McDermott Will & Schulte, a global law firm

In addition to spanning geographies and jurisdictions, today’s digital ecosystem is increasingly the focus of regulators who are highly sensitive to the complex issues surrounding online behavioral marketing campaigns and other modern uses of consumer data.

Our lawyers work hand-in-hand with client companies to analyze existing consumer data marketing strategies and develop new approaches — ranging from compliant consent or opt-out processes to targeted digital consumer marketing initiatives — that help them achieve core business objectives. We also advise in-house counsel and privacy officers on how to avoid or minimize regulatory scrutiny and alleviate consumer concerns over the collection, processing and storage of data.

Among other activities that may trigger consumer-protection laws in various jurisdictions, we provide counsel on telemarketing, text messaging, email marketing and promotions, and social media. In particular, our lawyers advise clients on the following:

• Development of compliant privacy policies and terms of use
• Compliance with the Telephone Consumer Protection Act requirements for telemarketing and text communications
• Compliance with CAN-SPAM requirements to ensure consumer-sensitive approaches to email marketing and promotions
• Development of processes for managing consumer data in data-driven businesses
• Assessment of data collection practices and procedures, including for merchants at point of sale using credit and debit cards
• Review and updating online and web data collection practices and protocols

Our privacy lawyers are well established in Germany, France, the UK and Italy, and provide sophisticated privacy advice to domestic and multi-national companies and vendors on a wide spectrum of data protection matters. These include global privacy policies, data transfer mechanisms, Privacy Shield assessments, notifications to in-country data protection authorities, General Data Protection Regulation (GDPR) compliance, reviews of new data laws and other compliance steps.

We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data protection authorities in relevant jurisdictions worldwide.

We have particular experience in EU/US Privacy Shield implementation strategies, with template documents and roadmap protocols to lessen the initial management time. Because we have had experience in FTC enforcement actions with Safe Harbor violations, we can assist clients in avoiding costly mistakes and remedying existing ones.

We also provide timely, effective counsel and strategies in response to multi-country cyberattacks and other security breaches affecting personal information.

We routinely advise on the following:

• Organizational compliance requirements in relation to the GDPR
• International inter- and multi-company agreements to collect, transfer and use customer, employee and other data (including model clauses and binding corporate rules)
• Assessments and implementation of the new US-EU Privacy Shield for data transfer
• Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
• Third party vendor management and contract terms regarding the collection and processing of the personal data in-country and cross-border
• Multinational privacy policies
• Data privacy implications of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act)
• Responses to data subject access requests

We have guided clients through assessments of and responses to hundreds of data breaches, including some of the largest cyber incidents to date as well as more limited exposures of confidential or proprietary information. We have experience in all types of cyber hazards, including state-sponsored attacks, overseas criminal hackers, ransomware, insider threats and system compromises resulting from misconfigurations.

We maintain three incident response teams (IRTs), each focused on a particular type of data that implicates a different legal regime. Our teams are available to respond to client issues seven days per week, at all times.

Our General Data IRT includes lawyers who have been recognized among the nation’s leading practitioners in cyber incident response. This team has handled breaches involving consumer, employee or proprietary information for a diverse range of clients, including technology companies, telecommunications providers, financial service institutions and retailers.

Our Health IRT includes lawyers from our Health Industry Advisory Practice Group, the only such practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. Members of our team possess a deep understanding of health data privacy issues and deliver comprehensive breach response advice to health providers, health technology companies, life sciences companies and others in the health industry.

Our International IRT brings together attorneys from the United States, Europe and Asia and has handled breaches that have involved laws and regulations of more than 100 countries.

