Overview
Virtually all businesses today collect information relating to their employees, clients, customers, patients, or other parties. Because myriad international, federal, and state privacy laws and regulations cover not only the rights of those parties but also matters of national security and crime prevention, it is not unusual for one business to be subject to overlapping privacy laws and regulations.
Thus, businesses face the challenge of complying with all relevant privacy laws and regulations and ensuring that safeguards are in place to prevent the improper use or disclosure of this information.
Epstein Becker Green’s Privacy, Cybersecurity & Data Asset Management Group helps clients understand and stay compliant with the privacy standards and industry best practices applicable to collecting, using, and transferring their confidential information.
Our Services
Establishing a strong, effective, well-documented privacy program is key to privacy compliance. That's why our services include the following:
- Advising on compliance with privacy-related international, federal, and state laws, rules, and regulations, including, among others, the CAN-SPAM Act, the Children’s Online Privacy Protection Act, the Computer Fraud and Abuse Act, the EU-U.S. Data Privacy Framework (the successor to the EU-U.S. Privacy Shield program, which the Court of Justice of the European Union invalidated in 2020), the European Union’s General Data Protection Regulation (GDPR), the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Genetic Information Nondiscrimination Act, the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS, a contractual standard imposed by the card brands rather than a statute), the Telephone Consumer Protection Act (TCPA), and the Telemarketing Sales Rule
- Helping clients (i) document that appropriate privacy and cybersecurity policies are in place and compliant, (ii) ensure employee training and awareness of the policies and standards, and (iii) develop internal enforcement mechanisms
- Providing counsel on compliance with Federal Trade Commission (FTC) rules, including the ID Theft Red Flags Rule, the Address Discrepancy Rule, and other disclosures and safeguards for online, mobile, and social media information collection, use, and sharing practices
- Updating clients on new developments in privacy laws, regulations, and standards, and reviewing and revising policies, practices, and procedures, where needed, to ensure compliance with those developments
Workplace Privacy Strategies
Ever-changing privacy laws and requirements, along with technological advances, have created new challenges and opportunities for employers. For instance, employers face restrictions on the types of information about employees and job applicants they may collect and use in making business and employment decisions. These restrictions relate to such areas as background checks, employee monitoring, employee biometric information, and the transfer and maintenance of employee data and employee health-related information. Workplace privacy-related issues also arise under the Americans with Disabilities Act, the FCRA, the GDPR, and the FACTA, among other laws.
The Privacy, Cybersecurity & Data Asset Management Group at Epstein Becker Green has the knowledge and experience to effectively guide employers through workplace privacy and cybersecurity complexities.
Our Services
We help employers properly balance privacy considerations with workforce management concerns and employee data collection and protection. Our services in this area include the following:
- Advising employers on international, federal, state, and municipal laws, rules, and requirements relating to the privacy, protection, cybersecurity, and/or use of sensitive employee or job applicant data
- Counseling on the proper methods for the collection, maintenance, disclosure, and transfer of personnel, financial, and health-related information, and helping draft notices and procedures, consent forms, and agreements relating to privacy concerns in the employment relationship
- Reviewing (and revising, where necessary) employers’ current policies and procedures to ensure compliance with laws and requirements relating to the privacy and protection of employee and job applicant data and in anticipation of internal audits and corporate transactions (i.e., mergers, acquisitions, sales, and joint ventures)
- Preparing employee privacy and data protection policies (including policies relating to Internet use, social media, blogging, and acceptable use of company technology) and procedures in accordance with rules relating to workplace monitoring
- Creating training materials and compliance programs for employers and management to ensure that sensitive employee and job applicant data and health-related information are properly collected and managed
- Developing policies and procedures to protect and secure business assets, such as trade secrets and intellectual property, while respecting the rights of departing employees
- Conducting insider threat assessments and developing insider threat programs to protect the privacy and security of information
- Counseling employers on security breach mitigation strategies
Health Data Privacy Strategies
At Epstein Becker Green, we provide daily counsel to clients throughout the health care industry to structure business, clinical, and administrative operations in compliance with health data privacy laws and regulations, including HIPAA and its privacy, security, and breach notification rules; HITECH and its regulations; and federal and state privacy laws regarding mental health and substance use disorder data. We work with our clients to facilitate the development of health data privacy strategies that complement their business strategy.
The members of our Privacy, Cybersecurity & Data Asset Management Group are prolific authors and sought-after lecturers on health information privacy and security topics. They also serve on the advisory boards of publications such as Thompson's Employer’s Guide to HIPAA.
