Contributed by Theodore J Kobus III and Kimberly M Wong of Baker & Hostetler LLP
Privacy laws and regulations impact every organization - from data security to data collection and sharing practices. New technologies, combined with the ever-changing legal and regulatory landscape, have caused privacy and data protection to become one of the fastest growing areas of practice in the US and abroad.
Security breaches affect all industries. Attackers seek customer data or trade secrets, target companies for political reasons, or sabotage critical infrastructure. In 2012, the Privacy Rights Clearinghouse estimated that 27,545,995 records were affected as a result of 680 publicly known security breaches caused by unintended disclosures, hacking or malware, payment card fraud, persons with legitimate access, or lost or stolen paper documents or devices.
State Data Security Breach Notification Laws
Nearly every US state and territory requires notification to individuals when personal information has been breached. Organizations continue to struggle with variations in the definition of a breach, content requirements for notification letters, involvement of law enforcement, and notification timing. During 2012, several states amended their laws to require notification to state attorneys general, which may bring increased scrutiny to data protection practices and compliance with notification laws.
Legislators continue to push for a national standard to preempt the current hodgepodge of state breach notification laws, introducing three federal breach notification bills in 2012. In June 2012, the Data Security and Breach Notification Act of 2012 (S.3333) was introduced, providing several thresholds for breach reporting, Federal Trade Commission enforcement power and fines of up to $500,000 per incident. In September 2012, the Senate Judiciary Committee approved the Data Breach and Notification Act (S. 1408), establishing a national standard for breach notification, and the Personal Data Protection and Breach Accountability Act (S. 1535), instituting data breach notification requirements and recourse for individuals who are victims of a preventable breach incident. In their current forms, the draft bills are weaker than laws already in effect in many states.
Privacy Litigation and Class Actions
During 2012, privacy class actions continued to trend toward two major categories: (1) actions arising out of a data breach event and (2) actions brought to prosecute an alleged consumer privacy right. Generally, plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information and where only hypothetical or future injury is alleged. There are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing. Nonetheless, the probability of a dismissal for lack of injury or standing remains higher where there is no evidence of identity theft or other use of any compromised information. Plaintiffs have also had some success in avoiding the standing or lack of injury defense by bringing claims under state or federal statutes that permit an award of statutory damages, even where the conduct at issue is unrelated to the statute. A common question in statutory damages cases is whether the named plaintiff must prove an injury to recover statutory damages. In some cases, courts have concluded that a mere violation of the statute is enough to confer standing and no injury is required.
Privacy Regulatory Actions
The FTC continues to hold companies responsible for representations made to consumers regarding the use of their personal information. In 2012, the FTC brought legal action against multiple organizations alleging violations of Section 5 of the FTC Act based on failures to fulfill representations made in privacy policies. Another area of interest for the FTC will be compliance with the new requirements of the Children’s Online Privacy Protection Act (COPPA), which applies to businesses that collect information from children under the age of 13. Given the FTC’s history of vigorous COPPA enforcement, FTC enforcement will be even more aggressive now that “collection” is more broadly defined.
Healthcare information is among the most sensitive information an organization can handle. As more healthcare entities move toward electronic health records, use of mobile devices in the clinical setting and sharing of healthcare information in health information exchanges, federal and state agencies are monitoring compliance with obligations to safeguard protected health information (PHI) and electronic protected health information (ePHI) as required under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).
The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, which set forth standards to protect the privacy of patient information. OCR investigates complaints throughout the healthcare industry. In 2012, OCR enforcement action resulted in five resolution agreements involving civil monetary penalties ranging from $50,000 to $1.7 million and compliance with stringent corrective action plans. All five resolution agreements were related to data security breaches, including the first settlement arising from a data security breach affecting fewer than 500 individuals.
