Sandy Brian Garfinkel
Sandy Garfinkel on Data Breach Response
Sandy Garfinkel of Eckert Seamans' Data Security & Privacy Group discusses the appropriate response to data breaches and the consequences for not responding to a breach correctly.
Sandy Garfinkel is a business litigator who serves as the chair of the firm’s Data Security & Privacy Group. As a nationally regarded authority on data security and privacy matters, Sandy is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. In addition to his data breach response practice, Sandy works closely with the firm’s business clients concerning all aspects of General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance and enforcement. He works with clients on data security and privacy matters across a variety of industries and sectors, including hospitality, consumer products, insurance, education, health care, manufacturing, and telecommunications.
Businesses struggle to stay ahead of the increasing threats to sensitive data and the emerging regulatory requirements, which is why Sandy counsels his clients on laws relating to the collection, use, and protection of personal information as well as mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft, or exposure of personal data. He guides clients through all stages of breach matters, including advance planning and preparation, response and notification, government investigations and regulatory response, and, when necessary, litigation.
Sandy also maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. He has deep trial and appellate experience and enjoys a long, consistent track record of producing cost-effective, positive results for his litigation clients.
Data Security and Responding to Data Theft
- Counsels clients in responding to thefts of personal information and electronic data security breaches; has handled in excess of 100 data breach response matters.
- Advises on the application of state laws requiring notification to state agencies and affected individuals and in required forensic investigation.
- Drafts information security policies and data breach response plans.
- Assisted clinical laboratory company in responding to theft of employee personal information by hacking that resulted in the filing of numerous fraudulent federal tax returns and an attempt to compromise the company’s bank account.
- Represented multiple hotel owners in responding to a major breach of the electronic security and theft of credit card data from a major hotel brand, in an attack perpetrated by hackers from Russia.
- Assisted a university in working with law enforcement investigators and complying with notification laws when a hacker attacked the university’s online applications database.
- Represented insurance provider in meeting its obligations when personal information of insurance agents was inadvertently made accessible through the insurer’s web portal.
- Represented manufacturing company in working with law enforcement agencies and addressing notification duties after a rogue employee stole personal information from employee files to be used to forge prescriptions for controlled substances.
- Assisted public school district in responding to inadvertent disclosure of personal information captured in computerized database for visitor registration.
- Drafted data breach response plans and reviewed/advised on cyber insurance coverage for bank and a nonprofit legal aid organization.
- Formulating data breach response plan, reviewing internal privacy and security policies, and cyber insurance coverage for multi-state accounting firm.
- Assisted several large clients in developing and implementing CCPA-compliant policies, practices and documents, including website and employee privacy statements, contracts and internal communications.
- Helped numerous clients develop procedures and mechanisms for receiving and responding to individual information rights requests under GDPR and CCPA.
- Represents hotel and resort management companies, owners, and developers in commercial disputes and other issues.
- Advises and represents hospitality industry clients with regard to dealings and disputes between and among hotel owners, managers, franchisors, vendors, and guests.
- Provides legal services relating to compliance with electronic data security laws and industry standards, and in responding to breaches of data security.
- Represents manufacturing enterprises, commercial and residential builders and developers, oil and gas production companies, creative and computer design companies, professional athletes, insurance companies, professional associations, architectural firms, management companies, and communications companies in various types of tort and contract disputes.
- Represents commercial and public sector clients in trial, arbitration, and appellate court practice as well as practice before governmental and administrative tribunals.
- Tries numerous jury and non-jury trials in federal and state courts in various jurisdictions.
- Argues before all Pennsylvania appellate courts and the U.S. Court of Appeals for the Third Circuit.
- Global Alliance of Travel, Tourism & Hospitality Attorneys, Member
- International Association of Privacy Professionals (IAPP)
- Reading is FUNdamental Pittsburgh, elementary school reading mentor
Awards and Recognition:
- Selected for inclusion in Pennsylvania Super Lawyers – 2013, 2014, 2018
News and Insights
- “Cybersecurity and Privacy: What Companies Need to Know for 2022,” Eckert Seamans’ Data Security & Privacy Alert, December 2021.
- “What You Need to Know About the New Virginia Consumer Data Protection Act,” TDWI, May 7, 2021.
- “Virginia data privacy law presents new challenges for security practitioners,” Security InfoWatch.com, March 25, 2021.
- “Virginia Imposes New Data Protection Requirements on Businesses: Lessons Learned,” Eckert Seamans’ Data Security & Privacy Alert, March 8, 2021.
