McDermott Will & Schulte, a global law firm

In addition to spanning geographies and jurisdictions, today's digital ecosystem is increasingly the focus of regulators who are highly sensitive to the complex issues surrounding online behavioral marketing campaigns and other modern uses of consumer data.

Our lawyers work hand-in-hand with client companies to analyze existing consumer data marketing strategies and develop new approaches - ranging from compliant consent or opt-out processes to targeted digital consumer marketing initiatives - that help them achieve core business objectives. We also advise in-house counsel and privacy officers on how to avoid or minimize regulatory scrutiny and alleviate consumer concerns over the collection, processing and storage of data.

Among other activities that may trigger consumer-protection laws in various jurisdictions, we provide counsel on telemarketing, text messaging, email marketing and promotions, and social media. In particular, our lawyers advise clients on the following:

• Development of compliant privacy policies and terms of use
• Compliance with the Telephone Consumer Protection Act requirements for telemarketing and text communications
• Compliance with CAN-SPAM requirements to ensure consumer-sensitive approaches to email marketing and promotions
• Development of processes for managing consumer data in data-driven businesses
• Assessment of data collection practices and procedures, including for merchants at point of sale using credit and debit cards
• Review and updating online and web data collection practices and protocols

Our privacy lawyers are well established in Germany, France, the UK and Italy, and provide sophisticated privacy advice to domestic and multi-national companies and vendors on a wide spectrum of data protection matters. These include global privacy policies, data transfer mechanisms, Privacy Shield assessments, notifications to in-country data protection authorities, GDPR preparation, reviews of new data laws and other compliance steps.

We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data protection authorities in relevant jurisdictions worldwide.

We have particular experience in EU/US Privacy Shield implementation strategies, with template documents and roadmap protocols to lessen the initial management time. Because we have had experience in FTC enforcement actions with Safe Harbor violations, we can assist clients in avoiding costly mistakes and remedying existing ones.

We also provide timely, effective counsel and strategies in response to multi-country cyberattacks and other security breaches affecting personal information.

We routinely advise on the following:

• Organizational compliance requirements in relation to the General Data
• Protection Regulation due to come into force across the European Union in May 2018
• International inter- and multi-company agreements to collect, transfer and use customer, employee and other data (including model clauses and binding corporate rules)
• Assessments and implementation of the new US-EU Privacy Shield for data transfer
• Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
• Third party vendor management and contract terms regarding the collection and processing of the personal data in-country and cross-border
• Multinational privacy policies
• Data privacy implications of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act)
• Responses to data subject access requests

We are a leading provider of legal advice regarding regulatory and transactional issues raised by the development and implementation of big-data strategies and platforms. We use a multidisciplinary approach to identify the goals and address the legal needs of clients with valuable data assets. This coordinated methodology distinguishes us from other firms that may view data solely as a regulatory or intellectual property concern.

Our team advises data sources and data aggregators on the myriad data privacy and consumer protection law compliance issues raised by the collection, aggregation and use of personally identifiable information and other data from consumers, customers or other data sources. For example, we routinely help clients implement data strategies consistent with the regulatory requirements and expectations of the Federal Trade Commission (FTC) and other federal and state regulators.

Our team advises data sources in connection with agreements for which the primary purpose is the licensing of rights to aggregate and use data. We also counsel clients on service and other agreements where the vendor requests data rights for secondary data uses, and on the following:

• Research compliance, research program structure, and operational and compliance infrastructure
• Complex research affiliation agreements and arrangements
• Scientific review and research misconduct proceedings and investigations (internal and with government involvement)
• Biobanking and registry development and compliance, including emerging issues involving the future, unspecified use of biospecimens and genomic data
• Development and implementation of data-sharing strategies and platforms to achieve business objectives, particularly in connection with biomedical innovation, health care reform, electronic health record implementation and quality assurance requirements
• Data privacy, data mapping and data use strategies for mobile apps and other mHealth and digital technologies

Our leading employer data privacy practice provides sophisticated advice to domestic and international employers and vendors on a wide spectrum of employee data privacy matters, including employee data protection policies, the international transfer of employee data and employee data subject access rights. We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data privacy authorities in relevant jurisdictions worldwide.

