Cybersecurity & Privacy


Managing and protecting data and the associated risk have become an integral part of operating a business. Ulmer & Berne counsels its clients concerning data security risk management and planning for data breaches. We also conduct post-breach investigations, respond to government inquiries, and defend complex litigation often driven by negative media coverage and public outrage.

Corporate Risk

Data privacy and security are corporate risks and require the attention of directors and the most senior executives within a company. We provide guidance about the fiduciary obligations and potential liabilities of officers and directors in managing risks from breaches of data security and privacy.

Advisory Services & Regulatory Compliance 

Our attorneys help clients navigate the morass of domestic and foreign legal requirements and implement programs to reduce exposure to data security liability. Preventive measures may include reviewing company policies for compliance with applicable regulatory requirements and crafting appropriate privacy policies and third-party contracts, as well as managing risks arising from employees’ use of extra-network devices and third-party vendors’ access to sensitive information. We help clients create an infrastructure to monitor data security risks, train employees, and structure appropriate action plans to address data breaches before they become public relations, regulatory, and litigation problems.

Incident Response

Once a company realizes that a data security breach has occurred, the company must execute its action plan and quickly meet applicable legal obligations. Our attorneys guide clients through the process of responding to cyber incidents and executing appropriate legal and practical notification of individuals, law enforcement, regulators, and government bodies about security incidents.

Internal Investigations

Following a data breach, companies must consider the possibility that employee misfeasance or malfeasance facilitated or caused the incident. Our attorneys include skilled investigators who work with forensic computer experts to ascertain the cause of a data breach. Working with forensic experts, we can confidentially and independently assess security breaches, help contain them, and recommend additional protocols to prevent future breaches.

Government Investigations

U.S. and foreign regulators, from the SEC and the Federal Trade Commission to the European Union, as well as state attorneys general, have all heightened their interest in cybersecurity and privacy. Our attorneys counsel clients in regulatory investigations and defend regulatory enforcement actions that often follow a cyber incident. We work with clients to secure electronic and other tangible records, understand the nature and causes of the data breach, and prepare a cogent and comprehensive response to governmental and regulatory inquiries. Our attorneys work tirelessly during investigations to eliminate the risk of formal government action being taken against our clients.

Litigation

The theft or loss of sensitive personal information or trade secrets can involve litigation to protect corporate assets and defend regulatory, customer, and shareholder claims stemming from a breach. We are experienced in helping clients navigate the seemingly inevitable litigation associated with an inadvertent loss or unauthorized acquisition of sensitive information.

For five years in a row, Ulmer & Berne LLP partner Frances Floriano Goins has been recognized as one of the nation’s top female litigators by being named in Benchmark’s Top 250 Women in Litigation. This year Goins is recognized as one of only five female litigators in the state of Ohio to...

Last week, California passed expansive new legislation to regulate the collection, purchase, sale, and processing of personal information of California residents. The California Consumer Privacy Act of 2018 (CPA), effective January 1, 2020, is the first U.S. law to address these issues. Companies that do business with California residents or operate a...

Much like Y2K, the long-awaited and much-feared GDPR compliance drop dead date of May 25th came and went without much ado. This left many of us, both in business and in the legal field, asking, “Now what?” As we await new guidance, precedent, and law informing how the EU’s Genera...

Have you thought about whether your business can, or must, comply with the GDPR? The European Union’s (EU) GDPR (General Data Protection Regulation) becomes enforceable on May 25, 2018. The GDPR covers any entity that collects or processes the personal data of individuals in EU countries (including the UK), no...

The World Trademark Review (WTR) has recognized Ulmer & Berne LLP partners Thomas M. Williams and Michael A. Marrero in its “WTR 1000 – The World’s Leading Trademark Professionals” rankings. WTR is the world’s only independent multimedia publication dedicated exclusively to reporting on trademark issues. This marks the seventh consecutive...

To maintain a lawsuit in federal court, a plaintiff must allege an “injury in fact” caused by the defendant. Many times the injury is obvious, like a broken bone from a car accident or lost profits from a breach of contract. But sometimes the injury is not so obvious. When...

Ulmer attorneys Frances Floriano Goins and Michael Davis Hoenig recently provided expert review of the Ohio Profile and wrote the Risk Environment section of the Ohio Domestic Privacy Profile for Bloomberg Law: Privacy & Data Security.  A new product from Bloomberg BNA, this online publication provides a global view of...

Ulmer Partner Frances Floriano Goins received a 2017 Diversity Award from the Diversity Law Institute (DLI). The presentation was made on November 3 at the 2017 Diversity Law Institute Summit & Awards in Philadelphia. DLI Diversity Awards are given annually to a select number of individuals, law firms and companies...

The days of hackers targeting only retailers are long gone. With attacks that can misdirect wire transfers and hold computer systems hostage, hackers can successfully target any industry, particularly those that are behind the curve for cybersecurity. That applies to real estate. According to a recent report prepared by KPMG, 50...

