Modern business practices and consumer expectations demand attention to privacy and data security. Businesses depend on the use of personal information for core operations; however, numerous and often-complicated privacy laws impose limitations and obligations on the collection, use, disclosure, and protection of information and data.
Buchalter’s Privacy and Data Security attorneys help clients navigate local, state, federal, and international privacy and data security laws. We address multi-state and multi-national compliance issues and industry-specific self-regulatory frameworks. We advise on privacy issues across a broad range of industries and contexts – from website review and planning, to data collection, storage, use, and disclosure, to privacy compliance program planning, to data breach notification requirements and defense of resulting claims. We guide clients through data breaches, hacks, investigations, penalties, and litigation.
Our Privacy and Data Security team includes attorneys from multiple practice areas who address privacy and security concerns across the spectrum of industries and business operations. In addition to providing specific privacy and data security advice, our attorneys recognize and handle our clients’ privacy and security needs in litigation, health care, intellectual property, finance, corporate, and employment matters.
We provide timely, strategic, and practical advice to protect our clients and their data in all areas of privacy and data security.
Privacy and Data Security Laws
Privacy laws affect all businesses. Privacy and data security concerns and obligations have shifted to the forefront, as privacy fears and data breaches garner headlines, and headlines drive an increase in legislative and regulatory oversight. Privacy and security issues are often outside a business’s core operations, and even the most sophisticated organizations may struggle to keep pace with the fast-changing multi-jurisdictional legislative and regulatory environment.
Buchalter’s attorneys advise clients regarding the collection, use, retention, destruction, transfer, storage, and disclosure of private information. We assist companies in developing privacy policies and designing and implementing compliant systems and operations. We have extensive experience with matters relating to consumer personal data, transactional due diligence, technology transactions involving personal data, regulatory investigations and security breaches, privacy impact assessments, privacy compliance audits, implementation of privacy by design principles, and data subject requests, as described in more detail below.
We advise our clients regarding the following laws and best practice frameworks:
- Asia-Pacific Economic Co-operative Privacy Framework
- Children’s Online Privacy Protection Act (COPPA)
- Gramm-Leach-Bliley Act (GLBA)
- California Comprehensive Computer Data Access and Fraud Act
- Computer Fraud and Abuse Act
- Health Insurance Portability and Accountability Act (HIPAA)
- California Confidentiality of Medical Information Act (CMIA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
- Song-Beverly Credit Card Act
- California Consumer Privacy Act (effective January 1, 2020)
- E.U. General Data Protection Regulation (GDPR)
- Section 5 of the Federal Trade Commission Act
- California Financial Information Privacy Act
- E.U.–U.S. & Swiss-U.S. Privacy Shield
- Telephone Consumer Protection Act (TCPA)
- California Online Privacy Protection Act (CalOPPA)
- Fair Credit Reporting Act (FCRA)
- California Shine The Light Law
- Family Educational Rights and Privacy Act (FERPA)
We also counsel businesses on the privacy aspects of:
- Privacy Compliance Programs
- End-User License Agreements
- Privacy Impact Assessments
- Gaming/Mobile Applications
- Privacy Policies, Statements, and Notices
- Consumer Rights and Opt-Out
- GLBA Nonpublic Personal Information
- Information Security Policies
- Protected Health Information (PHI) and ePHI
- Data Breach Investigation, Response, Reporting, and Defense
- Data Processing Agreements
- Data Subject Response Plans
- Privacy by Design Negative Assurances
Compliance
With increased consumer awareness of data protection, regulatory scrutiny by the Federal Trade Commission and state attorneys general, and a groundswell of new state laws, consumer privacy cannot be an afterthought. Privacy and data security are critical at every stage of business operations and growth.
Buchalter’s privacy compliance practice helps clients identify how they process personal information and which laws and regulations apply to their business. We counsel clients on what information they may ask for, store, sell, or share, and what rights consumers have regarding personal data, including “opt-out” rights to certain uses of personal data. We evaluate and negotiate vendor relationships involving the transfer of data, help clients develop and modify internal procedures that govern use of personal information, and help clients develop and implement internal privacy compliance and periodic audit programs.
Data Breach
Cyberattacks, hacks, data breaches, and other unauthorized releases of secure or private information may launch a wave of international, state and federal reporting obligations, enforcement actions, and civil lawsuits.
Buchalter’s attorneys have in-depth experience handling data breach incidents. For example, the former Chair of our Litigation Practice, while Executive Vice President and Head of Global Litigation at Sony Pictures Entertainment Inc., oversaw the defense of the class action litigation following Sony Pictures’ cyberattack.
