Cybersecurity and Data Privacy
The Goldberg Segalla Cybersecurity and Data Privacy practice group is a multidisciplinary team of attorneys working across the country to counsel, train, and defend clients facing all conceivable cybersecurity and data-related matters. With verdict-tested trial lawyers, preeminent intellectual property litigators, and leading regulatory attorneys collaborating to provide 360-degree cyber counsel, our team helps industry-leading companies, their executives and IT professionals, and their insurers to:
- Assess and address data security risks and cyber coverage
- Prepare for cyberattacks and data breaches
- Protect business interests by negotiating risk transfer and indemnity provisions in technology contracts
- Create policies and procedures to mitigate risk and minimize liability
- Respond quickly and comprehensively to data security incidents
- Defend against post-breach claims and legal proceedings, as well as legal challenges to data-related business practices
- Navigate regulatory, statutory, and contractual requirements at every level
- Anticipate the future flashpoints that will define the fields of cybersecurity, data privacy, and intellectual property
Click below to review a selection of our representative matters, and read on to learn more about some of our areas of focus.
- Advising companies on how to comply with data privacy regulations
- Monitoring and responding to ransomware and data breach events
- Defending insureds in data breach class actions involving the loss of PII, PHI, and confidential and proprietary information
- Defending insureds, and advising insurers in coverage matters, with regard to claims alleging violations of Illinois’ Biometric Information Protection Act
- Defending insureds, and advising insurers in coverage matters, with regard to claims arising out of website and electronic kiosk ADA non-compliance
- Advising on the development of insurance products insuring cryptocurrencies and initial coin offerings
- Advising clients on the regulatory issues associated with InsureTech products
- Advising clients on cyber risk management issues and availability of coverage for cyber exposures
- Advising an energy industry mutual insurer in the development of property and accidental outage coverage triggered by a cyber event
- Defending clients against third-party claims alleging negligence giving rise to a data breach or other network security issue
- Representing insurers in coverage disputes involving silent cyber coverage under products that were not intended to insure cyber events, including CGL Coverage A and B, Professional E&O, Management Liability, and Crime policies
- Representing insurers in coverage disputes involving first party claims seeking forensic expenses, costs for responding to regulatory investigations, business interruption loss, contingent business interruption loss, and extra expenses
- Representing insurers and defending clients in matters arising out of modular cyber, tech, and media policies
- Represented an insurer in a complicated matter involving an insured law firm that fell victim to a ransomware attack: Rather than call in its outside IT support vendor, with which it had worked successfully for years, the managing partner of the insured firm tried to MacGyver his way through the 24-hour ransomware deadline. He succeeded in acquiring bitcoin and in paying the ransom, but when unlocking the data he mismanaged the task and lost more than a thousand man-hours of ledgers that had been uploaded and stored on a virtual server within the affected device. Our client paid the firm for hardware and software remediation, plus the ransom, and then asserted a subrogation claim against the IT vendor. After gaining a thorough understanding of the involved IT architecture, we were able to demonstrate that the ransomware attack could not confidently be linked to any security flaws resulting from the vendor’s work, and we argued that the firm’s self-help approach was not reasonable. This paved the way for a quick and favorable negotiated resolution.
- Drafting of cyber insurance policies and related endorsements
- Obtained a dismissal on behalf of a domestic insurer in high-profile cyber insurance coverage litigation stemming from the Sony PlayStation data breach
- Negotiating and drafting contracts involving services rendered by technology companies and associated defense and indemnification provisions
- Counseling insurers on the scope of coverage under their cyber insurance policies in relation to the outbreak of class action litigation involving the capture and/or disclosure of personally identifiable information, invasion of privacy claims, and alleged violation of state and federal statutes
- Counseling insurers in drafting language for a new cyber policy to exclude certain types of media liability coverage, drawing on specialty knowledge and extensive industry experience with the types of media risks and intellectual property involved
- Counseled an insurer on coverage for a claim by a former employee for denial of access to the company’s servers, and evaluated the interplay between multiple liability coverages available to this insured, including add-on cyber coverage
Drawing on the combined experience of our Cybersecurity and Data Privacy group as well as our Global Insurance Services group—a renowned insurance and reinsurance team ranked by market leaders and top global publications as one of the world’s largest and best practices serving this market—we have helped leading insurers and reinsurers anticipate and adapt to emerging risks and meet the growing need for new products. We also assist with reevaluating existing products and pricing models.
