The need for privacy and cybersecurity compliance measures has become a paramount consideration as businesses become more digitally driven, data breaches become more publicized, and regulation continues to increase. Company executives, boards of directors, employees, customers, and third-party providers all have data security obligations. Leveraging our industry-specific command of privacy and cybersecurity issues and our experience navigating complex regulatory environments, we customize solutions and policies to meet each client’s business demands and ever-changing technology footprint.
We recognize that companies have a legitimate need to collect, process, and disseminate information—and the resultant data is a valuable asset that companies need to leverage and protect. Our team helps clients achieve their business goals while addressing privacy and cybersecurity concerns in a manner that protects the clients’ brands and reputations and complies with applicable regulations. This arena consists of three main components: compliance management, transactional issues, and data breach response and litigation.
Our compliance management team helps clients proactively develop and implement privacy and cybersecurity processes and policies for their workforces and third parties. The group also conducts compliance reviews and audits, and addresses online and website privacy requirements. The transactional team assists clients with third-party vendor and customer transactions, due diligence, and data collection, acquisition, and use. When breaches, disputes, or litigation is underway or unavoidable, our crisis-tested and trial-ready data breach response and litigation lawyers focus on efficient and practical responses and resolutions. We work to protect our clients before, during, and after a data breach incident.
Morgan Lewis privacy and cybersecurity lawyers advise clients operating in the United States, Europe, South America, and Asia on compliance with privacy and cybersecurity regulations. Regulations in the United States include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Electronic Communications Privacy Act (ECPA), the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, the Children’s Online Privacy Protection Act (COPPA), and the Fair Credit Reporting Act (FCRA). European regulations include the European Commission’s ePrivacy Directive, European Critical Infrastructure Directive, and Data Protection Directive. We also counsel clients on investigations by the Federal Trade Commission (FTC), by the US Department of Health and Human Services’ Office of Civil Rights (OCR), and under the Sarbanes-Oxley Act, as well as e-commerce issues across industries such as retail, financial services, healthcare, pharmaceutical and life sciences, and manufacturing.
A company that wants to both advance its business objectives and minimize risk when handling private data must fully assess its strategic needs and current methods for collecting, using, storing, and securing information about customers, employees, and other individuals. Morgan Lewis conducts privacy audits with a threefold goal of ensuring that clients:
Within the United States, at least 47 states have enacted data breach notification laws that require businesses to communicate suspected unauthorized disclosures of personally identifiable information in the event of a breach. Outside the United States, countries in Europe, Asia, and Latin America have enacted myriad laws, with localities in Africa also imposing many restrictions.
Our lawyers have performed countless audits and policy reviews, including global assessments of data protection compliance procedures and reviews of international transfer mechanisms. Since HIPAA was enacted in 1996, Morgan Lewis has represented US-based clients such as large insurers, employers, health plans, healthcare providers, clearinghouses, and business associates of such entities in related compliance matters.
We provide guidance on the intricacies of HIPAA’s privacy and security standards, and we can customize form or model documents to meet a client’s particular needs. We also review and revise clients’ HIPAA privacy and security compliance plans, business associate agreements, authorization forms, notices of privacy practices, and related documents.
Our labor and employment lawyers advise clients on privacy and security issues relating to employee and employer privacy, including the following:
We help businesses such as Fortune 10 companies and small start-ups, among others, with their online privacy policies and use of data collected on websites.
From cookies and web beacons to behavioral advertising, our command of the technical and marketing language and issues in this area enables us to analyze our clients’ matters with precision, apply evolving standards and laws, and develop appropriate business strategies.
Our clients engage in many types of transactions that involve the disclosure, processing, collection, and use of critical business and sensitive personal data. At Morgan Lewis, we understand the regulatory and industry environments that impact these transactions, and we provide practical, business-oriented advice in connection with third-party vendor and customer transactions, due diligence, and data collection, acquisition and use, and commercialization.
Morgan Lewis lawyers manage and perform diligence reviews and exercises to help clients understand the types and categories of data being stored or processed, how the data is protected, whether the appropriate security protocols have been or will be in place, whether there are any weaknesses or issues, whether the appropriate response and remediation procedures are in place, and whether specific disclosures are necessary. We participate in such diligence exercises for transactions that include mergers, acquisitions, strategic alliances, joint ventures, outsourcing, hosting and cloud services, and data analytics.
The use and leveraging of data is big business, and it is becoming a critical part of how companies understand their operations and customers. We help clients navigate the legal issues relating to data collection, acquisition, use, and commercialization, and we work with them to implement solutions that comply with legal and contractual requirements.
Our privacy and cybersecurity team has guided clients through compliance and damage control in more than 800 data breach incidents. In that role, we:
We advise retail, healthcare, technology, and e-commerce clients regarding data breaches involving notification laws as well as Fair and Accurate Credit Transactions Act (FACT Act or FACTA) violations; licensing, regulatory, and code-of-conduct issues; and acquisition agreements. We also counsel clients on the HIPAA Breach Notification Rule.
