Seemingly every day, cybersecurity, privacy and data breaches are making major national headlines. No doubt about it, confidential and sensitive personal and corporate information is at risk from cybercrime and nation-state attackers.
The key to defending against such attacks is preparation; to wit, developing the policies, plans and strategies to resist data breaches and mitigate potential damage. To that end, M&R offers a vertically integrated, interdisciplinary team of lawyers who work diligently to protect our clients’ security environments, maximize uninterrupted use of networks, prevent unauthorized access and cyber incidents and otherwise minimize cybersecurity and privacy risks and exposure.
The firm’s professionals employ their vast legal and technical knowledge and experience in counseling a wide range of organizations in an array of industries – advertising and digital media, banking and financial services, health care, hospitality, insurance and retail and apparel, among them – on improving cybersecurity preparedness and policy development to quickly mitigate and recover from cyber attacks should they occur.
Areas Of Expertise
- Breach Response
Law enforcement has been warning for years that an organization’s next data breach is not a matter of “if,” but “when.” In today’s cyber climate, it is virtually inevitable that all companies will experience a security breach at some point during their lifecycles – what is crucial to surviving such an incident is an effective breach response strategy. As regulators reduce the time for data breach reporting, M&R attorneys are prepared to swiftly respond in the event of a data breach, coordinating with requisite vendors (e.g., forensics, network recovery, public relations and insurance) as well as law enforcement and industry regulators during this critical time. We also help businesses navigate the relevant maze of state and federal breach notification requirements. While satisfying clients’ applicable reporting obligations, the firm additionally focuses on maximizing the amount of attorney-client privilege protection allowed by law.
- Data Privacy and Management Practices
Particularly in the face of new GDPR regulations on data collection and processing, it is important for businesses to develop clear internal policies specifying the types and intended uses for collected consumer data. Both in the U.S. and overseas, companies must understand that indiscriminate data collection (collecting customer information with no immediately identifiable business purpose) and mismanaged data governance can be problematic, resulting in unnecessary potential liability in the event of a data breach with no offsetting organizational benefit. Also, businesses that collect data from a myriad of sources subject to a wide range of use restrictions must tread lightly given the difficulty in identifying how such information can be utilized. Our attorneys can prepare key data governance policies and counsel clients on how to align data collection and disclosure practices with current and future business plans. At the same time, the firm provides advice regarding risk assessment, management, and strategies to (1) expand potential uses for collected data and (2) open up actual or pseudonymous data sets for use in analytics, monetization or other purposes.
When security breaches result in lawsuits, we provide aggressive representation of our clients’ business interests. Lawyers in the firm’s Commercial & Business Litigation Practice Group are well versed in cybersecurity issues and poised to demonstrate client compliance with the ever-evolving best practices in the world of cybersecurity. The firm is always mindful of clients’ business goals when developing litigation strategies, and stands ready to zealously litigate cybersecurity cases from beginning to end. Our cybersecurity team can provide valuable counsel when resolving such litigation, discussing settlement ranges based on the scope of sensitive data involved, litigation trends (including shareholder suits against officers and directors for lack of cybersecurity due diligence and prioritization), as well as potential C-suite fallout as a consequence of cyber events.
- Pre-Breach Planning
The optimal time to prepare for a potential cyber incident is before a costly breach occurs. Toward that end, our cybersecurity team helps clients prepare tailored cybersecurity policies and Incident Response Plans (IRPs). IRPs allow companies to more easily identify potential threats in their security environments, implement systems for reporting such threats to key stakeholders, and provide roadmaps for satisfying state and federal regulatory compliance obligations in the event of a breach. When it comes to cybersecurity, one size does not fit all, which is why M&R’s cybersecurity policies are tailored to address the unique structure and geographic composition of each of our clients, as well as the responsibilities and capabilities of their key personnel.
- Regulatory Compliance
Cybersecurity and data privacy are hot issues on the minds of many regulators, both in the U.S. (at the state and federal levels) and internationally. M&R advises companies on the ongoing compliance mandates in jurisdictions around the globe, and provides insight into how new and developing legislation will likely be enforced in a myriad of industries.
- Insurance/Financial Services – With the adoption of cybersecurity requirements by the New York Department of Financial Services and a pending data security model law proposed by the National Association of Insurance Commissioners (NAIC), insurance and insurance-related companies as well as brokers, agents and adjusters are now (or, outside New York, will soon be) under similar cybersecurity regulatory obligations as health care providers (under the Health Insurance Portability and Accountability Act (HIPAA)) and financial institutions (under the Gramm-Leach-Bliley Act (GLBA) and SEC regulations).
