Data Strategy, Security & Privacy

  • Holland & Knight’s Data Strategy, Security & Privacy Team offers the full range of solutions our clients need to operate in today’s data-driven marketplace. We have the sophisticated capability to understand the nuances of each client’s particular sector and the complicated risks that cybersecurity brings to each of them, an offering few other firms can demonstrate.
  • We deliver pragmatic business-oriented solutions to address legal needs.
  • Our data strategy, security and privacy litigators have defended approximately 120 privacy class actions, multidistrict litigations (MDLs) and other "bet-the-company" suits throughout the U.S.

Overview

Our Data Strategy, Security & Privacy Team helps clients capitalize on data and tech capabilities while managing associated risks and incidents that arise. We have advised and represented clients on many of the largest public (and nonpublic) data issues and security incidents in the U.S.

Our practice spans a full spectrum of proactive and reactive services:

  • Counseling and Program Management
  • Government Policy and Regulatory Compliance
  • Litigation and Class Action Defense
  • Incident Response, Crisis Management and Insurance
  • Investigations and Regulatory Enforcement

With dozens of attorneys in our practice, and backed by Holland & Knight's global team of more than 2,200 lawyers and other professionals, we have attorneys in 34 U.S. offices – from California to Florida – and admitted to practice in nearly every U.S. jurisdiction. We pride ourselves on being a diverse team, and believe diversity of thought and perspective enables us to best serve our clients.

Our team is sensitive to unique data, security and privacy needs of different clients and is closely integrated with the firm's other highly knowledgeable attorneys across many industry sectors:

  • Financial Services
  • Healthcare & Life Sciences
  • Retail & Consumer Products
  • Technology & Telecommunications
  • Real Estate & Hospitality
  • Transportation & Infrastructure

We deliver: 1) pragmatic business-oriented solutions to address legal needs, 2) documentation you need for legal compliance and contracting, and 3) strategic representation during an incident, as well as in investigations and litigations that may follow. We do it efficiently, with transparent budgeting and billing.

Counseling and Program Management

Privileged Risk Assessments

Legal exposure often hinges on a lack of preparedness and perceived failure to comply with laws, public representations and contractual obligations. Our team therefore conducts a variety of risk and compliance assessments around data, cybersecurity and privacy, including a review of legal, operational and technical policies and practices in view of applicable laws, industry standards and public norms.

Attorney-client privileged reviews provide a safer environment to assess practices, identify potential gaps and facilitate candid discussions with stakeholders in order to enhance the go-forward posture and further mitigate risk. Some examples of the assessments that we perform include privacy program reviews, cybersecurity program reviews and enterprise risk audits.

Policies and Program Management

A robust set of documentation promotes mature business operations while also evidencing reasonable practices in the event of regulatory investigations or legal disputes. We work with clients on public-facing materials (e.g., website terms of use and privacy policies) as well as their internal cybersecurity, privacy, incident response and employee practices (e.g., acceptable use; social media). We also advise clients on the use of data analytics, machine learning (ML) and artificial intelligence (AI), advertising, marketing, sales and other data utilization opportunities involving personal data.

We assist clients on documenting and operationalizing programs in compliance with a vast spectrum of federal, state and foreign legal obligations including the Federal Trade Commission (FTC), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Children's Online Privacy Protection Act (COPPA), Driver's Privacy Protection Act (DPPA), Video Privacy Protection Act (VPPA), California Online Privacy Protection Act (CalOPPA), Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), Telephone Consumer Protection Act (TCPA), state privacy and security laws and Payment Card Industry (PCI) standards.

Third-Party Risk Management, Contracting and Deal Support

Vendors and other third-party relationships present one of the largest cyber and privacy risk vectors. Many of the worst incidents in the past decade were attributed to such relationships. Therefore, we advise clients on vendor risk management programs, contract provisions and negotiation strategies to address intellectual property (IP) and data rights, cybersecurity, data privacy and liability/indemnity obligations. Our work includes an array of cloud services, customer-supplier deals, software agreements and data licensing.

We also advise on mergers and acquisitions (M&A) and other corporate transactions with appropriate due diligence support on information technology, IP, cybersecurity and data privacy assessments and recommendations, with appropriate representations and warranties, and, if necessary, advise on other risk mitigation strategies in view of the particular deal economics.

Breach Preparation: Incident Response Planning and Tabletop Exercises

Security incidents are inevitable in today's interconnected world, so it pays to be prepared. That means having an effective Incident Response Plan (IRP) along with a cross-functional team that knows how to use it. We help develop a practical IRP that functions as a playbook for guiding the response team through an incident investigation and key decision points, and also assist in reviewing the plan through a Tabletop Exercise during which the designated response team meets to work through hypothetical scenarios and "test" the IRP – confirming that it meets the organization's needs and effectively addresses roles and responsibilities, communication needs and decision-making tasks.

Cyber Liability Insurance

Transferring cyber and privacy exposure is a core risk management function. We advise clients on suitable cyber insurance terms and coverage amounts to address their enterprise risk tolerance. Our advice helps clients improve policy language and maximize insurance recoveries.

We literally wrote the book on cyber insurance, and have strong relationships with insurance carriers and brokers to strategically collaborate with them to drive the best outcome for clients. See A Buyer's Guide to Cyber Liability Insurance Coverage.

