Cybersecurity & Privacy
Managing and protecting data and the associated risk have become an integral part of operating a business. Ulmer & Berne counsels its clients on data security risk management and planning for data breaches. We also conduct post-breach investigations, respond to government inquiries, and defend complex litigation often driven by negative media coverage and public outrage.
Corporate Risk
Data privacy and security are corporate risks and require the attention of directors and the most senior executives within a company. We provide guidance about the fiduciary obligations and potential liabilities of officers and directors in managing risks from breaches of data security and privacy.
Advisory Services & Regulatory Compliance
Our attorneys help clients navigate the morass of domestic and foreign legal requirements and implement programs to reduce exposure to data security liability. Preventive measures may include reviewing company policies for compliance with applicable regulatory requirements and crafting appropriate privacy policies and third-party contracts, as well as managing risks arising from employees’ use of extra-network devices and third-party vendors’ access to sensitive information. We help clients create an infrastructure to monitor data security risks, train employees, and structure appropriate action plans to address data breaches before they become public relations, regulatory, and litigation problems.
Incident Response
Once a company realizes that a data security breach has occurred, the company must execute its action plan and quickly meet applicable legal obligations. Our attorneys guide clients through the process of responding to cyber incidents and executing appropriate legal and practical notification of individuals, law enforcement, regulators, and government bodies about security incidents.
Internal Investigations
Following a data breach, companies must consider the possibility that employee misfeasance or malfeasance facilitated or caused the incident. Our attorneys include skilled investigators who work with forensic computer experts to ascertain the cause of a data breach. Working with forensic experts, we can confidentially and independently assess security breaches, help contain them, and recommend additional protocols to prevent future breaches.
Government Investigations
U.S. and foreign regulators, from the SEC and the Federal Trade Commission to the European Union, as well as state attorneys general, have all heightened their interest in cybersecurity and privacy. Our attorneys counsel clients in regulatory investigations and defend regulatory enforcement actions that often follow a cyber incident. We work with clients to secure electronic and other tangible records, understand the nature and causes of the data breach, and prepare a cogent and comprehensive response to governmental and regulatory inquiries. Our attorneys work tirelessly during investigations to eliminate the risk of formal government action being taken against our clients.
Litigation
The theft or loss of sensitive personal information or trade secrets can involve litigation to protect corporate assets and defend regulatory, customer, and shareholder claims stemming from a breach. We are experienced in helping clients navigate the seemingly inevitable litigation associated with an inadvertent loss or unauthorized acquisition of sensitive information.
Washington Enacts First In the Nation Health Data Protection Law
May 1, 2023 – Last week, the Governor of Washington signed a package of legislation aimed at protecting the health care of women in response to the United States Supreme Court’s reversal of Roe vs. Wade. One of the new laws, the Washington My Health, My Data Act, seeks to...
May 01, 2023
Illinois Supreme Court Rules Workers’ Compensation Act Does Not Bar Claims Under BIPA
February 8, 2022 – The Illinois Biometric Information Privacy Act (BIPA 740 ILCS 14/1 et seq.) requires employers to notify employees and other individuals before collecting their biometric identifiers such as fingerprints. If the employer fails to provide notice first,...
February 08, 2022
December 22, 2021 – The Illinois Biometric Information Privacy Act (BIPA 740 ILCS 14/1 et seq.) requires businesses to notify individuals before collecting their biometric identifiers such as fingerprints. If the business fails to first provide notice and obtain a waiver, the affected...
December 22, 2021
Colorado Passes New Comprehensive Consumer Data Protection Act
July 29, 2021 – Earlier this month, the governor of Colorado signed into law the Colorado Privacy Act (CPA), making Colorado the third state to enact a comprehensive data security law after California in 2018 and Virginia in March 2021. The CPA will become effective on July 1, 2023. The...
July 29, 2021
Illinois Federal Court Rules Apple May Be “In Possession” of Biometric Data Stored on User Devices
June 23, 2021 – Last week, a federal court in Illinois ruled that the Illinois Biometric Information Privacy Act (BIPA) (740 ILCS § 14/1 et seq.) can apply to companies that do not exclusively control consumers’ biometric data, denying an initial motion to dismiss the complaint for failure to state...
June 23, 2021
Virginia Passes New Consumer Data Protection Act
March 8, 2021 – In what might prove to be a growing trend, on March 2, 2021, the Governor of Virginia signed into law the comprehensive Consumer Data Protection Act (CDPA), making Virginia the most recent state to enact such a law after California and the more limited Maine Act...
March 08, 2021
As California Enacts New Data-Privacy Laws, So May the Nation
November 13, 2020 – In a notable event on Election Day this November, California voters approved amendments to the California Consumer Privacy Act (CCPA) and enacted a new statute – the California Privacy Rights Act (CPRA). The new statute expands California residents’ rights with respect to how businesses collect and use personal...
