Privacy & Cybersecurity

Counsel on data stewardship in a time of explosive information technology growth.

Locke Lord’s Privacy & Cybersecurity Practice Group guides our clients in meeting legal, regulatory and contractual obligations concerning the collection, use, transmission, storage and destruction of data, and in mitigating cybersecurity risks. With a range of backgrounds in insurance, finance, retail, health care, energy, IP and litigation (among others), our lawyers provide advice that takes into account the standards and practices of the industries and legal frameworks in which our clients operate as well as laws and regulations of countries worldwide.

Our team members have a sophisticated understanding of the legal landscape that affects our clients.

  • Analysis and advice regarding compliance with state privacy laws, including CCPA and emerging consumer privacy laws in other states
  • Advice regarding collection, use and sharing of data, including through websites, and development of appropriate notices and other disclosures, including online privacy policies and terms of use
  • Due diligence and negotiation of representations and warranties in mergers and acquisitions, private equity investments and other business transactions
  • Drafting and negotiation of service provider agreements
  • Structuring and drafting of documents and disclosures related to e-commerce
  • Development of information security programs, and drafting of related policies and procedures, in compliance with applicable laws and regulations, including sector-specific requirements for financial services, insurance, health care, energy, defense and education
  • Incident response planning, including development of incident response plans
  • Design and delivery of awareness training sessions targeted to C-Suite, incident response teams and all personnel
  • Legal advice in responding to, investigating and remediating cybersecurity incidents (including ransomware) and other compromises of personal information and commercially sensitive information
  • Defense of litigation and response to regulatory inquiries and enforcement actions related to data breach, and other privacy and security issues
  • Advice to insurers concerning cybersecurity policy wordings, and claims and coverage matters

We embrace a team-oriented, client-centric, results-driven approach. We focus on our clients’ business objectives to provide long-term value.

  • We work collaboratively with clients to identify and address privacy and cybersecurity issues related to their transactions, service agreements, marketing and other business activities; compliance obligations; litigation and enforcement issues; and cybersecurity preparedness and incident response
  • We handle matters efficiently, with the appropriate number and experience of core team members and the ability to involve other attorneys where and when needed, including for specific industry knowledge
  • Our team offers practical and innovative solutions
  • The diversity of our team is a key part of our success
  • We strive to know our clients’ industries, including business needs and goals
  • Nationwide attorney coverage, with global capabilities through offices in London and Brussels, and through network member firms around the world

We have handled a variety of privacy and cybersecurity compliance issues, including:

Privacy

  • Advice regarding applicability and requirements of various state and federal privacy laws, including CCPA, BIPA and other state laws, GLBA, and HIPAA
  • Preparation and delivery of notices and disclosures required by federal and state privacy laws
  • Responding to consumer rights to know, delete, access, limit sharing and opt-out of sale of personal information
  • Compliance with data transfer requirements, including GDPR
  • Drafting of service contracts and data processing agreements to limit use and disclosure of information

Cybersecurity

  • Drafting of cybersecurity policies and procedures, including information security programs, vendor cyber risk management policies and related terms for service provider contracts, and cybersecurity addenda to service contracts
  • Incident preparedness, including drafting incident response plans, and designing and conducting tabletop exercises
  • Compliance with various cybersecurity requirements, including NY DFS Cybersecurity Regulation, HIPAA Security Rule, and other state and federal laws and regulations

Representative Matters

  • Advice to global, national and regional financial institutions regarding compliance with emerging legal and regulatory requirements related to the collection, use and protection of information, including the New York DFS Cybersecurity Regulation, the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and Virginia Consumer Data Protection Act (VCDPA)
  • Advice to multiple regional financial institutions regarding biometric data collection regulations
  • Design and documentation of state privacy law compliance program for national provider of services to consumers, municipalities and businesses
  • Advice to multiple financial institutions and insurance companies regarding applicability of and compliance with federal and state privacy requirements
  • Drafting of online privacy policies and terms of use for collection of information through websites and mobile apps in all industries

We frequently counsel clients in connection with identifying, prioritizing and addressing potential threats and vulnerabilities as well as in corporate governance issues. We also provide preparedness assistance, including:

  • Development of information security programs, and drafting of related policies and procedures, in compliance with applicable laws and regulations, including sector-specific requirements for financial services, insurance, health care, energy, defense and education
  • Incident response planning, including development of incident response plans
  • Design and delivery of awareness training sessions targeted to C-Suite, incident response teams and all personnel
  • Legal advice in responding to, investigating and remediating cybersecurity incidents (including ransomware) and other compromises of personal information and commercially sensitive information

Representative Matters

  • Design and implementation of privacy and data protection policies and incident response plans for large insurance company to comply with federal and state laws and requirements of the financial services industry
  • Design and facilitation of tabletop exercises for global manufacturing firm and national banking institution, to simulate ransomware and other incidents
  • Legal analysis of attempted ransomware attack against distributed electronic health record system, leading to a conclusion of no reportable breach
  • Investigation and analysis of vendor breach notice to client health care provider, leading to a conclusion of no reportable breach under HIPAA
  • Response to multiple regulatory inquiries, and negotiation with state and federal agencies of fines and penalties, following data breach
  • Legal and forensic investigation of suspected business email compromise of public school district system
  • Response to ransomware attack on managed services provider specializing in offerings for financial services clients
  • Analysis of suspected compromise of multiple email and proprietary systems on behalf of restaurant franchisee
  • Advice to community health center on response to unfounded breach allegation by a patient
  • Response to theft of unencrypted laptop from academic medical center, including legal guidance with respect to forensic investigation, and notices to federal and state regulators
  • Legal advice to operator of a shared health record system when trusted insider abused system privileges, including investigation, and reporting and notification requirements
  • Security awareness training for all personnel, and for select teams, at financial institutions and professional services firms
  • Advice to national and local nonprofit organizations on issues related to compromises of donor credit card information, and personal information of employees and other populations

Privacy and cybersecurity requirements vary by industry sector and jurisdiction. Our team brings extensive experience across many industries and jurisdictions to our counselling of clients on the privacy and cybersecurity issues related to their business operations and transactions.

