Data Privacy & Cybersecurity Compliance

Our Approach

Our team advises companies, boards of directors, and executives on the full spectrum of data privacy and cybersecurity laws and regulations. With detailed requirements at every step—collection, use, disclosure, and security of personal information—we provide practical advice that balances your business needs with your compliance obligations.

Our experience includes:

Developing comprehensive privacy and security policies, including data mapping and inventory, gap assessments, privacy impacts, and privacy-by-design, and assessing existing policies
Advising on cross-border transfers of data
Ensuring compliance with laws and regulations relating to specific subject matter, geographies, and industries, including:
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- Telephone Consumer Protection Act (TCPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Family Educational Rights and Privacy Act (FERPA)
- Biometric Information Protection Act (BIPA)
- Gramm-Leach-Bliley Act (GLBA)
- Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)
- Computer Fraud and Abuse Act (CFAA)
- Children’s Online Privacy Protection Act (COPPA)
- Electronic Communication Privacy Act (ECPA)
- Fair Credit Reporting Act (FCRA)
- Fair Debt Collection Practices Act (FDCPA)
Creating vendor management programs
Monitoring new and amended statutes and regulations internationally and nationally
Advising on mergers and acquisitions, private equity investments, licensing, technology transfers, and other corporate transactions

Representative Experience

Compliance Experience

Health care start-ups with their enterprise-wide privacy and security frameworks
Major utility with ongoing privacy and security compliance counsel
Pharmaceutical company with data privacy and security issues, including employee privacy training
Website privacy policies, terms, and conditions of use across numerous industries
Financial services, health care, marketing, retail, and education companies, on TCPA compliance, audits, compliant policies and procedures, and vendor management
Higher education institution on HIPAA and state data privacy laws involving college wellness center, including FERPA and HIPAA compliance
Health care entities with HIPAA compliance programs workforces training
Health systems and hospital/physician arrangements structure themselves as affiliated covered entities or organized health care arrangements under HIPAA
FCRA compliance involving employment privacy issues
CCPA policies, procedures, websites, and employee training
CCPA risk in business models and contractual relationships
International retailer with GDPR compliance processes and procedures for compliance with the CCPA
Professional sports organization on GDPR compliance in its e-commerce websites
Financial institution on CCPA compliance and copycat state regulations
Event management and marketing company on GDPR compliance as a processor, and the CCPA
Advising international businesses on adapting GDPR-compliance measures to incorporate policies and procedures for CCPA compliance
Advising a leading financial institution on compliance with the CCPA’s GLBA exemption
Advised a federal credit union on compliance with the privacy and security provisions of the GLBA
Advised clients in various industries in connection with data processing addendum (DPA) under the GDPR

Transactional/Strategic Counseling Experience

Media companies that suffered a data breach
Investment firms on data privacy and security issues in connection with various investments in the technology and consumer goods industries
Professional sports organization with vendor management, including all privacy and cybersecurity provisions,
Data privacy and cybersecurity due diligence for various corporate transactions
HIPAA-covered entities and business associates regarding data breach requirements and indemnification
health care and health IT companies’ HIPAA business associate agreements, data-related modifications to subscription agreements, and non-disclosure agreements (NDAs)
Data Processing Agreement (DPA) negotiations
Physician practice acquisitions and medical record transfers

Media Clips

NY follows suit: Increased privacy protections for biometric data

Rochester Business Journal | July 16, 2021

Cybersecurity & Privacy deputy leader and Rochester Corporate associate Jenny Holmes contributed this article on New York State’s pending Biometric Privacy Act and New York City’s biometric law, which came into effect earlier this month, and their impact on businesses.

New York’s biometric law will bring hefty fines for noncompliance

Bloomberg Law | June 09, 2021

This article, covering the New York biometric privacy statute set to take effect in July and its impact on businesses, quotes Data Privacy & Cybersecurity deputy team leader and Rochester Corporate associate Jenny Holmes on the 30-day cure period that provides business owners time to fix a violation before they can be sued.

