Privacy & Data Security

The McNees Privacy & Data Security team develops programs to bring organizations into compliance with U.S. and International privacy regulations as well as limit the risk of data security breaches, and helps clients respond quickly and effectively to mitigate financial and reputational harm following cyberattacks and other data exposure events.

Businesses and institutions have a vital responsibility to protect data from hacking and other security threats. Every organization that collects and stores personal information belonging to customers, employees, or other individuals must implement appropriate policies and protections to ensure the privacy of those stakeholders.

Attacks by hackers and other data breaches pose a tremendous risk to businesses today. A single data breach can ruin corporate reputations and business relationships and can create substantial liabilities. Entities collecting and maintaining personal information must be prepared to respond quickly, and in compliance with state, federal, and where applicable, international laws, to address any potential data breach.

McNees has assembled a collaborative team of attorneys with the varied skills needed in order to develop and implement practical solutions to privacy threats across many industries. The group’s leader, Devin Chwastyk, has earned the designation of Certified Information Privacy Professional (CIPP/US) from the International Association of Privacy Professionals, which accredits lawyers and other professionals, and its co-leader, Sandy Garfinkel, has handled hundreds of data breach incidents and has counseled corporate clients from virtually every industry concerning data security and privacy best practices and compliance. Our cybersecurity lawyers help manage risk by advising clients how to protect data and prepare as fully as possible to respond in the event of a breach.

As legal leaders in this practice area, group members frequently publish articles, offer podcasts, and present seminars to clients and business groups on data security topics.

The Privacy & Data Security Group offers knowledgeable and experienced representation in all aspects of data security, including:

• Creation of data security policies, written information security programs (WISPs) and data breach response plans required for compliance with state and federal laws;
• Compliance with specialized data security requirements across industries, including:
  • HIPAA compliance for hospitals, doctors, and other health care providers;
  • Gramm-Leach-Bliley and other mandates applicable to banks, credit unions, and other financial institutions;
  • Fair Credit Reporting Act (FCRA) limitations on lenders and debt collectors
  • Utility industry PUC data incident reporting and notification requirements, and
  • Payment Card Industry Data Security Standards (PCI-DSS) compliance for businesses that accept credit card transactions.
• Analysis of rapidly-developing state, national, and international data privacy laws, including GDPR compliance and US/EU standards for cross-border data transfers;
• Counseling concerning compliance by businesses and organizations with US state consumer privacy laws (such as California’s CCPA) and regulations, including assistance in responding to statutory information rights requests from consumers;
• Data breach prevention strategies, training, and war-game simulations for corporate response teams;
• Data security for local government entities;
• Cybersecurity for lawyers and law firms;
• Navigation of the interrelationship between employment law and data security, such as:
  • Compliance with HIPAA privacy rules and HITECH security audits
  • Meeting ADA standards for reasonable accommodations in website design and mobile applications;
• Advice on safeguarding funds and financial data from online threats;
• Cybersecurity due diligence in corporate mergers and other transactions;
• Negotiation of contracts with third-party information vendors, including cloud storage and other document management services;
• Data breach litigation, including:
  • Defense of businesses in Federal Trade Commission and Federal Communications Commission enforcement  actions regarding consumer privacy;
  • Defense of businesses in class action lawsuits arising from alleged privacy violations.