Technological innovations continue to place personal and corporate information at risk. As private data becomes increasingly subject to sophisticated tracking, collection, and processing, attention to cybersecurity is as critical as ever. M&R offers a vertically integrated, interdisciplinary team of lawyers who work diligently to protect our clients’ security environments, assure uninterrupted use of networks, prevent unauthorized access and cyber incidents, and otherwise minimize cybersecurity and privacy risks and exposure.
M&R professionals employ their vast legal and technical knowledge in counseling a wide range of organizations in an array of industries – financial services, insurance, advertising and digital media, hospitality, technology, and retail, among them – on improving cybersecurity defenses and developing policies to quickly mitigate and recover from cyber attacks should they occur. Likewise, M&R attorneys are leaders in creating comprehensive internal and compliant external privacy policies.
Areas Of Expertise
- Breach Fallout
There have been a sufficient number of data breach suits settled, providing insight into the potential costs resulting from a breach event. Consequently, M&R’s Cybersecurity Team can discuss settlement ranges based on the scope of sensitive data involved, litigation trends (including shareholder suits against officers and directors for lack of cybersecurity due diligence and prioritization), as well as C-suite turnover as a consequence of cyber events.
- Breach Litigation
When security breaches result in lawsuits, M&R’s Cybersecurity Team provides aggressive representation of our clients’ business interests. Lawyers in the firm’s Commercial & Business Litigation Department are well versed in cybersecurity issues and poised to demonstrate client compliance with the ever-evolving best practices in the world of cybersecurity. M&R’s CBL attorneys, always mindful of clients’ business goals when developing litigation strategies, stand ready to zealously litigate cybersecurity cases from beginning to end.
- Breach Response
Given today’s cyber climate, it is virtually inevitable that all organizations will experience a security breach at some point during their lifecycle – what is crucial to surviving such an incident is an effective breach response strategy. M&R’s Cybersecurity Team specializes in this area, coordinating with requisite vendors (e.g., forensics, network recovery, public relations, and insurance) as well as law enforcement and industry regulators during this critical time.
M&R also helps companies navigate the relevant maze of state and federal breach notification requirements. While satisfying clients’ applicable reporting obligations, the firm also focuses on providing client response efforts with the maximum amount of attorney-client privilege protection allowed by law.
- Data Privacy Policies
State and federal law requires companies to communicate privacy policies to consumers. Such policies must disclose how any given business collects, processes, discloses, stores, and destroys data as it relates to the individuals providing it. M&R’s Privacy Team assists clients in satisfying these statutory and regulatory mandates by creating clear and coherent data privacy policies that inform their customers about the protection and use of private consumer information.
- Data Privacy Practices
It is important for businesses to develop clear internal policies specifying the types and intended use of consumer data collected. Companies must understand that indiscriminate data collection (i.e. collecting customer information with no immediately identifiable business purpose) can be problematic and could unnecessarily create potential liability in the event of a data breach, with no offsetting organizational benefit. Also, businesses that collect data from a myriad of sources subject to a wide range of use restrictions must tread lightly given the difficulty in identifying how such information can be utilized.
M&R’s Privacy Team counsels clients on how to align data collection and disclosure practices with current and future business plans. At the same time, the firm provides advice and counsel regarding risk assessment, management, and strategies to (1) expand potential uses for collected data and (2) open up actual or pseudonymous data sets for use in analytics, monetization, or other purposes.
- Incident Response Planning
The optimal time to prepare for a potential cyber incident is before the occurrence of a costly breach. Toward that end, M&R’s Cybersecurity Team helps clients prepare tailored Incident Response Plans (IRPs). IRPs allow companies to more easily identify potential threats in their security environments, implement systems for reporting such threats to key stakeholders, and provide roadmaps for satisfying state and federal regulatory compliance obligations in the event of a breach.
When it comes to cybersecurity, one size does not fit all, which is why M&R’s IRPs are tailored to address the unique structure and geographic composition of each of our clients, as well as the responsibilities and capabilities of their key personnel.
- Regulatory Compliance
With the adoption of cybersecurity requirements by the New York Department of Financial Services and a pending data security model law proposed by the National Association of Insurance Commissioners (NAIC), insurance and insurance-related companies as well as brokers, agents and adjusters are now (or, outside New York, will soon be) under similar cybersecurity regulatory obligations as healthcare providers (under the Health Insurance Portability and Accountability Act – HIPPA) and financial institutions (under the Gramm-Leach-Bliley Act – GLBA – and SEC regulations). M&R can advise companies on the ongoing compliance mandates in New York and provide insight into how the NAIC model regulations will likely be enforced and in which jurisdictions.
- Training and Tabletop Simulations
An IRP should not be executed for the first time in response to an actual emergency. For this reason, M&R’s Cybersecurity Team trains our clients’ key c-suite and information security personnel to respond to simulated attacks using real-world tabletop exercises. These safe and controlled exercises help stakeholders to fully grasp and internalize the reality of cyber attacks and their impact on business operations. They also prepare executives and staff to confidently respond when actual breaches occur, using the skills and tools developed through this comprehensive training.
- Breach Response: Represented healthcare provider in breach response investigation and issuance of statutory notifications.
- Breach Response: Represented university in breach response investigation and counselled on removal of private data from public websites.
- Breach Response: Represented financial service and healthcare providers in investigating and responding to data breach incidents.
- Cybersecurity Training: Trained client executives and key employees in incident response plan protocols and advised on methods to improve security policies and procedures.
Data Privacy Policies: Counseled software developer on revision of privacy policies, end-user license agreements, end-of-support announcement and requirements, and user sweepstakes program.
- Data Security: Represented client in responding to government inquiries regarding product data security.
Digital Advertising and Media: Advised national retailer on CAN-SPAM Act and Telephone Consumer Protection Act (TCPA) compliance for text messaging and email advertising campaigns involving joint marketing campaign with third-party retailer.
- Incident Response Planning: Represented insurance clients in development of incident response plans and network security policies.
- Intellectual Property: Assisted client in negotiating transfer of intellectual property relating to alleged security vulnerabilities from security researchers.
- Corporate Counsel, May 24, 2017
- HMM, CPAs LLP 2017 Healthcare SummitMelville, NY, November 30, 2017
- American Agents Alliance (AAA) Convention and ExpoPalm Desert, CA, September 24, 2017
- Legal Hackers of Orange CountyIrvine, CA, September 18, 2017
- Property Casualty Insurers Association of America (PCI) ACIC General Counsel SeminarSan Diego, CA, July 27, 2017
- Louisiana Insurers' Conference (LIC) Annual Compliance Seminar & Legislative ReviewNew Orleans, LA, June 22, 2017