On the Pulse...MDWC&G Security and Data Security Practice Group
Whether it is the dependence on laptops and smartphones or sophisticated networks that connect employees of large corporations around the world, technology is a now a significant part of everyone's life. Nearly every day we hear about sensitive personal information on a lost flash drive or a prying employee poking around someone's medical records. Marshall Dennehey's Privacy and Data Security practice group deals with these issues every day and counsels clients through what we now call a data breach.
Industries We Serve
Data breaches can affect every organization in any industry. We have handled over 100 data breaches and privacy claims for health care, educational, banking, financial, retail and technology service providers, and we pride ourselves on our responsiveness. Data breaches can happen any day of the week, requiring immediate attention. These crises don't take weekends off, and neither do we. We are staffed to respond to time-critical situations with 24/7 availability. Every crisis is unique, and there is no standard solution or a menu of standard services that is suitable for every situation. Whether it is a breach involving just one individual, or millions, we have counseled clients to respond in a way that is cost effective, compliant with the law and protective of their brand. In some instances it can be important to work with local law enforcement, the FBI or the Secret Service to help respond to, and investigate, a breach event. Our White Collar Crime practice group can assist clients in responding to issues involving grand jury subpoenas, criminal investigations, law enforcement procedures, witness preparation and regulatory audits when there is criminal activity involved. We have developed relationships with Secret Service agents, FBI agents, local law enforcement, District Attorneys, Attorneys General, the Office for Civil Rights (OCR) and other regulators.
Some data loss events involve the theft or disclosure of trade secrets, or maybe even the violation of a company's social media policy, and we have the experience to work with our clients to tackle those issues. Often, employment issues arise, and we have attorneys who counsel our clients to help them work through the legal challenges they face when confronting employees after a data breach occurs.
Health Care and Pharmacy
The attorneys in our Health Law practice group are also members of the Privacy and Data Security practice group and help clients prepare for any regulatory fallout following a breach. We have responded to inquiries and investigations by state Attorneys General and the Department of Health and Human Services Office for Civil Rights. We have existing relationships with regulators in a number of states and regions, and we routinely communicate with them. We have HIPAA/HITECH experience that includes not only regulatory and compliance, but real-life, substantive experience dealing with data breaches that affect hospitals, medical providers, health plans and service providers for the health care industry. Our Health Law practice group has been involved with HIPAA since its enactment. They understand how health care systems work - both on a regulatory level and administratively. This enables our group to provide an experienced team that understands the regulatory, risk management and financial challenges facing the health care industry while providing counsel to prepare for, and respond to, breach events. Risk management is a key area of our practice, and we are prepared to assist our clients in developing the policies and procedures that are not only required by law, but will help educate and prepare providers, insurers and business associates on ways they can help safeguard protected health information.
Education
We have counseled universities and colleges of all sizes and type, as well as technical institutes and other post-secondary schools. The U.S. Department of Education is increasingly investigating these breaches, and we have represented clients during those investigations. Students use technology more than any group, and we are prepared to counsel educational institutions about the social media challenges they may face following a breach.
Financial and Banking
Financial institutions are a prime target for criminal exploitation, which ranges from insider theft of sensitive information to highly technical attacks involving malware and Trojans. We regularly respond to these types of breaches, including working with the Secret Service in breaches involving foreign nationals. Forensic investigations in this area can be key, and our team of lawyers includes attorneys who have the technical experience, knowledge and background to work with forensic consultants during investigations and comprehend the technical issues.
Retail, Energy, Utility and Service Industries
Whether you are a large retailer, energy company or a hotel chain, your customers' trust is important, and we have counseled clients to help reduce the churn rate following a data breach. Additionally, many of these industries face challenges over Payment Card Industry (PCI) compliance. We have not only handled breaches involving these issues, but we have defended litigation matters about PCI compliance and violations of other consumer laws.
Our experienced team views data breach response as a joint effort with the client where the client's philosophy, brand recognition and customer base must be considered while reconciling compliance with the numerous, and often competing, laws and regulations. We confront the challenges faced by companies in this area daily, and our approach is one that fits the response to the facts rather than a one-size-fits-all approach to formulating a response. Because Marshall Dennehey has substantial litigation expertise, we consider each step of the response process, counseling our clients with a focus on how decisions may impact a future defense to litigation or regulatory action. We do not dictate the response but, rather, work with our clients, who know their own businesses best, to consider issues such as credit monitoring, call centers, forensics, notification vendors and crisis management consultants. Due to our experience in litigation matters, our attorneys are able to utilize document management software and teams of paralegals to aid clients to efficiently and timely respond to breaches involving voluminous documents.
Our involvement does not necessarily begin after the data breach occurs because risk management counseling is a key part of our practice. We have experience preparing our clients by writing and amending privacy and security policies and procedures to provide risk management advice and training-all in preparation for the day everyone hopes never arrives-the call about a customer's or employee's data being lost or stolen. This is no longer an IT issue. These issues present challenges to far more departments, including risk management, legal, compliance, IT, IS and customer relations. Organizations are struggling to manage compliance with state, federal and international privacy and data security laws, and we have the experience to counsel clients through these crisis events. When the response phase to the data breach concludes, we have experience defending our clients in lawsuits, class actions and regulatory investigations.
*Ted is a shareholder in our Philadelphia, Pennsylvania, office and can be reached at 215.575.2713 or tjkobus@mdwcg.com
Defense Digest, Vol. 17, No. 3, September 2011