The privacy of personally identifiable information is an increasingly sensitive and important issue across industries. As information technology becomes a greater part of our daily lives, the value of information to businesses continues to increase, and the labyrinth of state, federal and international laws designed to regulate and protect information grows more complex. It is increasingly becoming the rule that entities engaged in the collection, distribution or utilization of personally identifiable information about individuals will be required by law to protect the privacy and security of that information. Navigating the maze of government regulation pertaining to data privacy and security requires counsel with an understanding of both the unique data needs of your operations and the broader legal framework.
Akin Gump Strauss Hauer & Feld LLP’s privacy and data protection practice offers a full array of services, including developing compliance programs, providing day-to-day compliance counseling, furnishing strategic advice on structuring business relationships in a manner that is sensitive to data privacy and security concerns, providing legislative and regulatory advocacy services, assisting with data breach investigations and responses, providing advice in connection with government investigations and litigating privacy matters in federal and state courts at both the trial and appellate levels. Our firm represents clients across a broad range of industries—including health care, retail, insurance, telecommunications, professional sports, media and entertainment, e-commerce and data aggregation—with regard to privacy matters.
Our areas of focus include—
Advertising, Marketing and Sales
For many businesses, data privacy is a customer-driven necessity, as businesses process, track and use potentially sensitive financial or personal information as key components of their business models. We understand the complex risks that our clients face in the current and evolving regulatory environment. Our lawyers have experience handling data privacy matters relating to consumer-focused advertising and shopper data tracking, evaluating whether contemplated marketing activities comply with federal and state privacy laws, assisting with data breach investigations and defending companies under investigation by the Federal Trade Commission (FTC) with respect to privacy issues.
We regularly deal with FTC staff, including the lawyers of the Division of Privacy and Identity Protection. We handle matters involving Section 5 of the FTC Act, the federal statute closest to imposing general privacy obligations under U.S. law, as well as the more-focused privacy statutes such as the Gramm-Leach-Bliley (GLB) Act, the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and the Children’s Online Privacy Protection Act (COPPA). We also have substantial experience advising clients regarding laws governing the communications channels used for marketing, such as the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule and the CAN-SPAM Act.
Our lawyers are especially focused upon retailing activities. Our clients include numerous supermarket retailers, their suppliers and other related industry partners. We also have experience advising insurance industry clients on advertising, marketing and sales issues.
Communications and Information Technology
Our lawyers provide a range of privacy counseling and compliance services to wireline and wireless telecommunications carriers, broadband carriers, cable providers and Internet service providers. We advise wireline and wireless telecommunications carriers regarding compliance with the customer proprietary network information (CPNI) rules administered by the Federal Communications Commission (FCC), which restrict the ability of a carrier to use and disseminate information about its subscribers’ telecommunications services and calling habits and require carriers to implement sophisticated safeguards with respect to their subscribers’ CPNI. We also assist wireline and wireless telecommunications and broadband carriers in complying with the Communications Assistance for Law Enforcement Act (CALEA), which governs their obligations to provide certain communications surveillance technological capabilities to law enforcement. We advise cable providers regarding the Cable TV Privacy Act and assist providers of Internet access and related services in complying with other applicable privacy statutes and regulations, such as the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act.
Data Breach Response
The effects of a catastrophic data breach can be far-reaching, potentially impacting a company’s operations, reputation and bottom line. Our catastrophic breach response team stands ready to assist clients with their regulatory, legislative, investigatory and dispute resolution needs in the wake of a data incident. Our regulatory lawyers assist clients in navigating state and federal breach notification requirements, including evaluating whether such requirements apply and drafting appropriate notices where needed. Our litigators conduct internal investigations for clients that suspect a breach has occurred, provide advice to clients interfacing with law enforcement officials and furnish dispute resolution services as needed. Our government relations and advocacy team works with clients facing—or potentially facing—congressional inquiries concerning the breach.
Disclosure of Information to and by the Government
Our lawyers have extensive experience in matters arising under the Freedom of Information Act (FOIA), including high-level, sophisticated experience in matters before the U.S. Supreme Court and the D.C. Circuit. Our experience includes handling issues arising under FOIA’s Exemption 1 (national security information), Exemption 4 (allowing the withholding of certain confidential business information), Exemption 6 (allowing the withholding of personnel, medical or similar files where the release would constitute a clearly unwarranted invasion of personal privacy) and Exemption 7(C) (providing protection for law enforcement information where the release could constitute an unwarranted invasion of personal privacy). Our team includes practitioners who have worked in the government on FOIA litigation, including a former assistant to the solicitor general who handled the most important FOIA privacy decision in the Supreme Court in recent decades (National Archives and Records Admin. v. Favish). We also handle cases seeking the release of information through FOIA, as well as cases where clients seek to block such disclosure (so-called reverse-FOIA actions).
Employee Data Privacy – Domestic
Our lawyers frequently advise clients on a variety of workplace privacy issues. We counsel clients on the proper conduct of background investigations on applicants and employees pursuant to the FCRA and FACTA, as well as on state laws and Equal Employment Opportunity Commission (EEOC) guidance concerning the use of such information in the employment context.
Our lawyers have experience advising clients on privacy issues concerning records relating to employer-sponsored group health plans and on issues arising under the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Americans with Disabilities Act (ADA). We routinely advise employer-sponsored group health plans on compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and related regulations.