November 13, 2020
Emerging Issues: Ohio Domestic Privacy Profile for Bloomberg Law
Ulmer attorneys Frances Floriano Goins and Michael Davis Hoenig recently updated the Ohio Domestic Privacy Profile for “Bloomberg Law: Privacy & Data Security.” In the update, the attorneys discuss emerging issues including recent legislation like SB 194, which was passed by the Ohio Senate in December 2019 to protect Ohio...
March 03, 2020
The California Consumer Privacy Act Is Coming: Are You Ready?
As The Wall Street Journal recently noted, this coming January will mean more than just after-Christmas sales for large retailers (like Gap). Starting January 1, 2020, California’s new data-privacy statute, the California Consumer Privacy Act (CCPA), will take effect. California’s legislature hastily wrote and then passed the CCPA last year...
October 15, 2019
Frances Floriano Goins Elected to Beck Center for the Arts Board of Directors
Ulmer & Berne LLP is pleased to announce that Partner Frances Floriano Goins has been elected to the Board of Directors of Beck Center for the Arts, a nonprofit performing arts and arts education organization dedicated to inspiring and enriching the quality of life for Northeast Ohioans. Beck Center for the Arts...
July 31, 2019
Protecting Broker Dealers From Cyber Threats
Ulmer Partner Frances Floriano Goins recently wrote an article for Bloomberg Law entitled, “INSIGHT: Protecting Broker Dealers from Cyber Threats.” In the article, Goins examines a FINRA report that provides broker dealers with best practices for effective cybersecurity, and warns that it is imperative to implement controls tailored to each...
February 19, 2019
Yahoo Breach Deal’s Failure Shows Vagueness Doesn’t Pay
Ulmer Partner Frances Floriano Goins was recently quoted in Law360’s “Yahoo Breach Deal’s Failure Shows Vagueness Doesn’t Pay.” Goins provided her insight into a U.S. District Judge’s recent refusal to approve a $50 million data breach deal between Yahoo and its users, and the growing scrutiny courts across the country...
February 12, 2019
Apple’s Facebook, Google App Bans Shake Up Privacy Fight
Ulmer Partner Frances Floriano Goins was recently quoted in Law360’s “Apple’s Facebook, Google App Bans Shake Up Privacy Fight.” Goins provided her insight into the debate surrounding Apple’s decision to temporarily block Facebook and Google from distributing internal employee apps to consumers after data collection concerns came to light. To...
February 04, 2019
Frances Floriano Goins Interviewed in Global Data Review on Possible Facebook FTC Scrutiny
Ulmer Partner Frances Floriano Goins was recently interviewed for a Global Data Review article entitled, “Facebook could face FTC scrutiny, say privacy lawyers.” Goins provided her insights following The New York Times’ discovery that Facebook has been giving other companies access to users’ personal data and whether this violated Facebook’s...
January 03, 2019
Representative Experience
- Advised numerous U.S. companies with overseas operations and/or data collection facilities on GDPR obligations.
- Drafted and revised privacy and other company policies for dozens of companies to comply with the GDPR.
- Represented manufacturing client in the investigation of and response to a multi-million dollar banking loss caused by a successful phishing scam, including supervision of security consultants and coordination with the FBI and U.S. Attorneys involved in the investigation.
- Developed internal enterprise-wide data breach protocol for a large insurance company.
- Developed information security programs for financial services companies.
- Advised clients on responding to data breaches involving personal customer information, including a data breach requiring notices in 48 states and other U.S. jurisdictions.
- Advised broker-dealer clients on the application of SEC Regulation S-P and the Safeguards Rule in connection with inadvertent disclosure of customer data and discovery issues in FINRA arbitrations.
- Drafted third-party vendor contracts for middle-market company to secure the best possible data protection provisions.
- Counseled large multi-state CPA firm on data breach response issues including forensic investigation of incident, applicable state notice provisions for 38 states, IRS issues, securing identity theft insurance for affected individuals, and state regulatory matters.
- Helped a public company analyze and comply with privacy laws in the context of collecting and analyzing large quantities of behavioral data (i.e., Big Data).
- Assisted a multi-national company in structuring best practices and a speedy response plan to protect against regulatory and litigation fall-out from possible future data privacy incidents.
- Negotiated many technology contracts involving data privacy and security issues for multiple countries for a multi-national public company.
- Counseled clients on a variety of issues related to compliance with HIPAA and HITECH, including negotiating agreements with business associates and preparation of HIPAA security and privacy policies.
- Advised a public company regarding Payment Card Industry Data Security Standards (PCI DSS) issues with respect to the acquisition of a payment processing solution provider.
- Helped clients comply with the Children’s Online Privacy Protection Act.
- Successfully defended a web-hosting company in a putative consumer class action litigation resulting from a data breach.
- Defended a national retailer in a Federal Trade Commission administrative investigation concerning theft of electronically stored credit and debit card data.
- Organized a statewide response to the theft of a hard drive containing employee names, addresses, and social security numbers.
- Advised a large public university on disclosure and remediation obligations following a data breach.