Cybersecurity & Privacy

Managing and protecting data and the associated risk have become an integral part of operating a business. Ulmer & Berne counsels its clients concerning data security risk management, and planning for data breaches. We also conduct post-breach investigations, respond to government inquiries, and defend complex litigation often driven by negative media coverage and public outrage.

Corporate Risk

Data privacy and security are corporate risks and require the attention of directors and the most senior executives within a company. We provide guidance about the fiduciary obligations and potential liabilities of officers and directors in managing risks from breaches of data security and privacy.

Advisory Services & Regulatory Compliance 

Our attorneys help clients navigate the morass of domestic and foreign legal requirements and implement programs to reduce exposure to data security liability. Preventive measures may include reviewing company policies for compliance with applicable regulatory requirements and crafting appropriate privacy policies and third-party contracts, as well as managing risks arising from employees’ use of extra-network devices and third-party vendors’ access to sensitive information. We help clients create an infrastructure to monitor data security risks, train employees, and structure appropriate action plans to address data breaches before they become public relations, regulatory, and litigation problems.

Incident Response

Once a company realizes that a data security breach has occurred, the company must execute its action plan and quickly meet applicable legal obligations. Our attorneys guide clients through the process of responding to cyber incidents and executing appropriate legal and practical notification of individuals, law enforcement, regulators, and government bodies about security incidents.

Internal Investigations

Following a data breach, companies must consider the possibility that employee misfeasance or malfeasance facilitated or caused the incident. Our attorneys include skilled investigators who work with forensic computer experts to ascertain the cause of a data breach. Working with forensic experts, we can confidentially and independently assess security breaches, help contain them, and recommend additional protocols to prevent future breaches.

Government Investigations

The U.S. and foreign regulators from the SEC and the Federal Trade Commission to the European Union, as well as state attorneys general have all heightened their interest in cybersecurity and privacy. Our attorneys counsel clients in regulatory investigations and defend regulatory enforcement actions that often follow a cyber incident. We work with clients to secure electronic and other tangible records, understand the nature and causes of the data breach, and prepare a cogent and comprehensive response to governmental and regulatory inquiries. Our attorneys work tirelessly during investigations to eliminate the risk of formal government action being taken against our clients.


The theft or loss of sensitive personal information or trade secrets can involve litigation to protect corporate assets and defend regulatory, customer, and shareholder claims stemming from a breach. We are experienced in helping clients navigate the seemingly inevitable litigation associated with an inadvertent loss or unauthorized acquisition of sensitive information.

May 1, 2023 – Last week, the Governor of Washington signed a package of legislation aimed at protecting the health care of women in response to the United States Supreme Court’s reversal of Roe vs. Wade. One of the new laws, the Washington My Health, My Data Act, seeks to...

February 8, 2022 – The Illinois Biometric Information Privacy Act (BIPA 740 ILCS 14/1 et seq.) requires employers to notify employees and other individuals before collecting their biometric identifiers such as fingerprints (click here to read our last client alert on BIPA). If the employer fails to provide notice first,...

December 22, 2021 – The Illinois Biometric Information Privacy Act (BIPA 740 ILCS 14/1 et seq.) requires businesses to notify individuals before collecting their biometric identifiers such as fingerprints (click here to read our previous client alert). If the business fails to first provide notice and obtain a waiver, the affected...

July 29, 2021 – Earlier this month, the governor of Colorado signed into law the Colorado Privacy Act (CPA), making Colorado the third state to enact a comprehensive data security law after California in 2018 and Virginia in March 2021. The CPA will become effective on July 1, 2023. The...

June 23, 2021 – Last week, a federal court in Illinois ruled that the Illinois Biometric Information Privacy Act (BIPA) (740 ILCS § 14/1 et seq.) can apply to companies that do not exclusively control consumers’ biometric data, denying an initial motion to dismiss the complaint for failure to state...

March 8, 2021 – In what might prove to be a growing trend, on March 2, 2021, the Governor of Virginia signed into law the comprehensive Consumer Data Protection Act (CDPA), making Virginia the most recent state to enact such a law after California and the more limited Maine Act...

November 13, 2020 – In a notable event on Election Day this November, California voters approved amendments to the California Consumer Privacy Act (CCPA) and enacted a new statute – the California Privacy Rights Act (CPRA). The new statute expands California residents’ rights with respect to how businesses collect and use personal...