Government Policy and Regulatory Compliance

Holland & Knight is recognized among the top 5 federal lobbying and law firms in Washington, D.C., with a strong bipartisan government affairs team and deep ties across federal legislative and agency bodies. Our firm's D.C.-led Public Policy & Regulation Group represents clients on the public policy, government relationships and legislative front, advising on the evolving – and often conflicting – patchwork of state, local, federal and international regulatory environments as they relate to cybersecurity and data privacy matters across all industry sectors.

Incident Response, Crisis Management and Insurance

We have consulted on more than a thousand actual or suspected incidents of loss, theft or misuse of data or information systems to date. We serve as trusted allies and coaches to clients experiencing a data breach or privacy incident, or building resiliency to prevent, detect or quickly respond to one. We advise on the full range of legal, technical and reputational challenges that arise in such events.

We are well versed in, and routinely navigate, the relevant demands of public law (e.g., GLBA, HIPAA, U.S. Department of Defense (DoD) requirements for contractors, U.S. Securities and Exchange Commission (SEC) guidance, state breach law) as well as private law (e.g., PCI Data Security Standard (DSS) and card brand rules) in these emergency circumstances. We have counseled on breaches involving dozens of corporate counterparties, incidents involving information about tens of millions of persons, intrusions that compromised the integrity of medical records, and on breaches impacting consumers and regulators globally. 

In all of this, we work closely with a client's other trusted third parties, including forensic investigators, crisis management and public relations teams, and cyber insurance carriers. Every step of the response and recovery is carefully and strategically executed to ensure the best possible outcome.

Investigations and Regulatory Enforcement

Our team has significant experience working closely with – and, where needed, in opposition to – the leading cybersecurity and privacy regulators. Our team has represented clients in significant matters before the FTC, U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), SEC, U.S. Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), U.S. Department of Justice (DOJ), Consumer Financial Protection Bureau (CFPB), Secret Service, FBI, state attorneys general and other state regulators, including insurance and banking regulators.

Our firm's government affairs practice regularly assists clients in connecting with, and presenting cases to, government agencies, staffers and Congress. We have assisted clients and trade organizations in response to inquiries on cyber risk, data breaches and privacy issues before all levels of government.

Litigation and Class Action Defense

In 2022, Chambers USA ranked practice leader Mark Melodia as one of the top privacy and data security litigators in the country. Our seasoned team of data privacy and cybersecurity litigators has defended approximately 120 privacy class actions, multidistrict litigations (MDLs) and other "bet-the-company" suits throughout the U.S.

Class actions are a common and challenging consequence of privacy and data security incidents, and increasingly extend to even mainstream data collection and usage practices, including the latest trend of the use of state anti-wiretap laws as a vehicle to sue software developers and businesses for the use of ubiquitous cookies, pixels and other website software, such as session replay technology. We have a team of nationally recognized litigators who defend clients in privacy class actions based on a wide variety of alleged claims, including breach of contract, breach of warranty, fraudulent representations, negligence, breach of state privacy and security laws, breach of state consumer fraud laws, the Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act (CFAA), as well as the DPPA, VPPA and TCPA, to name a few. In so doing, we often work closely and collaboratively with carriers providing coverage.

Case Studies


Congressional Activity on the Development of Quantum Computer Technology
Government Contracts 2023 Year in Review: What Happened and What It Means
International Day for the Protection of Personal Data
Impact of the CMMC Proposed Rule on Government Contractors
Navigating Information Blocking Regulations in Healthcare Transactions
Cybersecurity and CUI in Government Contracts: What's New and What's Next?
Podcast - The Role of Managed Service Providers with Stuart Itkin
Small Business Contracting: A Year in Review
Podcast - The When, Where, Why and How of CMMC with Fernando Machado
Podcast - Data Privacy and Tracking Technology Compliance
Artificial Intelligence: Breaking Down the New Biden Administration Executive Order
SEC's New Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules
Podcast: Discussing the Implications of Healthcare Privacy Violations
Podcast - The State of Contractor Cybersecurity with Katie Arrington
Podcast: Keeping an Eye on HIPAA Trends with Shannon Hartsfield
Podcast - Artificial Intelligence in Healthcare and How to Comply with HIPAA and State Privacy Laws
Podcast - Navigating the TikTok Ban: Implications for Government Contractors
Podcast - The Impact of Cybersecurity Compliance on Corporate Transactions
What Do Policymakers Think About When They Think About Blockchain?
Nothing From the Government Comes Without Gobs of Documentation
Podcast - What Do the Newly Released CMMC 2.1 Documents Mean?
Podcast - Artificial Intelligence
Podcast - Third-Party Assessments and NIST SP 800-171
Podcast - Insights on the FTC's Approach to Digital Health Companies
Podcast - Overview of Cybersecurity in Government Contracts
All About Quantum
Podcast - SEC's Oversight on Cybersecurity Requirements
An Update on a Contractor Cybersecurity Rule VA Imposed This Year
Podcast - How the FTC Shapes Privacy and Data Security Standards
Government Contracts and Cybersecurity Compliance
Practical Compliance with Opt-Out Requirements Under State Privacy Laws
Working to Protect Sensitive Cyber Information
Quantum Computing: Tomorrow's Risks and Today's Opportunities
Administration and Regulation Changes in Government Contracting
Takin' Care of Business
Changes Coming to CMMC; The Cryptocurrency Threat Landscape; Getting Ready for a CR