In today’s environment, where cybersecurity threats are becoming more and more pervasive, even small health care organizations understand that purporting to have comprehensive data privacy and security policies and procedures in place isn’t enough. Business partners want more. Regulators demand more. They want implementation and efficacy. They want to know...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed her legal perspective to an article published in WESTLAW Data Privacy – Practitioner Insights. The article spotlights the recent 8th Circuit decision in Kuhns v. Scottrade Inc., a case that explored the level of harm plaintiffs...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy & Information Security group, was published in Manufacturing Business Technology on September 7, 2017. In the article, entitled Cybersecurity 101 For Manufacturers: Why Should You Care?, Ms. Goins details how manufacturing businesses can protect themselves from data and system breaches. From the...

From Ulmer’s Broker Dealer Law Corner Blog: Ransomware is hot. And unlike some trends, it is unlikely to be a short-term trend. Criminals have been able to easily deploy ransomware attacks, which encrypt a user’s data and hold it hostage until the victim pays a ransom, and unlike stealing personal information,...

Ulmer & Berne LLP partner Frances Floriano Goins was named to the Benchmark Top 250 Women in Litigation. Ulmer partners Paul R. Harris and Joshua A. Klarfeld were included in Benchmark’s Under 40 Hot List 2017. Individual recognition for Goins, Harris, and Klarfeld comes on the heels of Ulmer’s department-wide...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed analysis to a recent Crain’s Cleveland Business article focusing on how, despite the growing reach and impact of cybercrime, many businesses continue to ignore the risks. Despite cybercrime’s pervasiveness, many businesses ignore risks From Crain’s Cleveland Business...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed analysis to a recent Law360 article focusing on an expected wave of cybersecurity-based enforcement from the U.S. Securities and Exchange Commission (SEC). For years, the SEC has encouraged companies to focus on improving their cybersecurity, and has...

We are now one week into the worldwide cyberattack known as the WannaCry virus, which targets computers running Microsoft Windows operating systems, encrypts their data, and demands ransom payments in Bitcoin currency. Many of the attacks were perpetrated through phishing emails and malicious websites. In response, the SEC Office of...

Employees of Securities and Exchange Commission (SEC) reporting companies are the targets of a new cyberattack. On March 8, the SEC issued a notice about malicious emails that appear to be sent by the SEC regarding changes to Form 10-K. Those emails often contain attachments with malicious code that can compromise the...

September 16, 2016 The U.S. Sixth Circuit Court of Appeals recently joined a minority of courts in holding that the compromise of personal information through a cyber-hack without actual identity theft is sufficient “injury” to support Article III standing. In Galaria v. Nationwide Mutual Insurance Company, Nos. 15-3386/3387 (6th Cir....

Target Corporation’s (Target) directors and executive officers can breathe a sigh of relief after a Minnesota federal judge dismissed derivative claims brought against them by Target shareholders, stemming from a data breach in 2013 in which hackers stole credit card and other personal information of tens of millions of Target...

“Cyber Security & Risk Management 2016,” Financier Worldwide July 13, 2016

For the third consecutive year, Ulmer & Berne partner Frances Floriano Goins was named to the 2016 edition of the Benchmark Top 250 Women in Litigation. The annual publication is dedicated to honoring the accomplishments of America’s leading female litigators. Based in Cleveland, Ohio, Ms. Goins is one of only...

P.F. Chang’s Bistro, Inc. (PF Chang) suffered a rude awakening when its cyberliability policy failed to cover almost $2 million of fees and assessments stemming from a breach of its credit card processing system. Hackers had compromised approximately 60,000 of PF Chang’s customers’ credit cards. PF Chang had purchased...

Standard contractual clauses, which have quickly become a popular means for transferring personal data from the European Union to the United States following the demise of the Safe Harbor, may suffer the same fate as the Safe Harbor and be found to be an invalid mechanism for legally transferring personal...

The health care industry needs to proactively respond to an emerging data security threat. Hackers are not only stealing personal information from health care organizations for resale but are also beginning to shut down health care organizations’ operations using ransomware. Ransomware is a type of malware that encrypts a victim’s...

Data breaches can have repercussions far beyond the loss of personally identifiable information. They can also include the loss of internal business documents that can damage the hacked company, including documents subject to the attorney-client privilege. That exact scenario affected Avid Dating Life Inc., the operator of Ashley Madison, the...

The Federal Communications Commission (FCC) approved proposed new broadband privacy regulations for broadband providers (i.e., Internet service providers, or “ISPs”) on March 31, 2016. The new regulations followed the FCC’s reclassification of broadband as a “utility” (a classification still under scrutiny in litigation), which the FCC believes requires it to...

“Roundtable: Cyber security” Financier Worldwide Cyber attacks are now the norm. Over the last 12 to 18 months, companies have become ever more vulnerable to assaults on their security, with the frequency and severity of incidents increasing without pause. The question is whether firms are ready to deal with both...

On December 17, 2015 the arrival of a new era in European Union (E.U.) citizens’ data privacy became one step closer when the E.U.’s Civil Rights Committee approved the General Data Protection Regulation (GDPR). Unlike the 1995 EU Data Protection Directive that they replace, which required member states to implement...

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued an opinion that substantially complicates data transfers from the European Union (EU) to the United States. The decision prevents companies from relying on the popular EU/US Safe Harbor Framework. In Schrems v. Data Protection Commissioner, Case...

