The protection of sensitive data—from patient information to trade secrets to classified information—that organizations create and maintain is increasingly vital to business operations and risk management.
The privacy of personally identifiable information is an increasingly sensitive and important issue across industries, as the labyrinth of state, federal and international privacy, data protection and security laws with which businesses must contend grows ever more complex. It is increasingly becoming the rule that entities engaged in the collection, use or disclosure of personally identifiable information will be required by law to protect the privacy and security of that information. Cyber threats to sensitive data are immediate and real, as massive data breaches are making headlines with alarming frequency.
Akin Gump Strauss Hauer & Feld LLP’s cybersecurity, privacy and data protection practice understands the unique needs of businesses and has extensive experience helping clients navigate the myriad regulatory requirements, including assisting clients with data breach preparedness and response efforts, and related investigations and litigation. Our practice offers a full array of services, including developing compliance programs; providing day-to-day compliance counseling; providing legislative and regulatory advocacy services; assisting with data breach investigations and responses; handling regulatory investigations; and litigating cybersecurity, privacy and data protection matters in federal and state courts at both the trial and appellate levels. We also furnish strategic advice on structuring business relationships in a manner that is sensitive to cybersecurity, privacy and data protection concerns. We address cybersecurity, privacy and data protection concerns that are central to the matter at hand, as well as those that are collateral to transactions, ongoing congressional investigations, litigation or bankruptcy proceedings. Our firm represents clients across a broad range of jurisdictions and industries—including health care, retail, insurance, telecommunications, professional sports, media and entertainment, e-commerce and data aggregation—with regard to cybersecurity, privacy and data protection matters.
Our areas of focus include:
- data breach preparedness and response
- critical infrastructure cybersecurity
- health information privacy and security
- communications and information technology
- government relations and advocacy
- employee data privacy
- international cybersecurity, privacy and data protection
- consumer data privacy
- financial data privacy
- disclosure of information to and by the government
- privacy of government-maintained records
- Supreme Court and appellate advocacy.
Data Breach Preparedness and Response
The effects of a catastrophic data breach – or even a seemingly smaller-scale data incident – can be far reaching, potentially impacting a company’s operations, reputation and bottom line. Our breach response team stands ready to assist clients with their regulatory, legislative, investigation and dispute resolution needs in the wake of a data incident. Our regulatory lawyers assist clients in navigating state and federal breach notification and disclosure requirements, including evaluating whether such requirements apply and drafting appropriate notices where needed. Our litigators conduct internal investigations for clients that suspect a breach has occurred, provide advice to clients interfacing with law enforcement officials and state attorneys general and furnish dispute resolution services as needed. Our government relations and advocacy team works with clients facing—or potentially facing—congressional inquiries concerning the breach. Our team also assists clients in the normal course of business, and in the wake of a breach, in developing and improving data breach preparedness and risk management plans.
Critical Infrastructure Cybersecurity
The voluntary National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity developed pursuant to President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” presents a new set of risk management issues for companies in industries that are responsible for critical infrastructure services. Akin Gump lawyers are intimately involved in these impacted industries, including energy, utilities, national security, communications and information technology, health care, food and transportation, among others. We advise clients on legal issues related to critical infrastructure cybersecurity risk management.
Health Information Privacy and Security
Health information is protected by a complex, continually evolving patchwork of state and federal laws and regulations, including most notably the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Our lawyers advise entities across industries, including traditional health-sector participants as well as others outside the mainstream that are caught in the web of state and federal health information privacy, security and breach notification regulations. We advise hospitals, pharmacies, pharmaceutical companies, health clinics, medical device companies, health plans, research entities, software vendors, consumer electronics manufacturers, service providers, trade associations and professional sports entities, among others. Our lawyers assist clients, including those that are not mainstream health industry participants, in determining the extent to which HIPAA applies to their operations and in understanding compliance requirements.
