Data Privacy & Cybersecurity
Leech Tishman’s Data Privacy & Cybersecurity Group is positioned to counsel clients on preparing for and responding to data, privacy, and cybersecurity challenges. We offer clients a full spectrum of counseling and litigation capabilities, with a focus on privacy, data protection, information security, Internet and computer/cyber law, e-commerce, and consumer protection.
The field of data privacy and cybersecurity is complex and oftentimes multidimensional. Companies should be prepared to respond to the inevitable: they will experience a data incident or breach at some point. Our attorneys are skilled in assisting clients with the implementation of preventative measures to reduce data breaches, protect their data assets and limit operational disruptions. We regularly counsel businesses on protecting data and personal consumer information in compliance with applicable data privacy laws, including the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), and help them navigate these highly technical regulations to avoid significant liability.
Privacy and Data Security Laws
Privacy laws affect every business. There is no single, comprehensive data privacy law in the United States and many across the globe. With rapidly developing state consumer protection laws coupled with increased attacks on networks, privacy and data security concerns are now at the forefront for businesses. Massive breaches of protected data have become a daily occurrence. This has caused more legislation and regulatory oversight and a shift for businesses, requiring each to refocus its efforts on data and privacy. Unfortunately, many are not aware of or equipped with the right information and struggle to understand and keep up with the ever-changing laws.
To help our clients relieve some of this business stress, our experienced Data Privacy & Cybersecurity lawyers have a rich background in the field of information technology, giving them a fundamental understanding of data management and how data flows within an organization’s IT infrastructure. We work with clients in mapping high risk data, implementing safeguards, complying with rapidly changing data privacy and security laws, developing and implementing incident response plans, creating data breach notification policies, and educating employees on data protection principles. Our experienced team consists of attorneys selected from multiple practice areas to address privacy and security concerns across the spectrum of industries and business operations. We appreciate the importance of knowing the law and applying it to relevant circumstances, allowing our clients to effectively develop and deploy their business strategies. Aside from counseling clients through data breaches, hacks, investigations and litigation, we also have extensive experience related to privacy compliance audits, transactional due diligence, digital asset protection (estate planning), intellectual property, finance, corporate, workplace privacy and employment matters.
Compliance Counseling
Privacy and data security are critical at every stage of business operations and growth. It is critical for owners, directors and officers to identify how an organization collects and processes personal information. We help clients recognize, develop and modify internal procedures that govern use of personal information, and assist each to develop and implement internal privacy compliance and periodic audit programs including but not limited to the following:
- Addressing company obligations under applicable privacy laws
- Guidance on regulatory actions and security concerns in a variety of regulated industries (CAN-SPAM, CCPA, CFAA, CMMC, COPPA, GDPR, GLBA, ECPA, FCRA, FERPA, HIPAA, PCI DSS, SOPIPA, TCPA and VPPA)
- Review and assist in drafting data processing and data transfer agreements
- Assess, revise, develop and implement privacy and cybersecurity policies
- Monitor, assess and analyze current and proposed legislation
- Telecommunications
- National security
Audits & Risk Assessment
- Counseling to address critical security and IP vulnerabilities
- Policy review and data process procedure evaluation to verify compliance and recommend mitigation strategies
- Development of privacy/cybersecurity programs to avoid the risk of breach
- Review of contracts and insurance policies for data breach protection to address additional policy coverage needs with existing vendors and explore options with vendors who are more focused on data privacy and breach awareness
Privacy Program & Policy Development
- Assessment, development, and implementation of achievable and defensible privacy policies and public facing privacy notices
- Development of policy enforcement processes
- Assistance with building a privacy compliance infrastructure that meets or exceeds industry-standard regulatory, compliance, and cybersecurity obligations
Awareness & Training
- Develop awareness and employee training programs to ensure legal compliance and address employee handling/use of data, permissible usage of IT assets and services and guidance on identity theft issues
- Employer training regarding employers’ rights to monitor/intercept employee communications
Incident Response Planning
- Creation of data breach mitigation plan to communicate effectively and appropriately with agencies, regulators, customers and the public while protecting business integrity and continuity
Corporate
For most businesses, data is their most valuable asset. More particularly, the personal data that businesses collect, store and process must be handled with care. We understand that communication between IT departments and boards of directors and officers is critical for the effective implementation of a data privacy and cybersecurity plan. Our experience in both information technology and law can help bridge those gaps within an organization.