Big questions for BIPA case law in 2021

Cybersecurity Law Report | February 17, 2021

In this article focusing on case law developments around Illinois’ Biometric Information Privacy Act in the year ahead, Chicago Complex Commercial Disputes partner Rich Tilghman is quoted extensively for his outlook on facial and voice recognition cases, extraterritoriality, arbitration defenses, what counts as a BIPA violation, and collected data.

Cybercrime

The JustPod (ABA podcast) | January 06, 2021

Data Privacy & Cybersecurity practice group leader and Los Angeles Government Investigations & White Collar Defense partner Jason Gonzalez is feature as a guest on this podcast episode discussing cybercrimes around the January 6th attack on the Capitol, in addition to technology investigative tools and privacy.

Laying Down the Law with Data Privacy and Cybersecurity

The New IT Podcast | December 02, 2020

Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes appears as a guest in this tech-focused podcast to discuss her outlook and best practices on cloud computing, putting together an incident response plan, and the Privacy Shield.

The Once-and-Future Privacy Shield

Rochester Business Journal | November 06, 2020

Data Privacy & Cybersecurity deputy leader and Rochester associate Jenny Holmes contributed this article analyzing the European Court of Justice’s recent invalidation of the Privacy Shield and its impact on data flows between the US and the EU. This article was co-developed with Los Angeles partner Jason P. Gonzalez and Boston associate Troy K. Lieberman, both from the Data Privacy & Cybersecurity team.

Incident response plans critical for any organization

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quote Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

Transitioning to cloud-based services: Due diligence is key

Rochester Business Journal | October 23, 2020

Legal guidance a necessity for companies amid coronavirus uncertainty

Rochester Business Journal | September 04, 2020

In this article on the most common COVID-related issues that businesses and companies are seeking legal help for, Data Privacy & Cybersecurity deputy leader Jenny Holmes and Complex Commercial Disputes associate Eric Ferrante, both in Rochester, are quoted for their outlook on cybersecurity best practices, force majeure clauses, and rent concerns from both landlords and tenants.

5 ERISA Cases To Watch In The 2nd Half Of 2020

Law360 | July 29, 2020

San Francisco office managing partner and Corporate partner Karen Ng was quoted in this article for her outlook on the federal government’s interest in Howard Jarvis Taxpayers Association v. California Secure Choice Retirement Savings Program, and the rise in ERISA privacy and cybersecurity lawsuits in Harmon et al. v. Shell Oil Co. et al.

ANALYSIS | 42 CFR Part 2 Rules Changes a Welcome Sign for Many Providers

Behavioral Healthcare Executive | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

More Changes Ahead for Substance Use Record Sharing Law

Bloomberg Law | July 22, 2020

Biggest Illinois Decisions So Far in 2020: Midyear Report

Law360 | July 16, 2020

This article includes commentary from Chicago Complex Commercial Disputes partners John Ruskusky and Seth Horvath on some of the most noteworthy Illinois decisions thus far in 2020. John discusses a decision related to the Illinois Biometric Information Privacy Act, while Seth comments on a decision regarding parents suing paint makers for children’s lead test costs, as well as a ruling on a record destruction provision in the Chicago police union contract.

California data security law to have widespread impact

Rochester Business Journal | November 29, 2019

Rochester Corporate associate Jenny Holmes talks to the Rochester Business Journal for their special report on the impact of the California Consumer Privacy Act, which goes into effect January 1. Jenny anticipates that companies will have to comply with the strictest state law on the books if Congress does not pass a federal law.

Keep up with laws developing to protect our consumer data

Rochester Business Journal | November 15, 2019

In the latest installment of his monthly column, Rochester Corporate partner Jeremy Wolk analyzes state-level legislation aimed at enhancing consumer privacy rights and protections, similar to the European Union’s General Data Protection Regulation. Rochester Corporate associate Jenny Holmes contributed to the column.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses businesses who buy, sell or share consumers’ personal information.

Show More Show Less

Ideas