Our Cyber Risk Coverage group is prepared to assist insurers and reinsurers with:
- Policy wordings and negotiations
- Underwriting guidelines and coverage counsel
- Coverage dispute defense
Representative matters include:
Coverage Opinions and Litigation
- Represented a domestic insurer in high-profile insurance coverage litigation stemming from the Sony PlayStation data breach; we obtained a dismissal of the insurer, who issued a cyber insurance policy to the insured
- Represented insurers in coverage disputes involving silent cyber coverage under products that were not intended to insure cyber events, including CGL Coverage A and B, Professional E&O, Management Liability, and Crime Policies
- Advised insurers in coverage matters arising out of claims alleging violations of Illinois’ Biometric Information Protection Act
- Represented insurers in coverage disputes involving first-party claims seeking forensic expenses, costs for responding to regulatory investigations, business-interruption loss, and extra expenses
New Policy Development and Revision
- Drafted cyber policies and related endorsements
- Advised on the development of cyber products insuring cryptocurrencies and initial coin offerings
- Advised on the regulatory issues associated with InsurTech products
- Advised an energy industry mutual in the development of property and accidental outage coverage triggered by a cyber event
Because businesses collect and employ data at every level, technological vulnerabilities, outdated practices and policies, and human errors create risks at every level, too. Some of these risks include:
- Loss of personally identifiable information—from customers and employees
- Theft of business and trade secrets and other intellectual property
- Attacks on networks and operating systems and resulting business disruption
- Challenges to business practices involving collection and usage of information about customers and the disclosure of those practices
- Exposures stemming from service providers, business partners, and employees
Goldberg Segalla’s Cybersecurity and Data Privacy practice—home to attorneys who are credentialed as Certified Information Privacy Professionals, United States (CIPP/US) by the International Association of Privacy Professionals (IAPP)—is exceptionally positioned to advise clients in virtually any industry on evaluating enterprise-wide risks and updating policies and practices to limit exposure to data breaches, attacks, and other cyber incidents.
Assessing Risks, Maximizing Coverage, and Limiting Liability
We help businesses of all sizes and structures develop policies and procedures to maximize their security and minimize the potential for a data breach; choose the right insurance policies to match their needs and potential risks; and take steps to limit potential liability related to a hacking attack or virus, data security breach, cybercrime, or other data-related incident.
Our services often begin with a comprehensive technology liability audit. Our experienced attorneys will identify risks at every level, translating complex legal, technology, security, and information governance issues into plain English and offer practical advice on eliminating, limiting, or mitigating those risks.
Drawing on the experience and resources of our Global Insurance Services practice group—comprising attorneys who have worked at the cutting-edge of cyber risk policy development and coverage litigation, and regularly offer cyber coverage opinions to the world’s leading insurers—we also review and recommend cyber risk coverage policies to our clients in finance, entertainment and media, life sciences, high-tech manufacturing, and other industries. Comfortable working in this ever-evolving area of insurance coverage, we regularly negotiate or rewrite policies to include our commitment to represent the client in the event of a data breach or other claim.
Data Collection and Privacy Practices and Regulatory Compliance
Our attorneys are deeply versed in the latest regulatory compliance requirements covering data security, breach preparedness and response, and privacy, and we closely watch the judicial decisions and communications from administrative bodies at every level that indicate how the regulatory landscape is shifting.
We frequently conduct regulatory compliance audits, covering state, federal, and international requirements. We advise companies on requirements pertaining to the collection, storage, and destruction of personally identifiable information, and help realign noncompliant policies or practices.
Our regulatory experience includes:
- California Consumer Privacy Act (CCPA)
- California’s Shine the Light Law, Online Privacy Protection Act, and Confidentiality of Medical Information Law, and state-specific data security and breach response laws
- Children’s Online Privacy Protection Act (COPPA)
- Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
- Fair and Accurate Credit Transaction Act (FACTA)
- Federal agency cybersecurity guidelines, including those issued by the FTC, FDA, FCC, and the NIST cybersecurity framework
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
- Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act)
- Telephone Consumer Protection Act (TCPA)
- International data protection laws, including the General Data Protection Regulation (GDPR) and other EU and Latin American requirements
In addition, we assist clients with more complex and industry-specific regulatory requirements, including:
- Auditing multitiered contractual privacy obligations pertaining to third-party online ad-serving companies and instituting policies and procedures for data collection, use, and disclosure
- Compliance with Payment Card Industry Data Security Standards (PCI-DSS) pre-incident and post-data breach obligations
- Conducting due diligence and advising on compliance with privacy and data security laws in the sale and acquisition of company assets, including customer lists and databases containing personally identifiable information
Security Policies and Contracts
We help businesses develop internal, client-facing, and third-party privacy and security policies.
We counsel management on workplace privacy issues, including employee monitoring, whistleblower laws, safeguarding of employees’ personal data, Fair Credit Reporting Act requirements in employee screening and investigations, and faithless servant data-theft litigation.
In addition, our team can assist with contracts, agreements, indemnification clauses, and other vehicles to protect against liability. We develop and negotiate security agreements to ensure vendors defend and indemnify our clients on privacy and security issues, and we have experience with agreements involving cloud service providers, co-location facilities, outsourced services, and other entities.
