Data Privacy & Information Security


Managing and protecting data and the associated risk have become an integral part of operating a business. Ulmer & Berne counsels its clients concerning data security risk management and planning for data breaches. We also conduct post-breach investigations, respond to government inquiries, and defend complex litigation often driven by negative media coverage and public outrage.

Corporate Risk

Data privacy and security are corporate risks and require the attention of directors and the most senior executives within a company. We provide guidance about the fiduciary obligations and potential liabilities of officers and directors in managing risks from breaches of data security and privacy.

Advisory Services

Our attorneys help clients manage existing legal requirements and implement programs to reduce data security obligations throughout the company. Preventative measures include managing the risks arising from the access of third-party vendors to sensitive information. We help clients create an infrastructure to monitor data security risks and structure a plan of action to address data breaches before they become public relations, regulatory, and litigation problems.

Incident Response

Once a company realizes that a data security breach has occurred, the company must execute its action plan and quickly meet applicable legal obligations. Our attorneys guide clients through the process of responding to data breaches and notifying individuals, law enforcement, regulators, and government bodies about security incidents.

Internal Investigations

Following a data breach, companies must consider the possibility that employee misfeasance or malfeasance facilitated or caused the incident. Our attorneys include skilled investigators who work with forensic computer experts to ascertain the cause of a data breach. Working with forensic experts, we can confidentially and independently assess security breaches, help contain them, and recommend additional protocols to prevent future breaches.

Government Investigations

The Federal Trade Commission and state attorneys general have heightened their interest in data breaches. Our attorneys defend federal and state investigations that often follow a data breach. We work with clients to secure electronic and other tangible records, understand the nature and causes of the data breach, and prepare a cogent and comprehensive response to government questions. Our attorneys work tirelessly during investigations to eliminate the risk of formal government action being taken against our clients.

Litigation

The theft or loss of sensitive personal information or trade secrets can involve litigation to protect corporate assets and defend regulatory, customer, and shareholder claims stemming from a breach. We are experienced in helping clients navigate the seemingly inevitable litigation associated with an inadvertent loss or unauthorized acquisition of sensitive information.

The days of hackers targeting only retailers are long gone. With attacks that can misdirect wire transfers and hold computer systems hostage, hackers can successfully target any industry, particularly those that are behind the curve for cybersecurity. That applies to real estate. According to a recent report prepared by KPMG, 50...

In today’s environment, where cybersecurity threats are becoming more and more pervasive, even small healthcare organizations understand that purporting to have comprehensive data privacy and security policies and procedures in place isn’t enough. Business partners want more. Regulators demand more. They want implementation and efficacy. They want to know that...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed her legal perspective to an article published in WESTLAW Data Privacy – Practitioner Insights. The article spotlights the recent 8th Circuit decision in Kuhns v. Scottrade Inc., a case that explored the level of harm plaintiffs...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy & Information Security group, was published in Manufacturing Business Technology on September 7, 2017. In the article, entitled Cybersecurity 101 For Manufacturers: Why Should You Care?, Ms. Goins details how manufacturing businesses can protect themselves from data and system breaches. From the...

From Ulmer’s Broker Dealer Law Corner Blog, by Gregory P. Stein. Ransomware is hot. And unlike some trends, it is unlikely to be a short-term trend. Criminals have been able to easily deploy ransomware attacks, which encrypt a user’s data and hold it hostage until the victim pays a...

Ulmer & Berne LLP partner Frances Floriano Goins was named to the Benchmark Top 250 Women in Litigation. Ulmer partners Paul R. Harris and Joshua A. Klarfeld were included in Benchmark’s Under 40 Hot List 2017. Individual recognition for Goins, Harris, and Klarfeld comes on the heels of Ulmer’s department-wide...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed analysis to a recent Crain’s Cleveland Business article focusing on how, despite the growing reach and impact of cybercrime, many businesses continue to ignore the risks. Despite cybercrime’s pervasiveness, many businesses ignore risks From Crain’s Cleveland Business...

Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed analysis to a recent Law360 article focusing on an expected wave of cybersecurity-based enforcement from the U.S. Securities and Exchange Commission (SEC). For years, the SEC has encouraged companies to focus on improving their cybersecurity, and has...

ABA-IPL Landslide Webinar Series: Practical Insights on Software Copyright Registration and Enforcement. ABA-IPL Landslide® Webinar Series, Tuesday, June 20, 2017, 1:00 pm – 2:30 pm EST, 1.50 General CLE Credit Hours. On June 20, Gregory P. Stein joins a panel of experts to discuss key issues when obtaining...