Our team of professionals has deep experience enabling us to focus on immediate privacy concerns. Our experienced lawyers approach data privacy and protection by first understanding a client’s business, the purposes and uses of personal information and the manner in which the data is managed. We offer clients, among other services:
- Privacy strategy and program development
- Privacy Impact Assessments
- Data Protection Impact Assessments
- Privacy program management
- Development of policies and procedures
- Analysis and drafting of transactional contracts and third-party agreements
- Review and analysis of contractual privacy and data protection
- Due diligence and support during M&A and related transactions
- Review, drafting and updating of contracts with third parties to ensure compliance with data privacy laws and third-party adherence to data privacy laws
Litigation
We live in a digital and information technology environment. Businesses across the globe are facing data protection and cybersecurity incidents and claims at astronomical rates. In each instance, organizations must expend significant time and resources to prevent them or, worse, defend them in court. Our seasoned lawyers advocate and defend clients in litigation (state, federal or administrative) resulting from alleged privacy violations, data breach actions and government investigations. We represent clients in regulatory actions, defend clients against individual or class action lawsuits, and ensure data security obligations are enforced. We work closely with our clients to obtain favorable resolutions as early and as efficiently as possible under the circumstances of each unique case, whether by obtaining dismissals, defeating class certification motions, negotiating favorable settlements, obtaining insurance compensation or litigating cases through trial and appeal. Our services include the following:
- Evaluation of potential claims
- Assessment of liability risks
- Preparation and implementation of subpoena response policies
- Evaluation of contract disputes
- Client counseling on appropriate responses to regulatory activities
- Providing litigation services in the event of a data breach, business email compromise, lawsuit and/or privacy enforcement agency action
- Prosecuting and defending against civil suits and enforcement actions due to privacy and cybersecurity issues
Estate Planning
Communicating your succession, retirement or estate plan is critical to protect and give your assets to your loved ones. However, many do not understand or consider their “digital assets” when planning. In a broader sense, digital assets include all of the electronic “possessions” an individual may have, including emails, digital photos, videos, tweets, texts, songs and e-books, cryptocurrency as well as online account information for websites, social media and bank accounts, among others. There is also a lack of understanding around privacy laws that at times thwart the efforts of executors and administrators to marshal digital assets. We guide clients on how to properly identify and take an inventory of their digital assets in their estate planning management, as well as the different categories of legal rights applicable to the assets or how to exercise various rights “to be forgotten” in the digital world. We also advise personal representatives (estate executors and administrators) of their obligations and rights in administering an estate and how to access or correct personal information on behalf of the deceased.
Healthcare
Medical identity theft and incomplete or improper patient disclosure due to a data or other cybersecurity breach can be deadly to patients and overall quality of care. With ransomware and other advanced threats on the rise, the FBI has identified healthcare organizations as prime targets for hackers. Additionally, the FDA cautions that medical devices need improved security as compliance regulations become more complex. Protecting data and securing it in the healthcare industry is not easy. Healthcare providers and their business associates are balancing the protection of patient privacy and the delivery of high-quality care while also attempting to meet the strict regulatory requirements set forth by the HIPAA security and privacy rules. With protected health information (PHI) being an individual’s most sensitive and valuable (for bad actors) private data, the failure of healthcare providers and other organizations to properly handle, use, share or transmit such data will come with substantial penalties and fines for breaches. Due to the laws and regulations governing PHI, healthcare organizations must implement a proactive, best-practices approach to security. Our attorneys can assist healthcare providers in the following matters, among many more data privacy issues they may face:
- Perform a Security Risk Analysis and audits
- Develop an action plan to mitigate risks
- Manage Business Associate relationships
- Draft vendor contracts
Hospitality
The hospitality world is re-opening. The industry relies largely on personal data and particularly credit card transactions as its payment method, both of which will attract cybercriminals. Other attacks include “DarkHotel” hacking, in which criminals use a hotel’s Wi-Fi to target business guests through targeted spear-phishing spyware and malware-spreading campaigns. Due to the nature of the data collected by companies operating within hospitality, information security is critical, and the industry has some of the highest numbers of security breaches. Hotels, motels, resorts, rentals and other lodging all gather and store (electronically) a wide range of personal information from their guests and staff. Like every industry that gathers such electronic information, the hospitality arena is becoming a playground for cyber criminals to hack into and access databases as well as devices containing both payment card information (PCI) and personally identifiable information (PII). Our lawyers can help hospitality businesses:
