Crowell & Moring's Privacy & Cybersecurity Group guides clients through the myriad federal, state, and international laws governing the collection, use, transfer, and protection of data. We provide practical advice that permits our clients to address privacy and cybersecurity issues in a manner appropriate to their business needs and to the risks that they face.
We use an enterprise-wide approach to counsel our clients. Our experience cuts across multiple industries and involves nearly every practice group in the firm. We integrate Crowell & Moring's intellectual property, corporate, insurance, white collar, trade secrets, health care, energy, transportation, and government contracts capabilities to address the privacy, cybersecurity, and other risks faced by our clients. We use our deep knowledge of our clients' business needs and the industries in which they operate to help them develop effective and practical privacy and cybersecurity policies, procedures, and strategies.
All businesses are susceptible to cyberattacks and to other internal and external threats to their data and systems. Retailers, government contractors, critical infrastructure companies, manufacturers, financial services companies, and educational institutions are increasingly being targeted because of the business, financial, and personal data that they possess and because of the significant public impact of disrupting their business operations. On the front end of our integrated approach to risk mitigation, we counsel and train companies on strengthening their cyber defenses, developing and implementing global privacy and data protection programs, complying with applicable laws, and incorporating government standards and industry best practices into their risk management program. On the back end, we have extensive experience in responding to and managing the crises that can arise when a privacy or data security incident occurs or when a privacy or security vulnerability is made public. We routinely deal with federal and state enforcement agencies and defend clients against class actions arising from incidents involving personal information. We also have extensive experience addressing global privacy issues.
Risk Assessment and Compliance
Often the best way for a business to reduce the risk of cyber attack and data breach is to prepare for it. We have broad experience in helping businesses across many sectors assess their cyber risks and threats and develop legally compliant mitigation policies and procedures. As part of our enterprise-wide approach to counseling clients, we work with the company's resources, including leveraging existing compliance reviews and assessments, to identify compliance requirements and best practices that efficiently and effectively protect data, networks, and systems. When appropriate, we work with technical consultants through a relationship that helps maintain confidentiality and privilege.
Key elements of the legal services that we provide to assist our clients in conducting a comprehensive and privileged risk assessment and compliance review include assessing and classifying client data; identifying required and recommended data and network safeguards; evaluating organizational governance of information, people, and policies; reviewing training requirements and content for compliance with existing standards; assessing accountability, including the auditing process, risk reporting, and enforcement activities; and reviewing contractual and other components of vendor management. We assist clients in enhancing and, as appropriate, developing or revising privacy and cybersecurity policies and procedures, including governance frameworks, incident response plans, vendor management agreements, and insider threat policies, and annual and role-based training.
Crowell & Moring represents clients that have experienced security breaches involving personal information, trade secrets, and other proprietary information and clients that are alleged to have security or privacy vulnerabilities in their products or services. In these crisis situations, we are on the ground with our clients until the issues are resolved, from the initial internal investigation stage through the communication, government enforcement, and follow-on litigation stages.
Despite the prevalence of privacy and data security incidents, particularly cyber intrusions, incidents are not inevitably catastrophic for a business. Rather, advance preparation, proper crisis management, timely remedial action, accurate assessments of harm, and, when appropriate, effective communications including notification of government and affected individuals, can significantly mitigate the business impact of privacy and data security incidents.
We handle all aspects of crisis management for privacy and data security incidents, including:
- Assisting with the legal and risk management decision about whether and when to provide notification and, if so the nature and extent of the notification required; we have developed detailed outlines and spreadsheets of the various requirements of and differences between the many state security breach laws to make this a quick and effective process.
- Drafting notifications to individuals and regulators.
- Preparing statements for external sources, e.g., media and law enforcement.
- Assisting with communications to other required agencies, such as consumer reporting agencies.
- Preparing statements, e-mail notices, and personalized correspondence with employees affected by security incidents.
- Advising clients on both legal requirements and best practices with respect to post-incident assistance to those affected (e.g., credit monitoring, insurance, etc.).
- Addressing criminal, employment, contract, and other legal issues arising from incidents involving the conduct of an employee, vendor, or business partner.
- Defending against state and federal regulatory investigations.
- Defending against state attorneys general lawsuits.
- Defending individual and class action lawsuits arising from data and privacy breaches.
- Responding to individual complaints regarding privacy and data security.
- Conducting a "lessons learned" analysis of the incident and, where appropriate, recommending additional privacy, data security, and other measures to reduce the risk of future similar incidents.
The ability to transfer customer data, marketing data, and other information around the globe creates both opportunities and risks for companies that have customers, suppliers, employees, and shareholders in multiple countries. As the ability to transfer data internationally has grown, so too has the number of countries and regions with privacy and data protection laws. In addition to our extensive experience with U.S. federal and state privacy laws, we have a wealth of experience regarding global privacy and data security issues.
Crowell & Moring uses its U.S. and international resources to provide our clients with international compliance strategies and solutions. For example, our European practice focuses on current and proposed EU privacy and data security laws, and is experienced in conducting data protection audits, dealing with government authorities, and implementing and maintaining annual registrations of data practices. Our affiliate, C&M International, is deeply involved with the privacy laws of Pacific Rim nations, including South Korea and China.
Our team regularly addresses the legal and practical issues that arise when clients are required to comply, simultaneously, with multiple federal, state, and international privacy and data security requirements (e.g., FTC standards, state security breach notification laws, MA regulations, SSN restrictions, NV encryption standards, CA privacy disclosures, EU data transfer requirements). We counsel clients on securing and working with data about consumers, employees, and customers; developing internet privacy statements; developing contracts for cross-border transfers of data; and coordinating privacy and data security laws and requirements with employment, contract, and other laws.
We have counseled and defended clients in a variety of industries regarding issues in numerous legal frameworks and standards, some of which are noted below:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act
- Computer Fraud and Abuse Act
- Data protection authority notifications
- CAN-SPAM Act
- Telephone Consumer Protection Act (TCPA)
- Fair Credit Reporting Act (FCRA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Federal Trade Commission Act (FTC Act)
- EU Data Protection Directive
- EU E-Commerce Directive