Our team provides clients with the strategic insight and agency relationships they need to prepare for, or respond efficiently to, regulatory scrutiny in this area. Our government alumni include lawyers who formerly held positions with the FTC, the US Department of Justice (DOJ), many state enforcement agencies, and a number of district attorney offices across the United States.
With increasing public focus on privacy issues and corporate responsibility, Morgan Lewis takes all possible measures to steer clients clear of, or efficiently and effectively resolve, privacy-related litigation.
Among other matters, we have represented clients in litigation involving:
Energy companies turn to Morgan Lewis for help complying with Critical Infrastructure Protection (CIP) Reliability Standards, which have been difficult and expensive for electric utilities to implement. The standards require a melding of security concerns, energy company information technology (IT) infrastructure and operations, and legal advice.
Our lawyers advise clients on the implications of the National Institute of Standards and Technology (NIST) Cybersecurity Framework for owners of critical infrastructure. We counsel clients on how to incorporate that framework into existing cybersecurity practices and how to leverage the framework to improve the cybersecurity of critical power systems infrastructure.
Because we’ve worked with utilities since the beginning of CIP compliance, we have familiarity with the unique compliance risks stemming from the CIP Reliability Standards. We help electric utilities understand the application of CIP Reliability Standards to the utilities’ unique IT environments, analyze the compliance issues arising in the CIP context, and defend compliance monitoring and enforcement actions, including CIP audits and spot checks.
Working alongside both business and technical leaders within companies as well as the companies’ outside IT consultants, our lawyers help electric utilities design their CIP compliance programs and defend those CIP efforts when necessary. We bridge the divide between a utility’s complex IT environment and the cybersecurity framework that the CIP Reliability Standards impose. Each utility is unique, with varying numbers of Critical Assets and Critical Cyber Assets and a variety of approaches to designing and implementing Electronic Security Perimeter and Physical Security Perimeter protections.
Our cybersecurity efforts extend to developments on Capitol Hill, as cybersecurity enforcement remains a likely subject of additional federal legislation and agency regulation. We advised clients on the Cyber Intelligence Sharing and Protection Act and the Cybersecurity Act of 2012 in their various forms, as well as Executive Order 13636 and the resulting development of the NIST Cybersecurity Framework.
When a business is the victim of a cyberattack, the company must decide when and how to best cooperate with the government agencies investigating the attack. Nowhere is this more important than in the financial services industry, where the protection and security of customer assets and information is under constant scrutiny, particularly as hackers become more sophisticated and cyberattacks become more widespread.
Because an attack could have an expansive impact on the capital markets, the US Securities and Exchange Commission (SEC) has said it intends to focus on companies’ and firms’ risks and weaknesses in their cybersecurity preparedness. This includes conducting mandatory cybersecurity-focused compliance examinations of brokerage firms, investment advisors, and hedge funds. Additionally, the SEC has called on boards of directors to become more proactive in identifying and mitigating cybersecurity threats.
Our former SEC and DOJ lawyers use their government experience to help companies identify unique cyberthreats. We also counsel companies on methods to protect clients, data, networks, and operations from theft, disruption, and destruction. Our team evaluates and strengthens the adequacy of our clients’ internal controls systems, including safeguarding customer identity and other data. The group also helps clients work through response plans and handles issues such as breaches in third-party service providers or attacks involving corporate espionage aimed at the disruption of financial markets.
We help clients manage their privacy obligations under the Gramm-Leach-Bliley Act, the FCRA, the SEC’s Regulation S-P, the Bank Secrecy Act, and other US federal and state privacy regulations. Additionally, we counsel clients on regulations outside the United States, such as those pertaining to the UK Financial Services Authority’s Codes of Business. Specifically, Morgan Lewis advises on issues critical to financial services firms, including the following:
Because medical information is especially sensitive, privacy and security compliance is a central concern for healthcare companies. Since HIPAA was enacted in 1996, Morgan Lewis has represented large US-based healthcare organizations in HIPAA compliance matters. We counsel clients regarding HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act, state medical privacy laws, FTC standards, electronic health record meaningful use regulations, and actions of the OCR.
Our healthcare privacy and security counseling services include the following:
Morgan Lewis advises on healthcare industry HIPAA compliance matters in the following sectors: hospitals, health plans and insurers, pharmaceutical companies, pharmacies, healthcare clearinghouses, healthcare IT companies, laboratories, academic medical centers, medical device manufacturers, health information exchanges, physician groups, third-party administrators, universities, and vision centers.
With our understanding of best practices and guidance (both formal and informal) from state and federal regulators, we develop corporate privacy compliance programs that comprehensively address privacy and security laws. We advise both HIPAA-covered entities and service providers to the healthcare industry that are seeking to demonstrate compliance with HIPAA business associate obligations. Our lawyers also advise institutions on the impact of the HIPAA Privacy Rule on research operations.
