Data Security & Privacy

Overview

Attorneys in Eckert Seamans’ Data Security & Privacy practice group have a deep understanding of data security and privacy requirements across a variety of industries and sectors, including laws pertaining to consumer products, retail, health care, labor and employment and telecommunications. Our experience allows us to provide our clients with practical, cost-effective, and results-oriented counseling regarding the protection of personal and other sensitive information.

Through the rapid evolution of technology, threats to data privacy are multiplying. Laws and regulations are changing and expanding, imposing complex and often inconsistent privacy and data protection standards. At the same time, the legal and business risks associated with non-compliance with emerging regulatory requirements have escalated. For these reasons, we invest significant time and resources in counseling clients on laws relating to the collection, use and protection of personal information as well as on mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft or exposure of personal data.

Our clients trust us to guide them through all stages of breach matters, including prevention and compliance, response and notification, government investigations and regulatory response, and, when necessary, litigation.

Breach Prevention and Compliance

Data incidents are a reality for organizations large and small. Working with trusted advisors to develop and implement a data breach prevention strategy is a crucial factor in protecting assets in today’s business world. Attorneys in Eckert Seamans’ Data Security & Privacy group work with clients to implement preventive measures into their daily operations. Our team also conducts privacy or data security audits of existing business practices and assists clients with privacy compliance solutions so they can operate confidently in evolving and complex regulatory environments.

The firm’s Data Security & Privacy team also assists clients with day-to-day business needs relating to data privacy and security, including training employees on privacy and data security practices that comply with consumer protection laws, developing oversight of third-party vendors that handle consumer data, and drafting/negotiation of data privacy contract terms and conditions as well as privacy policies.

Incident Response and Notification

In the event of a breach, we coordinate the data breach response plan and guide clients through the process of conducting internal and third party investigations to collect, preserve, and document evidence in an effort to determine the nature and source of the breach. We also advise and assist clients with notification obligations, how to deal with the reputational impact of the breach, and reducing the risk of resulting government investigations and/or litigation.

Government Investigations and Regulatory Response

As part of the breach response, our team represents clients in state attorney general or Federal Trade Commission investigations and enforcement actions. We also defend clients in federal and state courts and before regulatory agencies regarding their data security and privacy policies and procedures.

Litigation

In the event that a client’s government or industry-based investigation escalates to litigation or faces a class action, Eckert Seamans’ Data Security & Privacy team is adept at developing focused and cost-effective defense strategies.

Industry Focuses

Consumer Payments and Retail
Attorneys in Eckert Seamans’ Data Security and Privacy group follows the latest trends in payment card industry (PCI) compliance requirements, including revisions in data security standards. Where a breach involves credit card data, we assist clients in dealing with payment card industry fraud cost recovery actions, fines and assessments. Retailers are subject to various state and federal laws regarding the collection, use and disclosure of customer information. We help companies minimize their risk exposure while meeting their legal and contractual obligations.

Health Care (HIPAA and HITECH)
We regularly advise clients on issues related to the privacy and security of health information under the Health Insurance Portability and Accountability Act (HIPAA), including compliance with the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Our attorneys routinely design and implement compliance plans and performs audits for covered entities and business associates. In addition, our team can provide workforce training, perform breach assessment and counsel on risk assessment and documentation.

Human Resources and Workplace Privacy Compliance
We assist with workplace privacy compliance issues concerning the processing and safeguarding of employee personal data, employee monitoring, the implementation of whistle-blowing hotlines, responding to data access requests and conducting background checks. We also provide training to HR management on their obligations when dealing with employee data and practical steps for avoiding security breaches.

Telecommunications Services
We regularly advise clients on privacy issues unique to telecommunications services, including text messaging and email. The team assists telecommunications carriers and broadband service providers in establishing and maintaining policies for the protection of Customer Proprietary Network Information (CPNI), in accordance with the Communications Act and Federal Communications Commission (FCC) rules. In addition, the team counsels educational institutions, pharmaceutical companies, commercial businesses and web-based service providers on a broad range of compliance issues arising under the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act and the Federal Trade Commission (FTC) Telemarketing Sales Rule.

Leisure & Hospitality
Eckert Seamans serves as national data breach response counsel to one of the largest independent hotel management companies in the United States. It can be a challenge for hotels to protect the privacy and security of consumer information. Eckert Seamans understands the unique characteristics of our clients’ leisure and hospitality business, which allows us to provide reliable advice concerning best practices for consumer and employee data security and privacy in these environments. We prepare data privacy policies and data security incident response plans so that our hospitality clients can minimize their risk and be prepared in advance of a breach. We also advise clients on their response and notification obligations in the event of a breach or investigation. Eckert Seamans has handled responses to dozens of data breach incidents within the hospitality industry.