We conduct assessments of employer wellness and medical examination programs for compliance with the ADA, which places restrictions on when medical examinations may be conducted, and Title 2 of GINA, which prohibits the deliberate acquisition of genetic information, prohibits employers from discriminating on the basis of genetic information and places strict limits on disclosure of genetic information that is acquired. EEOC has issued regulations and sub-regulatory guidance on medical examinations and medical inquiries and is also promulgating rules to implement Title 2 of GINA, which may impact practices that employers are carrying out in compliance with other statutes, such as the ADA and HIPAA.
Employee Data Privacy – International
Our attorneys assist clients with a wide variety of issues concerning privacy and protection of employee data flowing across borders in today’s global economy, including compliance with the EU Data Protection Directive and laws of other jurisdictions worldwide. Because data privacy and protection laws vary from country to country, transnational companies face the complex challenge of complying with local privacy laws in all jurisdictions in which they operate. We work with clients to develop and implement employee data privacy policies and procedures that address this challenge, draft data protection consent agreements, ensure certification under Safe Harbor and register with local data protection authorities in various jurisdictions. Our attorneys have experience working with the privacy laws of the European Union, as well as with the individual requirements of its member countries, South American countries, Canada, Russia, Japan, Hong Kong, Vietnam, Thailand, Singapore, India, Iran, United Arab Emirates, South Africa and others.
Financial Data Privacy
Use, disclosure and protection of personally identifiable information collected by entities in the financial services and credit reporting industries is regulated under various laws, including the GLB Act, FCRA and FACTA, and related regulations, including GLB’s Safeguard Rule and the Red Flags Rules developed under FACTA. We counsel clients on compliance with these legal requirements and represent financial institutions in litigation involving the theft of customer information.
Government Relations and Advocacy
Our lawyers monitor regulatory and legislative developments in the privacy arena on behalf of clients from various industries. We advocate on behalf of clients with respect to pending legislation or existing laws relating to the privacy of personally identifiable information. We also advocate on behalf of clients on privacy issues at all phases of the regulatory process.
Health Information Privacy
Our health industry practice has maintained a robust privacy practice since HIPAA’s passage in 1996. Health information is protected by a complex, continually evolving patchwork of state and federal laws and regulations. As those touched by the health information privacy and security regulatory scheme were finally adjusting to operating under HIPAA and its implementing regulations, Congress passed the HITECH Act as part of ARRA, dramatically impacting data privacy and security obligations and risks. Our lawyers have the depth of experience needed to handle health information privacy and security issues in these dynamic times.
As data privacy and security issues take on increased significance and are subjected to ever-increasing levels of regulation, our lawyers advise entities across industries, including traditional health sector participants as well as others outside the mainstream that are caught in the web of state and federal regulations. We assist hospitals, pharmacies, pharmaceutical companies, health clinics, health plans, third-party administrators, research entities, software vendors, service providers, trade associations and even a professional sports league, among others, in addressing concerns relating to data privacy and security.
We counsel clients on compliance with state and federal privacy, security and breach notification requirements. We address health information privacy and security issues arising in the course of clients' day-to-day operations, and also develop forward-looking, comprehensive compliance programs and toolkits tailored to individual client needs. We draft internal policies and procedures to assist clients in their compliance efforts, and we prepare forms to meet the full range of compliance needs (including notices of privacy practices and forms authorizing the use or disclosure of health information). We assist clients in structuring relationships and drafting contracts that are tailored to address health information privacy and security issues (including preparing and negotiating appropriate business associate agreements). We assist clients in investigating, responding to and remediating data breaches, and counsel providers in connection with HHS Office for Civil Rights (OCR) investigations of alleged HIPAA privacy violations. We also advocate on behalf of clients for legislative and regulatory change in the federal health information privacy and security regime. We address privacy and data protection issues that are at the crux of the matter, as well as those that are collateral to ongoing congressional investigations, litigation or bankruptcy proceedings.
Privacy of Government-Maintained Records
We assist clients with issues implicating the Privacy Act in various contexts, such as guiding clients through data breach situations and other similar incidents. Our team includes the attorney who handled Doe v. Chao, the first Privacy Act case considered by the U.S. Supreme Court. Our lawyers assist clients seeking Privacy Act protection for their individual records and have extensive experience assisting contractors in addressing issues arising from the inclusion of the Privacy Act and its implementing regulations in contracts with the federal government.
Supreme Court and Appellate Advocacy
Our attorneys have briefed and argued many of the seminal cases in privacy law at the highest levels. Our Supreme Court and appellate experience on privacy matters includes FOIA, reverse-FOIA, the federal Privacy Act, FCRA and the Family Educational Rights and Privacy Act (FERPA). Our attorneys have won two Supreme Court cases under FCRA, as well as a FERPA case in which the Supreme Court addressed whether FERPA may be enforced through an action under 42 U.S.C. § 1983. Our team includes a former assistant to the solicitor general who handled the most important FOIA privacy decision in the U.S. Supreme Court in recent decades, as well as the first Privacy Act case considered by the Court. We also won a reverse-FOIA action in the D.C. Circuit, overturning as arbitrary and capricious an agency decision that involved the disclosure of contractor auditing materials (United Technologies Corp. v. Department of Defense, 601 F.3d 557 (2010)), and are handling other FOIA matters in both federal district court and before federal agencies.
Key cases briefed or argued in the Supreme Court by current Akin Gump lawyers include—