In the wake of a suspected or confirmed data breach, we guide clients through risk assessments, investigations, determination of whether a breach occurred, whether a breach is reportable to government agencies, notification, mitigation and reporting requirements to those affected by a breach, and related litigation.
Litigation & Dispute Resolution
Buchalter’s litigators represent clients across industries and regions in privacy and data security disputes.
Cybersecurity
Our cybersecurity practice represents clients in investigations, negotiations, settlements and corrective actions, lawsuits, arbitrations, and other proceedings relating to claims stemming from data breaches and cybersecurity incidents.
Telephone Consumer Protection Act
We have in-depth experience with the Telephone Consumer Protection Act, having both defended clients in TCPA litigation and drafted notices and responses to enforcement actions for the Federal Communications Commission. The TCPA, enacted in 1991, was intended to safeguard consumer privacy with strict solicitation rules, including consumer consent requirements. Now, the TCPA covers various and diverse telecommunication platforms, including text messaging, instant messaging, robo-dialing, advancements in automated dialing, and facsimile transmissions, in addition to actual telephone calls.
Understanding and counseling on TCPA compliance factors and corresponding state regulations is critical to avoid consumer complaints and potentially devastating TCPA penalties.
Employment
In the course of employment-related disputes and litigation, we address the consequences of unauthorized use of confidential information, including an employee’s misappropriation or misuse of customer lists, data, or other proprietary information, the resulting consumer notice requirements, and subsequent dispute resolution and litigation.
E-Commerce
Collection and processing of data for retail and marketing purposes requires careful consideration of applicable laws. We assist websites and data owners and their affiliates in negotiation and review of third-party processor and cloud-based service provider agreements. We draft terms of use and privacy statements for websites and mobile applications and negotiate web development agreements. Our experience also includes counseling regarding website and accessibility requirements under the Americans with Disabilities Act.
Health Care
We advise clients in the health care industry regarding the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and other state-specific privacy laws. We work with HIPAA “covered entities” – health care providers and health plans – and their “business associates” – business partners who may create, use, or disclose protected information in the course of doing business. We draft HIPAA privacy policies and notices of privacy policy, compliance plans, and business associate agreements. We assist with risk assessments in the event of a breach of protected health information and walk through notifying federal and state officials and affected individuals, when necessary. We ensure corporate health care transactions and agreements address the parties’ applicable privacy and security obligations.
Our health care attorneys also counsel clients regarding privacy and security requirements related to the use and disclosure of protected health information (including electronic protected health information, or ePHI), the collection of data through mobile applications, remote monitoring systems, and other health care-related operations, and the rights of patients and others to access protected health information.
Corporate Transactions
Data is a valuable asset. However, privacy laws may restrict when and how certain data can be legally transferred in a merger, acquisition, sale, or joint venture, and how the data may be used.
Our extensive corporate experience includes transactional due diligence involving privacy issues and technology transactions involving personal data. We advise on the privacy and security aspects of mergers and acquisitions and the transfer and protection of data in transactions.
Financial Services
Banking and other financial institutions have long been highly regulated in the United States. The Gramm-Leach-Bliley Act (GLBA) provides a general framework for the confidentiality of records in the financial services sector, along with other laws such as the Fair Credit Reporting Act and Fair, Accurate Credit Transactions Act, and Dodd-Frank Wall Street Reform and Consumer Protection Act. Privacy laws of general applicability like the California Consumer Protection Act often broadly define data subject to such laws. While such laws may exclude data subject to industry-specific privacy laws, such as GLBA, the broad definition often sweeps in data excluded from these industry-specific privacy laws, resulting in financial and other institutions being subject to different privacy laws for different data. In addition, regulators may have their own privacy and data security rules for institutions under their supervision. Our attorneys are familiar with all of the above and experienced in advising clients on compliance matters and the handling of data security breaches.
Education
Federal law protects the privacy of students and their parents and imposes obligations and restrictions on educational institutions that receive direct or indirect funding from the federal government. These institutions and their business partners face limitations on the use and sharing of information such as grades, class lists, disciplinary records, student financial records, and payroll records for student-employees.
Our attorneys regularly advise and counsel district, charter and private school operators regarding the establishment of systems and protocols to ensure compliance with FERPA and other state-mandated privacy laws and regulations including disclosure of special education needs and the disciplinary history of students.