Privacy & Cybersecurity

In an increasingly digital world, the value of company data is growing exponentially and a company’s ability to optimize this data is vital to its competitive edge. Global enterprises recognize the untapped value their data holds, and understand that in order to effectively maximize the data they collect and analyze, they must safeguard it and fully understand the legal obligations they have in relation to it.

Dechert’s privacy & cybersecurity group takes a holistic and practical approach to the legal issues that arise from data optimization and data collection. Our lawyers are adept at designing and implementing global privacy and cybersecurity programs that enable companies to lawfully collect, analyze, secure and transfer data across borders.

Protecting our clients’ interests by ensuring robust compliance policies

Dechert’s global privacy & cybersecurity team helps clients navigate the complex business and regulatory challenges arising from today’s data management environment.

We work with our clients to ensure robust compliance with up-to-date policies and sound practices in business transactions. We help clients prepare for adverse events by advising them on incident response plans and strategies, and by keeping them up to date on challenges and changes in the regulatory landscape. When threats arise, our experienced team handles the specific data security and privacy issues raised by data breaches, including government or regulatory enforcement actions and litigation. Through webinars and publications, we work to keep clients apprised of key regulatory developments in this area.

Dechert was named a “Leading Cybersecurity Law Firm” in BTI Law Firms Best at Cybersecurity 2017, an independent report issued by BTI Consulting Group.

Breach response, litigation and enforcement actions

Dechert’s privacy & cybersecurity lawyers are well versed in representing clients in privacy litigation and enforcement actions brought by both federal and state regulators. We have handled numerous sensitive data breach response incidents for clients across a broad spectrum of industries, including the insurance, health care, life sciences and financial services sectors. We have also successfully represented clients in Federal Trade Commission (FTC) investigations arising out of large scale and multi-national data thefts.

  • A major e-commerce company on a data intrusion involving the possible loss of over 100 million records relating to personal information.
  • A major job search website in connection with U.S. and European notice and compliance issues following an outside hacker attack that affected data relating to 1.3 million customers.
  • A company in connection with an FTC investigation of alleged privacy violations related to pharmacy benefits data.
  • A company in preparing comments to the FTC on health care privacy studies and policy analyses.
  • An internet-based company in an FTC investigation into data security features of mobile phone applications, after which the FTC closed the investigation with no further action.
  • A major bank in a litigation arising out of the wireless theft of millions of credit card account numbers across the globe.
  • Mutual funds, hedge funds, retailers and other corporations in data breach responses, including compliance with various state breach notifications in various jurisdictions in the EU, U.S., Asia and Africa.
  • Mutual funds and retailers on designing and implementing comprehensive privacy programs.
  • Mutual funds and other financial institutions on the privacy implications of sharing data with third party vendors.
  • A global bank in its worldwide management and processing of client and employee data, the preparation of appropriate customer and company agreements, and the conduct of an international survey of privacy laws applicable to its business.
Cybersecurity crisis and response planning

Providing real-time responses in an uncertain and fast-paced environment, a central component of our practice is helping our clients prepare for, respond to, and recover from cybersecurity crises. Working closely with our clients’ IT, legal and compliance teams to create a coordinated and informed approach to potential crises, we review existing cybersecurity crises plans and make necessary updates to ensure clients have a detailed, effective plan in place that is tailored to their specific business and data flows. We work on the immediate steps to take in response to any cybersecurity crisis, including halting the attack, preserving critical evidence and escalating critical issues to senior management. We also manage the internal investigations that can follow a cybersecurity crisis, including representing clients in interactions with regulators and customers, and advising on the complex, potentially cross-border, legal issues in the wake of a cybersecurity crisis.

Banking and financial services

We have deep experience working with clients from the financial services industry. A primary focus of our practice involves assisting financial institutions, including registered investment advisers, broker-dealers and registered investment companies, with their cybersecurity- and privacy-related issues. Our lawyers review and develop robust information security policies that are compliant with US-based privacy and information security laws, including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Securities and Exchange Commission’s (SEC’s) Privacy of Consumer Financial Information (Regulation S-P), other related federal and state privacy regulations, and state regulations like the Massachusetts Standards for the Protection for Personal Information. Our lawyers are well-versed in the evolving cybersecurity guidance issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE) via Risk Alerts and through enforcement actions and we regularly advise asset managers of all sizes on practical ways in which to meet the SEC’s expectations. Dechert lawyers also provide legal guidance to clients as they conduct risk assessments to determine the ways in which their privacy & cybersecurity programs need to be expanded to meet regulators’ expectations.

