In today's digital world, where data has become a key asset for conducting business, companies continue to face greater privacy and cybersecurity risks.
Our Privacy & Cybersecurity team helps clients navigate the rapidly evolving, increasingly complex privacy and security law landscape in the United States, the EU, and around the world. Our cross-disciplinary practice draws on the extensive knowledge and experience of lawyers in our Employment, Employee Benefits, Insurance, Bankruptcy, Intellectual Property, and Litigation practices. Our targeted counsel is relevant to companies across diverse industries, such as health care, retail, professional services, communications, financial services, advertising, and entertainment.
Our deep knowledge, combined with our transactional experience, provides our clients with exceptionally effective counsel. Our team is equally well versed in FTC regulations and investigations, data breach preparation, response and remediation, and the defense of class action litigation resulting from information security and privacy law violations.
Today, U.S. companies must carefully consider privacy and data security laws when conducting business with entities and individuals located in foreign jurisdictions. We routinely counsel clients on their responsibilities when their business operations extend beyond U.S. borders, including compliance with the EU's new General Data Protection Regulation (GDPR), which became effective in May 2018.
Mary J. Hildebrand contributes to Law360’s roundup of 2020 predictions for privacy and cybersecurity law by thought leaders in the field. She says that recent data protection laws like California's Consumer Privacy Act and the EU’s GDPR, where “companies' ability to use and disclose data is … determined by the nature of the rights granted to them by the user or owner of the data,” contribute to the growing trend of viewing data as a “separate asset class with a new and rapidly emerging legal framework around it.” (subscription required to access article)
Mary J. Hildebrand CIPP/US/E, partner and Chair of Lowenstein’s Privacy & Cybersecurity group, comments in TechRepublic on the risk of ransomware to startup and midsize healthcare companies, observing that there is no “one-size-fits-all” solution. "For every organization that adamantly refuses to cooperate, there is another one that weighs the relative costs of non-compliance in terms of interrupted healthcare, costs, expenses and reputational risk, against the amount demanded, and decides to wire the funds," she says.
In a second TechRepublic article on the subject, she addresses disclosure requirements under HIPAA when ePHI (electronically protected health information) is compromised. "OCR argues that ePHI was acquired during the encryption process, unless the covered entity that was attacked can prove otherwise," she says. "As any healthcare organization that has wrestled with this issue can tell you, this is a high bar to meet." Hildebrand recommends being prepared with a disaster recovery plan that “includes data back-ups, applications, infrastructure/cloud capacity, and appropriately skilled staff,” and keeping messages to employees and patients “brief, factual, and timely.”
Mary J. Hildebrand is featured in an article on TVNewsCheck spotlighting her presentation at the conference Media Outlook 2020, which expanded upon an article written by Hildebrand and Carly S. Penner for the Media Financial Management Association’s magazine, The Financial Manager. Hildebrand explains how the United States differs from Europe and certain other countries in that it does not have a set of federal laws addressing privacy and cybersecurity generally and that federal laws here are industry-specific. Although the Federal Trade Commission is the de facto regulator of many online activities, including privacy and security standards, companies must now consider 50 different state data breach laws, plus Guam, Puerto Rico, and the Virgin Islands. California and Nevada have also adopted comprehensive data protection laws, and more states are considering similar legislation. Hildebrand recommends that businesses focus on five issues in the coming year:
New state laws, like California’s CCPA and Nevada’s new data protection law;
Creating a formal written incident response plan in case of a data breach, including appropriate training and cyber insurance;
Understanding sales and marketing departments’ collection, use, and sharing/sale of personal information; and
Developing an inventory of personal information collected, used, and shared across the organization.
Mary J. Hildebrand, Chair of the Privacy & Cybersecurity group, is quoted in Compliance Week in an article on how state laws are filling in the federal privacy data void and why New York State's privacy legislation is important. She says it puts “more companies at issue since it includes far more companies under its jurisdiction. State law also allows private causes of action for violating the New York Privacy Act, although New York might make the individual litigant prove damages.” Hildebrand adds that “[c]ompanies seeking to comply [with the New York Privacy Act] will be confronted by complexity and entirely new (and ill-defined) concepts such as ‘data fiduciary’ and ‘privacy risk’ … [and that] in any merger or acquisition that involves the transfer of personal data associated with a New York state resident, affirmative consent to the transfer must be obtained from each New York resident before the transfer is permitted to occur.”
The Hedge Fund Law Report conducts an in-depth interview with Peter D. Greene regarding the GDPR’s impact on private funds’ use of alternative data. Issues addressed include how the GDPR might affect how funds buy and use alternative data; how the GDPR may impact funds’ internal generation or gathering of alternative data; funds’ due diligence in data vendor selection; and immediate steps funds can take to ensure GDPR compliance.
The Buffalo Law Journal notes Lowenstein Sandler as counsel to a company discussing its General Data Protection Regulation (GDPR) compliance efforts. The article quotes Mary J. Hildebrand, who notes many companies’ confusion as to whether and why GDPR applies to them. Hildebrand explains that GDPR has expanded the definition of personal data, that it applies depending on where data is processed (not just on where it “sits”), and that GDPR compliance obligations will involve careful judgment calls.
In a three-part article, the Hedge Fund Law Report quotes Peter D. Greene and Benjamin Kozinn regarding fund managers’ collection (often through vendors) and use of big data, liability risks associated with acquisition and use of material nonpublic information, and data privacy issues surrounding access to and use of personally identifiable information.