources related to this practice- Consumer Financial Services
- Corporate Governance & Compliance
- Healthcare Transactions & Regulations
- Intellectual Property Litigation
- Labor & Employment
- Technology Commerce
- Trademark & Copyright