Our Services
Because we want to ensure that clients comply with health privacy laws, our Privacy, Cybersecurity & Data Asset Management Group’s services include:
- Advising on the applicability of HIPAA and other federal and state privacy laws to clients
- Providing advice on the use, disclosure, transfer, retention, and destruction of health information
- Advising clients on risk-mitigation options, such as data encryption and access controls (encryption that meets the HHS guidance issued under HITECH takes protected health information outside the definition of “unsecured” PHI, so a loss of properly encrypted data does not trigger the breach notification rule)
- Developing and implementing recordkeeping, documentation, access, and complaint and disciplinary procedures
- Conducting HIPAA- and HITECH-related educational seminars and training programs
- Developing and implementing a comprehensive privacy and cybersecurity compliance program
- Updating privacy policies and procedures to comply with new developments and requirements
- Advising on HIPAA and other privacy compliance strategies during recruitment and the conduct of clinical trials
- Assisting with developing behavioral health integration strategies that facilitate data-sharing in compliance with 42 CFR Part 2 and other mental health and substance use disorder privacy laws
- Drafting, reviewing, and negotiating business associate agreements and other data protection and data use agreements
Since no compliance program is foolproof, if a privacy violation occurs, we assist the client with remedial measures and incident responses, and we defend the client in any investigations and litigation concerning the violation.
TCPA Compliance Strategies
The TCPA and the implementing regulations of the Federal Communications Commission (FCC) impose complex restrictions on business communications. The TCPA protects consumers from unsolicited auto-dialed and prerecorded or artificial-voice phone calls, text messages, and faxed advertisements. Since the Supreme Court’s 2021 decision in Facebook, Inc. v. Duguid, the statutory “autodialer” definition reaches only equipment with the capacity to use a random or sequential number generator, but the prerecorded-voice and fax provisions do not depend on that definition.
Businesses need to understand the scope and magnitude of the TCPA. Even a company with a robust compliance program could face allegations that its call, text, or fax activities violated the TCPA. And just one TCPA violation could have serious legal, insurance, reputational, and financial consequences: recipients of such unsolicited communications can sue for statutory damages of $500 for each unlawful call, text, or fax, an amount a court may treble for willful or knowing violations. Because the statute counts each message as a separate violation, damages in a class action can quickly run into millions of dollars.
Our Services
Epstein Becker Green’s Privacy, Cybersecurity & Data Asset Management Group knows the nuances of the TCPA and the severe consequences of noncompliance. We provide TCPA counseling to clients of all sizes and various industries—including, among others, health care, financial services, technology, hospitality, retail, communications, and transportation. Our services consist of the following:
- Counseling clients on the TCPA and its accompanying FCC regulations
- Designing and implementing (or revising) marketing and communications programs, as well as existing policies, procedures, and business practices, to minimize risk and ensure compliance with the TCPA and its accompanying FCC regulations, applicable FTC telemarketing rules, and state-specific telemarketing statutes
- Advising health care clients on the interplay between the TCPA and HIPAA
- Revising contracts with third parties and consumers to ensure compliance with the TCPA
- Training personnel on the TCPA’s impact on telemarketing and debt collection
- Monitoring new TCPA-related developments and updating compliance programs as necessary
In addition, we represent clients in TCPA class action lawsuits filed in federal and state courts. We know the defenses available under the TCPA and the FCC’s implementing regulations, as well as the bases for defeating class certification. Because we are sensitive to the limits on a client’s time and resources, we evaluate whether an early resolution (through pretrial motions, an alternative dispute resolution method, or a favorable settlement) is prudent. When litigation is the better strategy, our litigators are well qualified to try the case.
GLBA and Financial Services Industry Compliance Strategies
Since the passage of the GLBA in 1999, securing the privacy and cybersecurity of consumer financial data has become a high priority in the financial services industry. The New York State Department of Financial Services has implemented Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). The National Association of Insurance Commissioners has adopted the Insurance Data Security Model Law, which a number of states have enacted. The GLBA and its implementing regulations, and these state requirements, specifically require financial and other covered institutions in the United States to create an information security program to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
However, technological innovations—such as new mobile payment platforms and novel means of analyzing consumer financial data—are creating complex challenges for financial services institutions seeking to comply with the GLBA and other relevant privacy and cybersecurity laws.