We are now one week into the worldwide cyberattack known as the WannaCry virus, which targets computers running Microsoft Windows operating systems, encrypts their data, and demands ransom payments in Bitcoin currency. Many of the attacks were perpetrated through phishing emails and malicious websites. In response, the SEC Office of...

Gregory P. Stein, Vice Chair of Ulmer’s Data Privacy and Information Security Group, recently co-authored an article published in Landslide, a publication of the American Bar Association’s section of intellectual property. Covering computer program registration basics, how to determine which software versions to register, and an analysis of relevant case law, the article...

Employees of Securities and Exchange Commission (SEC) reporting companies are the targets of a new cyberattack. On March 8, the SEC issued a notice about malicious emails that appear to be sent by the SEC regarding changes to Form 10-K. Those emails often contain attachments with malicious code that can compromise the...

September 16, 2016 – The U.S. Sixth Circuit Court of Appeals recently joined a minority of courts in holding that the compromise of personal information through a cyber-hack without actual identity theft is sufficient “injury” to support Article III standing. In Galaria v. Nationwide Mutual Insurance Company, Nos. 15-3386/3387 (6th Cir....

Target Corporation’s (Target) directors and executive officers can breathe a sigh of relief after a Minnesota federal judge dismissed derivative claims brought against them by Target shareholders, stemming from a data breach in 2013 in which hackers stole credit card and other personal information of tens of millions of Target...

“Cyber Security & Risk Management 2016,” Financier Worldwide July 13, 2016

For the third consecutive year, Ulmer & Berne partner Frances Floriano Goins was named to the 2016 edition of the Benchmark Top 250 Women in Litigation. The annual publication is dedicated to honoring the accomplishments of America’s leading female litigators. Based in Cleveland, Ohio, Ms. Goins is one of only...

P.F. Chang’s Bistro, Inc. (PF Chang) suffered a rude awakening when its cyberliability policy failed to cover almost $2 million of fees and assessments stemming from a breach of its credit card processing system. Hackers had compromised approximately 60,000 of PF Chang’s customers’ credit cards. PF Chang had purchased...

Standard contractual clauses, which have quickly become a popular means for transferring personal data from the European Union to the United States following the demise of the Safe Harbor, may suffer the same fate as the Safe Harbor and be found to be an invalid mechanism for legally transferring personal...

The healthcare industry needs to proactively respond to an emerging data security threat. Hackers are not only stealing personal information from healthcare organizations for resale but are also beginning to shut down healthcare organizations’ operations using ransomware. Ransomware is a type of malware that encrypts a victim’s data on its...

Data breaches can have repercussions far beyond the loss of personally identifiable information. They can also include the loss of internal business documents that can damage the hacked company, including documents subject to the attorney-client privilege. That exact scenario affected Avid Dating Life Inc., the operator of Ashley Madison, the...

The Federal Communications Commission (FCC) approved proposed new broadband privacy regulations for broadband providers (i.e., Internet service providers, or “ISPs”) on March 31, 2016. The new regulations followed the FCC’s reclassification of broadband as a “utility” (a classification still under scrutiny in litigation), which the FCC believes requires it to...

“Roundtable: Cyber security,” Financier Worldwide. Cyber attacks are now the norm. Over the last 12 to 18 months, companies have become ever more vulnerable to assaults on their security, with the frequency and severity of incidents increasing without pause. The question is whether firms are ready to deal with both...

On December 17, 2015, the arrival of a new era in European Union (E.U.) citizens’ data privacy came one step closer when the E.U.’s Civil Rights Committee approved the General Data Protection Regulation (GDPR). Unlike the 1995 EU Data Protection Directive that it replaces, which required member states to implement...

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued an opinion that substantially complicates data transfers from the European Union (EU) to the United States. The decision prevents companies from relying on the popular EU/US Safe Harbor Framework. In Schrems v. Data Protection Commissioner, Case...

Target Corp. and Visa Inc. announced a settlement on August 18 requiring Target to pay up to $67 million to reimburse credit-card issuers for costs stemming from Target’s 2013 data breach. By comparison, Target and MasterCard reached a tentative agreement in May 2015 to settle a proposed class action involving...

Ulmer & Berne announces that partner Frances Floriano Goins was selected for inclusion in the 2015 Top 250 Women in Litigation, distributed by Benchmark Litigation, and also has been named a Fellow in The Trial Lawyer Honorary Society of The Litigation Counsel of America. Benchmark’s Top 250 Women in Litigation...

