Cybersecurity & Data Privacy

Multimedia

Prevention, Preparation & Compliance

Today’s businesses often struggle through the day-to-day demands to keep up with new data privacy laws and regulations and methods to secure data in a constantly changing environment. With the Constangy Cyber Team on your side, you have a team of experienced professionals to provide practical, business-oriented advice about data protection and information security to mitigate the risk posed by increasingly dangerous malicious threats.

We work with clients of all sizes and across all business sectors to assist them in identifying applicable laws and developing strategies to implement cybersecurity programs that safeguard data without compromising business growth. Our team is well-positioned to help clients prioritize compliance tasks, including data governance, incident response planning, policy development, and third-party vendor management. We also help assess information security concerns that arise as businesses grow and expand. We regularly review and update existing policies to reflect established best practices and compliance with applicable laws based on industry, size, and geographic footprint.

What We Do

Below are a few key services provided by our team:

Data Privacy & Security Assessments

Our team conducts comprehensive assessments of applicable laws, cyber preparedness, and data privacy programs. We provide practical and cost-effective recommendations on strategies to improve compliance and reduce risk. As part of a regulatory assessment, our team will:
●Review how data privacy is handled throughout the business model, including the policies, practices, and documentation related to data collection, transmission, and storage
● Assess compliance with applicable laws and identify gaps and opportunities for improvement
● Recommend actions to improve an organization’s compliance posture, mitigate risk, and better protect critical data

Incident Response Preparedness

We advise clients on best practices for responding to cybersecurity incidents, including drafting incident response plans, engaging critical vendors, and providing practical advice on how to mitigate the risk of cybersecurity threats. Our incident response plans are mapped to the National Institute of Standards and Technology (NIST) cybersecurity framework, including Special Publication (SP) 800-61 Rev. 2, and incorporate industry best practices to mitigate risk and limit liability. Our team also facilitates incident response trainings and tabletop exercises. The tabletop exercises involve simulated cybersecurity events that include key personnel and organizational decisions to be made in response to data security incidents.

Data Privacy and Information Security Policies and Procedures

We work with clients to develop and implement data privacy and information security policies and procedures to mitigate risk and limit liability. The policies are tailored to laws, regulations and industry standards applicable to each client. The policies are generally mapped to the NIST cybersecurity framework, including NIST SP 800-53 Rev. 5 “Security and Privacy Controls for Information Systems and Organizations” and SP 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” as well as the Critical Security Controls, which are now managed by the Center for Internet Security.

Marketing Information Policies

Our attorneys work with marketing teams to understand an organization’s data collection and processing activities and whether they are in compliance with applicable data privacy laws, including data subject rights such as the right to “opt out” or otherwise control how individuals’ data is used. We help create and maintain up-to-date policies pertaining to the use of tracking technology and user tracking practices. We also work with clients on strategies for mitigating risk posed by information-sharing practices and third-party providers.

Data Retention & Destruction Policies

Organizations can manage risk and improve compliance through strong document retention and destruction practices. There is a myriad of laws and regulations relating to this specific area of data privacy and cybersecurity. Our attorneys regularly help clients create and implement document retention and destruction policies that focus on complying with regulatory frameworks and limiting potential liability.

Employee Information Policies

Organizations collect and process a vast amount of personal information about their employees. State, federal, and international laws require rigid data protection and disclosures about how private information will be used and disclosed by the organization. With our depth of knowledge of data privacy cybersecurity law, complemented by one of the country’s leading labor and employment law practices, the Constangy Cyber Team can help navigate this complex environment in a way that no other firm can match.

Data Privacy and/or Network Security Awareness Training

The Constangy Cyber Team offers customized training for employees, executives, board members, and information technology/security personnel on network security awareness, including best practices for safeguarding data, recognizing threats, and mitigating data security risks. We create programs that fit each organization’s specific needs and can be delivered in person, via webinar, or through pre-recorded formats. We can tailor training programs to the needs of a full organization or to a specific department, location, or employee role.

Third-Party Contract Review and Management

Contractual obligations with third parties create some of the most significant areas of liability when it comes to information security. This liability is often related to minimum information security standards, incident reporting obligations, the accuracy of representations and warranties, insurance law requirements, and provisions pertaining to indemnification and limitations of liability. The Constangy Cyber Team develops a deep understanding of an organization’s business needs, the complexity of its data privacy and information security requirements, and the legal and practical business relationships that must underly policies and procedures. This involves a review of data shared with business partners and third-party vendors and their information security practices. We develop and revise agreements and develop third-party vendor management systems to manage liability and ensure compliance with information handling and incident notification/management requirements.