Our lawyers address health information privacy and security issues arising in the course of clients’ day-to-day operations and also develop forward-looking, comprehensive compliance programs and toolkits tailored to individual client needs. We draft internal policies and procedures to assist clients in their compliance efforts, and we prepare forms to meet the full range of compliance needs (including notices of privacy practices and forms authorizing the use or disclosure of health information). We assist clients in structuring relationships and drafting contracts that address health information privacy and security issues. We assist clients in investigating, responding to and remediating data breaches, and counsel providers in connection with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigations of alleged HIPAA privacy violations. We advocate on behalf of clients for legislative and regulatory change in the federal health information privacy and security regime. Our health information privacy and data security work has included providing strategic advice, operational counseling, compliance and complex contracting services.
Communications and Information Technology
Our lawyers provide a range of privacy counseling and compliance services to wireline and wireless telecommunications carriers, broadband carriers, cable providers and Internet service providers. We advise wireline and wireless telecommunications carriers regarding compliance with the customer proprietary network information (CPNI) rules administered by the Federal Communications Commission (FCC), which restrict the ability of a carrier to use and disseminate information about its subscribers’ telecommunications services and calling habits and require carriers to implement sophisticated safeguards with respect to their subscribers’ CPNI. We also assist wireline and wireless telecommunications and broadband carriers in complying with the Communications Assistance for Law Enforcement Act (CALEA), which governs their obligations to provide certain communications surveillance technological capabilities to law enforcement. We advise cable providers regarding the Cable TV Privacy Act and assist providers of Internet access and related services in complying with other applicable privacy statutes and regulations, such as the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act.
Government Relations and Advocacy
Our lawyers monitor regulatory and legislative developments in the privacy arena on behalf of clients from various industries. We advocate on behalf of clients with respect to pending legislation or existing laws relating to the privacy of personally identifiable information. We also advocate on behalf of clients on privacy issues at all phases of the regulatory process.
Employee Data Privacy
Our lawyers advise clients on a variety of workplace privacy issues. We counsel clients on the proper conduct of background investigations on applicants and employees pursuant to the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA), as well as on state laws and Equal Employment Opportunity Commission (EEOC) guidance concerning the use of such information in the employment context. We have experience addressing workplace privacy issues both online and offline, including experience relating to employer and employee social media use. We are particularly well versed in providing day-to-day counseling to clients in the financial services industry on the use of social media and employee data pre- and during employment.
We routinely advise employer-sponsored group health plans on compliance with HIPAA, as amended by HITECH, and related regulations. Our lawyers advise clients on privacy issues concerning records relating to employer-sponsored group health plans and on issues arising under the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Americans with Disabilities Act (ADA). We conduct assessments of employer wellness and medical examination programs for compliance with the ADA, which places restrictions on when medical examinations may be conducted, and Title II of GINA, which prohibits the deliberate acquisition of genetic information, prohibits employers from discriminating on the basis of genetic information and places strict limits on disclosure of genetic information that is acquired.
International Privacy and Data Protection
Because privacy and data protection laws vary from country to country, transnational companies face the complex challenge of complying with local privacy laws in every jurisdiction in which they operate. Our team has experience working with the privacy and data protection laws of the European Union (including under the General Data Protection Regulation), Asia, the United Arab Emirates, the Russian Federation, Brazil, South Africa, India, Canada and others. We monitor legal and policy developments and work with our clients to understand their implications and to ensure compliance with the relevant privacy and data protection requirements. As new privacy and data security frameworks, such as the GDPR and China’s Cybersecurity Law, are adopted, our team’s experience and understanding from working through a range of existing frameworks can help clients better understand and manage the risks they present.
Consumer Data Privacy
Our lawyers are experienced in handling data privacy matters relating to consumer-focused advertising and shopper data tracking, evaluating contemplated marketing activities to ensure compliance with federal and state privacy laws, assisting with data breach investigations and defending companies under investigation by the Federal Trade Commission (FTC) with respect to privacy issues. We frequently interact with FTC staff, including the lawyers of the Division of Privacy and Identity Protection. We handle matters involving Section 5 of the FTC Act, the federal statute closest to imposing general privacy obligations under U.S. law, as well as more-focused consumer privacy statutes such as the Gramm-Leach-Bliley (GLB) Act, FCRA, FACTA, the Video Privacy Protection Act (VPPA) and the Children’s Online Privacy Protection Act (COPPA). We also have substantial experience advising clients regarding laws governing the communications channels used for marketing, such as the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.