- Retail – The Federal Trade Commission has opined that inadequate cybersecurity measures could be deemed an “unfair trade practice” if there is a substantial likelihood that consumers could be injured as a result. While retail has traditionally been an industry with little cybersecurity regulatory oversight in the U.S., this model is quickly changing with the rapid increase in data breaches of large retail chains. We help our retail clients establish the cybersecurity and privacy policies to both improve on preparedness to resist a cyberattack, as well as the data minimization strategies to effectively mitigate any resulting harm to consumers.
- Healthcare – HIPAA’s Security Rule has been in effect behind the scenes since 2005, but it has received substantially less attention than more consumer-facing privacy rules. Nevertheless, with the ever-increasing risk of cyberattacks against healthcare providers (particularly the debilitating effects of ransomware attacks that can result in shutdowns and terminate treatment), it is incumbent upon such providers and their business affiliates to develop robust cybersecurity and data privacy programs. The firm crafts comprehensive and enforceable policies that are critical when it comes to demonstrating due diligence in the face of an OCR investigation.
- Training and Tabletop Simulations
An Incident Response Plan should not be executed for the first time in response to an actual emergency. For this reason, we train our clients’ key C-suite and information security personnel to respond to simulated attacks using real-world tabletop exercises. These safe and controlled exercises help stakeholders to fully grasp and internalize the reality of cyber attacks and their impact on business operations. They also prepare executives and staff to confidently respond when actual breaches occur, using the skills and tools developed through this comprehensive training.
National Insurance Broker (Regulatory Compliance): Drafted cybersecurity policies, incident response plans, third party service provider security policies, disaster recovery plan and other cybersecurity policies for regulatory compliance.
International Music Instrument Retailer (Regulatory Compliance): Drafted data governance policy and assisted in data mapping exercises for EU GDPR compliance.
Healthcare Provider (Breach Response): Counseled health care provider relating to alleged data breach by litigation opponent.
E-Commerce Retailer (Breach Response): Counseled national retailer regarding data breach by third party payment processor affecting e-commerce sales and issuance of statutory notifications.
International Supply Chain Vendor (Regulatory Compliance): Drafted cybersecurity policies, incident response plans, third party service provider security policies and other cybersecurity policies for regulatory compliance.
International Child’s Clothing Retailer (Regulatory Compliance): Drafted data governance policy and assisted in data mapping exercises for EU GDPR compliance.
Healthcare Provider (Breach Response): Represented health care provider in breach response investigation and issuance of statutory notifications.
Educational Institution (Breach Response): Represented university in breach response investigation and counseled on removal of private data from public websites.
Financial Services (Breach Response): Represented financial service provider in investigating and responding to data breach incidents.
Insurance (Cybersecurity Training): Trained client executives and key employees in incident response plan protocols and advised on methods to improve security policies and procedures.
Software Development (Data Privacy Policies): Counseled software developer on revision of privacy policies, end-user license agreements, end-of-support announcement and requirements and user sweepstakes program.
Financial Services (Data Security): Represented multi-state financial services client in responding to government inquiries regarding product data security.
National Big Box Retailer (Digital Advertising and Media): Advised national retailer on CAN-SPAM Act and Telephone Consumer Protection Act (TCPA) compliance for text messaging and email advertising programs involving joint marketing campaign with third-party retailer.
National Insurance Brokers (Incident Response Planning): Represented multi-state insurance clients in development of incident response plans and network security policies.
Automotive (Intellectual Property): Assisted client in negotiating transfer of intellectual property relating to alleged security vulnerabilities from security researchers.
- Corporate Counsel, May 24, 2017
- Forecast for Overseas Data: Partly Cloudy, May 9, 2018
- HMM, CPAs LLP 2017 Healthcare Summit – Melville, NY, November 30, 2017
- American Agents Alliance (AAA) Convention and Expo – Palm Desert, CA, September 24, 2017
- Legal Hackers of Orange County – Irvine, CA, September 18, 2017
- Property Casualty Insurers Association of America (PCI) ACIC General Counsel Seminar – San Diego, CA, July 27, 2017
- Louisiana Insurers' Conference (LIC) Annual Compliance Seminar & Legislative Review – New Orleans, LA, June 22, 2017
- Finding Problems Before the Bad Guys: A Legal and Technical Discussion on Penetration Testing and Managed Security Services – Property Casualty Association of America (PCI) 29th Annual Western Region General Counsel Seminar, San Diego, CA, July 26, 2018