Target Corp. and Visa Inc. announced a settlement on August 18 requiring Target to pay up to $67 million to reimburse credit-card issuers for costs stemming from Target’s 2013 data breach. By comparison, Target and MasterCard reached a tentative agreement in May 2015 to settle a proposed class action involving...

Ulmer & Berne announces that partner Frances Floriano Goins was selected for inclusion in the 2015 Top 250 Women in Litigation, distributed by Benchmark Litigation, and also has been named a Fellow in The Trial Lawyer Honorary Society of The Litigation Counsel of America. Benchmark’s Top 250 Women in Litigation...

On May 18, 2015 the Connecticut Supreme Court released an opinion denying a contractor, Recall Total Information Management, Inc. (Recall), and its subcontractor, Executive Logistics Services, LLC (Executive Logistics), insurance coverage for liabilities stemming from a breach caused by the subcontractor’s loss of computer backup tapes. The tapes included the...

“FCC Won’t Give Broadband Cos. A Free Pass On Privacy Risks” Law360 May 29, 2015

On April 28, 2015, the SEC Division of Investment Management issued an Investment Management Guidance Update identifying cybersecurity as an important concern for investment companies and registered advisers. To prevent, detect, and respond to cybersecurity threats, the SEC recommends that these entities conduct periodic risk assessments, design a cybersecurity strategy...

On April 22 and 23, 2015, the U.S. House of Representatives passed H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the National Cybersecurity Protection Advancement (NCPA) Act of 2015. The bills are intended to improve national cybersecurity by establishing a legal framework that encourages companies to share...

On February 3, 2015, the Securities and Exchange Commission released a report (the “Summary”) detailing the results of its examination of the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers. The Summary illuminates many areas of cybersecurity programs that may merit additional attention and improvement for broker-dealers...

Ulmer & Berne LLP has been ranked within the top 10 percent of all law firms by The BTI Consulting Group, one of the nation’s leading legal industry research firms, in their recently published 2015 BTI Litigation Outlook report. The firm was selected as a “Litigation Powerhouse” and is named...

California is increasing its requirements for companies to disclose their information-collection practices in privacy policies. Since 2003, the California Online Privacy Protection Act of 2003 (“CalOPPA”) has required operators of commercial websites and online services (e.g., a mobile application) that collect personally identifiable information from residents of California to conspicuously...

A new cybersecurity framework, developed to assist companies that are part of the critical infrastructure of the United States, can be a valuable tool for any company to manage and reduce its cybersecurity risk. In recognition of the importance of many industries to the national and economic security of the...

May 2013 – On April 19, 2013 the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) jointly published final rules mandating that certain “financial institutions” and “creditors” must implement programs to detect, prevent, and mitigate identity theft (the “Red Flag Rules”). The SEC’s rules are applicable to...

Representative Experience

  • Advised numerous U.S. companies with overseas operations and/or data collection facilities on GDPR obligations.
  • Drafted and revised privacy and other company policies for dozens of companies to comply with the GDPR.
  • Represented manufacturing client in the investigation of and response to a multi-million dollar banking loss caused by a successful phishing scam, including supervision of security consultants and coordination with the FBI and U.S. Attorneys involved in the investigation.
  • Developed internal enterprise-wide data breach protocol for a large insurance company.
  • Developed information security programs for financial services companies.
  • Advised clients on responding to data breaches involving personal customer information, including a data breach requiring notices in 48 states and other U.S. jurisdictions.
  • Advised broker-dealer clients on the application of SEC Regulation S-P and the Safeguards Rule in connection with inadvertent disclosure of customer data and discovery issues in FINRA arbitrations.
  • Drafted third-party vendor contracts for middle-market company to secure the best possible data protection provisions.
  • Counseled large multi-state CPA firm on data breach response issues including forensic investigation of incident, applicable state notice provisions for 38 states, IRS issues, securing identity theft insurance for affected individuals, and state regulatory matters.
  • Helped a public company analyze and comply with privacy laws in the context of collecting and analyzing large quantities of behavioral data (i.e., Big Data).
  • Assisted a multi-national company in structuring best practices and a speedy response plan to protect against regulatory and litigation fall-out from possible future data privacy incidents.
  • Negotiated many technology contracts involving data privacy and security issues for multiple countries for a multi-national public company.
  • Counseled clients on a variety of issues related to compliance with HIPAA and HITECH, including negotiating agreements with business associates and preparation of HIPAA security and privacy policies.
  • Advised a public company regarding Payment Card Industry Data Security Standards (PCI DSS) issues with respect to the acquisition of a payment processing solution provider.
  • Helped clients comply with the Children’s Online Privacy Protection Act.
  • Successfully defended a web-hosting company in a putative consumer class action litigation resulting from a data breach.
  • Defended a national retailer in a Federal Trade Commission administrative investigation concerning theft of electronically stored credit and debit card data.
  • Organized a statewide response to the theft of a hard drive containing employee names, addresses, and social security numbers.
  • Advised a large public university on disclosure and remediation obligations following a data breach.