  • Due diligence in mergers and acquisitions, and private equity investments
  • Drafting and negotiation of representations and warranties in purchase and investment agreements
  • Structuring and drafting of documents and disclosures related to e-commerce
  • Drafting and negotiation of service provider agreements
  • Preparing and evaluating indemnification and other risk transfer provisions pertaining to privacy and cybersecurity issues in agreements

Representative Matters

  • Due diligence of privacy and cybersecurity issues in acquisition of technology platform
  • Representation of global financial services company in creation of data lake, including access, use, sharing and data transfer requirements, and data anonymization
  • Negotiation of business associate agreements for large health care provider
  • Drafting and negotiating of representations and warranties related to privacy and data protection issues in acquisition by private equity firm
  • Advice regarding restrictions and requirements for cross-border data transfer in acquisition of EU-based service company
  • Drafting of e-commerce disclosures and contracts for online retailer
  • Development of text messaging campaign by financial services company
  • Drafting of health information technology licenses for health care provider
  • Negotiation of cybersecurity requirements for energy company contracts with service providers

Privacy and cyber law can vary by industry sector and jurisdiction. We can develop and implement national litigation strategies to address cyber incidents and privacy claims because of our experience with key laws and regulations, as well as our extensive geographical reach.

We have handled a variety of privacy/cyber issues for our clients, including:

  • Telephone Consumer Protection Act (TCPA)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Illinois Biometric Information Privacy Act (BIPA)
  • California Invasion of Privacy Act (CIPA) and Wiretap claims
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Data breaches
  • B2B claims

Extensive class action experience across major substantive areas of the law, including:

  • Consumer Protection (including federal and state statutes)
  • Financial Services
  • Business Torts
  • Insurance

Regularly represent clients before federal and state agencies, including the state attorneys general

  • Includes responses to informal inquiries following data breach notifications as well as formal enforcement actions relating to privacy/cyber compliance issues

Representative Matters

  • Representation of large, national insurance company in post-breach regulatory enforcement by NY DFS
  • Negotiation of a settlement in favor of research hospital client with state attorney general related to breach
  • Response to inquiries from state attorneys general in multiple states concerning timeliness of notification and adequacy of security following compromise of personal information
  • Extensive interaction with Office for Civil Rights of the U.S. Department of Health and Human Services following compromise of protected health information at global provider of medical devices
  • Response to breach complaint filed against health information network, leading OCR to close its investigation without penalty
  • Negotiation of settlement for financial services company to avoid arbitration concerning vendor data breach

The insurance industry is at the heart of privacy and cybersecurity risk management, and Locke Lord is there with you. We can support you in building your business through regulatory compliance, merger and acquisition, and policy wording and product development. We can defend your interests in your evaluation of policyholder claims and represent you when those claims are disputed, including in mediation, litigation and arbitration. Our significant insurance platform is bolstered by our strong background with privacy and cybersecurity preparedness, compliance, incident response, litigation and regulatory enforcement.

Experience

  • Enable business strategies, including licensing, acquisition of existing licensed entities and surplus lines advice
  • Advise about development of insurance products and wordings addressing privacy and cybersecurity risks
  • Support internal client training and education with sessions about claims handling regulations and litigation as well as legal updates about privacy and cybersecurity issues
  • Work with insurer clients to assess and negotiate coverage issues for cyber, data, privacy, technology and media risks under standalone cyber policies and cyber endorsements as well as other lines of coverage, including E&O and D&O
  • Defend insurers in litigation and arbitration, bringing considerable experience with numerous jurisdictions, lines of coverage, types of claims and policyholder firms

Representative Matters

  • Provision of surplus lines advice to P&C insurance company for its plans for a cybersecurity offering
  • Representation of cyber MGA in its acquisition of a US-domiciled insurance company
  • Consideration of privacy and cybersecurity insurance requirements in proposed transactional and other contractual agreements
  • Evaluation of new and revised privacy and cybersecurity policy and endorsement language for several specialty insurers
  • Work with insurers on more than 1,300 cyber, data, privacy, technology and media risks claims under standalone cyber policies and cyber endorsements as well as other lines of coverage including E&O and D&O
  • Preparation of amicus curiae appellate brief for trade association in BIPA insurance coverage matter

We advise companies with multinational operations on EU and other data protection laws as well as on cross-border data flows and transfers, including in:

  • Cloud computing and other information services arrangements
  • EU General Data Protection Regulation (GDPR) compliance
  • Internal investigations concerning potential fraud, corruption and the Foreign Corrupt Practices Act (FCPA)

We provide counsel and coordination on data protection policies and regulatory compliance issues in the UK and abroad. In addition, our Firm is a member of World Law Group (WLG), a global independent law firm network with more than 18,000 lawyers worldwide. WLG allows us to access the resources required to meet a client’s needs almost anywhere in the world — swiftly, efficiently and cost effectively.