Facilitating Third-Party Technology Projects

To help protect client data, the Constangy Cyber Team can help develop and execute confidential third-party technology engagements such as system vulnerability assessments, system penetration testing, and forensic investigations. We can help identify appropriate vendors, determine the appropriate scope of an engagement, negotiate contracts, provide task and budget oversight, and provide guidance on any required reports to ensure they are accurate and formatted appropriately if they need to be provided for regulatory purposes. These confidential engagements may be subject to the attorney-client privilege and work product doctrine as permitted by applicable law.

Due Diligence for Mergers and Acquisitions

When companies are involved in a merger, acquisition, or sale, it is critical that due diligence be conducted by both sides to ensure that critical data will be protected and that accurate representations and warranties about the security of information systems are included. Our attorneys understand these complex dynamics and advise clients throughout the process.

Data Transfer and Data Processing Agreements

In a globally connected world, sharing data with third parties and across borders can present a unique set of challenges. Data transfer can be particularly complex between the US and the EU and UK, which have particularly stringent security requirements. The Constangy Cyber Team provides guidance on transfer impact assessments and helps develop data transfer agreements to ensure all compliance obligations are met when transferring data from one country to another. We also advise clients on essential provisions that companies should include in Data Processing Agreements to mitigate risk under state, federal, and international laws.

HIPAA Compliance

The Constangy Cyber Team regularly advises covered entities and business associates in the healthcare sector about their obligations under the Health Insurance Portability and Accountability Act (HIPAA). Protected Health Information (PHI) is some of the most highly regulated data an organization can collect about an individual. HIPAA requirements create additional complexity for businesses that process PHI, including documentation of technical, administrative, and physical controls to protect PHI; requirements to conduct periodic risk analyses, contracting protocols, and policies and procedures to demonstrate compliance with applicable provisions of HIPAA. Our team has significant experience with HIPAA compliance and can guide clients through the legal requirements and industry standards required to effectively protect PHI.

Incident Response

In today's interconnected digital world, virtually all companies, their employees, customers, and third-party vendors are targets of cyberattacks. Mitigating the risk of, and preparing to defend against, cyberattacks are core components of any responsible business model. Companies of all sizes, and in all industry sectors, must have a strong team of attorneys available and equipped to immediately come to the rescue when a cybersecurity incident or data breach occurs. The Constangy Cyber Team is the rapid response team that companies need. We are ready to respond at any time and are equipped with experience gained from managing thousands of responses to complex data security incidents impacting organizations of all sizes.

Cybersecurity incidents occur in many ways. Some are caused by human error. Others are carefully orchestrated by increasingly sophisticated criminals whose tactics are constantly evolving. Regardless, the overwhelming majority of cybersecurity incidents involve some combination of data exposure or data loss, operational disruption, reputational damage, financial loss, legal liability, and/or regulatory scrutiny. The Constangy Cyber Team will work proactively to develop programs to better secure information and limit liability, and they will always be available 24/7 to provide a rapid response to any urgent data privacy or security need.

When a cybersecurity incident occurs, organizations have certain legal obligations to investigate and respond within short timelines. The Constangy Cyber Team regularly navigates these obligations and brings unparalleled experience gained through work as government investigators, in-house counsel, outside counsel, privacy officers, regulators, and first responders. We also understand that incident response goes beyond legal compliance and includes stakeholder engagement across many levels.

What We Do

Incident Response Preparedness

Before an incident happens, the Constangy Cyber Team helps organizations proactively develop and implement an incident response plan, integrating regulatory requirements and industry best practices to ensure a strategic response to any data security incident. The plan will include appropriate preparation; the development of the ability to detect and analyze indicators of an incident; the ability to deploy appropriate resources to contain the matter and eradicate malicious software and activity from a network; and processes to recover and review lessons learned in an attempt to prevent anything similar from happening again.

Responding to a Cybersecurity Event

The Constangy rapid response team provides comprehensive legal counsel in response to data breaches. Team members serve as project managers, advising clients throughout the incident response process as they work to contain and assess the nature and scope of the incident, facilitating deployment of appropriate forensics and/or other technical resources, assessing consumer and regulatory notification obligations, and helping clients restore operations. When clients have consumer and regulatory notification obligations, we help them meet those obligations by drafting notification communications and facilitating engagements with notification and consumer remediation service providers. Following an incident, we interface with regulators on behalf of clients who may be subject to state and federal regulatory investigations and other administrative or legal actions. We also interface with law enforcement on behalf of clients in an effort to hold perpetrators of data security incidents accountable. Our goal is to help minimize the impact a data breach may have on our clients’ businesses, including by limiting related legal and/or regulatory liability. In responding to a data privacy and/or security incident, the Constangy Cyber Team will serve as a project manager and identify a strategic plan for an immediate response, utilizing any existing incident response plans and incorporating relevant resources to provide the most effective response. The Team will be prepared to provide the following services:

