Data Security & Breach Response

We offer prompt and efficient data breach response and clear practical guidance in the face of complex regulatory requirements and negative brand reputation.

Our approach

The compromise of confidential customer, patient or employee information can have a serious impact on your company’s reputation and finances and has serious consequences for those whose privacy is violated.

We take the stress out of the situation. Our team helps clients protect their data long before an incident occurs, plan for situations beyond their control and respond quickly and appropriately to data breaches.

We have the systems and assets already in place that make the difference between a scramble and an efficient and compliant response. We manage media responses and coordinate with trusted vendors who provide high-volume breach notification, call center functions, credit monitoring, forensic analysis and remediation efforts. Our team also provides step-by-step navigation of any litigation or government investigation.

The combination of many well-meaning federal and individual state laws means increasingly complex requirements for data security, data breach notification and data destruction/disposal. We clarify your compliance needs, analyze your risk of data breach, evaluate your existing privacy policies and practices, train employees and help you put best-practice procedures into action.

Who we work with

  • Companies at any stage of data theft or loss, whether intentional or accidental, including victims of hacking, disgruntled or careless employees and natural disasters
  • All businesses, organizations and government entities that collect, transmit or store sensitive or personally identifiable information
  • All industries including technology, health care, finance, infrastructure, defense, energy, big data, social media, data storage and professional services
  • Health care providers, business associates and others impacted by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Law firms, accounting firms and other professional advisors working with sensitive client information


  • Recognized by Chambers USA as a nationwide leader in the Field of Privacy Law

Recent experience

  • Provided emergency response and strategy for numerous clients following the theft or loss of large amounts of sensitive information
  • Represented multiple companies in incidents involving misdirected e-mails containing personal information and requiring notification under state law
  • Represented several manufacturers, food service companies and service providers in data breach response
  • Helped a large corporation respond to a hacking incident
  • Helped various companies address the theft of personal information by employees
  • Provide ongoing counseling to various areas of the health care industry, helping with security risk assessments following an unauthorized access, use or disclosure of data and helping determine whether notification is required under state and federal breach notification regulations

Corporate spending on cybersecurity continues to increase

Rochester Business Journal | October 25, 2019

Jenny Holmes, Nixon Peabody associate, is quoted in this article about the trend of rising costs for cybersecurity protection.

Read fine print on cyberthreat coverage

Providence Business News | September 26, 2019

Providence Complex Commercial Disputes partner Steven Richard is quoted in this article about how more Rhode Island businesses are purchasing insurance to protect against the fallout from potential data breaches.

Is a ransomware attack a reportable data breach?

Providence Business News | April 26, 2019

Providence Complex Commercial Disputes partner Steven Richard authored this column about ransomware attacks and how businesses should respond, including considering whether the ransomware attack is reportable or subject to notification requirements.

Facebook lawsuit underscores importance of transparent collection and use of data

Rochester Business Journal | January 25, 2019

Rochester Corporate partner Jeremy Wolk wrote this contributed column analyzing a lawsuit filed against Facebook in Washington, DC, alleging violations of state-level consumer protection laws by the social media company. This article incorporates perspective from an alert written by Washington Complex Commercial Disputes associate Brian Donnelly, Rochester Corporate associate Jenny Holmes, and Los Angeles Government Investigations & White Collar Defense associate Karina Puttieva.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses that buy, sell or share consumers’ personal information.

European Union law on data protection takes effect

Rochester Business Journal | June 07, 2018

Rochester corporate group partner Jeremy Wolk and associate Jenny Holmes co-wrote this contributed article on the introduction of the General Data Protection Regulation, “a set of tougher rules designed to give European Union citizens more control over their personal data.” The regulation applies to all organizations, regardless of location, that handle the personal data of EU citizens.
