Information Security and Risk Mitigation
Overview
Our attorneys are experienced in advising corporate counsel and companies’ IT security teams on the complexity of security requirements and evolving best practices. We help clients manage privacy and cybersecurity risks in nearly all aspects of their operations. We have hands-on experience advising on the most challenging issues, including:
Incident response preparedness and after-action remediation
Our attorneys have extensive experience in the development and implementation of cyber incident response plans and data-breach response procedures. We regularly help identify gaps after a security incident and assess and construct tailored remediation plans and protocols.
Risk management in M&A transactions
We work with our M&A clients to assess the cybersecurity risks of proposed transactions and to structure deal terms to mitigate that risk. We conduct legal due diligence that may include a review of the client’s privacy and cybersecurity policies, and provide advice on a range of legal issues, including steps that may be taken to mitigate privacy and cybersecurity risk in connection with the transaction. Where appropriate, we partner with leading cybersecurity risk firms to conduct cybersecurity due diligence on potential target companies. This due diligence can include assessing deficiencies in technical controls, establishing benchmarks against best practices and providing recommendations for improvements.
Risk management for benefit plans
We advise benefit plans on the management of cyber risks. Our work often includes a review of the plan’s privacy and cybersecurity policies, an assessment of legal responsibility for losses, recommendations on training policies to reinforce data security, and advising the client on measures to reduce cyber risk. Where appropriate, we partner with leading cybersecurity risk firms to conduct technical assessments of the plan’s systems.
Privacy/cybersecurity compliance programs
We build privacy and data security programs for clients facing the intricacies of collecting, storing, processing, transmitting and disposing of data, and have particular depth assisting multinational organizations. We assist in developing strategies in the data collection arena and assess compliance in notices, privacy policies and backend processes. We regularly perform audits of existing policies, procedures and systems to identify compliance gaps. Following the completion of these audits, we recommend business-minded solutions and help companies implement internal and external controls that can fill those compliance gaps. With our clients’ business objectives in mind, we engage in strategic planning to help them maximize the value and use of consumer data for the benefit of the company. We also draft internally and externally facing privacy and information security policies.
International privacy compliance
We advise global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals. We regularly assist clients with international data transfer mechanisms, including the EU/US Privacy Shield, responses to global data breaches, and compliance with the EU’s data protection laws and General Data Protection Regulation and other non-US privacy laws.
Developed data security addenda for a Massachusetts-based health care system to use with its HIPAA-covered and non-HIPAA covered vendors, and developed a company-wide vendor management policy that fits with the company’s HIPAA security risk analysis
Advised a Japanese company on its obligations under US law to protect data it would receive as a result of its acquisition of a US-based company
Vetted consumer privacy and information security risks in multimillion-dollar transactions involving a private equity company’s acquisition of two national data brokers
In addition to spanning geographies and jurisdictions, today's digital ecosystem is increasingly the focus of regulators who are highly sensitive to the complex issues surrounding online behavioral marketing campaigns and other modern uses of consumer data.
Our lawyers work hand-in-hand with client companies to analyze existing consumer data marketing strategies and develop new approaches - ranging from compliant consent or opt-out processes to targeted digital consumer marketing initiatives - that help them achieve core business objectives. We also advise in-house counsel and privacy officers on how to avoid or minimize regulatory scrutiny and alleviate consumer concerns over the collection, processing and storage of data.
Among other activities that may trigger consumer-protection laws in various jurisdictions, we provide counsel on telemarketing, text messaging, email marketing and promotions, and social media. In particular, our lawyers advise clients on the following:
Development of compliant privacy policies and terms of use
Compliance with the Telephone Consumer Protection Act requirements for telemarketing and text communications
Compliance with CAN-SPAM requirements to ensure consumer-sensitive approaches to email marketing and promotions
Development of processes for managing consumer data in data-driven businesses
Assessment of data collection practices and procedures, including for merchants at point of sale using credit and debit cards
Review and updating online and web data collection practices and protocols
Cross-Border Data Protection
Our privacy lawyers are well established in Germany, France, the UK and Italy, and provide sophisticated privacy advice to domestic and multi-national companies and vendors on a wide spectrum of data protection matters. These include global privacy policies, data transfer mechanisms, Privacy Shield assessments, notifications to in-country data protection authorities, GDPR preparation, reviews of new data laws and other compliance steps.
We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data protection authorities in relevant jurisdictions worldwide.
We have particular experience in EU/US Privacy Shield implementation strategies, with template documents and roadmap protocols to lessen the initial management time. Because we have had experience in FTC enforcement actions with Safe Harbor violations, we can assist clients in avoiding costly mistakes and remedying existing ones.
We also provide timely, effective counsel and strategies in response to multi-country cyberattacks and other security breaches affecting personal information.
