Cybersecurity and Privacy Compliance, and Data Management
Our team has substantial experience developing and counseling clients on novel and complex privacy compliance matters across a range of industries and jurisdictions. We help clients navigate an ever-changing, and at times conflicting, privacy regulatory landscape with business-focused and pragmatic strategies designed to minimize risk and potential liability. We have extensive experience counseling clients on state, federal and international privacy regulatory regimes, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and its successor the Consumer Privacy Rights Act (CPRA), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), federal and state wiretap laws, the Computer Fraud and Abuse Act (CFAA), state data protection laws (e.g., New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act and its Department of Financial Services cyber rule), data breach notification laws and obligations, and the Telephone Consumer Protection Act (TCPA).
- Program development and implementation. Advise on developing, improving and implementing corporate privacy programs and related compliance obligations, including developing, managing and analyzing data mapping and inventories, and project management and consulting for program initiatives.
- Privacy and data protection policies and procedures. Develop, update and counsel on internal corporate privacy policies and procedures, such as data classification, the handling of data subject rights requests, the preparation of privacy impact assessments and data protection impact assessments, and internal escalation and reporting mechanisms regarding privacy risks.
- Privacy disclosures and controls. Develop and counsel regarding public-facing privacy notices and disclosures, including strategies related to user controls, choices and consent mechanisms.
- Data transfer and storage. Advise on data retention and destruction obligations and complex cross-border data transfer requirements and strategies.
- Government and regulatory requests. Counsel and assist in responding to regulatory examinations as well as government and regulatory requests and subpoenas, including disclosures pursuant to the ECPA, SCA and related state wiretap statutes.