Privacy Service Areas
- CAN-SPAM Act compliance
- Children's privacy / COPPA Compliance
- Consumer credit issues (FCRA)
- Corporate investigations conduct
- Credit card compliance (PCI and DSS)
- Data breach investigation and remediation
- Data privacy class-action defense
- Data security encryption requirements
- Disposal of personal information
- Document retention and security
- Employee privacy
- EU Data privacy and data transfers to and from the EU
- FACTA "red flag" and identity theft policies
- Gramm-Leach-Bliley and financial institution data issues
- HIPAA and health privacy
- Identity theft prevention and assistance
- Internet privacy policies
- Invasion of privacy litigation and avoidance training
- IP rights and patents for privacy technologies
- IT and Outsourcing contract review
- Privacy Act and government use of social security numbers
- Privacy audits
- Retail and consumer data privacy
- Stored Communications Act
- Telemarketing and Do Not Call lists
- Telephone record protections
- Video Privacy Protection Act
- Wire-tapping liability
Domestic and international companies face complex challenges involving privacy and data security law at virtually every level of operations, from human resources and competitive intelligence to marketing and customer service. With industry-specific command of a full spectrum of privacy and data-flow concerns, Morgan Lewis lawyers customize privacy solutions and policies to meet each client's business needs.
A practical approach with the big picture in mind allows our clients to minimize risk while pursuing the collection, storage, and security of data for a wide variety of legitimate purposes—among them, customer service and product improvements or compliance with HR policies and financial reporting requirements. When disputes or litigation are under way or unavoidable, trial-ready attorneys versed in privacy matters focus on efficient resolutions to the client's best advantage.
Privacy and Data Security Audits and Counseling
We believe the most important step a company can take to both advance its business objectives and minimize risk involving the handling of private data is to fully assess its strategic needs—and its current methods—for collecting, using, storing, and securing information about customers, employees, and other individuals.
Morgan Lewis conducts such privacy audits with a threefold goal of ensuring that clients:
- Meet their data needs ethically, legally, and as cost-effectively as possible
- Have a contingency plan in place for prompt, effective management of any possible data-breach emergency
At least 44 states and several foreign countries have data-breach notification laws requiring businesses to communicate suspected unauthorized disclosure of personally identifiable information in the event of such a breach.
Morgan Lewis has performed countless audits and policy reviews, some involving global assessments of data-protection compliance procedures and reviews of international transfer mechanisms.
The firm's Privacy services include keeping clients as up to date as possible on the constantly evolving legal landscape of data privacy and security. Morgan Lewis routinely issues eNews Alerts and LawFlashes detailing the latest legal, regulatory, and enforcement developments and their implications.
Industry- and Region-Specific Matters
Morgan Lewis attorneys handle a comprehensive array of privacy matters—from the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley compliance to Federal Trade Commission and Office of Civil Rights investigations and eCommerce issues—for clients operating in the United States, Europe, South America, and Asia, across a range of industries, including:
- Healthcare and insurance
- Life sciences
- Food and flavoring
- Financial services and broker-dealer
- Real estate
- Technology and the Internet
- Energy and environmental
- Government agencies
With increasing public focus on privacy issues and corporate responsibility, Morgan Lewis is particularly focused on taking all possible measures to steer clients clear of, or efficiently and effectively resolve, privacy-related litigation.
Among other matters, the firm has represented clients in litigation involving:
- Corporate investigations conduct
- Data breaches
- Data privacy class action defense
- Disposal of personal information
- Employer group health privacy
- Violations of FACTA
Data Breach Incidents
More than 251 million records containing sensitive personal information have been involved in security breaches in the United States since January 2005, according to the Privacy Rights Clearinghouse, and 44 states and several foreign countries now have data-breach notification requirements.
Morgan Lewis has guided clients through the complex process of compliance and damage control in more than 100 data-breach incidents, determining whether notification is required, conducting the notification, containing exposure, and implementing remedial measures.
