Data privacy and security affects nearly every enterprise and is an area in which the number of compliance hurdles, the size of the regulatory penalties and the incidence of class action litigation are growing. In fact, personal data is an increasingly complex asset, one that requires strategic risk management to meet the challenges and opportunities presented by today's global information economy. A comprehensive approach to protecting data is essential for businesses that wish to minimize exposure to liability and maintain customer relationships and loyalty.
In this environment of increasing regulation, attention and focus — not to mention dramatic advances in technology — companies need to know not only where risks lie, but also how they can continue to use, share and collect information in a way that will allow them to grow their businesses.
Holland & Knight does not take a negative approach to compliance, telling companies only what they can’t do. Although risk identification is critical, we also suggest proactive steps businesses can take.
Our team regularly provides the full range of data privacy and security services to a variety of industry sectors, including financial services, retail, education, government contracts, information technology, healthcare, insurance, aviation and travel services, hospitality, e-commerce, communications and content providers.
In the United States, state and federal regulators have highlighted information security and data privacy as a fundamental consumer protection issue. Holland & Knight has a wealth of experience in the consumer protection area, including:
- FTC reports and guidance
- Electronic Communications Privacy Act (ECPA)
- Computer Fraud and Abuse Act (CFAA)
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Section 5 of the Federal Trade Commission Act (unfair and deceptive practices)
- Uniform Electronic Transactions Act (UETA)
- Electronic Signatures in Global and National Commerce Act (ESIGN)
- CAN-SPAM and telemarketing restrictions
- Patriot Act and national security-related privacy issues
- state privacy and data breach notification laws
- pending federal and state legislation
Multinational and e-commerce companies must be especially rigorous regarding data compliance because they deal with cross-border data flow. Full implementation by member states of the European Union Data Protection Directive (EUDPD) has created a complex network of privacy and data protection regulation, for example. And countries outside the European Union have developed or are considering drawing up their own privacy regimes.
Organizations contemplating multinational and e-commerce undertakings must understand and comply with privacy and data protection requirements for all countries where data is collected, processed and stored. This requires reconciling the laws of more than one country. Holland & Knight's international offices and global network of local counsel and multilingual attorneys can assist with this, as well as with your other international compliance requirements.
The Full Range of Services You Need
Our data privacy and security lawyers understand that a holistic approach is necessary when developing and implementing a data compliance plan that furthers your enterprise-wide objectives. Using our in-house Data Privacy Testing Lab – likely the only such lab at an Am Law 100 law firm – Holland & Knight also helps businesses head off privacy and security issues by testing company websites, apps, devices and network-aware products and providing both legal and technical advice. Our team can assist you with:
- privacy-related class action litigation defense
- FTC inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations
- state attorneys general inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations
- technical website and mobile app privacy reviews and compliance
- cloud computing and data transfer
- data breach response, mitigation and preparedness
- strategic advice and counsel on local, national and international privacy and data protection and data transfer laws
- integration with comprehensive corporate compliance programs
- internal investigations
- crisis management
- drafting, design and implementation of internal company policies, including information security, data and records management and retention, data classification and handling, device management and Bring Your Own Device policies, codes of conduct, vendor white lists and internal policies on Internet tracking
- legislative drafting, advocacy, congressional investigations and testimony
- enterprise-wide risk management
- on-site privacy and data security training
- independent auditing services
- security, encryption and authentication
We focus on helping companies conduct business in a way that complies with existing laws and on developing compliance frameworks. Our team — which includes attorneys and professionals with in-depth knowledge of technology and the ways in which businesses operate and create profit in an online, mobile world — offers clients involvement in several strategic initiatives:
Data Breach Response
Holland & Knight understands the havoc a data breach can cause. Rather than provide our clients with narrow legal advice in this area, we offer thorough guidance from a highly knowledgeable, multi-disciplinary team – one that addresses the full range of legal, technological, public policy and public relations challenges that arise. This includes working closely with clients on preparedness – conducting simulation exercises, providing media training and developing an effective information incident response policy – as well as handling every step involved in responding to a breach and the aftermath. We have extensive experience handling inquiries and investigations from regulators, aggressively defending class action suits, advising on insurance issues, assisting with crisis management and public relations, undertaking public policy advocacy and handling congressional inquiries.
Mobile App Audits
We do not rely solely on questionnaires or information provided by developers and marketing departments when reviewing mobile apps. Instead, we get under the hood and put privacy to the test. We use a hands-on approach to find out: (1) the information being transmitted by your app over the Internet to advertisers, analytics companies and data aggregators, (2) whether your app shares unique device identifiers with third parties, (3) whether your app exposes users to unexpected social network tracking, and (4) whether your app is protecting usernames, account numbers and passwords as they are transmitted over the network. We then provide guidance on tracking issues as well as draft pre-download and in-app disclosures.
Marketing and Analytics
Data analytics and marketing are crucial to the success of a business. Our team helps companies do both in a way that is compliant with privacy laws and best practices. We help manage vendor contracts to make sure that your vendors adhere to your privacy standards and that your interests are protected.
Geofencing / Location Data Use
Companies have begun to appreciate the power of passive, on-site device tracking to provide information relating to the number of unique customers, rack interest and campaign success. This type of tracking typically involves the capture of Wi-Fi network traffic from customers’ mobile devices as they physically visit and navigate stores. The deployment of such tracking platforms carries with it privacy concerns and requires close attention to state and federal privacy laws. Before deployment, such technologies also require a review of the technology itself and of the planned disclosures; this ensures that minimally invasive techniques are used and that they are appropriately disclosed. We help you to use location data in a way that addresses current privacy concerns and complies with legal constraints.
SSL/TLS, Code-Signing and Certificate Authorities
We review your online trust architecture to ensure that trusted third parties are vetted for questionable business practices and track record issues. We can also assist in drafting or revising the legal documents that relate to your Public Key Infrastructure (PKI) platform.
Privacy By Design
We help companies with "privacy by design" - integrating privacy and information security considerations into business models and new products, services and technology development cycles. Our team assists businesses that are engaged in developing innovative information products and services and new uses for data assets.
Plain Language Drafting
Given new agency mandates for “clear and prominent” notice of information practices, it makes sense for companies to supplement legal analysis with tested and approved communications advice. We partner with court-approved practitioners to help companies draft "plain language" disclosures that are “clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy practices,” as mandated by the FTC.
With the FTC's focus and concern about how companies use data to make decisions about individuals and the agency's pledge to focus on the data broker industry, compliance with and awareness of the Fair Credit Reporting Act has become all the more important. Given the vast amounts of consumer information available through a variety of sources, and companies making use of that information on a daily basis, businesses need to understand what their obligations are based on their use of that data. In addition to FTC scrutiny, given the statutory penalties available under the FCRA along with substantial compliance obligations, the class action plaintiffs' bar continues to go after companies for violations. We can help navigate this minefield.
Companies continue to move to the cloud and, given the cost savings, rightly so. But risks and privacy issues abound. We help companies design the right cloud computing structure by evaluating the options available from a risk standpoint and negotiating terms with the cloud provider. Making sure the transfer of data is done in accordance with the appropriate privacy framework and ensuring adequate protections are available is crucial before moving forward into the cloud.