- “California Privacy Rights Act of 2020 to Appear on November Ballot: Introduces Significant Amendments to CCPA,” Eckert Seamans’ Data Security & Privacy Alert, October 28, 2020.
- “Final Set of CCPA Regulations Approved,” Eckert Seamans’ Data Security & Privacy Alert, October 2020.
- “California AG Modifies Proposed CCPA Regulations,” Eckert Seamans’ Data Security & Privacy Alert, March 2020.
- “COVID-19 and Working Remotely: Data Security & Privacy Challenges,” Eckert Seamans’ Data Security & Privacy Alert, March 22, 2020.
- “New York SHIELD Act Establishes New Breach Notification and Data Protection Requirements,” Eckert Seamans’ Data Security & Privacy Alert, February 2020.
- “California AG Issues Proposed CCPA Regulations, Establishes Comment Period,” Eckert Seamans’ Data Security & Privacy Alert, October 2019.
- “Hospitality cyber threats are alive & well – Lessons from recent incidents,” HospitalityLawyer.com, July 16, 2019.
- “Public Commentary Sought by California Attorney General’s Office Regarding the California Consumer Privacy Act of 2018,” Eckert Seamans’ Data Security & Privacy Alert, January 2019.
- “In Pennsylvania, Employers Have A Legal Duty To Protect Employee Data,” Eckert Seamans’ Data Security & Privacy Alert, November 2018.
- “GDPR IS HERE. ARE YOU READY?” Eckert Seamans’ Data Security & Privacy Alert, February 2018.
- “Circumstances That Could Lead To Accusations of Price Gouging,” Lodging Magazine, November 2017.
- “Data Security Soft Spots: Safeguarding a Property Against Cyber Attacks,” Lodging, the official magazine of the American Hotel and Lodging Association, June 2017.
- “The Unique Challenges of Data Security for the Hotel Industry,” Beazley Breach Response Services Blog, March 23, 2017.
- “Yahoo!’s Data Breach Incidents are Becoming an Extended Tale of Woe for the Company,” Eckert Seamans’ Data Security & Privacy Alert, March 2017.
- “Vizio — privacy concerns with “smart” devices are making the internet of things a focus for U.S. regulators,” Eckert Seamans’ Data Security & Privacy Alert, March 2017.
- “Experian Forecast Predicts Major Data Breach Trends for 2017,” Eckert Seamans’ Data Security & Privacy Alert, January 2017.
- “Trump Administration’s Approach to Cybersecurity Remains Murky,” Eckert Seamans’ Data Security & Privacy Alert, January 2017.
- “Hotel Price Gouging,” HospitalityLawyer.com – Convergence Blog, October 2016.
- “Employees are a soft spot in data security,” HR.BLR.com, April 2016.
- “Long Term Hotel Guests Might Not Be So Easy to Remove,” co-author, Hospitality Lawyer Converge blog, September 2015.
- “Data Breach Response: How to Counsel Your Client,” Lawyers Journal, May 2015.
- “Business Forum: Data Breach Oversaturation — There’s Danger in Complacency,” Pittsburgh Post-Gazette, November 2014.
- “Anatomy of a Hotel Breach,” Hospitality Lawyer Converge blog, June 2014.
- “Manager vs. Owner: Which One Must Respond to a Data Breach?” Hospitality Lawyer, August 2011.
- “Legal FAQ: Hotel Data Breaches,” Hospitality World Network, June 2011.
- “Incidents Which Trigger a Legal Obligation to Notify Guests,” Hospitality Upgrade, Spring 2011.
- “How Private Is Your Digital Vaccine Record?” co-author, Bloomberg Law, January 7, 2022.
- “Guard Your Card: Security Post-Covid,” the Rick Dayton show on KDKA-AM, December 15, 2021.
- “Who is tracking your smartphone data during coronavirus pandemic?” Tribune Review, April 16, 2020.
- “How the hotel industry has adapted to GDPR,” Hotel News Now, July 10, 2019.
- “GDPR Takes Effect In Two Weeks,” Pittsburgh Business Times, May 11, 2018.
- “Hotel Data Breaches: Can You Protect Business Travelers?” Business Travelers News, February 08, 2016.
- “Tips to keep hotel data hackers at bay,” Hotel News Now, February 10, 2015.
