Virtually every business that receives information about customers or employees now has significant legal responsibilities under numerous federal and state privacy and data protection laws. Hackers and whistleblowers reveal privacy law violations with increasing frequency. Customers and employees, as well as regulatory agencies and state attorneys general, hold businesses accountable for privacy and cybersecurity violations. Your business’s financial well-being—not to mention its business reputation—could be at significant risk. Offit Kurman’s Privacy and Data Protection Practice Group is your trusted team member in forming and implementing a privacy and data protection plan.
Privacy and Security Risk Assessment
A privacy and security risk assessment is the foundation of a privacy plan and is fast becoming the standard of care for all businesses. In addition to helping an organization prevent a data breach, a risk assessment, also known as a privacy impact assessment (PIA), is often the first thing regulators will seek to examine when determining organizational responsibility. The risk assessment may further provide the primary line of defense for businesses and their directors and officers against breach liability claims. Finally, many businesses do not fully appreciate that, in many cases, they are required by law to conduct and periodically update a risk assessment.
At Offit Kurman, we believe that a proper risk assessment begins with listening to our clients. Each business has unique operations and concerns that present a distinctive set of risks. Once we understand our clients’ needs, we will help create an assessment plan that includes the selection of tools to diagnose your organization’s points of vulnerability, whether sophisticated or “low tech.”
The privacy legal landscape is complex, often varying by state and industry, and changing by the day. Our team will help you identify applicable laws and create a compliance plan to include the development of policies, procedures, best practices, and board governance. Offit Kurman’s attorneys can help you prepare the following, and more:
- Website privacy notices that meet the company’s specific legal obligations
- Specific customer privacy notices (initial, annual, voluntary)
- Cybersecurity breach notifications
- Employment policies and hiring practices
- Employment agreements
- Independent contractor agreements
- Customer complaint procedures
- Employee training
- Company privacy officer appointment
- Data retention/destruction programs
- Third-party disclosure due diligence
- Incoming data due diligence
- Specific notices, consents, and other requirements for information about children under 13
- Foreign privacy law requirements
When faced with a privacy incident, proper corporate governance may require your organization to conduct an internal investigation. On these matters, senior management can look to the Offit Kurman team with confidence. Our lawyers, who have served as regulators, corporate in-house counsel, privacy officers, and law enforcement, not only have years of collective experience in conducting internal investigations but also have advised businesses on creating internal investigation standards.
In recent years, regulators have used their authority to enforce privacy and cybersecurity requirements expansively and aggressively. The Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), HHS Office for Civil Rights (OCR), Consumer Financial Protection Bureau (CFPB), and state attorneys general have all begun to flex their cyber enforcement muscle. Our team stands ready, with years of experience in the field, to advise clients on the best approaches to handling government inquiries and to represent their interests in responding.
Breach Planning and Response
The moment your business experiences a breach it must think fast: What are the first steps? Who must we notify? What information must we gather? What immediate protections must we put in place? Offit Kurman’s team will help you create your breach plan prior to the event and swiftly respond from the moment of attack.
Lawsuits against businesses for privacy and cybersecurity breaches have ballooned in recent years. These claims, including collective or class actions based on the TCPA, FCRA, HIPAA, and other state and federal laws, can present substantial expense and organizational risk to businesses. Director and officer liability for breaches is also an emerging risk. Offit Kurman’s attorneys are skilled in all aspects of privacy litigation.
Cyber insurance is an important part of a business's cyber risk management. These policies, which have become ubiquitous in the marketplace, vary drastically in their terms and often provide limited coverage. Legacy policies may offer clients coverage that they did not know they had. Our team is experienced in advising clients regarding cyber insurance and its interplay with other coverage, including under directors' and officers' liability policies. We have lawyers who focus on insurance recovery and can help businesses maximize the value of their policies. However, business leaders should understand that cyber insurance is neither a panacea for cyber risk nor a substitute for a properly crafted data protection plan.
Who We Do It For
- E-commerce companies
- Biotech companies
- Health providers
- Financial institutions
- FinTech companies
- Government contractors