Cybersecurity & Privacy Compliance

For many companies, data is one of their most valuable—and most frequently targeted—assets. We understand what’s at stake when you’re building a data privacy plan, and we offer the guidance you need to comply with increasingly strict laws and regulations.

Our Approach

Our team advises companies, boards of directors, and executives on the full spectrum of data privacy and cybersecurity laws and regulations. With detailed requirements at every step—collection, use, disclosure, and security of personal information—we provide practical advice that balances your business needs with your compliance obligations.

Our experience includes:

  • Developing comprehensive privacy and security policies, including data mapping and inventory, gap assessments, privacy impacts, and privacy-by-design, and assessing existing policies
  • Advising on cross-border transfers of data
  • Ensuring compliance with laws and regulations relating to specific subject matter, geographies, and industries, including:
    • California Consumer Privacy Act (CCPA)
    • General Data Protection Regulation (GDPR)
    • Telephone Consumer Protection Act (TCPA)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Health Information Technology for Economic and Clinical Health Act (HITECH)
    • Family Educational Rights and Privacy Act (FERPA)
    • Biometric Information Privacy Act (BIPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
    • Computer Fraud and Abuse Act (CFAA)
    • Children’s Online Privacy Protection Act (COPPA)
    • Electronic Communications Privacy Act (ECPA)
    • Fair Credit Reporting Act (FCRA)
    • Fair Debt Collection Practices Act (FDCPA)
  • Creating vendor management programs
  • Monitoring new and amended statutes and regulations internationally and nationally
  • Advising on mergers and acquisitions, private equity investments, licensing, technology transfers, and other corporate transactions

Representative Experience

Compliance Experience

  • Health care start-ups with their enterprise-wide privacy and security frameworks
  • Major utility with ongoing privacy and security compliance counsel
  • Pharmaceutical company with data privacy and security issues, including employee privacy training
  • Website privacy policies, terms, and conditions of use across numerous industries
  • Financial services, health care, marketing, retail, and education companies, on TCPA compliance, audits, compliant policies and procedures, and vendor management
  • Higher education institution on HIPAA and state data privacy laws involving college wellness center, including FERPA and HIPAA compliance
  • Health care entities with HIPAA compliance programs and workforce training
  • Health systems and hospital/physician arrangements structuring themselves as affiliated covered entities or organized health care arrangements under HIPAA
  • FCRA compliance involving employment privacy issues
  • CCPA policies, procedures, websites, and employee training
  • CCPA risk in business models and contractual relationships
  • International retailer with GDPR compliance processes and procedures for compliance with the CCPA
  • Professional sports organization on GDPR compliance in its e-commerce websites
  • Financial institution on CCPA compliance and copycat state regulations
  • Event management and marketing company on GDPR compliance as a processor, and the CCPA
  • Advising international businesses on adapting GDPR-compliance measures to incorporate policies and procedures for CCPA compliance
  • Advising a leading financial institution on compliance with the CCPA’s GLBA exemption
  • Advised a federal credit union on compliance with the privacy and security provisions of the GLBA
  • Advised clients in various industries in connection with data processing addendum (DPA) under the GDPR

Transactional/Strategic Counseling Experience

  • Media companies that suffered a data breach
  • Investment firms on data privacy and security issues in connection with various investments in the technology and consumer goods industries
  • Professional sports organization with vendor management, including all privacy and cybersecurity provisions
  • Data privacy and cybersecurity due diligence for various corporate transactions
  • HIPAA-covered entities and business associates regarding data breach requirements and indemnification
  • Health care and health IT companies’ HIPAA business associate agreements, data-related modifications to subscription agreements, and non-disclosure agreements (NDAs)
  • Data Processing Agreement (DPA) negotiations
  • Physician practice acquisitions and medical record transfers

Loyalty programs - What you should know about compliance with the CCPA

Rochester Business Journal | May 13, 2022

Rochester Privacy & Technology counsel Jenny Holmes contributed this article, which takes a deep dive into the California Consumer Privacy Act (CCPA), and explains the requirements and risks for businesses that use loyalty programs to incentivize consumers in exchange for their personal information.

36 Hours: What banks should know about the new reporting requirements for computer security incidents

Banking Law Journal | April 26, 2022

This contributed article by Complex Disputes partners Chris Queenin in Boston and Chris Mason in New York, and Boston partner and Privacy & Technology group leader Jason Kravitz, covers the new federal rule requiring financial institutions to report certain high-risk computer-security incidents within 36 hours after the incident occurs, following a trend of increased federal oversight involving cybersecurity.

