Data Privacy and Security

Members of our data privacy and security team include more than 30 interdisciplinary lawyers on the front lines of this rapidly evolving area of the law. We provide proactive counseling designed to protect the integrity of our clients’ systems, investigative and remediation services that may be required after a breach, and guidance to assist our clients as they develop new relationships and sources of revenue. Whatever the context, the team possesses the experience and professional networks necessary to address all our clients’ global needs in the area of data privacy and security.

Our team includes experienced IP litigation counsel, class-action litigators and technology industry and defense professionals to assist clients with transactional matters as well as instances where an alleged breach has led to litigation. Through McGuireWoods Consulting, we also offer lobbying services to ensure that our clients have a voice in shaping precedent-setting and far-reaching legislation. Our goal is to provide a comprehensive solution for our clients by working not only with their lawyers, but also with IT staff, human resources professionals and product specialists. This approach permits us to deliver integrated services that promote information-sharing within the organization and account for the interests of all stakeholders.

Team members regularly advise clients dealing with cybercrime and inadvertent breaches. Further, as new and multiple uses for technology emerge, we help clients respond to unforeseen consequences that require immediate action. As such, team members have become globally recognized legal resources in this practice area, with many clients hailing from diverse industries, including:

• Defense Contractors: Advising contractors on incident response; DOD and SEC security standards; general security regulatory requirements and liability exposures; industrial espionage and trade-secret theft representation; counseling with respect to DOD NISPOM 1-301 breach notification obligations
• Healthcare: Assisting clients with HIPAA and HITECH security requirements and policies; security assessments; OCR audit preparation; breach-notification requirements
• Finance: Counseling on GLB and SO security requirements; data-breach exposures and response
• Telecommunications: Preparing cloud computing contracts and security requirements for a Fortune 500 telecommunications provider; advising clients on new initiatives in the healthcare arena and HIPAA/HITECH implications; counseling regarding Commerce Department export control and deemed-export issues such as development of technologies and encryption systems
• Retail: Counseling regarding computer intrusions and stolen credit-card information; PCI DSS standards counseling and response to card brand investigations; representation before the FTC regarding security policies and practices; litigate vendor contract breaches and negligence that led to computer intrusion
• Utilities and Power: Advising clients on generally applicable security requirements relating to the protection of PII and retail transactions, as well as on NERC security standards
• Supply Chain: Assisting clients with protecting the integrity of their supply chains, including examining the security of supply sources and delivery mechanisms, in order to ensure that component parts and services are free from malicious threats and final products and services can be certified and trusted
• Construction: Conducting privacy and data security liability audits of company intranet and extranet, including evaluation of ramifications of new state employee privacy-protection requirements, as well as an evaluation of Commerce Department export control issues related to international intranet and extranet exchange of technical information; advising clients on data security policies to protect PII and protection of company trade secrets and proprietary information
• Domestic and International Transportation and Distribution: Assisting clients with export control and deemed-export control requirements enforced by U.S. Commerce Department; developing international cloud computing contracts that meet U.S. and EU Data Security requirements
• Nonprofit Organizations: Advising international nonprofit organizations of security standards required to protect organization donor lists and other PII, as well as of applicable international European and state laws regarding breach notification

International Practice

Because global commerce recognizes no boundaries, the team’s Data Privacy and Security clients rely heavily on our deep international experience. Our team’s international practice helps clients secure their data globally, and navigate through U.S. (federal and state), Canadian, European, Middle Eastern and Asian data security and privacy laws. Team attorneys collectively speak 13 languages and respond to matters relating to international cloud computing, data transfer and international e-discovery matters.

Incident Response

In the event of a breach or other security matter, it is essential to be able to mobilize a broad-based response that includes resources outside of the client and our firm. Our data privacy and security team, which includes several former federal prosecutors, draws upon the resources of a large, external support network composed of qualified computer forensic examiners and law enforcement agents around the world. Among these resources are high-level technical subject matter experts and liaisons with the FBI, U.S. Secret Service, Postal Inspectors, New Scotland Yard and the big four international accounting firms. This network is further expanded through active memberships in InfraGard (FBI) and the Federal Electronic Crimes Task Force (U.S. Secret Service).

Director and Officer Protection

Our team is keenly aware of the dangers that security breaches pose to an organization as a whole, as well as the exposure of directors and officers in the event of such breaches. Therefore, a fundamental part of our practice is regularly counseling directors and executive officers on what they do and don't need to know, what the risks are of not knowing, and procedures and tips for how to stay educated and abreast of regulatory and hostile technology developments within and outside of their organizations. Whatever the risk profile of the company, we help ensure that the individual directors and officers are taking appropriate measures to faithfully fulfill their fiduciary duties, thereby protecting themselves as well as the companies they represent.

