SHARE
PRINT CONTACT US

Data Privacy & Information Security

Managing and protecting data and the associated risk have become an integral part of operating a business. Ulmer & Berne counsels its clients concerning data security risk management, and planning for data breaches. We also conduct post-breach investigations, respond to government inquiries, and defend complex litigation often driven by negative media coverage and public outrage.

Corporate Risk

Data privacy and security are corporate risks and require the attention of directors and the most senior executives within a company. We provide guidance about the fiduciary obligations and potential liabilities of officers and directors in managing risks from breaches of data security and privacy.

Advisory Services

Our attorneys help clients manage existing legal requirements and implement programs to reduce data security obligations throughout the company. Preventative measures include managing the risks arising from the access of third-party vendors to sensitive information. We help clients create an infrastructure to monitor data security risks and structuring a plan of action to address data breaches before they become public relations, regulatory, and litigation problems.

Incident Response

Once a company realizes that a data security breach has occurred, the company must execute its action plan and quickly meet applicable legal obligations. Our attorneys guide clients through the process of responding to data breaches and notifying individuals, law enforcement, regulators, and government bodies about security incidents.

Internal Investigations

Following a data breach, companies must consider the possibility that employee misfeasance or malfeasance facilitated or caused the incident. Our attorneys include skilled investigators who work with forensic computer experts to ascertain the cause of a data breach. Working with forensic experts, we can confidentially and independently assess security breaches, help contain them, and recommend additional protocols to prevent future breaches.

Government Investigations

The Federal Trade Commission and state attorneys general have heightened their interest in data breaches. Our attorneys defend federal and state investigations that often follow a data breach. We work with clients to secure electronic and other tangible records, understand the nature and causes of the data breach, and prepare a cogent and comprehensive response to government questions. Our attorneys work tirelessly during investigations to eliminate the risk of formal government action being taken against our clients.

Litigation

The theft or loss of sensitive personal information or trade secrets can involve litigation to protect corporate assets and defend regulatory, customer, and shareholder claims stemming from a breach. We are experienced in helping clients navigate the seemingly inevitable litigation associated with an inadvertent loss or unauthorized acquisition of sensitive information.

Goins Quoted in Law360 Cybersecurity Article

Ulmer News Frances Floriano Goins Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed analysis to a recent Law360 article focusing on an expected wave of cybersecurity-based enforcement from the U.S. Securities and Exchange Commission (SEC). For years, the SEC has encouraged companies to focus on...

Upcoming Webinar: Copyright Challenges in a Fast-Paced World

ABA-IPL Landslide Webinar Series: Practical Insights on Software Copyright Registration and Enforcement ABA-IPL Landslide® Webinar Series Tuesday, June 20, 2017 1:00 pm – 2:30 pm EST 1.50 General CLE Credit Hours Gregory Stein On June 20, Gregory P. Stein joins a panel of experts to discuss key issues when obtaining...

WannaCry Virus Triggers SEC Security Alert To BDs And Investment Management Firms

Ulmer Client Alert Topics: Data Privacy & Information Security; Financial Services By: Frances Floriano Goins We are now one week into the worldwide cyberattack known as the WannaCry virus, which targets computers running Microsoft Windows operating systems, encrypts their data, and demands ransom payments in Bitcoin currency. Many of the...

Practical Insights on Software Copyright Registration

Gregory P. Stein, Vice Chair of Ulmer’s Data Privacy and Information Security Group, recently co-authored an article published in Landslide, a publication of the American Bar Association’s section of intellectual property. Covering computer program registration basics, how to determine which software versions to register, and an analysis of relevant case law, the article...

Beware the 10-K Ruse: Hackers Target SEC Reporting Companies

Ulmer Client Alert Topic: Data Privacy & Information Security By: Frances Floriano Goins, Michael A. Marrero, and Gregory P. Stein Employees of Securities and Exchange Commission (SEC) reporting companies are the targets of a new cyberattack. On March 8, the SEC issued a notice about malicious emails that appear to be...

HIPAA Breach Notification Enforcement Action

Ulmer Client Alert Author: Anne Strassfeld Industry: Health Care Could any of the following happen in your workplace? An unencrypted laptop with patient information is lost or stolen An unauthorized person accesses a computer database with patient information Patient billing records are left in an unsecured trash bin in a...