Financial Data Privacy
We counsel clients on compliance with various laws, including the GLB Act, FCRA and FACTA, and related regulations, including the GLB Safeguards Rule and the Red Flags Rules developed under FACTA, as well as Regulation S-P and the New York Department of Financial Services Cybersecurity Rules. We assist clients in responding to and remediating data breaches involving disclosure of investor information. We also represent financial institutions in litigation involving the theft of customer information.
Disclosure of Information to and by the Government
Our lawyers have extensive experience in matters arising under the Freedom of Information Act (FOIA), including high-level, sophisticated experience in matters before the U.S. Supreme Court and the D.C. Circuit. Our experience includes handling issues arising under FOIA’s Exemption 1 (national security information), Exemption 4 (allowing the withholding of certain confidential business information), Exemption 6 (allowing the withholding of personnel, medical or similar files where the release would constitute a clearly unwarranted invasion of personal privacy) and Exemption 7(C) (providing protection for law enforcement information where the release could constitute an unwarranted invasion of personal privacy). Our team includes practitioners who have worked in the government on FOIA litigation. We also handle cases seeking the release of information through FOIA, as well as cases where clients seek to block such disclosure (so-called reverse-FOIA actions).
Privacy of Government-maintained Records
We assist clients with issues implicating the Privacy Act in various contexts, such as guiding clients through data breach situations and other similar incidents. Our lawyers assist clients seeking Privacy Act protection for their individual records and have extensive experience assisting contractors with issues arising from the inclusion of the Privacy Act and its implementing regulations in contracts with the federal government.
Supreme Court and Appellate Advocacy
Our Supreme Court and appellate experience on privacy matters includes issues arising under the Freedom of Information Act (FOIA), reverse-FOIA and the Fair Credit Reporting Act (FCRA). Our lawyers have experience litigating these issues both from inside the federal government and from the private sector, in federal courts of appeals as well as the U.S. Supreme Court. Our appellate team won a Fair and Accurate Credit Transactions Act (FACTA) case (based on the printing of consumer credit card information) on behalf of a major retailer in the 8th Circuit and defended that judgment in the Supreme Court (Hammer v. Sam’s East, Inc., 754 F.3d 492, 500 (8th Cir. 2014), cert. denied, 135 S.Ct. 1175 (2015)). We have also won a reverse-FOIA action in the D.C. Circuit, overturning as arbitrary and capricious an agency decision that involved the disclosure of contractor auditing materials (United Technologies Corp. v. Department of Defense, 601 F.3d 557 (D.C. Cir. 2010)).
- advise clients, including clients acting in their capacity as employers and plan sponsors, on breach reporting obligations following data incidents
- draft data breach remediation and response policies and procedures for clients ranging from retailers to health information exchanges to employer-sponsored group health plans
- provide public policy advocacy related to cybersecurity and biometric initiatives on behalf of an identity management company
- advise a manufacturing company regarding a federal cybersecurity investigation involving the Economic Espionage Act
- assist a communications client with regard to a Government Accountability Office inquiry and related congressional investigative inquiries regarding supply chain and cybersecurity issues
- advise on risk management and compliance issues relating to a national cybersecurity center in the Gulf Cooperation Council (GCC)
- handle data breach investigations and remediation involving an energy infrastructure company in the GCC
- provide legal advice relating to international criminal and civil proceedings involving cyber intrusions and intellectual property disputes in Europe, the United States and the GCC
- advise a multinational company on its privacy and data protection policy and procedures, including a review and overhaul of the company’s domestic policy on collection, use and handling of personally identifiable information
- advise on data breach investigations involving the personal information of high-level officials
- represent an online consumer service in an FTC investigation into so-called “secondary phishing” in user accounts that resulted in thefts from consumers; after demonstrating the company’s commitment to Internet security and use of best practices to protect consumer information, and educating the FTC team on the differences between data breaches, primary phishing in the company’s sites and secondary phishing, the FTC dropped its investigation without taking any action against our client
- advocate to policymakers regarding the value of behavioral marketing to mitigate potential regulatory changes involving online and offline collection and use of consumer data
- advise a national sports league on privacy issues, primarily focusing on state and federal laws including HIPAA, HITECH and the ADA confidentiality requirements
- draft comprehensive privacy and data protection policies and procedures for HIPAA covered entities and business associates
