Navigating a Rapidly Changing
Privacy & Data Security Landscape
ROPES & GRAY PRIVACY & DATA SECURITY
ADVANCES IN TECHNOLOGY have changed today’s global business environment. Privacy and data security issues are everywhere, affecting individuals, businesses and governments worldwide. Understanding increasingly complex privacy and data security laws and meeting those legal requirements must be top priorities. And should an organization be accused of violating those laws, expert legal advice is a must, especially when the accusation arises out of a data security breach.
MARKET PERCEPTION
- Law 360: Named Privacy Group of the Year (2011, 2012, 2015 and 2016). Doug Meal named a Privacy MVP, 2012–2016. Michelle Visser recognized as a Rising Star, 2015.
- Chambers: Ranked as leading privacy & data security practice in 2016 in Chambers Global and Chambers USA. Heather Sussman ranked individually in Chambers USA 2015. Doug Meal ranked individually in Chambers USA 2016.
- The Legal 500: Ranked in the top tier in the U.S. for “Media, technology and telecoms: Cybercrime,” with Doug Meal listed as a leading lawyer; also ranked for “Technology: data protection and privacy,” with Heather Sussman ranked as a leading lawyer. Rohan Massey recommended for data protection in The Legal 500 UK. Jim DeGraw and Seth Harrington are also recommended.
- Financial Times: Doug Meal named a top 10 innovative lawyer, 2013. Mark Szpak named a U.S. Innovative Lawyer, 2012.
HOW WE CAN HELP
The use of data has changed the way businesses in virtually every industry work. The collection, storage, use and sharing of data creates competitive, reputational and financial risks. With the world’s most experienced privacy and data security lawyers, our team can counsel clients with compliance and risk management issues and, if necessary, advise on disputes related to security breaches.
A. COUNSELING: Privacy and data security compliance, counseling, response and incident prevention
B. ENFORCEMENT: Issues arising from alleged violations of applicable privacy and data security requirements
C. INCIDENT RESPONSE AND CYBERSECURITY: Issues arising from privacy or data security breaches and any resulting theft, loss or unauthorized use of confidential or personal information
A. PRIVACY AND DATA SECURITY COMPLIANCE COUNSELING
OUR TEAM REGULARLY HELPS CLIENTS manage information and leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, and solidify brand and consumer trust.
OUR TRACK RECORD
- PERFORMED privacy, security and digital risk assessment for consumer products company with operations in more than 100 countries around the globe.
- ROLLED OUT global privacy policy, terms of use and corresponding user dashboard for popular suite of fitness apps using teams of local counsel spanning five continents.
- MANAGED a global team of privacy and security experts providing advice to a U.S.-based tech company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.
- DEVELOPED global privacy program for food products company in more than 40 countries around the globe.
- DEVELOP privacy and security strategy for integration of three separate mobile app platforms, including addressing global issues of user consent, control and transparency.
- ADDRESSED privacy and security aspects for a U.S. and E.U. rollout of a popular mobile application and provide continuing support through the rollout of additional versions, features and technologies, particularly as the company contemplates new data uses.
- DRAFTED AND REVISED a website privacy statement of an intelligent media company to address data collection, use and disclosure through multiple platforms, including website, mobile, and social as well as integrating client’s existing safe harbor policy.
- REGULARLY CONDUCT privileged, confidential investigations into cyber incidents, data misuse and trade secret misappropriation concerns for clients across the technology sector.
- ADVISED on privacy and cybersecurity aspects of home automation systems, wearable devices, and geolocation tracking components, including privileged security assessments (testing of both hardware and software), security vulnerability remediation, implications of E.U.’s GDPR and more.
- DEVELOPED and successfully negotiated Binding Corporate Rules application for multinational health IT company.
MASTERS OF THE DATA LIFE CYCLE

1 COLLECTION
- Worldwide risk assessments
- Data rights and use case analysis
- Mapping data flows
- Online privacy policies and terms
- Internet of Things, wearables and connected devices

2 USE
- Big Data
- Privacy impact assessments
- Regulatory gap assessments
- Digital engagement and strategy
- Advertising, marketing and social networking

3 STORAGE
- Cybersecurity strategy and defense
- Written information security programs
- Worldwide records retention programs
- E-discovery readiness and planning