Data Breach Protocols and Crisis Coaching
We work with management, IT professionals, and in-house counsel to help our clients develop and train computer security incident response teams (CSIRTs). This includes conducting tabletop exercises and war games and teaching CSIRTs how to administer broader incident response training programs for other employees.
With our cutting-edge crisis coaching, our clients are prepared to act quickly and decisively, preserving digital evidence, meeting changing and immensely complex notification requirements, and managing public relations to minimize reputational harm and help restore confidence in the company.
Along with securing digital transactions, blockchain technology integration within existing security protocols reduces numerous cybersecurity risks—including significantly reducing the effectiveness of DDOS attacks. Blockchain-based solutions can help maintain uniformity, consistency, and accuracy of data; minimize manual intervention into systems and human errors; and simply compliance.
Attorneys collaborating across our Cybersecurity and Complex Transactions groups draw on cutting-edge technical knowledge and deep business backgrounds to advise clients across all industries adopting and adapting to blockchain. We have helped numerous clients make the best strategic use of this new technology while appraising and avoiding its unique risks.
Committed to providing clients with dynamic, adaptable, and cost-efficient legal service, we are equally capable of working as an auxiliary to a client’s CSIRT and in-house counsel or taking the lead and managing every aspect of a cyber-incident response. This is why clients of all sizes and across industries make Goldberg Segalla their first call after discovering a breach or other cybersecurity incident.
Breach Response and Crisis Management
As trial lawyers, we understand that every decision made before an incident and during a data breach response—from the first call through closing the incident—can dramatically impact potential liability and the course of future litigation. Our comprehensive cyber crisis-management services include:
- Coordination of the forensic investigation
- Evidence preservation
- Working with law enforcement
- Advising on multi-state notification requirements
- Advising on HIPAA notification requirements
- Responding to Office for Civil Rights (OCR) investigations and other regulatory and administrative inquiries
Post-Breach Regulatory Compliance
In addition to compliance with regulations pertaining to general data collection and privacy, we also guide clients through the intensely complicated regulatory demands triggered when a breach occurs. These include:
- Federal Trade Commission’s Children’s Online Privacy Protection Act (COPPA)
- Gramm-Leach-Bliley and Dodd-Frank Acts
- Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act
- New European Union data protection laws including the General Data Protection Regulation (GDPR)
- Disclosure guidelines imposed and enforced by the Securities and Exchange Commission (SEC) as well as multiple state and international insurance industry regulatory authorities
Policy Reassessment and Public Relations
It is impossible to predict and prevent every breach. However, businesses and institutions that respond well to breaches can emerge even stronger after the recovery.
Our post-breach services include working with management, public relations teams, and outside consultants to develop and execute a media and public relations plan that minimizes reputational harm and restores confidence in the company while maintaining compliance with applicable regulatory requirements.
We also help clients seize on the post-breach opportunity to strengthen data protections, running comprehensive post-breach cybersecurity audits and recommending changes to policies, procedures, and response plans as needed.
Even the strongest and most effective response to a cybersecurity incident leaves open the possibility of costly lawsuits. While companies can take significant steps to limit liability and cut off avenues of plaintiffs’ attacks, they may still need the representation of a proven trial team with deep experience in the evolving legal issues unique to cybersecurity and data protection.
As a firm founded by trial lawyers, we bring to each matter the savvy and successful track record of our Commercial Litigation, Product Liability, Professional Liability, Global Insurance Services, and other litigation teams. We also bring extensive experience litigating other matters involving technology, including both prosecuting and defending business-to-business litigation involving website use, data transfer, and data storage issues.
Representative matters include:
- Defended insureds against third-party claims alleging negligence giving rise to a data breach or other network security issue
- Represented insurers and defended insureds in matters arising out of modular cyber, tech, and media policies
- Advised insurers and defended insureds in claims arising out of alleged website ADA non-compliance
- Advised insureds with regard to ADA compliance for interactive technology such as kiosks pertaining both to structure (e.g. height, accessibility) and visual/audible impairments
Class Action Defense
Our Class Action Litigation practice group has successfully defended Fortune 500 companies as lead counsel in national and state-wide class actions, including high-risk, multimillion-dollar litigation. Representative matters include:
- Represented a telephone company in actions challenging the company’s use of fax communications as violative of the Junk Fax Prevention Act
- Represented a health care company against a class action lawsuit alleging a data breach of personal health information
- Represented numerous retailers, hospitality and other clients in putative class action lawsuits brought pursuant to the Telephone Consumer Protection Act
- Represented a cellular telephone company in individual and putative class actions challenging the company’s debt collection practices under the Telephone Consumer Protection Act
- Defended insureds in data breach class actions involving the loss of PII, PHI, and confidential and proprietary information
Showing 0 of 0 results
May 1, 2020
February 18, 2020
November 6, 2019
October 14, 2019