Each of our teams is experienced in handling all phases of a data breach response, including:

• Participation in and leadership of incident response teams
• Retention and coordination with forensic, cybersecurity, public-relations, and notification firms
• Notice to affected persons such as consumers and business partners as well as to US federal, state and non-US regulators
• Coordination with US Attorney offices, Federal Bureau of Investigation (FBI), Secret Service, Federal Trade Commission (FTC), Federal
• Communications Commission (FCC), state attorney generals, regulators and other government agencies
• Coordination with auditors, senior executives and boards of directors
• Development of public-relations strategies
• Management of post-breach cyber assessments and remediation counseling
• Responses to governmental investigations
• Defense of class-action and multidistrict litigation

We are a leading provider of legal advice regarding regulatory and transactional issues raised by the development and implementation of big-data strategies and platforms. We use a multidisciplinary approach to identify the goals and address the legal needs of clients with valuable data assets. This coordinated methodology distinguishes us from other firms that may view data solely as a regulatory or intellectual property concern.

Our team advises data sources and data aggregators on the myriad data privacy and consumer protection law compliance issues raised by the collection, aggregation and use of personally identifiable information and other data from consumers, customers or other data sources. For example, we routinely help clients implement data strategies consistent with the regulatory requirements and expectations of the Federal Trade Commission (FTC) and other federal and state regulators.

Our team advises data sources in connection with agreements for which the primary purpose is the licensing of rights to aggregate and use data. We also counsel clients on service and other agreements where the vendor requests data rights for secondary data uses, and on the following:

• Research compliance, research program structure, and operational and compliance infrastructure
• Complex research affiliation agreements and arrangements
• Scientific review and research misconduct proceedings and investigations (internal and with government involvement)
• Biobanking and registry development and compliance, including emerging issues involving the future, unspecified use of biospecimens and genomic data
• Development and implementation of data-sharing strategies and platforms to achieve business objectives, particularly in connection with biomedical innovation, health care reform, electronic health record implementation and quality assurance requirements
• Data privacy, data mapping and data use strategies for mobile apps and other mHealth and digital technologies

Our leading employer data privacy practice provides sophisticated advice to domestic and international employers and vendors on a wide spectrum of employee data privacy matters, including employee data protection policies, the international transfer of employee data and employee data subject access rights. We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data privacy authorities in relevant jurisdictions worldwide.

We have particular experience in the regulation of employee benefit plans, including requirements for the protection of the privacy and security of Social Security Numbers and other employee personal information. We also provide timely, effective counsel in response to cyberattacks and other security breaches affecting employee personal information.

We routinely advise on the following:

• International inter- and multi-company agreements to collect, transfer and use employee data (including model clauses and binding corporate rules)
• Ramifications for employee data transfer of the new EU/US Privacy Shield
• Organizational compliance requirements in relation to the impending EU
• General Data Protection Regulation
• Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
• Separation, where required, of employee data on group servers
• Individual contract terms regarding the collection and processing of the personal data of executives and other employees
• Employee data privacy policies
• Data privacy implications of the implementation of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act
• Responses to employee data subject access requests

Data gives businesses the power to make informed decisions and compete more effectively – but collecting, storing, and using data can result in legal and regulatory exposure. Our cybersecurity lawyers help you navigate that risk while supporting the strategic use of data to enhance your business operations.

We advise on all aspects of data, privacy, and cybersecurity, from developing compliance frameworks and implementing defensible security standards to counseling on product development, AI integration, digital marketing, and data monetization strategies. We also help clients navigate cross-border data transfers, incident response and data breach matters, investigations, regulatory scrutiny, and litigation.

Privacy, cybersecurity, and data governance issues touch every part of your business. Our cybersecurity lawyers collaborate across key practice areas including technology, transactions, litigation, employment, investigations, and regulatory to address risk wherever it arises. The team also includes engineers and computer coders, former in-house counsel, and former senior government officials, including cybercrime prosecutors.

Our lawyers helped shape major privacy frameworks – including the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR). We also advise on other evolving state, federal, and international privacy laws, including the California Consumer Privacy Act (CCPA), the e-Privacy regulation, and sector-specific requirements.

We work with you to assess cybersecurity maturity, identify gaps, and develop tailored risk mitigation strategies. When incidents occur, we help you respond to data breaches, ransomware attacks, insider threats, and other cybersecurity incidents with a focus on limiting business disruption and financial exposure. Our cybersecurity lawyers also guide you through sensitive investigations, regulatory scrutiny, litigation, and other disputes that arise from the misuse, loss, or theft of data.