4 DISCLOSURE
- Incident response planning
- Worldwide data breach response
- Best-in-class vendor management clauses
- Cloud service solutions, contract development and outsourcing agreements

5 TRANSFER
- Standard Contractual Clauses
- Intracompany agreements
- Privacy Shield
- APEC CBPRs
- Binding Corporate Rules

6 DISPOSAL
- Data disposal requirements
- Data destruction risk assessments
- Disposal and destruction policies
- Worldwide records retention programs
B. PRIVACY AND DATA SECURITY ENFORCEMENT
When an organization is accused of having violated applicable privacy and/or data security requirements, we have the knowledge and experience to quickly master the relevant facts.
CLASS-ACTION LITIGATION
When a major breach or alleged privacy violation is announced, litigation is a near certainty. We leverage our experience to develop a global defense strategy.
OUR TRACK RECORD
Our experience includes handling class actions alleging that our client failed to employ legally required measures to protect the data in question after theft, and that our client unlawfully collected or used consumer information.
We have unparalleled experience defending clients against class actions, from motions to dismiss through class certification. Our clients include some of the largest data breaches of personal information, facing claims by individual consumers, financial institutions and shareholders, as well as privacy violations, such as alleged unlawful workarounds for third-party cookies and alleged non-compliance with regulations on facsimile transmissions.
REGULATORY ENFORCEMENT
The regulatory environment for privacy and data security is a complicated web of federal, state and foreign regimes. Following the discovery of a major breach or alleged privacy violation, regulatory investigations are becoming increasingly common. Our attorneys have extensive experience defending against investigations regarding the collection, use and protection of consumer information.
OUR TRACK RECORD
We have served as global coordinating counsel in worldwide investigations for some of the world’s most recognized brands. We have also defended clients by challenging the FTC’s theory that a section of the FTC Act imposes a duty on companies to have reasonable security in place to prevent data breaches, including representing a client in an appeal of the first ever decision by the FTC finding that a company’s data security practices violated the FTCA.
INNOVATIVE STRATEGY AND THOUGHT LEADERSHIP
Our attorneys are deeply engaged in anticipating developments in the law, creatively advancing a client’s interests.
ARTICLE III STANDING: When the U.S. Supreme Court ruled in Clapper that Article III requires a plaintiff to show that threatened injury is “certainly impending,” we recognized the implications for data security breach litigation, where consumers often cannot plead that exposure of data has or will imminently cause financial injury. Numerous courts have dismissed claims based on this extension.
PROTECTING PRIVILEGE: Our attorneys know how to lead investigations into a data security breach to maximize the likelihood that privilege will apply. In the only published decisions on this issue, we have successfully defended against efforts to defeat the application of privilege to such investigations.
FIRST-OF-A-KIND LITIGATION: Ropes & Gray is the only firm to litigate against Visa and MasterCard, challenging the lawfulness of fines, fees and assessments they imposed following a data breach. Additionally, we represented Wyndham and LabMD in the only litigated cases to challenge the FTC’s authority to bring enforcement actions over data security issues.
“Their record is unmatched. Many law firms claim to have a major data security practice, but Ropes invented it, litigated, and won all of the important early cases in this field.”
—U.S. News & World Report
C. INCIDENT RESPONSE AND CYBERSECURITY
THE RISK OF A CYBERATTACK is a real threat to any organization that maintains electronic records containing personal information of individuals or confidential business information, or that depends upon a computer network for critical business purposes.
When a data breach occurs, an organization must respond urgently and effectively to mitigate exposure. Having experienced counsel on call to provide legal advice regarding the myriad issues that arise is essential in such situations. Not only is there an immediate demand for legal analysis on multiple fronts, but having informed legal advice on how to manage the crisis can pay substantial dividends by allowing the organization to avoid common and not so common pitfalls.
