The collection, retention, use and protection of personally identifiable or confidential information, including customer data, medical records, employee records and proprietary corporate information, is a convoluted and rapidly changing area of the law. Likewise, reported data breaches and computer intrusions are at an all-time high. Attorneys at Duane Morris regularly handle security breaches and are highly knowledgeable about privacy and security laws—including U.S. federal laws (such as HIPAA, GLB, SOX, CAN-SPAM, Do-Not-Call and the Computer Fraud and Abuse Act), state laws (breach notification and related statutes) and legislation in Europe and Asia—and frequently provide clients with compliance and auditing advice on privacy and IT security exposure. We have extensive experience in regulated industries (e.g., healthcare, financial services, telecom, insurance, etc.) and consult on the collection, processing and transmission of data outside the United States and pursuant to the EU General Data Protection Regulation (GDPR).
Attorneys in the firm's Information Technologies and Telecom practice group develop and draft Web privacy policies and corporate IT security and technology policies, conduct compliance training for employees, assist in the legal aspects of IT security audits, and prepare data retention policies and SAS 70 and ISO 27000 reports (including issues involving the security of data in third-party data centers). As class action and related litigation arising from privacy and IT security breaches increases, our lawyers are also well positioned to handle or assist in the litigation of damages actions in these often high-profile cases.
Duane Morris can assist in a wide variety of areas related to data security and privacy:
Navigating the complex regulatory minefield governing data protection is challenging. We rely on our extensive knowledge of federal, state and international laws, as well as current FTC guidance and client advocacy, to provide sound advice regarding privacy and security of consumer data in such industries as healthcare, financial services, telecom, insurance and others. In many of these markets, careful attention must also be given to the provisions of vendor and customer agreements in order to ensure regulatory compliance and to minimize the risk of potentially harmful electronic data breaches.
Policy Development and Enforcement
Members of the IT&T practice group regularly prepare and update an array of IT security policies, including:
- Online and brick-and-mortar privacy and security policies for collecting, handling and protecting sensitive data
- Enterprise data retention and destruction policies
- Internal corporate employee policies for handling and use of confidential company or customer information
- Guidelines and advice regarding protection of competitively sensitive corporate information (e.g., trade secrets, copyrights, proprietary and confidential data, customer information, records data and product/pricing information)
In today's digital age, where a single misplaced laptop or flash drive can land a company in the crosshairs of the plaintiffs' bar, corporations of all sorts must develop internal human resource (HR) policies for employees governing handling and use of information. Attorneys in the practice group have a wealth of experience preparing and training employees on permissible employee usage of IT assets (e.g., laptops, USB drives, camera phones, iPods, PDAs, etc.) and services (e.g., email, instant messaging and SMS/text messaging). Our attorneys also advise clients on identity theft by employees (reportedly 70% of identity theft in the United States occurs internally) and on the scope of employers' rights to monitor and intercept employee communications.
Every corporate sale or vendor agreement, particularly if it involves partnering with another company for some or all of manufacturing or fulfillment, presents a risk to privacy and data security. Where regulatory standards exist, they must be incorporated into (and followed upon implementation of) transactional agreements. Where state-specific requirements, frequently pioneered in California, are at issue, attention must be given to ensuring that deal partners know and adhere to the law despite geographic differences.
mHealth, Telemedicine and Medical Data
Information technology is becoming increasingly entwined with healthcare. From accessing electronic medical records to wireless delivery of test results and treatment information, mobile health (mHealth), telemedicine and health information technology (HIT) issues regarding privacy and data protection continue to grow exponentially in the healthcare space. Duane Morris has a multidisciplinary client team experienced in addressing the legal issues that clients must consider in developing, funding or deploying a product or service that could be considered mHealth or telemedicine, or relies on HIT. The firm also regularly represents providers, such as hospitals, physicians and nursing homes, health plans and payors, vendors and other entities on the privacy and security requirements, including breach responses, under the Health Insurance Portability and Accountability Act (HIPAA) and other laws.
Security Breach, Crisis Management and Litigation
No data security process is impenetrable, and vulnerabilities, whether inadvertent or malicious, will always exist. Hence, when Social Security or credit card numbers are hacked from a corporation's IT system, there is more than one audience for the board of directors to satisfy. Astute directors and CEOs will devote equal attention to three complementary areas: media relations, legal compliance and proactive fixes. While adhering to statutory obligations for customer notice is necessary, it is far from sufficient to ward off or end litigation claims by federal agencies (principally the FTC) and by those whose information has been compromised. At Duane Morris, our IT&T attorneys can assist in each of these endeavors, through and including trial of damages and class action claims.