September 16, 2016 The U.S. Sixth Circuit Court of Appeals recently joined a minority of courts in holding that the compromise of personal information through a cyber-hack without actual identity theft is sufficient “injury” to support Article III standing. In Galaria v. Nationwide Mutual Insurance Company, Nos. 15-3386/3387 (6th Cir....

Target’s Directors and Officers Dismissed from Data Breach Lawsuit

Target Corporation’s (Target) directors and executive officers can breathe a sigh of relief after a Minnesota federal judge dismissed derivative claims brought against them by Target shareholders, stemming from a data breach in 2013 in which hackers stole credit card and other personal information of tens of millions of Target...

Goins Featured in Financier Worldwide

“Cyber Security & Risk Management 2016,” Financier Worldwide July 13, 2016

Goins Named to Benchmark’s Top 250 Women in Litigation

For the third consecutive year, Ulmer & Berne partner Frances Floriano Goins was named to the 2016 edition of the Benchmark Top 250 Women in Litigation. The annual publication is dedicated to honoring the accomplishments of America’s leading female litigators. Based in Cleveland, Ohio, Ms. Goins is one of only...

The Multi-Million Dollar Hole in PF Chang’s Cyberliability Insurance

P.F. Chang’s Bistro, Inc. (PF Chang) suffered a rude awakening when its cyberliability policy failed to cover almost $2 million dollars of fees and assessments stemming from a breach of its credit card processing system. Hackers had compromised approximately 60,000 of PF Chang’s customers’ credit cards. PF Chang had purchased...

New Attack on EU/US Data Transfers Challenges the Validity of Standard Contractual Clauses

Standard contractual clauses, which have quickly become a popular means for transferring personal data from the European Union to the United States following the demise of the Safe Harbor, may suffer the same fate as the Safe Harbor and be found to be an invalid mechanism for legally transferring personal...

Ransomware in Healthcare: The Emerging Threat

The healthcare industry needs to proactively respond to an emerging data security threat. Hackers are not only stealing personal information from healthcare organizations for resale but are also beginning to shut down healthcare organizations’ operations using ransomware. Ransomware is a type of malware that encrypts a victim’s data on its...

Collateral Damage: A Lesson from Ashley Madison on Preserving Attorney-Client Privilege and Protecting Corporate Documents

Data breaches can have repercussions far beyond the loss of personally identifiable information. They can also include the loss of internal business documents that can damage the hacked company, including documents subject to the attorney-client privilege. That exact scenario affected Avid Dating Life Inc., the operator of Ashley Madison, the...

The Federal Communications Commission (FCC) approved proposed new broadband privacy regulations for broadband providers (i.e., Internet service providers, or “ISPs”) on March 31, 2016. The new regulations followed the FCC’s reclassification of broadband as a “utility” (a classification still under scrutiny in litigation), which the FCC believes requires it to...

“Roundtable: Cyber security” Financier Worldwide Cyber attacks are now the norm. Over the last 12 to 18 months, companies have become ever more vulnerable to assaults on their security, with the frequency and severity of incidents increasing without pause. The question is whether firms are ready to deal with both...

On December 17, 2015 the arrival of a new era in European Union (E.U.) citizens’ data privacy became one step closer when the E.U.’s Civil Rights Committee approved the General Data Protection Regulation (GDPR). Unlike the 1995 EU Data Protection Directive that they replace, which required member states to implement...

October 2015 – On October 6, 2015, the Court of Justice of the European Union (CJEU) issued an opinion that substantially complicates data transfers from the European Union (EU) to the United States. The decision prevents companies from relying on the popular EU/US Safe Harbor Framework. In Schrems v. Data...

August 2015 – Target Corp. and Visa Inc. announced a settlement on August 18 requiring Target to pay up to $67 million to reimburse credit-card issuers for costs stemming from Target’s 2013 data breach. By comparison, Target and MasterCard reached a tentative agreement in May 2015 to settle a proposed...

Ulmer & Berne announces that partner Frances Floriano Goins was selected for inclusion in the 2015 Top 250 Women in Litigation, distributed by Benchmark Litigation, and also has been named a Fellow in The Trial Lawyer Honorary Society of The Litigation Counsel of America. Benchmark’s Top 250 Women in Litigation...

