Privacy and Data Security

Organizations of all sizes and across all industries encounter extraordinary challenges in managing the security of their data — from personally identifiable information, trade secrets, intellectual property, and other confidential information. This critical data must be securely managed in compliance with constantly evolving laws and regulations and in a manner consistent with a company’s best practices. In a dynamic legal landscape, businesses need a legal team that can help mitigate risks and respond to the unexpected.

Taft’s Privacy and Data Security attorneys draw on experience that spans industries, practice areas, and jurisdictions. Our attorneys keep at the forefront of up-and-coming state, federal, and international privacy laws and regulations concerning the collection of personal/sensitive data. We advise clients on data privacy and cybersecurity issues, data security breaches, mergers and acquisitions, joint ventures, marketing programs, consumer protection, outsourcing, compliance and regulatory matters, information management, and information sharing. We help clients plan ahead and ensure the necessary safeguards are in place.

Taft attorneys have experience in a wide range of state, federal, and international regulations and industry best practices, including:

  • Healthcare: HIPAA, HITECH
  • Finance: GLBA, FACTA, FCRA
  • Marketing and Communications: TCPA, TSR, FTC, and CAN-SPAM
  • International: EU GDPR, UK GDPR, PIPEDA
  • Technology: COPPA, CFAA, Stored Communications Act
  • Information Security: NIST, ISO and PCI-DSS

Taft proactively helps its business clients assess their compliance conformance. We identify areas in need of improvement and/or immediate attention, and help our clients implement measures to address and correct them. And when challenges arise, Taft stands ready to assist clients in conducting a timely and methodical response.

The Privacy and Data Security practice serves clients by:

  • Conducting data governance risk assessments, including privacy impact assessments.
  • Developing administrative safeguards, including policies (WISP), procedures, and contracts.
  • Assessing, implementing, and maintaining privacy and data security programs.
  • Conducting awareness training.
  • Defending and prosecuting privacy and data security claims.
  • Responding to regulatory and criminal investigations.
  • Managing incident readiness/response and data breach notification.
  • Developing business continuity and disaster recovery plans.
  • Negotiating cyber insurance coverage and pursuing cyber insurance claims.
  • Resolving transactional disputes.
  • Advising clients concerning the Internet of Things (“IoT”).
  • Counsel clients on compliance with evolving laws and rules.

The world is so immersed in technology that activities in cyberspace have become inseparable from the everyday operations of business, education, government, and the military. Taft’s Privacy and Data Security practice is comprised of an exceptional team of attorneys with experience in multiple legal disciplines, including litigation, government contracts, energy, banking and financial services, technology, intellectual property, labor and employment, and health care who are prepared to address these concerns. Our attorneys counsel clients regarding their data collection, retention, sharing, and security practices.

Many attorneys in our Privacy and Data Security practice have earned prestigious Certified Information Privacy Professional (“CIPP”) Certifications, the preeminent credential in the field, in several important classifications. These certifications ensure that attorneys have knowledge regarding essential privacy concepts and principals and the jurisdictional laws, regulations and enforcement models for handling and transferring data.

Privacy and Data Security attorneys also contribute to the Taft Privacy & Data Security Insights blog and share daily tips and content via our mobile app (Apple IOS and Google Play).

Related Practices

Related Industries

Notable Matters

  • Advise hospitals and physician groups with respect to security audits.
  • Prepare HIPAA/HITECH privacy and security policies and procedures for health care providers and for business associates.
  • Provide HIPAA/HITECH training for health care providers and for business associates.
  • Act as outside counsel to a large academic medical practice providing guidance on HIPAA and HITECH matters, including advising on potential breaches and drafting notice of violations.
  • Draft privacy policies and terms of use for websites and applications.
  • Draft and review agreements involving the access, use and disclosure of personal information to address data privacy and data breach concerns.
  • Conducted a HIPAA risk assessment and risk analysis for a large U.S. healthcare corporation with nationwide operations.
  • Represented a large healthcare provider in a multistate data breach, including coordination with the Office of Civil Rights (HHS) and states attorneys general.
  • Represented a large physician group practice in connection with a data breach HIPAA/HITECH analysis (breach originating with the vendor) and investigation, patient notification and HHS OCR notification.
  • Represented a hospital in connection with a data breach analysis and investigation, HIPAA/HITECH analysis and advice.
  • Successfully represented an industry leading company against a former employee who had electronically transferred trade secrets and other company confidential information prior to leaving to join a competitor.
  • Successfully defended a company accused of misappropriating trade secrets.
  • Drafted policies and provided training to numerous companies related to the human resources aspect of privacy and data security, including bring your own device policies.
  • Drafted policies and provided training to companies relative to implementing reasonable precautions to protect trade secrets and other nonpublic, business sensitive information.
  • Assisted educational institutions when student information may have been improperly disclosed.
  • Assisted companies when employees’ personally identifiable information has been disclosed by a vendor.