Cybersecurity and Data Privacy


Electronic data fuels innovation and productivity for the global economy, but the connectivity that is revolutionizing workplace collaboration is also creating unprecedented vulnerability to data theft, loss and disclosure.

Effective data security must protect the intellectual property of the company and the privacy rights of customers and employees, while at the same time preserving the data accessibility the marketplace demands. Schiff Hardin mobilizes attorneys from across the firm’s practice groups and offices to provide our clients with a multidisciplinary, national Cybersecurity and Data Privacy Client Service Team to address these challenges.

Risk Management Means More Than Breach Prevention

Perfect data security and perfect legal compliance are unlikely in the current environment. Technology provides malefactors, both foreign and domestic, with the upper hand, and the laws governing data security in the United States are a patchwork of inconsistent state and federal statutes and regulations that fall short as a reliable roadmap for corporate best practices. The overlay of an evolving body of global data privacy law only complicates the compliance landscape. Cyber breaches are inescapable for even those companies with the most sophisticated security framework, and the investigations that follow each breach usually uncover at least some corporate compliance issues.

When a Breach Happens, Neutralizing the Business Risk Requires Skilled Advocacy

Meaningful risk management requires much more from outside counsel than a checklist of cyberlaw do’s and don’ts. Our goal, and how we measure success, is helping our clients minimize cybersecurity risk as a threat to customer goodwill, corporate intellectual property and shareholder confidence. We help clients develop and communicate a persuasive company narrative that places a cyberbreach in the proper context and demonstrates to all relevant constituencies — regulators, shareholders, customers, employees and the courts — that they can and should continue to have confidence in the company’s data security and culture of corporate compliance.

The building blocks for this narrative should already be in place before a breach occurs. An integrated data security strategy views legal compliance as an important element but not the final measure of success. Our team is uniquely positioned to help the client neutralize data security as a business risk both before and after a breach occurs.

Our Firm Stands Ready With a Multidisciplinary, National Team

Our Cybersecurity and Data Privacy Team combines the skill sets of trial advocates, subject matter experts and compliance counsel, and reflects our firm’s depth of experience in both trade secrets litigation and corporate internal investigations.

Long before “cybersecurity” became a watchword in corporate boardrooms, our Trade Secrets litigators had substantial experience investigating and bringing to trial complex claims for theft of electronic data, often relying on sophisticated computer forensic analysis. Although cyberbreaches involving consumer information may receive substantial public attention, the breaches of greatest economic value remain thefts of trade secrets and other sensitive commercial information.

At the heart of our Cybersecurity and Data Privacy Team are attorneys who grapple daily with the challenges of translating legal compliance into policies and procedures and of negotiating appropriate contracts to protect and share confidential business and personal information. Our attorneys provide counsel on compliance with industry-specific standards such as the Payment Card Industry (PCI) Data Security Standards as well as industry-specific privacy laws such as those applicable to medical (HIPAA) and financial (Gramm-Leach-Bliley) data. We also advise clients on online data collection and crafting website privacy policies.

Experience

    • Data breach counsel for a national medical association. Our response included an internal investigation, and notifications to consumers and governmental agencies. We advised the client on strengths and weaknesses in its current practices, drafted new policies and procedures, and assisted with implementation.
    • Transactional counsel for a web-based provider of outsourced human resources, benefits, retirement, and payroll services. We negotiated agreements with online service providers, including favorable terms governing data security, privacy, access to security audits, and indemnification for data breaches.
    • Trial counsel for a leading manufacturer of heavy construction equipment in a high-stakes litigation to recover stolen trade secrets. The defendant was a departing executive who had been responsible for overseeing a highly confidential multi-year redesign and marketing plan for the client’s entire product line. To prove theft of the product specifications and marketing plan, we conducted a complex forensic investigation that included reconstructing from backup tapes an image of the entire corporate network and tracing the executive’s network activity as well as searching and developing a usage history for more than fifty external storage devices. Our client prevailed on proof that the departing executive had stolen and refused to return certain files in defiance of a court order.
    • E-commerce counsel for a client launching a new web platform for an online hardware store. We provided advice regarding data protection and data breach liability. We also addressed online payments and payment card industry requirements.
    • While serving as a federal prosecutor, our partner was lead counsel in one of the first cases to charge a website operator with wire fraud, for selling hacked and reconfigured cable modems providing free, untraceable internet access. The same attorney was co-lead counsel in an international fraud prosecution for theft of bank account numbers and PINs.
    • Data privacy counsel for a financial services client. We provided advice regarding privacy disclosures for use of website analytics services and third-party ad-serving vendors.
    • Data breach counsel for a national supplier of barcodes and RFIDs. We conducted an internal investigation and provided advice regarding consumer notification and notification to governmental agencies. We then helped the client draft and implement enhanced data privacy and security policies.