From a global perspective, our lawyers have experience advising banking and financial services clients on the compliance challenges that arise from cross-border data transfers, particularly with respect to transfers of European residents’ personal data from the EU to the U.S. Dechert lawyers have advised on the EU-US Privacy Shield Framework, implemented model contract clauses and developed binding corporate rules compliance issues. We also regularly advise on the legal issues and practical challenges raised by the EU General Data Protection Regulation and by China’s Cybersecurity Law. Dechert’s European lawyers advise on financial services regulator information security requirements such as the UK Financial Services Authority’s (FSA’s) Codes of Business, as well as the implications of the European data protection directives. We counsel clients on how their privacy obligations are affected by other federal statutes and regulations, including anti-money laundering obligations under the Bank Secrecy Act (BSA) as amended by the USA PATRIOT Act.

We also assist with privacy issues related to outsourcing, such as subcontractor processing of bank software, participating in third-party internet banking systems and contracting with acquisition agents.

Compliance with international privacy regulations

Differences between U.S. privacy laws and the privacy regimes of other countries pose significant data collection issues and transfer restrictions affecting any company operating internationally.

We help multinational businesses ensure their data collection and storage practices conform with regulatory requirements wherever they do business, advising them on local data protection and privacy laws in the United States, Europe and Asia. We have advised clients on EU privacy law (including advice on the GDPR), China’s cybersecurity law, and new privacy regulations in Russia. We advise on legitimate means to transfer data across borders, particularly transfers to and from the European Union.

Transactions affecting data utilization, transfer and the cloud

The move toward cloud computing and software-as-a-service (SaaS) arrangements has created a range of new and complex legal issues for our clients in a wide range of industries, and we provide guidance on associated data protection, cybersecurity, licensing, outsourcing and cross-border issues. Dechert advises clients on the best strategies and contract provisions to address data protection and cybersecurity issues in commercial arrangements. Our clients include both customers and providers of technology services. Clients rely on Dechert to provide guidance on domestic and cross-border technology development and licensing, technology services agreements, SaaS services agreements, service level agreements, security standards and audits, outsourcing agreements, managing liability and indemnification for security breaches, and protection of related intellectual property rights and data protection issues. 

E-business and consumer marketing

Dechert advises buyers and sellers on important e-issues such as data collection and consumer information exchange policies, transactions and indemnification. In the United States, we provide guidance on the Federal Trade Commission Act, Electronics Communications Privacy Act (ECPA), Video Privacy Protection Act (VPPA), Computer Fraud and Abuse Act (CFAA) and Children’s Online Privacy Protection Act (COPPA). We have represented and counseled clients involved in Federal Trade Commission inquiries concerning their privacy practices.

Our privacy & cybersecurity team also advises on telemarketing regulatory schemes internationally, including the U.S. national do-not-call rule, corporate do-not-call lists, the CAN-SPAM Act, SEC regulation through NASD Rule 2212, state privacy rules, banking rules and other privacy matters.

In Europe, we advise on the operation of European regulation on data protection, as well as the anti-spam rules arising from the privacy in telecommunications directive and compliance with the supervisory authorities’ guidance on the application of those rules. We also help with best practices to prevent identify theft, using firewalls and other computer security measures.

Health care, pharmaceutical and life sciences industries

With extensive experience in state and federal privacy and related matters, we assist clients, including health care providers and employer health plans, in complying with the complexities and often unanticipated effects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Our services include assessing clients’ privacy and security practices, implementing practices to safeguard protected health information and employee data, employee training and developing other aspects of HIPAA compliance programs.

Recognized as leaders in the health care/pharmaceutical field, our lawyers speak and write extensively on HIPAA and other issues related to privacy and security. We also regularly conduct privacy and security training sessions for clients’ human resources departments.

Employee Privacy

We regularly counsel clients on issues related to workplace privacy, drafting policies on employee use of communications networks and equipment, employee use of social media, and other privacy issues raised by employers’ efforts to maintain safe and productive workplaces.