Ulmer attorneys Frances Floriano Goins and Michael Davis Hoenig recently updated the Ohio Domestic Privacy Profile for “Bloomberg Law: Privacy & Data Security.” In the update, the attorneys discuss emerging issues including recent legislation like SB 194, which was passed by the Ohio Senate in December 2019 to protect Ohio...

As The Wall Street Journal recently noted, this coming January will mean more than just after-Christmas sales for large retailers (like Gap). Starting January 1, 2020, California’s new data-privacy statute, the California Consumer Privacy Act (CCPA), will take effect. California’s legislature hastily wrote and then passed the CCPA last year...

Ulmer & Berne LLP is pleased to announce that Partner Frances Floriano Goins has been elected to the Board of Directors of Beck Center for the Arts, a nonprofit performing arts and arts education organization dedicated to inspiring and enriching the quality of life for Northeast Ohioans. Beck Center for the Arts...

Ulmer Partner Frances Floriano Goins  recently wrote an article for Bloomberg Law entitled, “INSIGHT: Protecting Broker Dealers from Cyber Threats.” In the article, Goins examines a FINRA report that provides broker dealers with best practices for effective cybersecurity, and warns that it is imperative to implement controls tailored to each...

Ulmer Partner Frances Floriano Goins was recently quoted in Law360’s “Yahoo Breach Deal’s Failure Shows Vagueness Doesn’t Pay.” Goins provided her insight into a U.S. District Judge’s recent refusal to approve a $50 million data breach deal between Yahoo and its users, and the growing scrutiny courts across the country...

Ulmer Partner Frances Floriano Goins was recently quoted in Law360’s “Apple’s Facebook, Google App Bans Shake Up Privacy Fight.” Goins provided her insight into the debate surrounding Apple’s decision to temporarily block Facebook and Google from distributing internal employee apps to consumers after data collection concerns came to light. To...

Ulmer Partner Frances Floriano Goins was recently interviewed for a Global Data Review article entitled, “Facebook could face FTC scrutiny, say privacy lawyers.” Goins provided her insights following The New York Times’ discovery that Facebook has been giving other companies access to users’ personal data and whether this violated Facebook’s...

Representative Experience

  • Advised numerous U.S. companies with overseas operations and/or data collection facilities on GDPR obligations.
  • Drafted and revised privacy and other company policies for dozens of companies to comply with the GDPR.
  • Represented manufacturing client in the investigation of and response to a multi-million dollar banking loss caused by a successful phishing scam, including supervision of security consultants and coordination with the FBI and U.S. Attorneys involved in the investigation.
  • Developed internal enterprise-wide data breach protocol for a large insurance company.
  • Developed information security programs for financial services companies.
  • Advised clients on responding to data breaches involving personal customer information, including a data breach requiring notices in 48 states and other U.S. jurisdictions.
  • Advised broker-dealer clients on the application of SEC Regulation S-P and the Safeguards Rule in connection with inadvertent disclosure of customer data and discovery issues in FINRA arbitrations.
  • Drafted third-party vendor contracts for middle-market company to secure the best possible data protection provisions.
  • Counseled large multi-state CPA firm on data breach response issues including forensic investigation of incident, applicable state notice provisions for 38 states, IRS issues, securing identity theft insurance for affected individuals, and state regulatory matters.
  • Helped a public company analyze and comply with privacy laws in the context of collecting and analyzing large quantities of behavioral data (i.e., Big Data).
  • Assisted a multi-national company in structuring best practices and a speedy response plan to protect against regulatory and litigation fall-out from possible future data privacy incidents.
  • Negotiated many technology contracts involving data privacy and security issues for multiple countries for a multi-national public company.
  • Counseled clients on a variety of issues related to compliance with HIPAA and HITECH, including negotiating agreements with business associates and preparation of HIPAA security and privacy policies.
  • Advised a public company regarding Payment Card Industry Data Security Standards (PCI DSS) issues with respect to the acquisition of a payment processing solution provider.
  • Helped clients comply with the Children’s Online Privacy Protection Act.
  • Successfully defended a web-hosting company in a putative consumer class action litigation resulting from a data breach.
  • Defended a national retailer in a Federal Trade Commission administrative investigation concerning theft of electronically stored credit and debit card data.
  • Organized a statewide response to the theft of a hard drive containing employee names, addresses, and social security numbers.
  • Advised a large public university on disclosure and remediation obligations following a data breach.