As the use and misuse of data loom ever larger in the strategies and anxieties of businesses in all industry sectors, the need for canny guidance through the privacy and security implications of business operations grows ever more acute. Our Privacy, Cybersecurity, and Data Asset Management group works with companies of all sizes—including those lacking in-house privacy or cyber capabilities—to develop and implement defensible compliance solutions in a pragmatic, cost-effective manner. The firm’s dual concentration on both health law and labor and employment law gives us deep insight into the regulatory problems of each, and exceptional capabilities for solving them.

Proactive Risk Mitigation

Much of our work centers on the constantly evolving compliance obligations our clients face over privacy and security. They rely on us to determine which rules—federal, state, local, and international—govern their operations, and to help institute the policies and procedures that address those rules. We strategically partner with industry-recognized technology consultants to see that reasonable and appropriate best practices and systems are selected and configured to reduce exposure to breaches. We advise our clients on technical controls, such as access management and data monitoring and encryption, and we ensure that their people are properly trained in their use. While these measures may or may not prevent privacy or security incidents from occurring, they can help assure regulators that appropriate steps were taken to minimize the risk.

Protecting Health Care Data

With data assets becoming ever more integral to the business models of health care companies, the need to protect sensitive information must be considered mission-critical. From hospitals, insurers, pharmaceutical companies, and other “bricks and mortar” organizations, to the most tech-forward apps and wearables, we help clients navigate the maze of laws and regulations that affect the gathering, use, and disclosure of health-related data. We examine their risks, make them aware of their legal obligations, and defend them in government investigations and private litigation. We also perform due diligence for private equity companies seeking acquisitions in the health field.

Managing Human Resources Data

Across all industries, the privacy and security postures of human resources (HR) departments are under increasing scrutiny by regulators. As predictive analytics and data sharing play a greater role in the hiring and firing practices of HR departments, care must be taken not to run afoul of rules designed to prevent discrimination and bias. Our lawyers provide that care, counseling clients on their legal obligations and advising them so that policies and procedures regarding the collection, use, and disclosure of data assets are properly crafted and implemented.

Responding to Security Incidents

The potential effects of data breaches and other security incidents range from merely embarrassing to catastrophic. When such an event occurs, our attorneys act to assess the legal, financial, and reputational consequences to our clients. We help our clients determine who needs to be notified of the incident—whether customers, individuals, vendors, regulators, or media—and in what form the notifications must be delivered. We field follow-on inquiries from regulatory agencies, and we represent our clients in litigation that ensues.

Representative Experience

  • Investigated and evaluated possible data breaches at a health insurer, and carried out ensuing breach response obligations. We quickly mobilized a team of people, performed an investigation that included a forensic analysis, reviewed documents, conducted interviews, and compiled facts and data points.
  • Counseled a digital provider of health coaching services on the privacy aspects of data collection and use as well as in its contracts with payors and the companies it acquired as it expanded its service lines.
  • Advised various health care and corporate investment companies on digital health and data asset management strategies and related compliance issues. We advised on data rights issues, data sharing agreements, implementing secure technology, and building robust compliance programs around the data so that our clients could realize the value of data while complying with applicable laws.
  • Structured privacy and contract terms for medical technology device and application companies, and advised on their negotiations with payors.
  • Assisted a health care client with developing trust networks by communicating with partners about how the client is acting as a trusted data steward and how the client achieves robust privacy, security, and compliance practices.
  • Helped a health insurer defeat a data breach class certification motion following the loss of a flash drive containing the personal health information of more than 283,000 individuals.
  • Assisted clients in successfully responding to an inquiry from the U.S. Department of Health and Human Services’ Office for Civil Rights related to a breach of protected health information involving the clients’ vendors.
  • Counseled health care and other clients on the privacy, security, and compliance implications of interoperability and information blocking rules coming from the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology. This work included helping our clients (i) develop compliance programs around data sharing to manage risks and (ii) vet vendors with whom they share data.