Keeping Pace

Given the ever-changing technology landscape, McGuireWoods’ data privacy and security team members ensure that they are up-to-date on the latest legal trends, court decisions and regulations, one such example being the “bring your own device” (BYOD) issue. We are involved in forums and think tanks, such as the NTIA call for commentary on issues relating to how companies will manage data privacy in an age in which employees have multiple online lives through a single mobile device.

Areas of our experience include:

• Breach notification and representation before regulators
• Data transfer and representation before regulators
• e-discovery issues relating to U.S. and European litigation
• EU data privacy and regulator representation
• PIPEDA data privacy compliance
• Industrial espionage investigations and litigation
• Intellectual property litigation
• Trade-secret protection and litigation
• Bring your own device (BYOD)
• Cloud computing, contracts and security
• Computer intrusion
• Crisis communications
• Defense contracting and security
• Employee data management
• Employer and employee relations and privacy
• Encryption policy deployment and export controls
• Global data transfer
• Government and criminal investigations
• HIPAA and HITECH security assessments and audits
• Identity theft
• Incident Response
• Mobile data privacy
• Payment credit-card industry data security standards (PCI DSS)
• Privacy consulting
• Regulatory consulting on security standards
• Safe-harbor provisions
• Technology export and import controls

Included in team member credentials are:

• The team leader is a former assistant U.S. attorney responsible for leading the Justice Department’s Computer Crimes Task Force with over 80 trials. His testimony before Congress, the National Science Foundation and the FCC helped shape the direction of data security liability law. He is also the recipient of an FBI commendation for Computer Fraud Prosecutions, a U.S. Secret Service award for Law Enforcement Assistance, U.S. Justice Department Special Commendation and Special Achievement awards, a U.S. Customs Commissioner’s award for Export Prosecutions, and a U.S. Commerce Department award for Commerce Commodity Control Litigation. Since 2008, he has been recognized as a “Leader in the Field” by Chambers USA and Chambers Global for his security and privacy practice.
• The U.S. Army CIO for a joint special operations task force in which he was responsible for all IT personnel and systems used to conduct hundreds of successful raids against high-value targets. During recall to active duty, he created a new capability being used by senior military and intelligence leaders in the global war on terror. He has a Top-Secret/Sensitive Compartmental Information (TS/SCI) security clearance.
• A former chief of staff for the U.S. House of Representatives Committee on Science and Technology.
• Chair of the firm’s transactional Intellectual Property practice. Her experience includes auditing and evaluating client data security policies, drafting website privacy policies, negotiating cloud computing agreements from both the vendor and customer perspectives, and providing support in the aftermath of a data breach, including compliance with breach-notification laws.
• Two Brussels-based partners are members of the European Privacy Association (EPA), a pan-European network of privacy, data protection and security experts, which works closely with the EU institutions. These partners both have experience in all privacy-related issues involving national data protection authorities and EU institutions, as well as broad experience in regulatory issues such as cloud computing, data transfers, coordination with foreign discovery or antibribery teams, interactions with intellectual property rights, re-use of public sector information, employee monitoring, and privacy audits.
• A London-based partner with extensive experience in European regulatory issues, including data protection and security; cross-border data transfer; privacy; encryption; export controls; technology and EU public procurement regulations. One recent focus has been on technology transfer and regulation in the banking and financial markets sectors.
• Chair of the firm’s Supply Chain practice, an experienced data privacy and security lawyer, who routinely counsels clients on protective measures to employ in the construction of policies and critical contracts in order to prevent security breaches, investigations, lawsuits and similar harmful events. He focuses on a variety of matters, including data storage, cloud computing and social-media risks and has particular knowledge of the Payment Card Industry Data Security Standards.

Conclusion

Increasing sophistication of technology and a borderless marketplace have given rise to new sources, types and levels of risk. Hostile and criminal abuses of private data are escalating. National and global political environments are shifting faster and more radically, and regulatory scrutiny and pressure to protect our privacy and security are expanding. Boardroom liability and ever-evolving intellectual property and privacy laws complete the perfect storm for heightening business and personal risk. McGuireWoods’ data privacy and security team is highly qualified and brings a unique depth of experience to tackling the challenges of protecting our clients’ data, and equally important, their reputations.