In January 2013, HHS issued sweeping changes in its Final Omnibus Rule modifying the HIPAA Privacy and Security Rules and the HITECH breach notification rules. These changes provide a framework for vigorous enforcement by OCR and include direct liability on business associates for compliance with certain HIPAA Privacy and Security Rule requirements, and a presumption that an impermissible use or disclosure of PHI is a breach. Healthcare entities will continue to see an increase in data breaches and the regulatory and/or litigation activity that follow such incidents. As such, healthcare entities should maintain organization-appropriate incident response plans, policies and procedures for safeguarding PHI and ePHI, breach analysis forms, education and awareness training and materials, vetted vendor lists and contracts, and risk assessments and risk management plans.
Privacy concerns are not limited to consumer protection and identity theft. President Obama has declared that "cyber threat is one of the most serious economic and national security challenges we face as a nation," and that "America's economic prosperity in the 21st century will depend on cybersecurity." In an increasingly interconnected and interdependent world, the threats posed by cyberterrorism, state-sponsored industrial espionage or hacktivists such as Anonymous are real and growing. President Obama's long-awaited cybersecurity executive order, issued shortly before his February 2013 State of the Union address, aims to confront these threats and challenges. Many industries are affected, including government contractors and heavily regulated industries that have been identified by the Department of Homeland Security as part of our country’s critical infrastructure. The Executive Order focuses on two solutions: (1) enhanced security standards, and (2) improved sharing of information between government agencies and the private sector.
Privacy & Data Security - Nationwide
THE FIRM This established firm's privacy and information management team is well known for its skillful handling of policy and regulatory matters. Lawyers represent clients from a wide range of industries, and have significant expertise in the healthcare field. The team's expertise is illustrated by its recent work for the Utah Department of Health following a high-profile data breach. Other clients include WebMD and Lexis Nexis.
Client Service "Outstanding client service and scope of knowledge."
KEY INDIVIDUALS Christopher Wolf impresses market commentators, who note that he is "truly an international expert in privacy law." Sources appreciate that he "combines deep legal insight with great communication skills and a fine sense for commercial and political realities." He offers expertise in breach notification, compliance and FTC-related matters.
Established practitioner Marcy Wilder is highly regarded by peers. Her practice is focused on the healthcare space, and she took the lead in the aforementioned work for the Utah Department of Health.
THE FIRM Hunton & Williams maintains a stellar privacy and data security practice, representing a host of industry leaders. The team is notable for its expertise in the international sphere and has advised on numerous cross-border data breaches, while lawyers are also highly experienced in the handling of compliance issues. Recent highlights include acting for GE on a range of global privacy and information security issues.
Client Service "Their client service has been excellent. They are responsive almost 24 hours a day, seven days a week."
Commercial Awareness "Hunton & Williams is very strong in all major aspects you look to in counselors: subject matter expertise and experience, ability to give practical advice informed by real-world cases, and an understanding of our particular business and culture."
KEY INDIVIDUALS Peers attest to Lisa Sotto's outstanding reputation in the legal community, noting that she "provides unsurpassed industry and regulatory expertise." She led an international team of lawyers in the aforementioned work for GE.
Aaron Simpson wins plaudits for his practical, business-friendly approach. Those who work with him consider him to be "absolutely outstanding in terms of his knowledge, his accessibility and his willingness to get to know our business." His clients include Estée Lauder, which he advises on global data protection and privacy matters.
Sources say: "With regard to international data privacy and security issues, they have more lawyers who are knowledgeable in this area, more collective experience and better worldwide resources."
KEY INDIVIDUALS Richard Fischer remains a leading figure whom peers regard as "brilliant." He is notable for his expert handling of matters involving clients from the financial industry, but offers experience of a wide range of industries.
Reed Freeman has a commendable breadth of industry knowledge, and is notable for his capable handling of FTC matters.
Global privacy and data security chair Miriam Wugmeister advises high-profile clients on the collection, use, disclosure and transfer of information. Sources attest that she is a "great" attorney and "a real force" in the privacy and data security Bar.
Privacy expert Andrew Smith routinely advises clients from the financial sector. He is well known for his regulatory expertise, and sources describe him as "a thoughtful, sensible legal thinker."