This client alert highlights a few noteworthy updates regarding HIPAA Privacy and Security Rule compliance and enforcement activity. HIPAA Enforcement Highlights.  The U.S. Department of Health and Human Services (DHHS) recently issued updated HIPAA Enforcement Highlights, which provide useful information to organizations as they work to bolster their HIPAA compliance...

On May 18, 2015 the Connecticut Supreme Court released an opinion denying a contractor, Recall Total Information Management, Inc. (Recall), and its subcontractor, Executive Logistics Services, LLC (Executive Logistics), insurance coverage for liabilities stemming from a breach caused by the subcontractor’s loss of computer backup tapes. The tapes included the...

“FCC Won’t Give Broadband Cos. A Free Pass On Privacy Risks” Law360 May 29, 2015

On April 28, 2015, the SEC Division of Investment Management issued an Investment Management Guidance Update identifying cybersecurity as an important concern for investment companies and registered advisers. To prevent, detect, and respond to cybersecurity threats, the SEC recommends that these entities conduct periodic risk assessments, design a cybersecurity strategy...

On April 22 and 23, 2015, the U.S. House of Representatives passed H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the National Cybersecurity Protection Advancement (NCPA) Act of 2015. The bills are intended to improve national cybersecurity by establishing a legal framework that encourages companies to share...

On February 3, 2015, the Securities and Exchange Commission released a report (the “Summary”) detailing the results of its examination of the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers. The Summary illuminates many areas of cybersecurity programs that may merit additional attention and improvement for broker-dealers...

Ulmer & Berne LLP has been ranked within the top 10 percent of all law firms by The BTI Consulting Group, one of the nation’s leading legal industry research firms, in their recently published 2015 BTI Litigation Outlook report. The firm was selected as a “Litigation Powerhouse” and is named...

California is increasing its requirements for companies to disclose their information-collection practices in privacy policies. Since 2003, the California Online Privacy Protection Act of 2003 (“CalOPPA”) has required operators of commercial websites and online services (e.g., a mobile application) that collect personally identifiable information from residents of California to conspicuously...

A new cybersecurity framework, developed to assist companies that are part of the critical infrastructure of the United States, can be a valuable tool for any company to manage and reduce its cybersecurity risk. In recognition of the importance of many industries to the national and economic security of the...

May 2013 – On April 19, 2013 the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) jointly published final rules mandating that certain “financial institutions” and “creditors” must implement programs to detect, prevent, and mitigate identity theft (the “Red Flag Rules”). The SEC’s rules are applicable to...

Representative Experience

  • Represented manufacturing client in the investigation of and response to a multi-million dollar banking loss caused by a successful phishing scam, including supervision of security consultants and coordination with the FBI and U.S. Attorneys involved in the investigation.
  • Developed an internal enterprise-wide data breach protocol for a large insurance company.
  • Developed information security programs for financial services companies.
  • Advised clients on responding to data breaches involving personal customer information, including a data breach requiring notice in 50 states and other U.S. jurisdictions.
  • Advised clients on the theft of trade secrets, including in litigation for temporary and permanent injunctions and the return of trade secrets.
  • Helped a public company comply with privacy laws in the context of collecting and analyzing large quantities of behavioral data (i.e., Big Data).
  • Assisted a multi-national company in structuring best practices and a speedy response plan to protect against regulatory and litigation fallout from possible future inadvertent data privacy breaches.
  • Negotiated many technology contracts that involve data privacy and security issues for multiple countries for a multi-national public company.
  • Counseled clients on a variety of issues related to compliance with HIPAA and HITECH, including negotiating agreements with business associates and preparation of HIPAA security and privacy policies.
  • Advised a public company regarding Payment Card Industry Data Security Standards (PCI DSS) issues with respect to the acquisition of a payment processing solution provider.
  • Helped clients comply with the Children’s Online Privacy Protection Act.
  • Developed and implemented policies to help companies identify and protect their trade secrets.
  • Successfully defended a web-hosting company in a putative consumer class action litigation resulting from a data breach.
  • Defended a national retailer in a Federal Trade Commission administrative investigation concerning theft of electronically stored credit and debit card data.
  • Organized a statewide response to the theft of a hard drive containing employee names, addresses and social security numbers.
  • Advised a large public university concerning disclosure and remediation obligations following a data breach.