Data Privacy & Cybersecurity

Our approach

Our Data Privacy and Cyber Security team provides counsel on threat prevention and mitigation in the context of your key business drivers: Intellectual Property, Financial/Fiduciary, Regulatory/Compliance, Operational, Growth/Opportunity, Strategy, Human Capital and Reputation/Brand.

We employ an integrated approach focused on 1) preventing attacks through proactive mitigation programs; 2) monitoring and detecting potential cyber risks; and 3) responding to breaches and other adverse events. We customize our Data Privacy and Cyber Security services to your business—size, industry, technologies, stakeholders, and compliance regimes.

Our platform starts with your business needs and “ends” with an intense focus on helping you “get back to business” and drive enterprise value. It’s a comprehensive, business-minded, intelligent approach to managing, mitigating and responding to cyber threats.

Trends we’re watching:

Business leaders (not just IT departments) will be increasingly held directly accountable for data privacy controls and response to breaches.
Incident response plans will need to consider how to instantly email those affected and reset user passwords on a massive scale.
Wearable technologies and internet of things (IoT) will continue to proliferate, expanding the number of access points to and vulnerability of Protected Health Information (PHI) and other sensitive data.
Terms of Service and vendor agreements will increasingly require provisions to mitigate liability and protocol for privacy matters.
Employees will continue to be the biggest threat to cyber security, predominantly through negligence, requiring increased security training programs.
State-level regulations will increase, providing a patch-work of data privacy and breach laws, making compliance increasingly difficult.
Consumers will increasingly reach “data breach fatigue,” taking less action to protect themselves, requiring businesses to re-think their pre- and post-breach communications.
Commercial drone use will continue to proliferate, putting some companies under both aviation and privacy regulations for the first time.

Who we work with

All businesses, organizations and government entities that collect, transmit or store sensitive or personally identifiable information
All industries including technology, health care, finance, infrastructure, defense, energy, big data, social media, data storage and professional services
Companies using mobile apps, websites and social media. Whether communicating with, collecting information from, advertising to or doing business with clients and customers, they and others are impacted by the Telephone Consumer Protection Act (TCPA) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Health care providers, insurance companies, pharmacies, clearinghouses, business associates and others impacted by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule
Those who market goods or services to children under the age of 13 and others impacted by the Children’s Online Privacy Protection Act (COPPA)
All companies that receive and store the personal financial information of their clients and customers, and others impacted by the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) and state data security laws
Law firms, accounting firms and other professional advisors working with sensitive client information
Law enforcement agencies

Recognition

Recognized by Chambers USA as a nationwide leader in the Field of Privacy Law

Representative experience

Defended a client in litigation involving the theft of 1.7 million patient records
Provided emergency response and compliance strategy for clients following the theft or loss of large amounts of sensitive information. Recent examples include:
- A lost laptop containing the personal information of over 11,000 individuals from 31 different states
- Website hacking incident involving the personally identifiable information of over 3,000 individuals
Represented numerous clients in privacy violation investigations by the Office for Civil Rights and state regulatory entities
Provide ongoing privacy and security counsel to a large utility
Counseled a pharmaceuticals company in corporate privacy and security issues and provided worldwide employee privacy training
Built enterprise-wide privacy and security framework for startup companies in the health care industry, municipalities and large corporations
Assisted clients with their applications for “safe harbor” under the Federal Communications Commission (FCC)
Developed and implemented website privacy policies and terms and conditions of use for a variety of clients in diverse industries

Media Clips

How to contact your customers without getting sued

Bloomberg Law | June 11, 2019

San Francisco Complex Commercial Disputes partner Karl Belgum wrote this contributed article explaining that businesses need to perform a self-assessment of the risks of automated customer contact, given the FCC’s failure to clarify the scope of the Telephone Consumer Protection Act.

Attorneys watch cross-border issues

Buffalo Business First | June 10, 2019

In this article, Buffalo Complex Commercial Disputes counsel Ben Dwyer discusses how Canada’s approach to data privacy differs from the United States’, and how that impacts cross-border sharing of consumers’ personal information.

Is a ransomware attack a reportable data breach?

Providence Business News | April 26, 2019

Providence Complex Commercial Disputes partner Steven Richard authored this column about ransomware attacks and how businesses should respond, including considering whether the ransomware attack is reportable or subject to notification requirements.

High court may upend TCPA litigation landscape

Law360 | November 13, 2018

Boston Intellectual Property associate Troy Lieberman is quoted in this article looking at possible FCC changes to the definition of “autodialer” in regard to the Telephone Consumer Protection Act.

State AGs at odds over Google privacy pact at high court

Law360 | September 05, 2018

This article mentions Complex Commercial Disputes partners Chris Mason, Sarah André, Dan Deane and Seth Horvath as counsel for The New York Bar Foundation and The New York State Bar Association in an amicus brief—filed with the United States Supreme Court—in support of the approval by a California District Court, and the Ninth Circuit, of Google’s settlement involving a “cy pres” remedy in a privacy-related case.