Shortly prior to publication, Andrew Serwin joined the team from Foley & Lardner. Serwin is commended for the strength of his practice. Work highlights at his previous firm include acting on behalf of Spokeo in an FTC matter alleging improprieties following the sale of internet information, and leading in the aforementioned matter for Wyndham Worldwide.
THE FIRM This firm is recognized for the global reach of its privacy and data protection practice. The team provides a broad service that covers the full spectrum of clients' regulatory compliance and breach management needs. Lawyers are equipped to advise a range of industries including healthcare, financial services and social media. Recent clients include NetSuite and Trend Micro.
Commercial Awareness "The lawyers are commercial, easy to deal with and provide sound legal advice."
KEY INDIVIDUALS California-based Lothar Determann is recognized for the international scope of his privacy practice. He represents international technology companies in global compliance issues. Clients include Yelp and AIRBNB.
Peers attest to the caliber of Brian Hengesbaugh's work in the privacy field. Working from the Chicago office, he specializes in breach notification and policy implementation. He has recently represented Priceline.
THE FIRM Covington & Burling's global privacy and data security practice is recognized for its experience in a range of sectors, including healthcare, financial, technology and communications. Over the last twelve months the practice has been retained by market leaders such as Facebook, advising on privacy and data security matters and on compliance with the Children's Online Privacy Protection Act. An impressive client roster also includes Microsoft and SAMSUNG.
Sources say: "They are experienced, trusted advisers. I would recommend the firm wholeheartedly."
KEY INDIVIDUALS Mark Plotkin's practice is focused on compliance and breach handling. He has recently advised a number of financial institutions on regulatory compliance matters, and is noted for his expertise in this area.
The "quite knowledgeable" David Fagan wins plaudits for the strength of his practice. He offers expert advice in the field of breach handling. Recent work highlights include acting for Microsoft on a wide range of issues.
THE FIRM DLA Piper's IP and technology practice houses a team of expert privacy and data security lawyers. The team is best known for its knowledge of new regulatory requirements and its strength in class action defense, with clients benefiting from the firm's international reach. The team has been retained by clients of the caliber of Accenture, Hilton Worldwide and Pfizer, and offers noted strength in the communications, cloud computing and financial services sectors.
KEY INDIVIDUALS James Halpert's "robust, international practice" attracts strong praise from the market, with sources also noting that he is "very well connected in this field, with a lot of information about what's going on." Recent work highlights include acting as general counsel to the State Privacy & Security Coalition.
Peers attest to the deep knowledge that informs Thomas Boyd's advice. He is recognized for his skill in handling privacy-related regulatory issues.
Jennifer Kashatus is highly recommended by market commentators, who value her "encyclopedic knowledge of industry and data protection." She is an experienced adviser on global issues, with one interviewee commenting on her ability to provide "clear and concise strategies, templates and advice to develop and implement a global data privacy program."
Commercial Awareness "They truly appreciate the delicate balance between having a high degree of legal acumen, understanding and preparedness and the need to make smart, efficient and often quick decisions in a real-time business situation."
KEY INDIVIDUALS Practice leader Dana Rosenfeld is singled out as a highly visible force in the market with a practice that encompasses all aspects of privacy and data security. She recently represented Disney in its response to proposed revisions to the Children's Online Privacy Protection Act.
The "outstanding" Alysa Zeltzer Hutnik worked closely with Rosenfeld on the Disney matter. She handles domestic and global privacy, data security and consumer protection issues.
John Heitmann is well known as a privacy and data security expert. Interviewees strongly recommend him, noting that "his knowledge in this field, his responsiveness and his attention to client needs are exemplary." Sources also describe him as "a strong practitioner in providing cutting-edge advice on social media and mobile privacy issues."
THE FIRM Perkins Coie is highly regarded for its work in the retail and e-commerce sectors. The firm's Electronic Communications Privacy Act practice attracts industry leaders that value the team's cross-border expertise. Lawyers recently represented Twitter in privacy-related litigation, and also represented Google in litigation and regulatory matters stemming from the company's Street View service.