Our Services
Epstein Becker Green’s Privacy, Cybersecurity & Data Asset Management Group guides financial services clients through this highly regulated and rapidly changing environment. Our services in this area include:
- Counseling clients on applying the GLBA and existing federal and state privacy and cybersecurity laws to new strategies and emerging technologies
- Reviewing and revising, where necessary, clients’ existing privacy policies and programs, information-sharing procedures, data safeguards, and opt-out notice provisions
- Advising on information security “best practices” for assessing, updating, and managing company policies, procedures, and data protection programs
- Creating training materials and compliance programs for employers and management to help ensure that consumer financial information is properly collected and managed
- Drafting confidentiality and privacy agreements between financial services clients and their business partners or third parties regarding the sharing, management, and protection of financial data
- Updating clients on new changes to the area of financial privacy and data protection, and revising client policies, programs, and practices, where necessary, to conform to those changes
- Representing clients in investigations and administrative proceedings concerning alleged violations of the GLBA and state law
- Representing clients in data breach litigation
GLBA and the Cloud
The GLBA’s Financial Privacy Rule requires financial institutions to provide an initial and annual notice to customers explaining how customer data is collected and shared and the steps taken to protect it. The GLBA Safeguards Rule also requires institutions to implement a written information security program; the FTC’s amended Safeguards Rule (16 CFR Part 314, in force since June 2023) spells out required elements, including a written risk assessment, access controls, encryption of customer information in transit and at rest, multifactor authentication, an incident response plan, and oversight of service providers. That last element is what makes “cloud computing” and the use of an outside cloud provider complicated: moving customer data to a provider does not move the compliance obligation, so the institution must select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the provider against them. Many financial institutions are wrestling with the loss of direct control over data that comes with the business benefits of cloud adoption.
At Epstein Becker Green, we advise clients on cloud computing and other attractive and inexpensive storage technologies. We help our clients evaluate the risks of storing information in the cloud and then identify legal solutions, such as creating policies and procedures to ensure compliance with the GLBA’s Financial Privacy and Safeguards Rules and managing cloud providers through contractual safeguards and ongoing assessment, so that our clients can take advantage of these cost-saving technologies.
Privacy and Security Due Diligence
Any company—especially an entity in a highly regulated industry (such as financial services, health care, hospitality, retail, technology, and telecommunications)—seeking to sell, acquire, or merge with another company needs to carefully consider the privacy and cybersecurity concerns related to the sensitive business and personal data flowing through the target company. A thorough review of a target’s privacy and cybersecurity compliance programs is, therefore, a must before entering into any transaction. Compliance costs and litigation can significantly affect the value of a company, necessitating a careful assessment of any target’s potential liabilities or compliance costs that are likely to be passed on after the transaction.
Our Services
Epstein Becker Green’s Privacy, Cybersecurity & Data Asset Management Group undertakes privacy and cybersecurity due diligence reviews and provides support to clients in the context of sales, acquisitions, mergers, and joint ventures. We help clients understand what data the target stores and whether it is protected; whether the target has put in place proper response and remediation processes and policies; and what, if any, disclosures are needed. Given our deep and longstanding experience in privacy and cybersecurity, we advise clients concerning potential liabilities and vulnerabilities in the target’s information security and data privacy practices.
Specifically, our due diligence reviews typically include the following components:
- a review of the target company’s privacy and cybersecurity policies, including compliance with relevant international, federal, and state laws and regulations
- an examination of the target company’s protocols, procedures, controls, or other implementation directives to ensure that the adopted policies are properly integrated into the target’s business practices
- an examination of the target company’s network security, risk assessments, and other cybersecurity safeguards to protect against unlawful disclosures of sensitive data
- verification that the target company has entered into appropriate data use agreements with any entity with which it has shared sensitive data, and a review of the content and implementation of those agreements
- a review of the target company’s regulatory history, including if it has been (or is currently) the subject of a government investigation regarding privacy and cybersecurity, as well as the manner in which the investigation was resolved
- an investigation into whether the target company has been (or is) the subject of private litigation relating to a violation of applicable privacy laws
In addition, Epstein Becker Green stays involved throughout the transactional process to ensure that sensitive data is transferred in accordance with all relevant laws, rules, and regulations. We identify, evaluate, and calculate risk to our client and then develop representations, warranties, indemnities, and other contractual provisions and protections. We also negotiate licenses, service contracts, and supplier and other agreements to safeguard confidential information and shift or mitigate that risk.
