Godfrey & Kahn’s Data Privacy & Cybersecurity Team offers significant experience in the dynamic and ever-evolving area of data privacy and cybersecurity.
As information technology continuously evolves, and the creation, maintenance, and transmission of information by electronic means increasingly becomes a critical component of business, our clients must be proactive in securely obtaining, transmitting, retaining, and discarding confidential and legally protected and regulated electronic information. We understand that federal and state privacy and security laws affect nearly every commercial entity, ranging from healthcare providers to financial institutions and start-up corporations. As national and state standards are developed and implemented, our clients must be confident that they remain in compliance with the various laws, regulations, and standards in the most efficient and cost-effective way possible. We also recognize the threats, both external and internal, that our clients face to the integrity of their protected electronic information.
Our cross-disciplinary Team offers both legal and practical advice on how our clients can properly manage risks related to the protection of their clients’ and customers’ confidential information. We counsel clients on preventative measures, such as adopting policies and procedures to prevent exposure to data breaches and obtaining cyberinsurance to protect against risks. In addition, we help clients conduct internal investigations of possible data breaches and respond appropriately and quickly if a data breach occurs. Our attorneys provide comprehensive knowledge and advice related to the wide range of privacy laws, including the Children’s Online Privacy Protection Act, the Electronic Communications Privacy Act, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act ("HIPAA"), and the Gramm-Leach-Bliley Act, as well as other federal and state statutes and regulations.
We recognize the diverse and widespread impact of data privacy and cybersecurity requirements and the potential business impact and legal liability for failing to comply. To meet our clients’ needs, we offer a multi-disciplinary approach that harnesses the skills, knowledge, and experience of our firm’s multiple practice groups and specialties.
Godfrey & Kahn is the preeminent Wisconsin firm in terms of bank regulatory compliance, much of which involves privacy and information security issues. Our attorneys are well-versed in such laws as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act of 2003 and the Children’s Online Privacy Protection Act. We advise clients on best practices for complying with such laws, including the best practices for the aggregation, sharing and storage of personal financial information.
In addition, we are familiar with organizing a response to a data breach, which can include sending out notifications to affected individuals or buying identity theft remediation services. We aid clients as they enter into vendor service contracts, and ensure that customer information remains properly protected. Similarly, we provide clients with contract forms for use with their customers which designate and describe the information security procedures the client has in place.
Members of Godfrey & Kahn’s Health Care Practice Group assist both HIPAA Covered Entities and HIPAA Business Associates by drafting or reviewing the HIPAA Business Associate Agreements, preparing HIPAA policies and procedures, assisting with HIPAA breach risk assessments and related obligations and responding to HIPAA complaints from the Office of Civil Rights. Our experience in this area includes:
- Drafting or reviewing numerous HIPAA Business Associate Agreements between Covered Entities and Business Associates
- Drafting or reviewing numerous HIPAA Business Associate Agreements between Business Associates and their subcontractors
- Assisting clients with HIPAA breach risk assessments and related obligations
- Preparing HIPAA privacy policies and procedures, authorization forms and notices of privacy practices.
Insurance & Reinsurance
Attorneys in our Insurance & Reinsurance Practice Group are experienced in reviewing existing policies to help clients determine coverage for cybersecurity risks and claims. Additionally, our attorneys stay abreast of developments in cyber insurance and related areas.
Members of Godfrey & Kahn’s Intellectual Property Team work directly with our clients and our other practice groups to provide counseling and mitigation strategies relating to the gathering, maintenance, use, and disposal of clients’ data and information. Our experience in this area includes:
- Counseling clients on protection of private and confidential information relating to their business, including trade secrets and confidential information
- Representing clients whose trade secrets and confidential information have been appropriated by others, including former employees as well as third parties
- Representing clients against whom claims have been made that they have improperly taken trade secrets and/or confidential information of others
- Counseling clients on enforcement of and compliance with the Anti-Cybersquatting Consumer Protection Act and the Digital Millennium Copyright Act
- Counseling clients on the preparation of privacy policies and terms for the use of their web sites
Data privacy and cybersecurity have become increasingly important issues for the SEC and those entities regulated by the SEC (including investment advisers, investment companies and broker-dealers).