We routinely advise on the following:
Organizational compliance requirements in relation to the General Data Protection Regulation due to come into force across the European Union in May 2018
International inter- and multi-company agreements to collect, transfer and use customer, employee and other data (including model clauses and binding corporate rules)
Assessments and implementation of the new US-EU Privacy Shield for data transfer
Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
Third party vendor management and contract terms regarding the collection and processing of the personal data in-country and cross-border
Multinational privacy policies
Data privacy implications of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act)
Responses to data subject access requests
Data Breach Management
We have guided clients through assessments and responses to hundreds of data breaches, including some of the largest cyber incidents to date as well as more limited exposures of confidential or proprietary information. We have experience in all types of cyber hazards, including state-sponsored attacks, overseas criminal hackers, ransomware, insider threats and system compromises resulting from misconfigurations.
We maintain three incident response teams (IRTs), each focused on a particular type of data that implicates a different legal regime. Our teams are available to respond to client issues seven days per week, at all times.
Our General Data IRT includes lawyers who have been recognized among the nation’s leading practitioners in cyber incident response. This team has handled breaches involving consumer, employee or proprietary information for a diverse range of clients, including technology companies, telecommunications providers, financial service institutions and retailers.
Our Health IRT includes lawyers from our Health Industry Advisory Practice Group, the only such practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. Members of our team possess a deep understanding of health data privacy issues and deliver comprehensive breach response advice to health providers, health technology companies, life sciences companies and others in the health industry.
Our International IRT brings together attorneys from the United States, Europe and Asia and has handled breaches that have involved laws and regulations of more than 100 countries.
Each of our teams is experienced in handling all phases of a data breach response, including:
Participation and leadership of incident response teams
Retention and coordination with forensic, cybersecurity, public-relations, and notification firms
Notice to affected persons such as consumers and business partners as well as to US federal, state and non-US regulators
Coordination with US Attorney offices, Federal Bureau of Investigation (FBI), Secret Service, Federal Trade Commission (FTC), Federal Communications Commission (FCC), state attorneys general, regulators and other government agencies
Coordination with auditors, senior executives and boards of directors
Development of public-relations strategies
Management of post-breach cyber assessments and remediation counseling
Responses to governmental investigations
Defense of class-action and multidistrict litigation
Data Strategies and Authorizations
We are a leading provider of legal advice regarding regulatory and transactional issues raised by the development and implementation of big-data strategies and platforms. We use a multidisciplinary approach to identify the goals and address the legal needs of clients with valuable data assets. This coordinated methodology distinguishes us from other firms that may view data solely as a regulatory or intellectual property concern.
Our team advises data sources and data aggregators on the myriad data privacy and consumer protection law compliance issues raised by the collection, aggregation and use of personally identifiable information and other data from consumers, customers or other data sources. For example, we routinely help clients implement data strategies consistent with the regulatory requirements and expectations of the Federal Trade Commission (FTC) and other federal and state regulators.
Our team advises data sources in connection with agreements for which the primary purpose is the licensing of rights to aggregate and use data. We also counsel clients on service and other agreements where the vendor requests data rights for secondary data uses, and on the following:
Research compliance, research program structure, and operational and compliance infrastructure
Complex research affiliation agreements and arrangements
Scientific review and research misconduct proceedings and investigations (internal and with government involvement)
Biobanking and registry development and compliance, including emerging issues involving the future, unspecified use of biospecimens and genomic data
Development and implementation of data-sharing strategies and platforms to achieve business objectives, particularly in connection with biomedical innovation, health care reform, electronic health record implementation and quality assurance requirements
Data privacy, data mapping and data use strategies for mobile apps and other mHealth and digital technologies
Employer Data Privacy
Our leading employer data privacy practice provides sophisticated advice to domestic and international employers and vendors on a wide spectrum of employee data privacy matters, including employee data protection policies, the international transfer of employee data and employee data subject access rights. We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data privacy authorities in relevant jurisdictions worldwide.
We have particular experience in the regulation of employee benefit plans, including requirements for the protection of the privacy and security of Social Security Numbers and other employee personal information. We also provide timely, effective counsel in response to cyberattacks and other security breaches affecting employee personal information.
We routinely advise on the following:
International inter- and multi-company agreements to collect, transfer and use employee data (including model clauses and binding corporate rules)
Ramifications for employee data transfer of the new EU/US Privacy Shield
Organizational compliance requirements in relation to the impending EU General Data Protection Regulation
Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
Separation, where required, of employee data on group servers
Individual contract terms regarding the collection and processing of the personal data of executives and other employees
Employee data privacy policies
Data privacy implications of the implementation of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act)
Responses to employee data subject access requests
Data, Privacy & Cybersecurity
At the forefront of data innovation and what’s next
Whether you are navigating the increasingly complex web of emerging privacy laws, responding to a data incident, unleashing the power of the data you collect, finding ways to safeguard the valuable information you hold or otherwise in need of a data-based “gut check,” our global privacy & cybersecurity team provides the practical guidance to minimize risk and drive your business forward.