Managing the legal and regulatory exposure associated with data use has become more complex as technologies advance and cyber threats become more sophisticated. We help you mitigate data, privacy, and cybersecurity risk through integrated strategies designed to protect your business, advance innovation, and support growth.

Our attorneys are experienced in advising corporate counsel and companies’ IT security teams on the complexity of security requirements and evolving best practices. We help clients manage privacy and cybersecurity risks in nearly all aspects of their operations. We have hands-on experience advising on the most challenging issues, including:

Incident Response Preparedness and After-Action Remediation

Our attorneys have extensive experience in the development and implementation of cyber incident response plans and data-breach response procedures. We regularly help identify gaps after a security incident and assess and construct tailored remediation plans and protocols.

Risk Management in M&A Transactions

We work with our M&A clients to assess the cybersecurity risks of proposed transactions and to structure deal terms to mitigate that risk. We conduct legal due diligence that may include a review of the client’s privacy and cybersecurity policies, and provide advice on a range of legal issues, including steps that may be taken to mitigate privacy and cybersecurity risk in connection with the transaction. Where appropriate, we partner with leading cybersecurity risk firms to conduct cybersecurity due diligence on potential target companies. This due diligence can include assessing deficiencies in technical controls, establishing benchmarks against best practices and providing recommendations for improvements.

Risk Management for Benefit Plans

We advise benefit plans on the management of cyber risks. Our work often includes a review of the plan’s privacy and cybersecurity policies, an assessment of legal responsibility for losses, recommendations on training policies to reinforce data security, and advising the client on measures to reduce cyber risk. Where appropriate, we partner with leading cybersecurity risk firms to conduct technical assessments of the plan’s systems.

Privacy/Cybersecurity Compliance Programs

We build privacy and data security programs for clients facing the intricacies of collecting, storing, processing, transmitting and disposing of data, and have particular depth assisting multinational organizations. We assist in developing strategies in the data collection arena and assess compliance in notices, privacy policies and backend processes. We regularly perform audits of existing policies, procedures and systems to identify compliance gaps. Following the completion of these audits, we recommend business-minded solutions and help companies implement internal and external controls that can fill those compliance gaps. With our clients’ business objectives in mind, we engage in strategic planning to help them maximize the value and use of consumer data for the benefit of the company. We also draft internally and externally facing privacy and information security policies.

International Privacy Compliance

We advise global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals. We regularly assist clients with international data transfer mechanisms, including the EU/US Privacy Shield, responses to global data breaches, and compliance with the EU’s data protection laws and General Data Protection Regulation and other non-US privacy laws.

The collection, use and disclosure of personal data trigger a range of privacy and cybersecurity laws and regulations, all of which are enforced by aggressive plaintiffs’ lawyers and government agencies. The retention of sensitive proprietary information pertaining to business partners also implicates a range of legal obligations, and exposure of such information often results in litigation and strained business relationships.

Our lawyers have handled hundreds of data breaches and draw on this experience to routinely represent clients in litigation and governmental investigations arising out of large, complex data breaches, including major incidents involving millions of personal, financial or patient records. We have also represented clients in complex class actions in courts around the country and in governmental investigations by the US Federal Trade Commission (FTC), Office for Civil Rights (OCR) and Federal Communications Commission (FCC), and by state attorneys general. We have also advised clients in disputes with vendors and business partners over losses arising out of cyber incidents.

We are the health-industry market leader with respect to handling responses to OCR investigations. Our lawyers have unparalleled experience negotiating resolution agreements with OCR on behalf of health clients, including major academic medical centers, health plans and provider networks.

We have litigated some of the most important privacy cases in recent years and have obtained landmark rulings, including the US Supreme Court’s 2015 ruling in Gobeille v. Liberty Mutual. We have defended clients in scores of federal and state cases across the country, including dozens of class actions involving claims under federal and state privacy laws, the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Fair Debt Collection Practices Act, and unfair and deceptive practices statutes, as well as numerous common-law privacy and security claims. We have also represented companies in data collection matters, disputes and class actions involving personal information acquired at point of sale using credit and debit cards in a number of states, including Song Beverly and other state statutes.