Insights
- Publications: The Challenge of AI Governance: The Blessing and the Curse of Safeguarding Personal Data
- Blogs: Video: New DOL Guidance - ERISA Plan Cybersecurity Update - Employment Law This Week
- Media Coverage: BBA Spotlight Series: Get to Know Emerging Leaders in Boston Law–Marylana Saadeh Helou
- Media Coverage: Brian Cesaratto Quoted in “New Jersey Legislation to Watch: A Midyear Report”
- Media Coverage: Dennis Sapien-Pangindian Quoted in “Info Blocking ‘Disincentives’ Rule Brings Penalties; Data-Sharing ...
- Firm Announcements: Elizabeth Scarola Named to the 2024 Florida Rising Stars List
- Publications: Part 2, Part Deux: New Rules for SUD Information Sharing
- Publications: Major Updates to Substance Use Disorder Treatment Confidentiality Requirements Increase Alignment with HIPAA but Raise ...
- Publications: USA: Children's Privacy Updates
- Firm Announcements: Epstein Becker Green Again Earns ISO 27001 and 27017 Certifications, Highest Accreditation for Data Security and Client ...
- Firm Announcements: Epstein Becker Green Fuels West Coast Momentum with Six-Attorney Health Care Team
- Media Coverage: Adam Forman Joins NRF Summit to Discuss Risks of AI Misuse in Retail Industry
- Blogs: Privacy Officer's Roadmap: Data Breach and Ransomware Defense – Speaking of Litigation Video Podcast
- Media Coverage: Alaap Shah Quoted in “Don’t Worry, You (Probably) Won’t Have to Deal with ONC: Algorithm Transparency Rule May Have ...
- Media Coverage: Alaap Shah Quoted in “2024 Outlook: The Cybersecurity Trends Health System Leaders Need to Know”
- Publications: USA: Future of Cybersecurity Law and Regulation
- Firm Announcements: Epstein Becker Green Announces 2024 Promotions
- Media Coverage: Alaap Shah Featured in “You Gotta Get the Data Right! Talking EMPI”
- Media Coverage: Brian Cesaratto Quoted in “Best Practices for Detecting and Managing Fraud”
- Publications: #WorkforceWednesday: “No Robot Bosses Act,” NJ Unemployment Compensation, California Enforces CCPA/CPRA
- Blogs: The California Attorney General and the California Privacy Protection Agency Are Accelerating Enforcement on CCPA/CPRA ...
- Publications: European Commission Adopts an Adequacy Decision for a New EU-U.S. Data Privacy Framework
- Blogs: Nevada Joins Washington and Connecticut to Protect Consumer Health Data Privacy
- Media Coverage: Alaap Shah Quoted in "New Health App Rule Would Better Protect Users – and So Can You"
- Media Coverage: Alaap Shah Featured in AHLA Podcast, “Health Care Data Governance: How to Build a Culture of Compliance”
- Blogs: FTC Signals Increased Scrutiny of Technology Sector Through Establishing the Office of Technology
- Blogs: FTC Brings Enforcement Action Under FTC Act and Health Breach Notification Rule Based on GoodRx’s Use of Advertising ...
- Blogs: California Privacy Protection Agency Board Adopts and Approves CCPA Regulations and Discusses Preliminary Rulemaking for ...
- Media Coverage: Lisa Pierce Reisz Featured in “Epstein Becker Brings On Health Care Atty in Ohio”
- Firm Announcements: Health Care Attorney Lisa Pierce Reisz Joins Epstein Becker Green in Columbus
- Media Coverage: Elizabeth Scarola Featured in “People on the Move”
- Firm Announcements: Epstein Becker Green Announces 2023 Promotions (October 28, 2022)
- Firm Announcements: Elizabeth Scarola Named to the 2022 Florida Rising Stars List
- Media Coverage: Alaap Shah Featured in AHLA Connections Magazine: Member Spotlight
- Publications: USA: Security Considerations for VPNs
- Media Coverage: Alaap Shah Quoted in “HHS Guidance Addresses HIPAA and Emergency Protective Orders”
- Publications: USA: Privacy and Cybersecurity Considerations for Contactless Payment Solutions
- Media Coverage: Robert Travisano Quoted in “Businesses Face Growing Risk of Cyberattacks, Financial Loss”
- Firm Announcements: Epstein Becker Green’s Brian Cesaratto and Francesco DeLuca Named 2022 BTI Client Service All-Stars
- Media Coverage: The Ransomware Plague Continues, but the Response Model Is Changing
- Media Coverage: Gary Herschman Discusses Private Equity Driving Consolidation Across Orthopedic Healthcare in Q&A with Dana Jacoby ...