Education
We understand the laws governing the collection and safeguarding of information concerning students gathered within the context of their educational environments, and we assist our clients in complying with those laws. Eckert Seamans has assisted public school districts and universities in responding to data security incidents.

Insurance
The lawyers at Eckert Seamans are familiar with insurance providers and how they operate. As a result, we are able to provide quality counseling to the insurance industry in data privacy and security matters, including the creation of appropriate policies, planning and preparation for data security incidents, and data breach response.

Financial Services
Banking and financial services have been frequent and at times high-profile targets for data thieves. Eckert Seamans has knowledge of the laws and regulations that control privacy and security of consumer information within the industry. We have assisted banks in preparing data breach response plans and advised them regarding the sufficiency of their cyber insurance coverage.

Representative Matters

  • Represented multiple hotel owners in responding to a major breach of the electronic security and theft of credit card data from a major hotel brand, in an attack perpetrated by hackers from Russia;
  • Handled all aspects of responding to dozens of data breaches involving both electronically stored information and paper information for large independent hotel management company;
  • Assisted clinical laboratory company in responding to theft of employee personal information by hacking that resulted in the filing of numerous fraudulent federal tax returns and an attempt to compromise the company’s bank account;
  • Assisted a university in working with law enforcement investigators and complying with notification laws when a hacker attacked the university’s online applications database;
  • Provided guidance and assistance to a national online retailer when credit card data maintained within its system was accessed by an unauthorized person;
  • Represented insurance provider in meeting its obligations when personal information of insurance agents was inadvertently made accessible through the insurer’s web portal;
  • Represented manufacturing company in working with law enforcement agencies and addressing notification duties after a rogue employee stole personal information from employee files to be used to forge prescriptions for controlled substances;
  • Assisted public school district in responding to inadvertent disclosure of personal information captured in computerized database for visitor registration;
  • Drafted data breach response plans and reviewed/advised on cyber insurance coverage for bank and a nonprofit legal aid organization; and
  • Formulating data breach response plan, reviewing internal privacy and security policies and cyber insurance coverage for multi-state accounting firm.

News & Insights

Publications:

The Unique Challenges of Data Security for the Hotel Industry

Employees are a soft spot in data security (HR.BLR.com)

Data Security: Risks, Compliance and How to be Prepared for a Breach

Data Breach Response: How to Counsel Your Client

Business Forum: Data Breach Oversaturation -- There's Danger in Complacency

Anatomy of a Hotel Breach

Manager vs. Owner: Which One Must Respond to a Data Breach?

Legal FAQ: Hotel Data Breaches

Incidents Which Trigger a Legal Obligation to Notify Guests

Legal Updates:

Data Security and Privacy Alert: Yahoo!’s Data Breach Incidents are Becoming an Extended Tale of Woe for the Company

Data Security and Privacy Alert: Vizio -- privacy concerns with “smart” devices are making the internet of things a focus for U.S. regulators

Data Security and Privacy Alert: Trump Administration’s Approach to Cybersecurity Remains Murky

Data Security and Privacy Alert: Experian Forecast Predicts Major Data Breach Trends for 2017

Data Security & Privacy Alert: Third Circuit Upholds FTC's Authority to Police Protection of Consumer Data

Data Security & Privacy Alert: Trial Court Holds That Under Pennsylvania Law, Plaintiffs Cannot Claim Negligence as a Result of a Data Breach

Data Security & Privacy Alert: Personal Data Notification & Protection Act

Data Security & Privacy Alert: In a Departure from Recent Case Law, California District Court Finds Threat of Future Harm Sufficient to Allow a Consumer Class Action in Data Breach Matters

Data Security & Privacy Alert: Delaware Governor Signs Bill That Amends Section 6 of the Delaware Code – Trade and Commerce

Data Security & Privacy Alert: Federal Court Upholds Federal Trade Commission’s Power to Bring Enforcement Actions Against Companies for Failure to Provide Reasonable Data Security

Data Security and Privacy Alert: Data Breach and HIPAA Updates -- March 2014

Massachusetts Corporate Alert: A Key Grace Period Under the Massachusetts Data Security Regulations Expires on March 1, 2012

Media Coverage:

Sandy Garfinkel discusses the protection of business travelers' personal data and breach response (Business Travelers News)

News:

Eckert Seamans attorneys across a number of practices join forces to form Telephone Consumer Protection Act group