We have also represented hundreds of healthcare organizations in responding to security breaches involving medical information, and we offer knowledgeable, practical advice in these critical situations. OCR is ramping up HIPAA enforcement and audits in the wake of the HITECH Act, and the FTC and state attorneys general are increasingly concerned with privacy and security matters. In this heightened enforcement environment, our lawyers defend healthcare organizations in connection with administrative, civil, and criminal audits, investigations, and litigation relating to privacy matters.
Our lawyers handle healthcare IT–related deals, including the formation of health information exchanges, spin-offs, sales of companies, acquisitions, financings, and ventures in transaction processing.
Privacy and security compliance have become increasingly critical due diligence issues in healthcare acquisitions and joint ventures. Morgan Lewis counsels healthcare IT companies, as well as traditional healthcare providers, on privacy and security issues arising from strategic alliances and joint ventures with third-party technology companies. We advise on the outsourcing of business functions such as website maintenance and application development, as well as teaming agreements to jointly market and sell existing healthcare IT products and services.
The Morgan Lewis employee benefits team has developed risk-management tools targeted to employers across all industries that sponsor group health plans for their employees, as well as the business associates of those plans. The firm’s HIPAA Privacy Compliance Initiative arms plan sponsors with the tools they need to navigate HIPAA in the new era of increased enforcement activity in addition to the heightened civil and criminal penalties that the HITECH Act ushered in. We offer these services—which include self-audit assistance, workforce training, and privacy officer assistance—based on a fixed-fee pricing model designed to meet each client’s needs.
The hospitality and travel industry is a primary target for cyberattacks. As the industry and its increasingly sophisticated loyalty programs continue to go digital—with heavy reliance on mobile devices—the risk of attacks remains high.
Technology is revolutionizing how the industry operates, collects, uses, and transmits huge amounts of sensitive data. Consequently, hospitality and travel organizations need to understand how to assess and manage these risks to meet state, federal, and global privacy and security law requirements. They also need to know where vulnerabilities exist—from reservation systems and loyalty databases to point-of-sale software used at restaurants, bars, and gift shops.
Morgan Lewis lawyers identify possible data security threat vulnerabilities, while also reviewing privacy and cybersecurity insurance options. Many hospitality and travel companies turn to Morgan Lewis to review customer notification procedures and costs, credit card company procedures, fines and penalties, and technologies used as part of day-to-day operational procedures.
Retailers have a legitimate need to amass large amounts of information about customers, business partners, competitors, and employees. But headlines confirm what we have known for years: Privacy and cybersecurity are massive challenges for retail companies—with threats emanating from hackers, data thieves, regulators, plaintiffs’ lawyers, insurers, and credit card companies. Drawing on our experience working with hundreds of retail companies, Morgan Lewis helps these clients address how they collect, transmit, store, use, and manage sensitive information.
For years, retail companies have experienced data breaches at a greater rate than those in any other industry. We’ve helped our clients manage more than 300 data breaches—from the smallest inadvertent disclosure of a single person’s information to epic hacking events, with hundreds of millions of credit card numbers at risk. When it’s time to respond to a data breach, our lawyers handle the initial investigation, government and individual notifications, and litigation from customers or others allegedly affected by the breach, among other responsibilities. We also help clients with cost recoveries against vendors, others potentially responsible for the breach, or insurers.
Our experience includes helping retailers with challenges in:
Retirement plans are a rich source of valuable personal data about participants and beneficiaries, including Social Security numbers, addresses, dates of birth, bank account records, and pension benefit information. This collection of information presents an attractive and potentially exploitable opportunity for hackers and cybercriminals. Breach of personal information from a retirement plan could harm participants and beneficiaries through identity theft, theft of pension benefits, or access to other financial accounts and information. For the employer, plan sponsor, or plan administrator, a security incident can be expensive, harmful to its business and reputation, and damaging to its relations with employees and retirees.
While there is no comprehensive data privacy or cybersecurity law or regulation that expressly covers retirement plans, the Employee Retirement Income Security Act’s (ERISA) fiduciary duties of loyalty and prudence impose broad duties and obligations on plan fiduciaries to act in participants’ best interests and to undertake diligent efforts to protect these interests. Any fiduciary that breaches these duties and responsibilities may be responsible for making affected participants whole for any losses or damages. Specifically under ERISA, a fiduciary’s liability for a breach of its duties can include:
We help retirement plan fiduciaries, sponsors, and administrators address and manage these risks. We assist with identifying sources of data privacy risk; preparing and implementing protective administration policies and procedures; evaluating service provider relationships and negotiating contractual provisions and protections to address data privacy issues; addressing the monitoring of service providers on an ongoing basis; and creating, implementing, and maintaining comprehensive information and data security breach response plans. Our risk management strategies account for requirements under ERISA and, in collaboration with our colleagues in other practices, other applicable federal, state, and local laws and regulations. In addition, we continue to monitor new requirements and developments from the US Department of Labor, the US Department of Homeland Security, Congress, state legislatures, state and local regulators, and industry and trade associations.