- “China’s Alleged Cyber Attack on Pittsburgh Companies – How Vulnerable is Your Business?” Our Region’s Business with Bill Flanagan, June 2014.
- “SUMMER SCHOOL: What Pennsylvania School Districts Need to Know About ESSER Relief Funds – Lesson 2: Data Security & Privacy,” co-presenter, Eckert Seamans’ Continuing Legal Education Seminar, July 26, 2021. (recording)
- “Cybersecurity & Privacy Issues for Virtual Artists,” panelist, Creating Virtual Content: Logistics & Legalities for Arts Organizations, sponsored by the Pennsylvania Humanities Council and Pennsylvania Council on the Arts, October 14, 2020.
- “Price Gouging,” Virtual Hospitality Law Conference hosted by HospitalityLawyer.com, June 30, 2020.
- “COVID-19 Data Security Issues,” Virtual Hospitality Law Conference hosted by HospitalityLawyer.com, June 30, 2020.
- “Price gouging,” Hospitality Lawyer COVID-19 Conference Call Series, May 11, 2020.
- “Cyber security challenges with a remote work force,” Hospitality Lawyer COVID-19 Conference Call Series, March 30, 2020.
- “Hotel Owners & COVID-19: Price Gouging Laws,” co-presented for the Asian American Hotel Owners Association, March 30, 2020.
- “Cyber Law Update: GDPR and CCPA,” presenter, Eckert Seamans’ Continuing Legal Education Seminar, August 2019.
- “Cyber Law Update,” presented for the 2019 Cyber Law and Privacy Symposium, Hosted by Carnegie Mellon University, May 2019.
- “Autonomous Vehicles: Legal Issues to Consider,” co-presenter, Eckert Seamans’ Continuing Legal Education Seminar, August 2018.
- “GDPR: The Impact on Data Privacy for U.S. Companies,” presented at the Pittsburgh Compliance Roundtable, June 2018.
- “The Unique Challenges of Data Security for the Hotel Industry,” presenter, 2018 Hospitality Law Conference, Houston, TX, April 2018.
- “Risk Transfer: Trends That Protect Your Firm’s Assets,” panelist at the Private Directors Association conference, Locking the Cyber Security Door: What Private Company Leaders Should Do Now, in Chicago, November 2017.
- “The Unique Challenges of Data Security for the Hospitality Industry,” co-presenter at Hospitality Law Conference, April 24, 2017.
- “The Current State of the Law: Data Privacy and Security,” presenter, Data Privacy & Security Update, March 2017.
- “The Defense, The Response, and The Future,” presenter at Eckert Seamans’ Data Privacy and Security Forum, October 2016.
- “Response to Data Breaches,” Identity Theft, Pennsylvania Bar Institute (PBI) Continuing Legal Education (CLE) program, March 2016.
- “Employees Are a Soft Spot in Data Security and Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
- “Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
- “Data Security: Risks, Compliance and How to Be Prepared for a Breach,” Eckert Seamans’ CLE, September 2015.
- “The Data Breach Reality: Preparing for the Inevitable,” PBI CLE, July 29, 2015.
- “The Data Breach Reality: Preparing for the Inevitable,” co-presenter, June 15, 2015.
- “The Data Breach Reality,” co-presenter at the Consortium of Universities of the Washington Metropolitan Area, 2015 Consortium Day, June 5, 2015.
- “Data Breaches – Privacy and Liability,” co-presenter, Allegheny County Bar Association 2015 e-Discovery Symposium, April 17, 2015.
- “Anatomy of a Hospitality Data Breach,” Hospitality Law Conference, February 10, 2015.
- “The Data Breach Reality: What To Do When (Not If) You’re a Victim of a Cyber Attack,” Eckert Seamans’ CLE, August 2014.
- “Protect My Data: Protection of Confidential Employee Information Under the Health Insurance Portability and Accountability Act,” co-presenter, Eckert Seamans Human Resources Forum, May 2014.
- “Data Breach Response, State Laws Governing Data Breach Notification, and Federal Trade Commission Enforcement Actions,” PBI CLE, January 2014.
- “Understanding and Managing the Challenges of Data Privacy Breaches in the U.S. and the E.U.,” a webcast presentation to the Association of Corporate Counsel, May 2012.
- “Responding to Data Breaches,” PBI CLE, October 2011.
- “Cyber Wars: Do You Know How to Respond if Your Data is Attacked?” presented at Eckert Seamans’ CLE, August 2011.
Sandy is an avid amateur photographer and musician (blues harmonica).