We have particular experience in the regulation of employee benefit plans, including requirements for the protection of the privacy and security of Social Security Numbers and other employee personal information. We also provide timely, effective counsel in response to cyberattacks and other security breaches affecting employee personal information.

We routinely advise on the following:

• International inter- and multi-company agreements to collect, transfer and use employee data (including model clauses and binding corporate rules)
• Ramifications for employee data transfer of the new EU/US Privacy Shield
• Organizational compliance requirements in relation to the impending EU
• General Data Protection Regulation
• Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
• Separation, where required, of employee data on group servers
• Individual contract terms regarding the collection and processing of the personal data of executives and other employees
• Employee data privacy policies
• Data privacy implications of the implementation of global whistleblowing hotlines (including obligations arising for certain organizations under the
• US Sarbanes-Oxley Act
• Responses to employee data subject access requests

At the forefront of data innovation and what’s next

Whether you are navigating the increasingly complex web of emerging privacy laws, responding to a data incident, unleashing the power of the data you collect, finding ways to safeguard the valuable information you hold or otherwise in need of a data-based “gut check,” our global privacy & cybersecurity team provides the practical guidance to minimize risk and drive your business forward.

Clients turn to our award-winning team for risk-based insights rooted in commercially oriented advice informed by regulatory expertise. Having worked in-house and been seconded to some of the most well-known companies, we understand our clients’ expectations and the need to identify realistic risk priorities and maximize business opportunities. Our team comprises engineers and computer coders, former senior government officials and cybercrime prosecutors. In addition, we helped draft the laws—we contributed to the legislative process to develop the California Privacy Rights Act (CPRA) and served at the European Commission leading deliberations over the General Data Protection Regulation (GDPR) and the e-Privacy regulation. We help you plan and prepare for the full lifecycle of data privacy needs, from proactive privacy and security counseling to incident response and regulatory and civil litigation.

Corporations across a wide range of industries partner with us to solve their most complex challenges, including:

• Developing global “soup to nuts” privacy and cybersecurity compliance programs
• Navigating evolving state and international privacy laws and sector-specific cybersecurity requirements
• Addressing the increased scrutiny and attention on privacy and cybersecurity from regulators, plaintiffs’ bar, vendors, insurers, customers and consumers
• Implementing “reasonable” cybersecurity and privacy standards that survive regulatory oversight and litigation
• Combatting increasingly sophisticated threat actors
• Developing scalable frameworks for evaluating vendors and corporate acquisition targets
• Developing data collection, monetization and digital marketing strategies
• Counseling on product development
• Advising on the cross-border transfer of personal data
• Maintaining attorney-client privilege and work product protections for internal investigations
• Deploying efficient and effective templates and resources

We are the premier firm for the healthcare sector and the only health law practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. We provide sophisticated counsel to clients on the gamut of healthcare data privacy and security issues and regularly develop comprehensive health information privacy and security compliance programs for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH Act) and related state laws.

We routinely conduct, develop or provide health-related:

• Customized privacy, security and incident-response policies
• Day-to-day compliance counseling
• Privacy compliance audits and security risk assessments
• Compliance training
• Privacy and security incident response guidance
• Data and health information technology license agreements
• A cornerstone of our health information privacy and security compliance practice is our suite of template HIPAA Materials.

Our lawyers have helped companies successfully resolve all aspects of countless security breaches and other privacy incidents, including hundreds of matters involving protected health information (PHI) under HIPAA. From cyberattacks and malicious insiders to lost laptops, unsecured data and mailing mishaps, we have handled the full spectrum of PHI incidents. We also regularly negotiate settlements and resolution agreements with the HHS Office for Civil Rights (OCR) arising out of complaint investigations and security breach reports, including serving as lead counsel in connection with multiple OCR investigations of breach matters affecting 500 or more individuals.

