Cybersecurity, Data Protection & Privacy


Attorneys in Eckert Seamans’ Cybersecurity, Data Protection & Privacy practice group have a deep understanding of data security and privacy requirements across a variety of industries and sectors, including laws pertaining to consumer products, retail, health care, labor and employment and telecommunications. Our experience allows us to provide our clients with practical, cost-effective, and results-oriented counseling regarding the protection of personal and other sensitive information.

Through the rapid evolution of technology, threats to data security are multiplying. Laws and regulations are changing and expanding, imposing complex and often inconsistent privacy and data protection standards. At the same time, the legal and business risks associated with non-compliance with emerging regulatory requirements have escalated. For these reasons, we invest significant time and resources in counseling clients on laws relating to the collection, use and protection of personal information as well as on mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft or exposure of personal data.

Our clients trust us to guide them through all stages of breach matters, including prevention and compliance, response and notification, government investigations and regulatory response, and, when necessary, litigation.

Breach Prevention and Compliance

Data incidents are a reality for organizations large and small. Working with trusted advisors to develop and implement a data breach prevention strategy is a crucial factor in protecting assets in today’s business world. Attorneys in Eckert Seamans’ Cybersecurity, Data Protection & Privacy group work with clients to implement preventive measures into their daily operations. Our team also conducts privacy or data security audits of existing business practices and assists clients with privacy compliance solutions so they can operate confidently in evolving and complex regulatory environments.

The firm’s Cybersecurity, Data Protection & Privacy team also assists clients with day-to-day business needs relating to data privacy and security, including training employees on privacy and data security practices that comply with consumer protection laws, developing oversight of third-party vendors that handle consumer data, and drafting/negotiation of data privacy contract terms and conditions as well as privacy policies.

Incident Response and Notification

In the event of a security incident, we coordinate the incident response plan and guide clients through the process of conducting internal and third party investigations to collect, preserve, and document evidence in an effort to determine the nature and source of the incident and whether it is a reportable breach under applicable law. We also advise and assist clients with notification obligations, how to deal with the reputational impact of the breach, and reducing the risk of resulting government investigations and/or litigation.

Government Investigations and Regulatory Response

As part of the breach response, our team represents clients in state attorney general or Federal Trade Commission investigations and enforcement actions. We also defend clients in federal and state courts and before regulatory agencies regarding their data security and privacy policies and procedures.

Privacy Regulation and Compliance

The Cybersecurity, Data Protection & Privacy team has developed a thorough understanding of U.S. and European laws regulating the collection and use of personal information, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).  We advise clients concerning their legal data privacy compliance obligations, provide them with contract language for data processing agreements, privacy disclosure statements for websites, and assist them with responding to data subject rights requests. 


In the event that a client’s government or industry-based investigation escalates to litigation or faces a class action, Eckert Seamans’ Cybersecurity, Data Protection & Privacy team is adept at developing focused and cost-effective defense strategies.

Industry Focuses

Consumer Payments and Retail
Attorneys in Eckert Seamans’ Cybersecurity, Data Protection & Privacy group follows the latest trends in payment card industry (PCI) compliance requirements, including revisions in data security standards. Where a breach involves credit card data, we assist clients in dealing with payment card industry fraud cost recovery actions, fines and assessments. Retailers are subject to various state and federal laws regarding the collection, use and disclosure of customer information. We help companies minimize their risk exposure while meeting their legal and contractual obligations.

Health Care (HIPAA and HITECH)
We regularly advise clients on issues related to the privacy and security of health information under the Health Insurance Portability and Accountability Act (HIPAA), including compliance with the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Our attorneys routinely design and implement compliance plans and performs audits for covered entities and business associates. In addition, our team can provide workforce training, perform breach assessment and counsel on risk assessment and documentation.

Human Resources and Workplace Privacy Compliance
We assist with workplace privacy compliance issues concerning the processing and safeguarding of employee personal data, employee monitoring, the implementation of whistle-blowing hotlines, responding to data access requests and conducting background checks. We also provide training to HR management on their obligations when dealing with employee data and practical steps for avoiding security breaches.

Telecommunications Services
We regularly advise clients on privacy issues unique to telecommunications services, including text messaging and email. The team assists telecommunications carriers and broadband service providers in establishing and maintaining policies for the protection of Customer Proprietary Network Information (CPNI), in accordance with the Communications Act and Federal Communications Commission (FCC) rules. In addition, the team counsels educational institutions, pharmaceutical companies, commercial businesses and web-based service providers on a broad range of compliance issues arising under the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act and the Federal Trade Commission (FTC) Telemarketing Sales Rule.

Leisure & Hospitality
Eckert Seamans serves as national data breach response counsel to one of the largest independent hotel management companies in the United States. It can be a challenge for hotels to protect the privacy and security of consumer information. Eckert Seamans understands the unique characteristics of our clients’ leisure and hospitality business, which allows us to provide reliable advice concerning best practices for consumer and employee data privacy & security in these environments. We prepare data privacy policies and data security incident response plans so that our hospitality clients can minimize their risk and be prepared in advance of a breach. We also advise clients on their response and notification obligations in the event of a breach or investigation. Eckert Seamans has handled responses to dozens of data breach incidents within the hospitality industry.

We understand the laws governing the collection and safeguarding of information concerning students gathered within the context of their educational environments, and we assist our clients in complying with those laws. Eckert Seamans has assisted public school districts and universities in responding to data security incidents.

