Cybersecurity and data privacy are top-of-mind risks for all organizations and present enormous challenges for management – from cybersecurity threats to an ever-changing regulatory regime.
Parker Poe stands ready to help its clients navigate this minefield. Our team includes six attorneys who have earned certifications from the International Association of Privacy Professionals (IAPP), which provides the global gold standard for data privacy certifications concerning U.S. and European laws and regulations, including the EU General Data Protection Regulation (GDPR). We also have extensive firsthand experience advising on the full range of cybersecurity and data privacy needs.
We aid clients looking to take a proactive approach to assessing data risks, reviewing regulatory exposure, and developing incident response plans. We advise on data risks in contractual negotiations and mergers and acquisitions. We also stand ready to respond to cybersecurity breaches, including business email compromises and ransomware attacks, and any resulting litigation or investigation risk.
The first step in data protection is to assess the business model of a company and its full range of data practices. This establishes a thorough understanding of the laws and regulations triggered by a company’s operations, the nature of the personal information collected, from what types of users and under what circumstances that data is collected, and how it is used, stored, shared, and maintained.
This is sometimes called a privacy impact assessment or, under GDPR, a data protection impact assessment. Other terms used in this context are data maps, data inventories, and data assessments. These kinds of assessments are also being added to U.S. state laws, though the purpose and scope of them vary by state law.
They all have the same goal: establish a complete and accurate baseline of a company’s data protection practices and the standards to which it will be held. Think of it as the foundation for your data compliance and an investment toward avoiding legal risk.
To make this process as client-friendly as possible, we use custom questionnaires that all relevant data managers can jointly respond to. While that process is underway, we do a detailed review of privacy policies and terms of use to compare with the answers to the questionnaire. The result is a sound preliminary understanding of the legal risks your company’s data practices pose.
Federal and state laws are requiring companies to control their third-party vendors and suppliers by building data protection into their service contracts. Even when not required by statute, best practices dictate that companies exercise control over the personal data and confidential information they share or receive. Since new data privacy laws can subject you to liability based on the data security failures of your suppliers and vendors, companies must undertake data processing due diligence.
The most direct means of controlling third-party data risk is to build data protection requirements right into your contracts. We have reviewed hundreds of these contracts and can pinpoint what parties on each side of the relationship need to include and avoid to manage the sharing of personal data and confidential information. We also help clients who hire vendors establish a vendor management plan.
A privacy policy is the public road map for how your business treats data – regulators, customers, and their attorneys will use it to test a company’s compliance with applicable laws. New data privacy laws have greatly changed what these policies must contain and how often they must be updated. Incomplete or erroneous privacy policies can trigger regulatory fines and lay a foundation for claims and litigation.
But creating a valid and complete privacy policy is only one part of data protection compliance. Businesses must also implement data processes that match the promises made in the policy. We partner with clients to implement sound data management practices, including keeping appropriate records, properly responding to user data requests and establishing data retention best practices. We also help develop terms and conditions that go hand-in-hand with privacy policies.
New categories of sensitive personal information are now triggering data protection assessments that must be available to regulators as part of any compliance investigation. Again, the zone of liability keeps expanding in ways that most are unable to detect and fully understand. We are here to help.
Employees are often the largest risk for data vulnerabilities. This is especially true with the "new normal" that includes working from home. Spear-phishing and other malicious email campaigns, including business email compromises, have led to debilitating ransomware attacks.
We assist clients in developing policies to reduce these vulnerabilities, including the remote use of computers and mobile devices and international travel. We help clients train employees on those policies and common pitfalls. We also diagnose the legal risks inherent in emerging technologies such as fingerprint scanning, facial recognition, and other uses of biometrics.
Employer monitoring of employee practices, whether driving in company vehicles, using the corporate network for social media, using personal devices at work, or deploying closed circuit television all present legal risks that we can assess and help mitigate.
Keeping up with draft privacy laws and regulations is literally a full-time job. From GDPR to the growing patchwork of state laws to pending federal legislation, the data protection landscape is very fluid.
We offer a special monitoring service to keep our clients informed on the latest state, federal, and international developments on data protection. We offer this service on a fixed fee basis as part of a broad working relationship on data protection. In so doing, we monitor specific issues in the context of a client’s business operations so we can keep you abreast of the impact developments will have on your particular business. We can design a custom package that fits your budget.
Some states, insurance companies, and customers now require businesses to have a written information security plan and/or an incident response plan. We’ve seen firsthand how businesses with these plans emerge from a ransomware attack in stronger shape – while spending less money – than those without one.
We can guide you through the process of building an appropriate plan, including assessing your options in an attack and planning out customer notifications, public relations, and the use of forensic investigators.
Businesses are constantly needing to upgrade technology to keep their enterprises secure, and the widespread migration to the cloud has only expanded these challenges. Complicating this picture is the impact of new data privacy laws on cyber risk. The definitions of personal information keep expanding, as do the affirmative duty to keep the data secure. Moreover, the new use of statutory damages has led to hundreds of new lawsuits and class actions.
The simple fact is that ransomware attacks and other cybersecurity breaches are increasing – and every second matters when one occurs. We can be there from start to finish, coordinating with forensic investigators, communicating with federal and state regulators, notifying affected parties, and defending against lawsuits.
We also help clients apply lessons learned from the breach to reduce risks going forward. This last step is particularly important because regulators are using data breach notifications to investigate the broader range of data protection practices.
Finally, our experienced litigation team stands ready to take on any civil claims or regulatory investigation that may result from an incident.
We have deep understanding of technology and data that enhances our ability to resolve disputes for clients, including through litigation for plaintiffs or defendants. We have litigated numerous disputes related to data breaches and information technology infrastructure, including class actions and high-stakes contractual disputes.
For example, we have steered a leading global technology company through a series of litigations and arbitrations stemming from a breach. We have represented clients in highly regulated industries, including an education technology vendor in one of the largest breaches impacting K-12 data. We have also advised companies on disputes with managed service providers (MSPs) and other IT providers.