Data Security & Breach Response

We offer prompt and efficient data breach response and clear practical guidance in the face of complex regulatory requirements and negative brand reputation.

Our approach

The compromise of confidential customer, patient or employee information can have a serious impact on your company’s reputation and finances and has serious consequences for those whose privacy is violated.

We take the stress out of the situation. Our team helps clients protect their data long before an incident occurs, plan for situations beyond their control and respond quickly and appropriately to data breaches.

We have the systems and assets already in place that make the difference between a scramble and an efficient and compliant response. We manage media responses and coordinate with trusted vendors who provide high-volume breach notification, call center functions, credit monitoring, forensic analysis and remediation efforts. Our team also provides step-by-step navigation of any litigation or government investigation.

The combination of many well-meaning federal and individual state laws means increasingly complex requirements for data security, data breach notification and data destruction/disposal. We clarify your compliance needs, analyze your risk of data breach, evaluate your existing privacy policies and practices, train employees and help you put best-practice procedures into action.

Who we work with

  • Companies at any stage of data theft or loss, whether intentional or accidental, including victims of hacking, disgruntled or careless employees and natural disasters
  • All businesses, organizations and government entities that collect, transmit or store sensitive or personally identifiable information
  • All industries including technology, health care, finance, infrastructure, defense, energy, big data, social media, data storage and professional services
  • Health care providers, business associates and others impacted by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Law firms, accounting firms and other professional advisors working with sensitive client information


  • Recognized by Chambers USA as a nationwide leader in the Field of Privacy Law

Recent experience

  • Provided emergency response and strategy for numerous clients following the theft or loss of large amounts of sensitive information
  • Represented multiple companies in incidents involving misdirected e-mails containing personal information and requiring notification under state law
  • Represented several manufacturers, food service companies and service providers in data breach response
  • Helped a large corporation respond to a hacking incident
  • Helped various companies address the theft of personal information by employees
  • Provide ongoing counseling to various areas of the health care industry, helping with security risk assessments following an unauthorized access, use or disclosure of data and helping determine whether notification is required under state and federal breach notification regulations

Read fine print on cyberthreat coverage

Providence Business News | September 26, 2019

Providence Complex Commercial Disputes partner Steven Richard is quoted in this article about how more Rhode Island businesses are purchasing insurance to protect against the fallout from potential data breaches.

Is a ransomware attack a reportable data breach?

Providence Business News | April 26, 2019

Providence Complex Commercial Disputes partner Steven Richard authored this column about ransomware attacks and how businesses should respond, including considering whether the ransomware attack is reportable or subject to notification requirements.

Facebook lawsuit underscores importance of transparent collection and use of data

Rochester Business Journal | January 25, 2019

Rochester Corporate partner Jeremy Wolk wrote this contributed column analyzing a lawsuit filed against Facebook in Washington, DC, alleging violations of state-level consumer protection laws by the social media company. This article incorporates perspective from an alert written by Washington Complex Commercial Disputes associate Brian Donnelly, Rochester Corporate associate Jenny Holmes, and Los Angeles Government Investigations & White Collar Defense associate Karina Puttieva.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses businesses who buy, sell or share consumers’ personal information.

European Union law on data protection takes effect

Rochester Business Journal | June 07, 2018

Rochester corporate group partner Jeremy Wolk and associate Jenny Holmes co-wrote this contributed article on the introduction of the General Data Protection Regulation, “a set of tougher rules designed to give European Union citizens more control over their personal data.” The regulation applies to all organizations, regardless of location, that handle the personal data of EU citizens.

Three shady—and all too common—things that digital health startups do to make money

CNBC | November 16, 2017

Los Angeles health care partner Jill Gordon, who this article identifies as a “top lawyer” in the digital health space, provides in-depth commentary regarding the three common practices she’s seen among health technology startups that may violate medical regulations and what companies should be aware of to avoid costly penalties.

Aetna's HIV lapse shows snail mail's privacy pitfalls

Law360 | August 24, 2017

Chicago health care partner Valerie Montague is quoted in this article about how Aetna Inc.’s mailed letters to policy holders regarding prescriptions for HIV drugs violated the Health Insurance Portability and Accountability Act.

What businesses need to know about the Internet of things

WJAR-TV (Providence NBC affiliate) | July 12, 2017

Providence commercial litigation counsel Steven Richard is interviewed in this television segment about what steps companies can take to better secure their data and be less vulnerable to hacking.

Employees' smartphones threaten company security

Rochester Business Journal | January 19, 2017

Chief Information Officer Mike Green and Rochester labor and employment associate Jenny Holmes are quoted in this article about data protection issues surrounding bring your own device policies.

HIPAA spotlight: key stats from a banner year

Law360 | January 16, 2017

This article recaps HIPAA stats and highlights from the past year. Chicago health care partner Valerie Montague is quoted throughout discussing privacy breaches and how health care organizations react.

No immunity from cyberattacks and data breaches in 2016 and beyond

Rochester Business Journal | January 12, 2017

Rochester private equity and investment funds partner Jeremy Wolk and labor and employment associate Jenny Holmes co-authored this column about cyber security. The column provides an overview of the risks and potential legislative changes that could help small businesses and tips for creating a privacy policy.

Back to top