Data Security & Privacy

Companies face significant challenges as sensitive information is increasingly maintained electronically. Shook, Hardy & Bacon has a practice group dedicated entirely to data security and data privacy legal issues. The group helps our clients implement proactive and reactive solutions to minimize the risks associated with the collection, use, storage, and disposal of sensitive information such as personally identifiable information, financial information, protected health information, payment card information, and trade secret/proprietary information.

As companies increasingly store this information electronically, they are more susceptible than ever to experiencing a data breach, and because electronic information often transcends state, federal, and international borders, the laws that govern data protection are complex. Breaches can include intentional acts (e.g., cyber attacks, “inside jobs,” theft), employee negligence (lost mobile devices and flash drives, misdirected emails), and service provider breaches. Whether a data breach is caused by a sophisticated intruder or a lost employee hard drive, such an event can expose a company to significant liability under numerous domestic and foreign laws, industry standards, and government regulations.

SHB helps our clients proactively adopt administrative, technical and physical safeguards to minimize the risk of a breach. Examples of these safeguards include:

undertaking an initial risk assessment of the information collected and stored, and security measures already in existence;
drafting policies and procedures that govern the collection, use, storage, and disposal of sensitive information;
implementing controls on the access and sharing of information;
training our clients’ employees about their obligations and best practices to keep information secure; and
drafting contractual provisions that ensure vendors are securely handling shared sensitive information and limiting liability should a vendor experience a breach.

Should our clients suspect a data breach, SHB’s reactive services include:

determining whether our clients have experienced a breach and the legal obligations that accompany the breach;
notifying affected third parties and regulatory authorities as required by law;
liaising with law enforcement during the investigation stage of a breach;
communicating with state and federal regulatory authorities throughout the breach response phase; and
representing our clients in regulatory investigations, administrative proceedings and civil lawsuits that may follow from a significant breach.

Our group includes Certified Information Privacy Professionals, accredited by the International Association of Privacy Professionals. The members of this group regularly present and write about data security and privacy issues, and clients of the group receive Alerts that are tailored to the security and privacy concerns of their specific industry.