NY follows suit: Increased privacy protections for biometric data

Rochester Business Journal | July 16, 2021

Cybersecurity & Privacy deputy leader and Rochester Corporate associate Jenny Holmes contributed this article on New York State’s pending Biometric Privacy Act and New York City’s biometric law, which came into effect earlier this month, and their impact on businesses.

New York’s biometric law will bring hefty fines for noncompliance

Bloomberg Law | June 09, 2021

This article, covering the New York biometric privacy statute set to take effect in July and its impact on businesses, quotes Data Privacy & Cybersecurity deputy team leader and Rochester Corporate associate Jenny Holmes on the 30-day cure period that provides business owners time to fix a violation before they can be sued.

Big questions for BIPA case law in 2021

Cybersecurity Law Report | February 17, 2021

In this article focusing on case law developments around Illinois’ Biometric Information Privacy Act in the year ahead, Chicago Complex Commercial Disputes partner Rich Tilghman is quoted extensively for his outlook on facial and voice recognition cases, extraterritoriality, arbitration defenses, what counts as a BIPA violation, and collected data.


The JustPod (ABA podcast) | January 06, 2021

Data Privacy & Cybersecurity practice group leader and Los Angeles Government Investigations & White Collar Defense partner Jason Gonzalez is featured as a guest on this podcast episode discussing cybercrimes around the January 6th attack on the Capitol, in addition to technology investigative tools and privacy.

Laying Down the Law with Data Privacy and Cybersecurity

The New IT Podcast | December 02, 2020

Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes appears as a guest in this tech-focused podcast to discuss her outlook and best practices on cloud computing, putting together an incident response plan, and the Privacy Shield.

The Once-and-Future Privacy Shield

Rochester Business Journal | November 06, 2020

Data Privacy & Cybersecurity deputy leader and Rochester associate Jenny Holmes contributed this article analyzing the European Court of Justice’s recent invalidation of the Privacy Shield and its impact on data flows between the US and the EU. This article was co-developed with Los Angeles partner Jason P. Gonzalez and Boston associate Troy K. Lieberman, both from the Data Privacy & Cybersecurity team.

Incident response plans critical for any organization

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quotes Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

Transitioning to cloud-based services: Due diligence is key

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quotes Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

Legal guidance a necessity for companies amid coronavirus uncertainty

Rochester Business Journal | September 04, 2020

In this article on the most common COVID-related issues that businesses and companies are seeking legal help for, Data Privacy & Cybersecurity deputy leader Jenny Holmes and Complex Commercial Disputes associate Eric Ferrante, both in Rochester, are quoted for their outlook on cybersecurity best practices, force majeure clauses, and rent concerns from both landlords and tenants.

5 ERISA Cases To Watch In The 2nd Half Of 2020

Law360 | July 29, 2020

San Francisco office managing partner and Corporate partner Karen Ng was quoted in this article for her outlook on the federal government’s interest in Howard Jarvis Taxpayers Association v. California Secure Choice Retirement Savings Program, and the rise in ERISA privacy and cybersecurity lawsuits in Harmon et al. v. Shell Oil Co. et al.

ANALYSIS | 42 CFR Part 2 Rules Changes a Welcome Sign for Many Providers

Behavioral Healthcare Executive | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

Biggest Illinois Decisions So Far in 2020: Midyear Report

Law360 | July 16, 2020

This article includes commentary from Chicago Complex Commercial Disputes partners John Ruskusky and Seth Horvath on some of the most noteworthy Illinois decisions thus far in 2020. John discusses a decision related to the Illinois Biometric Information Privacy Act, while Seth comments on a decision regarding parents suing paint makers for children’s lead test costs, as well as a ruling on a record destruction provision in the Chicago police union contract.

California data security law to have widespread impact

Rochester Business Journal | November 29, 2019

Rochester Corporate associate Jenny Holmes talks to the Rochester Business Journal for their special report on the impact of the California Consumer Privacy Act, which goes into effect January 1. Jenny anticipates that companies will have to comply with the strictest state law on the books if Congress does not pass a federal law.

Keep up with laws developing to protect our consumer data

Rochester Business Journal | November 15, 2019

In the latest installment of his monthly column, Rochester Corporate partner Jeremy Wolk analyzes state-level legislation aimed at enhancing consumer privacy rights and protections, similar to the European Union’s General Data Protection Regulation. Rochester Corporate associate Jenny Holmes contributed to the column.