June 2015 – This client alert highlights a few noteworthy updates regarding HIPAA Privacy and Security Rule compliance and enforcement activity. HIPAA Enforcement Highlights.  The U.S. Department of Health and Human Services (DHHS) recently issued updated HIPAA Enforcement Highlights, which provide useful information to organizations as they work to bolster...

June 2015 – On May 18, 2015 the Connecticut Supreme Court released an opinion denying a contractor, Recall Total Information Management, Inc. (Recall), and its subcontractor, Executive Logistics Services, LLC (Executive Logistics), insurance coverage for liabilities stemming from a breach caused by the subcontractor’s loss of computer backup tapes. The...

“FCC Won’t Give Broadband Cos. A Free Pass On Privacy Risks” Law360 May 29, 2015

May 2015 – On April 28, 2015, the SEC Division of Investment Management issued an Investment Management Guidance Update identifying cybersecurity as an important concern for investment companies and registered advisers. To prevent, detect, and respond to cybersecurity threats, the SEC recommends that these entities conduct periodic risk assessments, design...

April 2015 – On April 22 and 23, 2015, the U.S. House of Representatives passed H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the National Cybersecurity Protection Advancement (NCPA) Act of 2015. The bills are intended to improve national cybersecurity by establishing a legal framework that encourages...

February 2015 – On February 3, 2015, the Securities and Exchange Commission released a report (the “Summary”) detailing the results of its examination of the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers. The Summary illuminates many areas of cybersecurity programs that may merit additional attention and...

Ulmer & Berne LLP has been ranked within the top 10 percent of all law firms by The BTI Consulting Group, one of the nation’s leading legal industry research firms, in their recently published 2015 BTI Litigation Outlook report. The firm was selected as a “Litigation Powerhouse” and is named...

July 2014 – California is increasing its requirements for companies to disclose their information-collection practices in privacy policies. Since 2003, the California Online Privacy Protection Act of 2003 (“CalOPPA”) has required operators of commercial websites and online services (e.g., a mobile application) that collect personally identifiable information from residents of...

February 2014 – A new cybersecurity framework, developed to assist companies that are part of the critical infrastructure of the United States, can be a valuable tool for any company to manage and reduce its cybersecurity risk. In recognition of the importance of many industries to the national and economic...

May 2013 – On April 19, 2013 the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) jointly published final rules mandating that certain “financial institutions” and “creditors” must implement programs to detect, prevent, and mitigate identity theft (the “Red Flag Rules”). The SEC’s rules are applicable to...

Representative Experience

  • Represented manufacturing client in the investigation of and response to a multi-million dollar banking loss caused by a successful phishing scam, including supervision of security consultants and coordination with the FBI and U.S. Attorneys involved in the investigation.
  • Developed internal enterprise wide data breach protocol for a large insurance company.
  • Developed information security programs for financial services companies.
  • Advised clients on responding to data breaches involving personal customer information, including a data breach requiring notice in 50 states and other U.S. jurisdictions.
  • Advised clients on the theft of trade secrets, including in litigation for temporary and permanent injunctions and the return of trade secrets.
  • Helped a public company comply with privacy laws in the context of collecting and analyzing large quantities of behavioral data (i.e., Big Data).
  • Assisted a multi-national company in structuring best practices and a speedy response plan to protect against regulatory and litigation fall-out from inadvertent future possible data privacy breaches.
  • Negotiated many technology contracts that involve data privacy and security issues for multiple countries for a multi-national public company.
  • Counseled clients on a variety of issues related to compliance with HIPAA and HITECH, including negotiating agreements with business associates and preparation of HIPAA security and privacy policies.
  • Advised a public company regarding Payment Card Industry Data Security Standards (PCI DSS) issues with respect to the acquisition of a payment processing solution provider.
  • Helped clients comply with the Children’s Online Privacy Protection Act.
  • Developed and implemented policies to help companies identify and protect their trade secrets.
  • Successfully defended a web-hosting company in a putative consumer class action litigation resulting from a data breach.
  • Defended a national retailer in a Federal Trade Commission administrative investigation concerning theft of electronically stored credit and debit card data.
  • Organized a statewide response to the theft of a hard drive containing employee names, addresses and social security numbers.
  • Advised a large public university concerning disclosure and remediation obligations following a data breach.