- bring privacy and security policies for an electronic medical record system being deployed by a national sports league into compliance with California privacy laws
- advocate for changes to pending legislation concerning the use and disclosure of health information
- draft comments on behalf of clients through the notice and comment rulemaking process, including preparing comments for submission to HHS on behalf of a major retail pharmacy chain and a group of cancer centers concerning proposed and final privacy rules
- advise an online support network for sick children and their families with regard to Internet applications and online privacy
- advise a major insurance company on the FACTA “Affiliate Marketing Rule” governing the proper use and sharing of consumer information with and among affiliated entities for cross-marketing purposes
- provide regulatory compliance advice regarding privacy and other issues to consumer-focused marketing companies, including companies developing new technology platforms and advertising techniques
- advise a major defense contractor on the FCRA consent and notification requirements relating to background investigations in the employment context and the permissible use of consumer reports in the employment context under the FCRA
- advise a major defense contractor on compliance with the FACTA Disposal Rule governing the destruction of sensitive consumer information
- assist a regional wireline telecommunications carrier and national wireless resellers in establishing appropriate CPNI procedures, addressing FCC enforcement efforts related to CPNI and making required filings with the FCC regarding their CPNI practices
- assist Internet access companies and national marketing companies utilizing new consumer-focused marketing channels in their efforts to understand and comply with ECPA
- assist broadband providers, wireless resellers and wireline telecommunications carriers in developing CALEA compliance plans and making appropriate CALEA-related filings with various government agencies
- obtain reversal in the D.C. Circuit on behalf of two large defense contractors in two reverse-FOIA lawsuits seeking to block the release of commercially sensitive information in response to FOIA requests submitted by news media organizations
- represent an individual in obtaining from the National Security Agency (NSA) and the Drug Enforcement Administration (DEA) alleged investigatory law enforcement records associated with the client
- advise an international bank on privacy obligations under a contract with the General Services Administration (GSA)
- advise a large publicly traded service contractor on implications of data security breach under the privacy clauses in its Department of Defense (DOD) contract
- advise clients on issues relating to relevant cybersecurity frameworks
- monitor federal legislative efforts to restrict data mining across various industries, and track and advocate in connection with federal policy and legislative efforts relating to consumer data
- draft and negotiate contracts, including complex business associate agreements and data use agreements, to address health information privacy and security concerns on behalf of clients ranging from health plans to pharmacy chains to hospitals and service providers
- advise clients on privacy issues arising under health reform initiatives, including the movement toward Accountable Care Organizations
- advise health care providers and health plans that have sustained data breaches on post-breach matters such as determining whether breach notification is required under state and federal law, preparing breach notices for individuals and breach reports to be submitted to HHS OCR, and responding to investigations opened by HHS OCR
- counsel health care providers in connection with investigations of alleged HIPAA privacy violations arising from individual complaints filed with HHS OCR
- advise a multinational corporation on the use of mandatory health risk assessments as part of its wellness program in light of the ADA and proposed rules on Title II of GINA
- advise major retail clients on the permissible scope of pre-employment inquiries regarding criminal convictions under state laws and EEOC guidance
- address privacy and data protection issues arising in the course of cross-border litigation in multiple jurisdictions, including those within the European Union
- advise clients on various issues related to the transborder transfer of employees' personal data outside the Russian Federation
- advise a microfinance organization on various issues under Russian law relating to the processing of consumers’ personal data
- provide a multinational consumer electronics developer and manufacturer with guidance on the EU Data Protection Directive as it relates to privacy and health information, including analyzing the potential impact of different EU member states’ implementing statutes
- advise national cable programming providers with regard to the Cable TV Privacy Act as it applies to cable systems carrying their programming
- advise contractors on methods of marking submissions to the government to minimize risk that material will be releasable under the FOIA
- advise a large data provider on the implications of data security breach, including release of personally identifiable information, in its contracts with DOD and the Department of Homeland Security (DHS).