The lawyers at Eckert Seamans are familiar with insurance providers and how they operate. As a result, we are able to provide quality counseling to the insurance industry in data privacy and security matters, including the creation of appropriate policies, planning and preparation for data security incidents, and data breach response.

Financial Services
Banking and financial services have been frequent and at times high-profile targets for data thieves. Eckert Seamans has knowledge of the laws and regulations that control privacy and security of consumer information within the industry. We have assisted banks in preparing data breach response plans and advised them regarding the sufficiency of their cyber insurance coverage.

Representative Matters

  • Represented multiple hotel owners in responding to a major breach of the electronic security and theft of credit card data from a major hotel brand, in an attack perpetrated by hackers from Russia;
  • Handled all aspects of responding to dozens of data breaches involving both electronically stored information and paper information for large independent hotel management company;
  • Assisted clinical laboratory company in responding to theft of employee personal information by hacking that resulted in the filing of numerous fraudulent federal tax returns and an attempt to compromise the company’s bank account;
  • Assisted a university in working with law enforcement investigators and complying with notification laws when a hacker attacked the university’s online applications database;
  • Provided guidance and assistance to a national online retailer when credit card data maintained within its system was accessed by an unauthorized person;
  • Represented insurance provider in meeting its obligations when personal information of insurance agents was inadvertently made accessible through the insurer’s web portal;
  • Represented manufacturing company in working with law enforcement agencies and addressing notification duties after a rogue employee stole personal information from employee files to be used to forge prescriptions for controlled substances;
  • Assisted public school district in responding to inadvertent disclosure of personal information captured in computerized database for visitor registration;
  • Drafted data breach response plans and reviewed/advised on cyber insurance coverage for bank and a nonprofit legal aid organization; and
  • Formulating data breach response plan, reviewing internal privacy and security policies and cyber insurance coverage for multi-state accounting firm.

News & Insights


Manager vs. Owner: Which One Must Respond to a Data Breach?

Legal Updates:

State Privacy Bingo

New Privacy Civil Litigation Trends in the United States

Proposed SEC Cybersecurity Risk Governance Rules for Public Companies

The New Colorado and California Privacy Regulations Are Finalized: How Do They Compare?

A Double-Edged Sword: The Benefits and Risks of AI in Business

Final NYC Rules on the Use of Automated Employment Decision Tools Published - Enforcement Delayed until July 5, 2023

U.S. Department of Treasury Report Highlights Pitfalls of Using Cloud Platforms

Massachusetts Gaming Commission Issues Emergency Privacy and Security Regulations on the Gaming and Sports Betting Industry

Joint Cybersecurity Advisory issued by FBI, FDA OCI, and USDA Warns Food & Agriculture Sector About Increase in Business Email Compromise Scams to Divert Shipments of Food Products

New HIPAA Guidance Regarding Website and Other Tracking Technologies

Pennsylvania Amends its Breach of Personal Information Notification Act

DHS’s Cybersecurity and Infrastructure Security Agency Seeking Guidance on Critical Infrastructure Cyber Reporting

FBI Tips to Protect Against Cyber Threats to Medical Devices

Connecticut's New Consumer Privacy Law: What Businesses Should Know

Utah’s New Consumer Privacy Law: What Businesses Should Know

Cybersecurity and Privacy: What Companies Need to Know for 2022

Virginia Imposes New Data Protection Requirements on Businesses: Lessons Learned

California Privacy Rights Act of 2020 to Appear on November Ballot: Introduces Significant Amendments to CCPA

Final Set of CCPA Regulations Approved

California AG Modifies Proposed CCPA Regulations

Updated Joint Guidance on the Application of FERPA and HIPAA to Student Health Records

California AG Issues Proposed CCPA Regulations, Establishes Comment Period


The Current State of the Law

Data Security & Privacy Alert: Third Circuit Upholds FTC's Authority to Police Protection of Consumer Data

Data Security & Privacy Alert: Trial Court Holds That Under Pennsylvania Law, Plaintiffs Cannot Claim Negligence as a Result of a Data Breach

Data Security & Privacy Alert: Personal Data Notification & Protection Act

Data Security & Privacy Alert: In a Departure from Recent Case Law, California District Court Finds Threat of Future Harm Sufficient to Allow a Consumer Class Action in Data Breach Matters

Data Security & Privacy Alert: Delaware Governor Signs Bill That Amends Section 6 of the Delaware Code – Trade and Commerce

Data Security & Privacy Alert: Federal Court Upholds Federal Trade Commission’s Power to Bring Enforcement Actions Against Companies for Failure to Provide Reasonable Data Security

Data Security and Privacy Alert: Data Breach and HIPAA Updates -- March 2014

Massachusetts Corporate Alert: A Key Grace Period Under the Massachusetts Data Security Regulations Expires on March 1, 2012


Eckert Seamans Strengthens Cybersecurity, Data Protection, & Privacy Practice with Addition of Senior Attorney Elizabeth Wilson

Eckert Seamans Strengthens Data Privacy & Security Practice With Addition of Laura Decker

Eckert Seamans’ Matthew Meade named to lead group charged with drafting new model data breach notification law

Eckert Seamans expands Data Security & Privacy Group with addition of noted industry authority Matthew H. Meade

Eckert Seamans attorneys across a number of practices join forces to form Telephone Consumer Protection Act group