KEY INDIVIDUALS Albert Gidari is highly rated in the market for his ability to navigate through complex issues. The last year saw him take the lead in the Google matter described above.
Michael Sussmann offers a breadth of privacy-related expertise, specializing in regulatory issues, compliance, internet security and electronic surveillance. He has advised a range of industry leaders on compliance with the Electronic Communications Privacy Act.
THE FIRM Sidley Austin's privacy, data security and information law practice is shaped by a team of interdisciplinary lawyers who have wide-ranging expertise on a global scale. The breadth of knowledge on offer includes cyber-security, data protection and health-related privacy matters. Clients are drawn predominantly from the healthcare, financial, telecommunications and media sectors.
Client Service "Sidley is highly capable, and very responsive and client-friendly. They combine deep and technical knowledge of the law with a sense of the need for its practical application."
KEY INDIVIDUALS Peers applaud the highly respected Alan Raul, describing him as a true "ambassador" for the privacy sector. He is particularly active in data breach and cyber-security matters and related litigation.
Edward McNicholas wins praise for his "depth of experience and ability to bring technology issues together to provide information we can act on." The FTC specialist continues to be involved in a wide range of privacy matters.
THE FIRM Venable remains a firm of choice for regulatory matters in the privacy and data security arena. The team is highly experienced in the defense of enforcement actions and the formation of privacy policies, while market commentators attest to the caliber of its bench and the quality work handled by the practice. Key clients include Experian and Reed Elsevier.
Sources say: "They are really good when it comes to this space."
KEY INDIVIDUALS Stuart Ingis has "unparalleled domain knowledge, great business judgment and an extensive network of contacts in the public and private sectors," according to impressed sources. He recently advised the Association of National Advertisers on the implementation of privacy principles for online behavioral advertising.
Emilio Cividanes receives warm praise from the market, with clients remarking that he is "passionate about supporting us and what we do, proficient in making cases and knowledgeable about how the process works."
THE FIRM Wiley Rein is best known for its specialist knowledge of healthcare privacy and data security issues. The team offers expert advice in a range of areas including the formation of security policies and the handling of data breach events. Industry leaders such as PwC, Dell and the Blue Cross Blue Shield Association look to the group to guide them through business-critical issues.
Sources say: "I would give them extremely high marks in all categories, including prompt response time."
KEY INDIVIDUALS Privacy chair Kirk Nahra is recognized for his focus on healthcare-related matters. Sources consider him to be "highly knowledgeable and sensitive to both costs and delivering results on time," and remark that he is in "the top echelon" of data privacy lawyers.
THE FIRM This firm's privacy and security practice is characterized by its international expertise, with lawyers regularly handling data protection matters in Asia, Latin America and the EU. The team also provides experienced counsel on cyber-risk, breach management, regulatory compliance and privacy litigation. Members of the practice are regularly retained by blue-chip clients such as UPS and Experian.
KEY INDIVIDUALS David Keating concentrates his practice on guiding clients through the impact of pending and enacted legislation at national and EU level. His clients include UPS, for which he acts as global privacy counsel.
Paul Martino handles complex data protection compliance initiatives on a global scale. Recent work highlights include advising the National Retail Federation on a variety of public policy and federal legislative issues.
THE FIRM Arnold & Porter has a solid reputation in the privacy and data security sphere. Lawyers offer a range of experience that includes healthcare-related matters, EU Directive compliance, breach management and national security issues. Clients include market leaders from the financial sector, communications and pharmaceutical industries.
KEY INDIVIDUALS Established practitioner Ronald Lee remains a respected member of the legal community. He has recently represented a number of clients in connection with national security and electronic surveillance restrictions.
Nancy Perkins is highly regarded for her specialist regulatory knowledge in the privacy space. She has recently advised several substantial pharmaceutical and biotech companies on EU data protection laws.