Project Management & Coordination

● Maintaining a 24/7 rapid response telephone and email hotline, monitored by team members, to provide an immediate response to any cybersecurity incident
● Conducting initial assessments of cybersecurity incidents to identify resources needed to respond to and investigate the incident and to limit potential legal liability
● Developing and leading a strategic response designed to efficiently contain, remediate, and address cybersecurity incidents, in part by facilitating the deployment of necessary resources, including digital forensics firms, data mining/document review vendors, consumer remediation/notification vendors, and public relations firms
● Coordinating with cyber insurance carriers, as appropriate, to obtain prior approval of vendor statements of work and provide information necessary for coverage evaluation
● Assessing consumer and/or regulatory notification obligations and drafting notification communications for client review, facilitating notification and consumer remediation services including credit monitoring, and managing the notification process
● Facilitating deployment of public relations services, as necessary
● Interfacing with law enforcement, as necessary
● Interfacing with regulators, as necessary
● Facilitating defensive litigation services, as necessary

Regulatory & Legal Response

● Assessing consumer and/or regulatory notification obligations
● Drafting consumer and regulatory notification materials
● Facilitating the provision of notification and consumer remediation services
● Interfacing with state and federal regulators, as well as law enforcement
● Managing third party claims and potential litigation; director and officer liability; product/supplier liability; and employee disciplinary action
● Providing counsel during formal inquiries, investigations, and litigation

Communications Response

●Identifying internal and external messaging needs and coordinating with in-house communications professionals and public relations agencies
●Drafting consumer and regulatory notification materials, press statements, and other necessary communications

Investigations & Litigation

Cybersecurity incidents, including data breaches, occur on a daily basis. Organizations responding to these events must consider the risk that litigation and/or regulatory action will follow. Indeed, litigation and regulatory action following data breaches are increasing exponentially, creating a major risk for all compromised entities. Litigation is no longer a remote possibility, rather it is a probability.

Consumers, patients, employees, and/or other individuals whose information is impacted by a data breach now often become plaintiffs in single-plaintiff and class action litigation involving a myriad of federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), the Fair Credit Reporting Act (FCRA), and state laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Illinois Biometric Information Protection Act (BIPA), among others. In the wake of a data breach, plaintiffs’ counsel race to the courthouse in an effort to be the first to file associated claims. Compromised entities need highly skilled litigators who understand complex technology to defend against these claims.

Companies can also pursue litigation against parties whose actions contribute to a data breach by filing a variety of claims including, for example, negligence, breach of contract, theft of intellectual property, misappropriation of trade secrets, and/or other claims implicating errors and omissions or criminal misconduct. Companies can, with the assistance of best-in class litigators, ultimately seek to recover substantial losses from third parties whose actions contribute to data breaches.

Compromised entities must also contend with investigations from federal and state regulatory agencies following data breaches. These investigations can drag on for months, or even years, and involve costly and time-consuming requests for documents and information. They can also result in difficult negotiations with regulators and the potential for significant fines and penalties.

Constangy attorneys have extensive experience representing clients in the many types of complex litigation and regulatory actions arising from data breach-related matters. Our litigation team will defend clients vigorously – in the courts and before government agencies – when doing so is consistent with their internal business objectives. But, as valued business partners, we also recognize that an early resolution is often more desirable, and we have a proven track record of evaluating and using alternative methods of dispute resolution to achieve those favored results.

Class Action Representation

Large, complex class actions can quickly become “bet-the-company” scenarios and are one of the greatest threats facing organizations today. While the costs alone can be staggering, high profile cases can also have a significant impact on an organization’s reputation, morale, and operations. Constangy offers a team of experienced, highly skilled litigators who understand the potential legal and business ramifications resulting from a data breach class action and can develop and execute an effective defense strategy to protect our clients’ interests. Constangy's Class Action practice group brings to the defense of complex, multi-plaintiff lawsuits an elite group of strategists with an unparalleled depth of experience and particular strengths in:
● Containing the impact of high-profile, multi-plaintiff litigation
● Identifying whether early mediation and/or settlement is an appropriate option
●Identifying whether early motions to dismiss may be dispositive or facilitate early resolution and substantially reduce the cost of discovery and litigation
● Designing and implementing creative defense strategies to defeat the class aspects of the case
● Exploring suitable means for resolving complex cases on terms acceptable to our clients through the use of mediation and other forms of alternative dispute resolution; and
● Working with insurance carriers to keep them regularly updated on status of matter, and ensure prior approval for litigation expenses and settlement offers
● Incorporating key defense experts (forensic experts, statisticians, etc.) into the defense plan
● Structuring litigation with an eye toward maximizing success on appeal where issues of first impression are critical and the client’s long-term strategic interests make seeking to establish or change controlling law a cost-effective tactic
● Planning and operating within a litigation budget