Clients turn to our award-winning team for risk-based insights rooted in commercially oriented advice informed by regulatory expertise. Having worked in-house and been seconded to some of the most well-known companies, we understand our clients’ expectations and the need to identify realistic risk priorities and maximize business opportunities. Our team comprises engineers and computer coders, former senior government officials and cybercrime prosecutors. In addition, we helped draft the laws—we contributed to the legislative process to develop the California Privacy Rights Act (CPRA) and served at the European Commission leading deliberations over the General Data Protection Regulation (GDPR) and the e-Privacy regulation. We help you plan and prepare for the full lifecycle of data privacy needs, from proactive privacy and security counseling to incident response and regulatory and civil litigation.
Corporations across a wide range of industries partner with us to solve their most complex challenges, including:
Developing global “soup to nuts” privacy and cybersecurity compliance programs
Navigating evolving state and international privacy laws and sector-specific cybersecurity requirements
Addressing the increased scrutiny and attention on privacy and cybersecurity from regulators, plaintiffs’ bar, vendors, insurers, customers and consumers
Implementing “reasonable” cybersecurity and privacy standards that survive regulatory oversight and litigation
Developing scalable frameworks for evaluating vendors and corporate acquisition targets
Developing data collection, monetization and digital marketing strategies
Counseling on product development
Advising on the cross-border transfer of personal data
Maintaining attorney-client privilege and work product protections for internal investigations
Deploying efficient and effective templates and resources
Privacy and Health Information
We are the premier firm for the healthcare sector and the only health law practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. We provide sophisticated counsel to clients on the gamut of healthcare data privacy and security issues and regularly develop comprehensive health information privacy and security compliance programs for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH Act) and related state laws.
We routinely conduct, develop or provide health-related:
Customized privacy, security and incident-response policies
Day-to-day compliance counseling
Privacy compliance audits and security risk assessments
Compliance training
Privacy and security incident response guidance
Data and health information technology license agreements
A cornerstone of our health information privacy and security compliance practice is our suite of template HIPAA Materials.
Our lawyers have helped companies successfully resolve all aspects of countless security breaches and other privacy incidents, including hundreds of matters involving protected health information (PHI) under HIPAA. From cyberattacks and malicious insiders to lost laptops, unsecured data and mailing mishaps, we have handled the full spectrum of PHI incidents. We also regularly negotiate settlements and resolution agreements with the HHS Office for Civil Rights (OCR) arising out of complaint investigations and security breach reports, including serving as lead counsel in connection with multiple OCR investigations of breach matters affecting 500 or more individuals.
We are at the forefront of the design, negotiation and implementation of license agreements and other collaborations among health industry stakeholders for the development and deployment of big-data strategies and cutting-edge health IT. Our team provides seamless advice to clients’ privacy and IT professionals by combining our deep understanding of privacy and security laws and our practical experience in the acquisition and implementation of electronic health record (EHR) systems, enterprise-resource planning systems, data-warehouse technology and other IT systems.
Privacy Litigation and Government Investigations
The collection, use and disclosure of personal data trigger a range of privacy and cybersecurity laws and regulations, all of which are enforced by aggressive plaintiffs’ lawyers and government agencies. The retention of sensitive proprietary information pertaining to business partners also implicates a range of legal obligations, and exposure of such information often results in litigation and strained business relationships.
Our lawyers have handled hundreds of data breaches and draw on this experience to routinely represent clients in litigation and governmental investigations arising out of large, complex data breaches, including major incidents involving millions of personal, financial or patient records. We have also represented clients in complex class actions in courts around the country and in governmental investigations by the US Federal Trade Commission (FTC), Office for Civil Rights (OCR) and Federal Communications Commission (FCC), and by state attorneys general. We have also advised clients in disputes with vendors and business partners over losses arising out of cyber incidents.
We are the health-industry market leader with respect to handling responses to OCR investigations. Our lawyers have unparalleled experience negotiating resolution agreements with OCR on behalf of health clients, including major academic medical centers, health plans and provider networks.
We have litigated some of the most important privacy cases in recent years and have obtained landmark rulings, including the US Supreme Court’s 2015 ruling in Gobeille v. Liberty Mutual. We have defended clients in scores of federal and state cases across the country, including dozens of class actions involving claims under federal and state privacy laws, the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Fair Debt Collection Practices Act, and unfair and deceptive practices statutes, as well as numerous common-law privacy and security claims. We have also represented companies in data collection matters, disputes and class actions involving personal information acquired at point of sale using credit and debit cards in a number of states, including Song Beverly and other state statutes.