THE FIRM BakerHostetler's privacy and data security team has won considerable praise for its handling of security breaches and privacy-related risks. Recent matters include defending Eisenhower Medical Center with respect to a putative class action stemming from a data breach complaint. Other clients include QVC and Farm Credit Council Services.
Client Service "The team looks to get the job done in a manner that is in the best interests of the client, in a professional and cost-effective manner, which is exactly what we look for in counsel."
Commercial Awareness "It has a very strong team and we look for it to be our go-to firm on these issues given its deep capability, its dedicated service to clients and its commercial awareness."
KEY INDIVIDUALS The "excellent" Theodore Kobus is widely regarded as "an expert and a leader in the field." He has taken the lead role in the aforementioned matter for the Eisenhower Medical Center.
THE FIRM Edwards Wildman Palmer's privacy and data protection practice is shaped by a multidisciplinary approach incorporating litigation, IP, insurance and compliance expertise. The firm recently assisted Kia Motors with privacy and security issues relating to the launch of its UVO2 vehicle navigation system. Other clients include Thomson Reuters and Myspace.
Client Service "Client service has always been excellent."
KEY INDIVIDUALS Thomas Smedinghoff is an authority on information law and electronic business. Over the last twelve months he has counseled a number of clients, including Thomson Reuters and Lexis Nexis, in connection with online identity management.
THE FIRM Foley & Lardner is considered a firm of choice for privacy and data security issues. The team structures international privacy programs and gives regulatory compliance advice to industry leaders such as eBay, Qualcomm and Playdom. Recent matters include representing Wyndham Worldwide in a class action alleging the improper recording of telephone calls.
KEY INDIVIDUALS Peter McLaughlin is a key contact.
THE FIRM Gibson, Dunn & Crutcher enjoys a solid reputation in the privacy space. The IT and data privacy practice handles a variety of complex class action litigation, and advises on compliance programs and investigations. Key work highlights include representing Facebook in a significant FTC investigation.
KEY INDIVIDUALS Peers hold Ashlie Beringer in high regard, describing her work as "groundbreaking." Clients value her impressive industry knowledge and understanding of their business needs. She has recently successfully defended Flurry, Inc and Pinch Media in class action litigation alleging that the defendants had illegally collected and distributed the personal data of iPhone app users.
THE FIRM Highly regarded boutique InfoLawGroup LLP is noted for its strength in the privacy and data security space. Lawyers regularly guide clients through privacy and data security concerns relating to corporate and outsourcing transactions, assist with respect to data breach management and advise on the development of compliance programs. The firm is retained by BrightTag to act as outside privacy counsel.
Commercial Awareness "The firm is able to strike a balance between legal responsibility and practical business advice."
KEY INDIVIDUALS Justine Gottshall is a key contact.
THE FIRM McDermott Will & Emery maintains an impressive global privacy and data security practice from its Los Angeles, Boston and Chicago offices. Lawyers regularly advise on privacy policies and the data security aspects of transactions that include M&A, data purchase and data licensing. The team has recently advised a number of industry leaders on electronic data strategic partnerships and the development of privacy and security infrastructures.
KEY INDIVIDUALS Daniel Gottlieb is a key contact.
Commercial Awareness "They have subject matter expertise, understand the commercial aspects of the business and follow through consistently."
KEY INDIVIDUALS Melodi Gates comes highly recommended by interviewees, who note her outstanding responsiveness. She "is highly capable, service-minded and prompt, and understands all commercial issues in this area."
THE FIRM Pillsbury provides clients with the full spectrum of privacy and data security advice. The team advises clients from a range of sectors including healthcare, finance and hospitality. Members of the team continue to represent Blackhawk Network and Dun & Bradstreet.
KEY INDIVIDUALS Practice head Deborah Thoren-Peden maintains an active practice and is recognized for her representation of financial services clients. She continues to advise Netspend on privacy, regulatory and compliance matters.
THE FIRM Proskauer's respected privacy and data security practice is supported by the firm's wider corporate and litigation expertise. Clients are drawn from a wide range of sectors including telecommunications, financial services and media, while the firm's global footprint enables it to operate seamlessly with offices overseas.