In April 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a risk alert detailing its initiative to examine over 50 registered broker-dealers and investment advisers. The risk alert included a copy of a sample document request list that OCIE may use in conducting examinations regarding cybersecurity preparedness. The SEC also identified cybersecurity as one of its 2015 examination priorities—the Staff intends to continue evaluating cybersecurity compliance and controls of registered broker-dealers and investment advisers during its examinations.
In February 2015, OCIE published a follow-up risk alert that included summary observations from its examination of 57 registered broker-dealers and 49 registered investment advisers. OCIE provided some initial observations regarding written policies, periodic risk assessments, cybersecurity incidents and best practices. In January 2016, OCIE published its Examination Priorities list and indicated that it will advance its cybersecurity efforts, which will include testing and assessments of firms’ implementation of procedures and controls. In May 2016, FINRA published a small firm cybersecurity checklist to assist broker-dealers in establishing a cybersecurity program.
Our Investment Management team advises its investment management clients on data privacy and cybersecurity issues, such as developing and implementing privacy and information security policies and procedures.
Members of Godfrey & Kahn’s Litigation Team work directly with our clients and our other practice groups to provide our clients with regulatory compliance counseling, pre-litigation risk assessment and mitigation strategies, and representation in litigation relating to the gathering, maintenance, use, and disposal of customers’ data and information. Our experience in this area includes:
- Counseling clients on compliance with HIPAA’s privacy requirements and, when necessary, defending clients sued for alleged violations of HIPAA or invasion of privacy.
- Representing clients sued as defendants or served with significant third-party discovery in class-action Telephone Consumer Protection Act lawsuits.
- Counseling clients in the financial services industry on potential liability for practices relating to the handling of customers’ protected information.
- Prosecuting claims and pursuing discovery relating to the destruction of electronically stored information, including working with experts to conduct forensic examinations of computers, e-mail servers, and network servers
White Collar Defense & Investigations
Attorneys from the Godfrey & Kahn White Collar Defense & Investigations Team work closely with attorneys on our other teams, our clients, and their consultants to address our clients’ data privacy and cybersecurity needs at every stage.
To help secure our clients’ data, systems, and communications, we can assist clients with devising compliance programs to help thwart breaches by both internal and external threats, and protocols to help a business respond promptly in the event of a breach. In the unfortunate event that a data breach does occur, our experienced team can coordinate an incident response involving an array of professionals from various fields and assist our clients with statutory notice requirements. We have assisted a wide array of clients (such as resorts, online retailers, and travel agencies) in responding to data breaches.
When appropriate, our team will conduct an internal investigation to determine the extent of the problem, who was responsible, and what should be done in response. If the breach leads to litigation by alleged victims of the breach, we have experience in the nuances of how procedures and protocols adopted before the incident occurred can play out as viable defenses.
The response to a cybersecurity incident also may include coordination with law enforcement. Our team includes attorneys and former federal prosecutors adept at serving as a liaison and advocate for our client with federal prosecutors and agents.
Assisted merchants, including an operator of resorts, an online retailer, and a travel agency, in investigations to determine the source and scope of data security breaches involving the theft of customers’ personal information, completing statutory notice requirements, and interfacing with law enforcement agencies investigating the breaches.
Represented financial institution in litigation initiated by loan modification company where financial institution froze merchant’s accounts after determining that merchant was engaged in pattern and practice of fraudulently charging its customers’ credit cards for services it did not provide.
Provided counsel to a specialty insurer to determine its obligations in a number of states when its auditor lost a non-encrypted thumb drive containing policyholder personal information.
Worked with insurer to assess notification requirements when UPS lost a box containing a significant amount of confidential policyholder information.
Represented a group of Wisconsin residents in an action filed in the U.S. District Court for the Eastern District of Wisconsin challenging the state legislative districts adopted by the Wisconsin legislature. We engaged in significant post-judgment ESI discovery, including forensic analysis of computer hard drives, networks, and servers.
Provide counsel to clients on compliance with HIPAA’s privacy requirements and, when necessary, defend clients sued for alleged violations of HIPAA or invasion of privacy.
Telephone Consumer Protection Act (TCPA) class-action litigation. Served as counsel to defendants and third parties involved in individual and class-action Telephone Consumer Protection Act lawsuits filed in federal courts.
Lead counsel for the world’s largest online marketplace for finding and managing family care in a wrongful death lawsuit that involves significant computer and network forensic examination and analysis and legal issues relating to protection of personally identifiable information.