Privacy & Data Security

Laws recently enacted in California and around the globe embody broad new concepts of privacy for the digital age, just as data has become one of the most valuable business assets, and more regulations are on the horizon.  Now, companies of all stripes and sizes must weigh the benefits of innovative data collection, use and sharing against significant and evolving regulatory and litigation risk.  Stradling’s cross-disciplinary Privacy & Data Security practice group has a distinguished track record of helping clients navigate all aspects of this dynamic environment.

Turning Compliance and Risk Management Into Assets

We pride ourselves on devising practical ways to apply ambiguous, overlapping, and untested compliance requirements, which are rife in this evolving area of the law.  The California Consumer Privacy Act (CCPA), effective January 1, 2020, has made the Golden State the de facto U.S. capital of data privacy regulation.  Sector-specific federal privacy laws continue to drive the compliance needs of healthcare providers and financial institutions, but CCPA can still apply to a substantial portion of their operations. 

For businesses with a global reach, understanding the fundamental differences between CCPA and its foreign counterparts, including the European Union’s General Data Protection Regulation (GDPR), is key.  We’ve counseled many companies on designing compliance programs tailored to their needs by defining applicable legal frameworks; completing comprehensive data mapping and risk assessment; preparing new privacy notices, policies and procedures; developing resources for responding to data subject requests and maintaining required records; updating relevant customer and vendor agreements; and operationalizing a culture of data minimization, security and privacy-by-design that can serve as a critical foundation for decades to come. 

In addition to helping companies design and launch compliance programs, we also serve as outside data privacy counsel for a number of clients who need a trusted expert for ongoing compliance and risk management needs.  For example, we represent both businesses (data controllers) and service providers (data processors) in negotiating data processing agreements, indemnity terms and risk allocations appropriate to the nature of particular transactions, data processing arrangements, and applicable regulatory frameworks. Our services include:

  • Compliance counseling and risk assessment
  • Privacy and security policy design
  • Customer and vendor contracting
  • Incident response
  • Government investigations
  • Consumer, commercial and shareholder data breach litigation

While we counsel Fortune 500 companies who have already been subject to industry-specific federal privacy legislation, we take great pride in giving practical advice to growing businesses for whom data privacy concerns are relatively new. We are adept at helping clients map the flow of personal data through their organizations, which is a critical first step in identifying applicable data privacy laws and designing realistic compliance roadmaps.

Seasoned Advocates in Commercial Litigation & Class Action Defense

Our team of trial lawyers boasts the rare distinction of having successfully litigated the question of what constitutes reasonable data security all the way through trial.  The CCPA has made that question, and related litigation exposure, more relevant to a broad swath of businesses by giving consumers the right to sue for statutory damages in the event of a data breach.  We’ve also successfully defended companies in high-stakes consumer class actions alleging invasion of privacy, misuse of personal data, and violations of various consumer protection and unfair competition laws.  Our unique blend of litigation experience, combined with our deep practice in applying CCPA requirements and constantly-evolving data security standards, is a vital asset for helping companies minimize liability in this new era of consumer privacy protections.

In recent years, data security incidents have also given rise to more commercial disputes between consumer-facing businesses and the service providers they rely upon to store, transmit or protect personal information or other sensitive data.  We’ve experienced this first hand, representing both businesses and service providers in connection with claims for breach of contract, negligence, and similar claims stemming from such incidents.

Enforcement Defense & Investigations

The Federal Trade Commission, through its broad power to police unfair and deceptive trade practices, and state regulators have been, and will continue to be for the foreseeable future, the most active enforcers of laws that protect consumer privacy and require businesses to employ reasonable data security measures.  In some jurisdictions, such as California, authorities can pursue substantial monetary penalties for violations, even for first-time offenders. 

Our team has represented companies in many investigations, including data privacy/security investigations, by the FTC and the attorneys general of dozens of states, including California, New York, Pennsylvania, Wisconsin, Minnesota, Indiana and Vermont.  Our submissions on behalf of clients have frequently convinced regulators to end their investigations without pursuing enforcement action.  We also have experience representing companies in inquiries by congressional committees considering new privacy legislation or conducting regulatory oversight in the wake of high-profile incidents.

Effective Incidence Response

There is no such thing as perfect data security, but many regulators and media outlets seem to forget that maxim after a cyberattack or other security incident occurs.  Effective incident response puts legal counsel at the helm of a rapid and focused forensic investigation, legal analysis and public relations response that balances the need to minimize legal exposure and mitigate reputational harm with the obligation to keep customers, regulators, consumers and other stakeholders informed under overlapping state data breach notification laws and myriad contractual obligations.  We have years of experience in that role, and are comfortable coordinating with insurance carriers, IT professionals, cyber forensic investigators, and PR consultants to manage this unique type of crisis.