We have advised retail, healthcare, technology, and eCommerce clients regarding data breaches involving notification laws as well as FACTA violations, licensing, regulatory and code-of-conduct issues, and acquisition agreements.
In addition to existing state and international privacy laws, the recently enacted federal stimulus plan (the American Recovery and Reinvestment Act of 2009, or ARRA) includes wide-reaching data-breach notification provisions affecting entities whose data activities are subject to HIPAA.
Morgan Lewis is particularly focused on providing clients the strategic insight and agency relationships they need to prepare for or respond efficiently to regulatory scrutiny in this area. The firm's stable of government alumni includes attorneys formerly with the Federal Trade Commission, the U.S. Department of Justice, many state enforcement agencies, and a number of district attorney offices across the country.
Since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, Morgan Lewis has represented some of the nation's largest insurers, employers, health plans, healthcare providers, clearinghouses, and associates of such entities in related compliance matters.
We provide guidance on the intricacies of HIPAA's privacy and security provisions and can customize form or model documents to meet each client's particular needs. We also review and revise clients' HIPAA compliance plans, the goal being to ensure adequacy of standards on security, administrative, and technical requirements; and on business associate agreements, authorization forms, notice of privacy policies, and related documents.
In addition, Morgan Lewis:
- Offers HIPAA training and performs routine audits to ensure compliance
- Counsels on everyday issues regarding the use and disclosure of information
- Assists with other healthcare information privacy issues under state and international laws
Morgan Lewis lawyers have worked on HIPAA matters for clients across many industries, including pharmaceutical, medical device and healthcare industries, financial services, technology, and transportation.
Because outsourcing a particular business process does not absolve a company of its related privacy obligations—and because outsourced services often are performed in other countries or by multiple sources—a company may be subject to numerous, varying, and conflicting privacy laws, or perhaps no privacy requirements at all.
Morgan Lewis regularly advises clients across numerous industries—food and beverage, energy, entertainment, financial, pharmaceutical, biotech, medical device, insurance, and manufacturing—about the various privacy issues involved with industry-specific processes and industry-specific matters, one example being the impact of the Gramm-Leach-Bliley Act of 1999 and Regulation S-P on the firm's financial industry clients.
Morgan Lewis's Global Outsourcing group includes lawyers in eight offices spanning the North American, European, and Asia-Pacific markets. The firm's privacy-related representations in this area have involved such matters as:
- Finance and accounting agreements
- Anti-corruption and anti-money laundering policies
- Back-office outsourcing transactions
- Voice and data services contracts
- Telecom and network services transactions
- Development and maintenance agreements
- Outsourcing of certain clinical and regulatory functions
Employee Privacy/Employer Compliance
Morgan Lewis's Labor and Employment attorneys advise clients on a variety of privacy and security issues relating to employee and employer privacy, including the preparation of privacy and security policies; regulatory compliance; enforcement of privacy- and security-related statutes and regulations, data protection, and security; cross-border transfers and compliance with EU privacy legislation applicable to employee information; website protection; HIPAA privacy; security breach incidents and mitigation strategies; and the available options for maintaining the free flow of personal information while minimizing risk.
For companies that conduct business internationally, Morgan Lewis prepares business-friendly guidelines and checklists regarding consent, notice, registration, privacy policies, and data transfers—all with the goal of harmonizing multinational activities and complying with global requirements in connection with the implementation of equity programs.
The firm regularly advises clients on a variety of privacy and security issues relating to cross-border transfers and is well practiced in project managing on a multijurisdictional basis. A number of Morgan Lewis's privacy-related engagements have focused on particular geographic regions, such as Canada, Latin America, and Asia-Pacific in the context of a particular subject, such as compliance with the Canadian Personal Information Protection and Electronic Documents Act.
Online Privacy and eCommerce
We help a wide range of businesses—from Fortune 10 companies to small startups—with their online privacy policies and use of data collected on websites.
From cookies and Web beacons to behavioral advertising, our command of the technical and marketing language and issues in this area enables us to analyze our clients' matters with precision, apply evolving standards and laws, and develop appropriate business strategies.