Cybersecurity and benefits plans: The next front in the ongoing battle to protect personal information

Confero | June 30, 2018

Rochester Corporate group associate Jenny Holmes contributed this article to the quarterly magazine for Westminster Consulting, discussing why benefit plans are inviting targets for would-be data thieves, and what plan administrators need to do to protect personal data.

European Union law on data protection takes effect

Rochester Business Journal | June 07, 2018

Rochester corporate group partner Jeremy Wolk and associate Jenny Holmes co-wrote this contributed article on the introduction of the General Data Protection Regulation, “a set of tougher rules designed to give European Union citizens more control over their personal data.” The regulation applies to all organizations, regardless of location, that handle the personal data of EU citizens.

DC Circuit Delivers Relief, but Not Clarity, with TCPA Ruling

Law360 | March 15, 2018

Boston IP litigation associate Troy Lieberman is quoted in this article explaining how the DC Circuit Court’s ruling on the FCC’s telemarketing rules will provide some relief for businesses.

PREVIEWS FROM THE INDUSTRY: Hospital Operations

Modern Healthcare | December 31, 2017

In this round-up of health care industry predictions for 2018, Chicago health care partner Valerie Montague provides an outlook on the future of cybersecurity in health care.

Three shady—and all too common—things that digital health startups do to make money

CNBC | November 16, 2017

Los Angeles health care partner Jill Gordon, who this article identifies as a “top lawyer” in the digital health space, provides in-depth commentary regarding the three common practices she’s seen among health technology startups that may violate medical regulations and what companies should be aware of to avoid costly penalties.

Aetna's HIV lapse shows snail mail's privacy pitfalls

Law360 | August 24, 2017

Chicago health care partner Valerie Montague is quoted in this article about how Aetna Inc.’s mailed letters to policy holders regarding prescriptions for HIV drugs violated the Health Insurance Portability and Accountability Act.

Improper robocall consent revocation lets Kohl’s off the rack

Bloomberg BNA | August 17, 2017

In an article about a class action complaint against Kohl’s Department Stores, Boston IP litigation associate and TCPA team co-leader Troy Lieberman is quoted on opt-out mechanisms for consumers.

What businesses need to know about the Internet of things

WJAR-TV (Providence NBC affiliate) | July 12, 2017

Providence commercial litigation counsel Steven Richard is interviewed in this television segment about what steps companies can take to better secure their data and be less vulnerable to hacking.

Failure to respond dooms robocall lawsuit against tech university

Bloomberg BNA | June 04, 2017

Manchester commercial litigation partner Dan Deane is quoted in this article about a matter involving a Telephone Consumer Protection Act (TCPA) case against Colorado Technical University.

The uncertain future of the TCPA in the Trump era

Bloomberg Law | May 07, 2017

Manchester commercial litigation partner Dan Deane and New York City commercial litigation associate Paul Williamson contributed this article addressing the ways in which the Trump administration may affect the TCPA.

Read fine print on learning apps, experts warn

Education Week | March 27, 2017

Chicago IP litigation associate Jason Kunze is quoted in this article about safeguarding student data privacy in online educational apps.

Before acquiring a firm, check its cybersecurity setup

Rochester Business Journal | March 16, 2017

Rochester private equity and investment funds partner Jeremy Wolk and labor and employment associate Jenny Holmes co-authored this column about cybersecurity due diligence.

Cyberthreats looming

Providence Business News | March 16, 2017

Providence commercial litigation counsel Steven Richard authored this column about the types of evolving cyber threats facing businesses and consumers.

Employees' smartphones threaten company security

Rochester Business Journal | January 19, 2017

Chief Information Officer Mike Green and Rochester labor and employment associate Jenny Holmes are quoted in this article about data protection issues surrounding bring your own device policies.

HIPAA spotlight: key stats from a banner year

Law360 | January 16, 2017

This article recaps HIPAA stats and highlights from the past year. Chicago health care partner Valerie Montague is quoted throughout discussing privacy breaches and how health care organizations react.

No immunity from cyberattacks and data breaches in 2016 and beyond

Rochester Business Journal | January 12, 2017

Rochester private equity and investment funds partner Jeremy Wolk and labor and employment associate Jenny Holmes co-authored this column about cyber security. The column provides an overview of the risks and potential legislative changes that could help small businesses and tips for creating a privacy policy.

Limited privacy of donor information in New York

Rochester Business Journal | October 16, 2016

Rochester Private Equity & Investment Funds partner Jeremy Wolk and Washington DC M&A and Corporate Transactions partner Mike Cooney authored this column about privacy issues surrounding charitable donors in New York.

Show More Show Less

Ideas