The collection, retention, use and protection of personally identifiable or confidential information, including customer data, medical records, employee records and proprietary corporate information, is a convoluted and rapidly changing area of the law. Likewise, reported data breaches and computer intrusions are at an all-time high. Attorneys at Duane Morris regularly handle security breaches and are highly knowledgeable about privacy and security laws—including U.S. federal laws (including HIPAA, GLB, SOX, CAN-SPAM, Do-Not-Call, Computer Fraud and Abuse Act), state (breach notification and related statutes) and legislation in Europe and Asia—and frequently provide clients with compliance and auditing advice on privacy and IT security exposure. We have extensive experience in regulated industries (e.g., healthcare, financial services, telecom, insurance, etc.) and consult on the collection, processing and transmission of data outside the United States and pursuant to the EU General Data Protection Regulation (GDPR).
Attorneys in the firm's Information Technologies and Telecom practice group develop and draft Web privacy policies and corporate IT security and technology policies, conduct compliance training for employees, assist in the legal aspects of IT security audits, and prepare data retention policies and SAS 70 and ISO 27000 reports (including issues involving the security of data in third-party data centers). As class action and related litigation arising from privacy and IT security breaches increases, our lawyers are also well positioned to handle or assist in the litigation of damages actions in these often high-profile cases.
Duane Morris can assist in a wide variety of areas related to data security and privacy:
Regulatory Advice
Navigating the complex regulatory minefield governing data protection is challenging. We rely on our extensive knowledge of federal, state and international laws, as well as current FTC guidance and client advocacy, to provide sound advice regarding privacy and security of consumer data in such industries as healthcare, financial services, telecom, insurance and others. In many of these markets, careful attention must also be given to the provisions of vendor and customer agreements in order to ensure regulatory compliance and to minimize the risk of potentially harmful electronic data breaches.
Policy Development and Enforcement
Members of the IT&T practice group regularly prepare and update an array of IT security policies, including:
- Online and brick-and-mortar privacy and security policies for collecting, handling and protecting sensitive data
- Enterprise data retention and destruction policies
- Internal corporate employee policies for handling and use of confidential company or customer information
- Guidelines and advice regarding protection of competitively sensitive corporate information (e.g., trade secrets, copyrights, proprietary and confidential data, customer information, records data and product/pricing information)
Employee Training
In today's digital age, where a single misplaced laptop or flash drive can land a company in the crosshairs of the plaintiffs' bar, corporations of all sorts must develop internal human resource (HR) policies for employees governing handling and use of information. Attorneys in the practice group have a wealth of experience preparing and training employees on permissible employee usage of IT assets (e.g., laptops, USB drives, camera phones, iPods, PDAs, etc.) and services (e.g., email, instant messaging and SMS/text messaging). Our attorneys also advise clients on identity theft by employees (reportedly 70% of identity theft in the United States occurs internally) and on the scope of employers' rights to monitor and intercept employee communications.
Transactional Safeguards
Every corporate sale or vendor agreement, particularly if it involves partnering with another company for some or all of manufacturing or fulfillment, presents a risk to privacy and data security. Where regulatory standards exist, they must be incorporated into (and followed upon implementation of) transactional agreements. Where state-specific requirements, frequently pioneered in California, are at issue, attention must be given to ensuring that deal partners know and adhere to the law despite geographic differences.
mHealth, Telemedicine and Medical Data
Information technology is becoming increasingly entwined with healthcare. From accessing electronic medical records to wireless delivery of test results and treatment information, mobile health (mHealth), telemedicine and health information technology (HIT) issues regarding privacy and data protection continue to grow exponentially in the healthcare space. Duane Morris has a multidisciplinary client team experienced in addressing the legal issues that clients must consider in developing, funding or deploying a product or service that could be considered mHealth or telemedicine, or relies on HIT. The firm also regularly represents providers, such as hospitals, physicians and nursing homes, health plans and payors, vendors and other entities on the privacy and security requirements, including breach responses, under the Health Insurance Portability and Accountability Act (HIPAA) and other laws.
Security Breach, Crisis Management and Litigation
No data security process is impenetrable, and vulnerabilities, whether inadvertent or malicious, will always exist. Hence, when Social Security or credit card numbers are hacked from a corporation's IT system, there is more than one audience for the board of directors to satisfy. Astute directors and CEOs will devote equal attention to three complementary areas: media relations, legal compliance and proactive fixes. While adhering to statutory obligations for customer notice is necessary, it is far from sufficient to ward off or end litigation claims by federal agencies (principally the FTC) and by those whose information has been compromised. At Duane Morris, our IT&T attorneys can assist in each of these endeavors, through and including trial of damages and class action claims.
For More Information
For more information, please contact Sandra A. Jeskie, Michelle Hon Donovan, John M. Benjamin or any of the group members referenced in the Attorney Listing.
The Data Privacy and Security Landscape: Legal Developments in the United States and Beyond Webinar Series
This series explores the latest developments in this rapidly changing intersection of the law and technology to help companies navigate new and sweeping regulations in the United States and beyond, protect against increasingly sophisticated cybercrimes and safeguard valuable consumer information. Please visit the event page for more information.
Understanding the CCPA 2.0: the California Privacy Rights Act
On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA). The CPRA is sometimes referred to as “CCPA 2.0” because it includes substantial revisions to the California Consumer Privacy Act (CCPA) while adding new privacy and security obligations for covered businesses. This webinar discusses the wide range of implications. Please visit the event page for more information.
The California Consumer Privacy Act of 2018 Webinar Series
Led by an interdisciplinary team of Duane Morris attorneys, the California Consumer Privacy Act of 2018 Webinar Series offers an in-depth discussion and analysis of the CCPA, along with timely and practical strategies to prepare your business for compliance with this complex rule. Please visit the event page for more information.