We are at the forefront of the design, negotiation and implementation of license agreements and other collaborations among health industry stakeholders for the development and deployment of big-data strategies and cutting-edge health IT. Our team provides seamless advice to clients’ privacy and IT professionals by combining our deep understanding of privacy and security laws and our practical experience in the acquisition and implementation of electronic health record (EHR) systems, enterprise-resource planning systems, data-warehouse technology and other IT systems.

Our attorneys are experienced in advising corporate counsel and companies’ IT security teams on the complexity of security requirements and evolving best practices. We help clients manage privacy and cybersecurity risks in nearly all aspects of their operations. We have hands-on experience advising on the most challenges issues, including:

Incident response preparedness and after-action remediation

Our attorneys have extensive experience in the development and implementation of cyber incident response plans and data-breach response procedures. We regularly help identify gaps after a security incident and assess and construct tailored remediation plans and protocols.

Risk management in M&A transactions

We work with our M&A clients to assess the cybersecurity risks of proposed transactions and to structure deal terms to mitigate that risk. We conduct legal due diligence that may include a review of the client’s privacy and cybersecurity policies, and provide advice on a range of legal issues, including steps that may be taken to mitigate privacy and cybersecurity risk in connection with the transaction. Where appropriate, we partner with leading cybersecurity risk firms to conduct cybersecurity due diligence on potential target companies. This due diligence can include assessing deficiencies in technical controls, establishing benchmarks against best practices and providing recommendations for improvements.

Risk management for benefit plans

We advise benefit plans on the management of cyber risks. Our work often includes a review of the plan’s privacy and cybersecurity policies, an assessment of legal responsibility for losses, recommendations on training policies to reinforce data security, and advising the client on measures to reduce cyber risk. Where appropriate, we partner with leading cybersecurity risk firms to conduct technical assessments of the plan’s systems.

Privacy/cybersecurity compliance programs

We build privacy and data security programs for clients facing the intricacies of collecting, storing, processing, transmitting and disposing of data, and have particular depth assisting multinational organizations. We assist in developing strategies in the data collection arena and assess compliance in notices, privacy policies and backend processes. We regularly perform audits of existing policies, procedures and systems to identify compliance gaps. Following the completion of these audits, we recommend business-minded solutions and help companies implement internal and external controls that can fill those compliance gaps. With our clients’ business objectives in mind, we engage in strategic planning to help them maximize the value and use of consumer data for the benefit of the company. We also draft internally and externally facing privacy and information security policies.

International privacy compliance

We advise global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals. We regularly assist clients with international data transfer mechanisms, including the EU/US Privacy Shield, responses to global data breaches, and compliance with the EU’s data protection laws and General Data Protection Regulation and other non-US privacy laws.

The collection, use and disclosure of personal data trigger a range of privacy and cybersecurity laws and regulations, all of which are enforced by aggressive plaintiffs’ lawyers and government agencies. The retention of sensitive proprietary information pertaining to business partners also implicates a range of legal obligations, and exposure of such information often results in litigation and strained business relationships.

Our lawyers have handled hundreds of data breaches and draw on this experience to routinely represent clients in litigation and governmental investigations arising out of large, complex data breaches, including major incidents involving millions of personal, financial or patient records. We have also represented clients in complex class actions in courts around the country and in governmental investigations by the US Federal Trade Commission (FTC), Office for Civil Rights (OCR) and Federal Communications Commission (FCC), and by state attorneys general. We have also advised clients in disputes with vendors and business partners over losses arising out of cyber incidents.

We are the health-industry market leader with respect to handling responses to OCR investigations. Our lawyers have unparalleled experience negotiating resolution agreements with OCR on behalf of health clients, including major academic medical centers, health plans and provider networks.

We have litigated some of the most important privacy cases in recent years and have obtained landmark rulings, including the US Supreme Court’s 2015 ruling in Gobeille v. Liberty Mutual. We have defended clients in scores of federal and state cases across the country, including dozens of class actions involving claims under federal and state privacy laws, the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Fair Debt Collection Practices Act, and unfair and deceptive practices statutes, as well as numerous common-law privacy and security claims. We have also represented companies in data collection matters, disputes and class actions involving personal information acquired at point of sale using credit and debit cards in a number of states, including Song Beverly and other state statutes.