Commercial Awareness "They are very knowledgeable about the substantive law but also very aware of the commercial settings and the need to serve the specific client."
Client Service "I would rate Proskauer extremely highly in terms of client service."
KEY INDIVIDUALS Highly specialized practitioner Kristen Mathews is widely praised by market observers. Interviewees value her ability to "take the specific circumstances of an individual client and formulate a policy and statement that work both from the legal perspective and for the particular commercial situation."
THE FIRM This firm is best known for its handling of large-scale data security breaches, advising clients across a wide range of industries. The team also guides clients through regulatory compliance issues, offering both transactional and litigation expertise. Clients include Sony Computer Entertainment America and The Blackstone Group.
KEY INDIVIDUALS Douglas Meal is "not only an excellent lawyer, he is also a very smart businessperson," say sources, while he is also noted for his "reputation for getting results." He specializes in payment card breaches.
THE FIRM WilmerHale's communications, privacy and internet law group advises clients on regulatory compliance, security breach management and investigations. The team has specialist knowledge on the application of the Electronic Communications Privacy Act. The group has recently represented Verizon and the International Franchise Association.
KEY INDIVIDUALS Jonathan Nuechterlein is a key contact.
THE FIRM ZwillGen is a highly respected boutique commended for its technical expertise and prowess in litigation matters surrounding data security and privacy issues. Clients are drawn from a range of industries including the technology and media sectors.
KEY INDIVIDUALS Marc Zwillinger is respected for his knowledgeable, practical approach. He offers a wealth of expertise in regulatory compliance, with clients benefiting from his breadth of industry experience.
Randy Sabett's practice is centered on data breach policy and management and privacy-related legislation.
Peers consider Joseph DeMarco of DeVore & DeMarco LLP to be "the real deal." Interviewees value his ability to condense complex legal terminology into business-focused advice. He recently advised Sotheby's on a range of privacy and security-related issues.
Ian Ballon of Greenberg Traurig, LLP maintains his active practice. He is a well-known litigator with a strong reputation in the privacy and data security field. Clients include leading technology and social media companies.
Françoise Gilbert of IT Law Group has an excellent reputation among peers as a pioneer in the field. She is notable for her European expertise and as a result attracts an impressive international clientele. Peers attest to the strength of her practice.
Ieuan Jolly of Loeb & Loeb LLP is noteworthy for the international scope of his experience. Recent work highlights include advising SC Johnson on global privacy strategy.
Cynthia Larose of Mintz Levin Cohn Ferris Glovsky and Popeo PC impresses sources with her "comprehensive knowledge of this complex and evolving area, as well as her ability to apply that knowledge in a meaningful way for our lines of business." She provides privacy and information management services to clients from a range of sectors, including energy and media.
Linn Freedman of Nixon Peabody LLP specializes in healthcare-related matters, with particular expertise in compliance and data breaches. Commentators describe her as "prompt, effective, personable and very much on top of the substantive area of law."
Margaret Eisenhauer of Privacy & Information Management Services—Margaret P. Eisenhauer, P.C. is recognized for her established presence in the legal community. Clients benefit from her commendable knowledge of data management and compliance-related issues.
Practice leader Mark Melodia of Reed Smith LLP is widely regarded as a "very skilled lawyer." He is known for his expertise in the field of litigation, most notably putative class actions. He has recently represented Macy's and JC Penney in a number of flash cookie class action litigations.
Michael Vatis of Steptoe & Johnson LLP is a respected member of the legal community. Areas of expertise include international breach management and compliance issues.
Benita Kahn of Vorys, Sater, Seymour and Pease LLP is "very knowledgeable in the area and also takes the time to understand the business concerns or aspects behind the issue," say sources.
Lydia Parnes of Wilson Sonsini Goodrich & Rosati offers a wealth of data security enforcement and data breach expertise. She recently advised Evidon on compliance issues.