Drawing on our experience in numerous such cases—including many of the largest data breaches to date—our attorneys are able to act quickly to organize a comprehensive plan to address breach-related issues, including any loss or theft of data or any unauthorized use of confidential information, while analyzing the associated risk and potential exposure posed by the incident. Our experience allows us to develop legal strategies that globally address the multiple simultaneous challenges that arise, including:
- FORENSIC INVESTIGATION of the breach’s actual scope and cause
- CONTAINMENT AND IMPLEMENTATION of appropriate security enhancement programs
- NOTIFICATION consistent with statutory and contractual disclosure and notice obligations
- PRESERVATION of forensic data, electronic records and other material evidence
- LAW ENFORCEMENT cooperation and appropriate collaboration
- REGULATORY ENGAGEMENT in meeting obligations and responding to inquiries and investigations
- LITIGATION DEFENDING against individual, class, contractual and regulatory threats, and vindicating rights against third parties
OUR TRACK RECORD
In matters of incident response, strict confidentiality is often paramount.
When we can determine that a potential incident does not trigger reporting obligations, our clients are better able to manage the reputational impact of such events. Our attorneys recognize the importance of this analysis and are well positioned to help organizations maintain confidentiality and control to the extent possible.
Many data breaches, however, do become public, and the public data breaches in which we have been engaged to advise on incident response include some of the largest and most complex data breaches announced to date.
We have served as global coordinating counsel, managing all legal fronts, and have also collaborated closely with co-counsel. In either context, we bring our unmatched experience to bear in helping our clients meet those challenges.
MAJOR PRIVACY AND DATA SECURITY INCIDENTS
In the 10 years since data security breaches have begun to make an impact on global commerce, Ropes & Gray attorneys have handled some of the highest-profile breaches, with hundreds of millions of dollars at stake. Companies represented include:
[Timeline graphic, 2007–2016]
- MIG: Allegation of third-party cookie workaround
- THE TJX COMPANIES: Data security breach
- TARGET: Data security breach
- LABMD: Ropes & Gray challenges FTC at 11th Circuit
- WYNDHAM HOTELS AND RESORTS: Data security breaches of computer networks
- SONY: Criminal cyberattacks affecting more than 100 million Sony entertainment accounts
- HEARTLAND PAYMENT SYSTEMS: Security breach within processing system
- USIS: Advanced Persistent Threat cyberattacks
- MAJOR INS. CO.: Criminal cyberattack on computer network
- THE HOME DEPOT: Data security breach
- SUPERVALU: Cyberattacks on portions of computer network
HONG KONG | SEOUL | SHANGHAI | TOKYO
NEW YORK | WASHINGTON, D.C. | BOSTON | LONDON
CHICAGO | SAN FRANCISCO | SILICON VALLEY
© 2017 Ropes & Gray LLP. All rights reserved. Prior results do not guarantee a similar outcome. Communicating with Ropes & Gray LLP or a Ropes & Gray lawyer does not create a client-lawyer relationship. 17_0184_0525
ropesgray.com
GLOBAL CONTACTS
Marc Berger | New York | Litigation & [email protected] | +1 212 841 8871
Paul Rubin | Washington, D.C. | Litigation & [email protected] | +1 202 508 4709
Doug Meal | Boston | Litigation & [email protected] | +1 617 951 7517
Seth Harrington | Boston | Litigation & [email protected] | +1 617 951 7226
Mark Szpak | Boston | Litigation & [email protected] | +1 617 951 7606
Michelle Visser | San Francisco | Litigation & [email protected] | +1 415 315 6347
Heather Egan Sussman | Boston | Counseling & [email protected] | +1 617 951 7125
Laura Hoey | Chicago | Litigation & [email protected] | +1 312 845 1318
Rohan Massey | London | Counseling & [email protected] | +44 20 3201 1636
Jim DeGraw | San Francisco | Counseling & [email protected] | +1 415 315 6343
David Cohen | New York | Litigation & [email protected] | +1 212 841 8880
Andy Dale | Hong Kong | Litigation & [email protected] | +852 3664 6438
Clare Sellars | London | Counseling & [email protected] | +44 20 3847 9036
Marcus Thompson | London | Litigation & [email protected] | +44 20 3201 1648
David Chen | Shanghai | Counseling & [email protected] | +86 21 6157 5283
Tim McCrystal | Boston | Counseling & [email protected] | +1 617 951 7278
Debbie Gersh | Chicago | Counseling & [email protected] | +1 312 845 1307
Cori Lable | Hong Kong | Litigation & [email protected] | +852 3664 6480