- Implement best practices for data security
- Create a staff training program on customer privacy
- Advise on ever-changing laws and relevant regulations (e.g., PCI DSS)
- Perform audits and conduct social engineering penetration tests
Intellectual Property
Almost every business organization has created some sort of “technology.” In many instances that technology captures some personally identifiable information from a user, whether through artificial intelligence (AI) innovations that use biometrics data or a simple online fill-in-the-blank form. As organizations develop IP, issues can arise with the implementation and use of such technology with respect to newly enacted and developing data privacy laws and regulations. For example, the device you may be using to read this content may have required you to use facial recognition to open the device—that personalized data is now part of the enormous and misunderstood data privacy legal and regulatory landscape. Our team of attorneys assists public and private organizations across a variety of sectors to protect each from a technological nightmare—a breach for the unwary, resulting in potentially large money damages, statutory penalties and harm to a business’s reputation. We can give companies the guidance to comfortably build their technology and remain in position to combat data privacy concerns by:
- Developing written policies and programs to address how the company will collect, use, distribute and destroy such data
- Establish systems to record informed consent received from employees and customers regarding the use of their data
- Storing only the relevant data that is needed
- Limiting the access to data
- Assist in de-identification and data anonymization efforts to mitigate breach risks
- Reviewing and drafting consumer facing contracts
- Advising on liability, property, criminal and cyber insurance and adequacy for data privacy risks
- Reviewing and drafting technology license agreements or joint development agreements
- Creating trade-secret protection programs
Real Estate & Construction
The real estate industry is not immune to privacy and cybersecurity risks. The protection of consumers’ sensitive personal information in real estate transactions is self-evident. Real estate transactions contain significant amounts of personal information, including, but not limited to, financial data, social security numbers, driver’s license numbers, passport numbers, insurance information and passwords. Real estate professionals collect, store and share this sensitive information. The exchange of information related to the ownership or buying and selling of real estate is a giant data pool in which cybercriminals are actively swimming. The damage that identity theft can do to disrupt a real estate purchase can be devastating. Additionally, most properties are “connected” with smart home/building technology. The Internet of Things (IoT) and technology-fueled economy are driving market disruption and innovation in a way that has far-reaching impact for the commercial real estate (CRE) industry. People today expect reliable, integrated, and high-performing connectivity for all aspects of their daily life, which creates an ever-increasing demand on facility network infrastructure and bandwidth capacity. As business functions and consumer needs hinge on high-performance connectivity, robust in-building wireless technologies are increasingly shaping CRE planning, development, and facilities management. As a result, privacy and cybersecurity issues must be analyzed and addressed. Our attorneys understand these realities. IT safeguards are only one aspect of protection. Practical administrative safeguards also are necessary. Our lawyers can assist in the development of a data security program and plan to protect the security, confidentiality, and integrity of data consistent with the best practices and industry regulations of the real estate business.
Business Restructuring & Insolvency
A debtor filing for bankruptcy has an obligation to protect personally identifiable information (PII) and other confidential information under data security laws and applicable non-bankruptcy law. PII can be a valuable asset for a bankruptcy estate to monetize through a sale of the business as a going concern or in a more limited sale of customer data. It can also be a burden to store and dispose of PII. We guide our clients to manage and operate property of the estate, as well as assist in strategies related to proof of claims and disputes with creditors.
Aviation & Aerospace
The aviation industry is not immune to data privacy attacks. Aviation is unique in that a cyberattack could result in the loss of many lives, which can also result in the destruction of a carrier’s reputation. We can conduct a thorough cyber assessment of critical elements of the aviation infrastructure and information systems. With a lack of clear and required regulations, as well as an abundance of data and security risks, the aerospace industry is quickly becoming one of the biggest targets for cybersecurity attacks in the world. As of 2020, enhanced security standards for defense contractors, including many in the aerospace and defense industry, took effect. The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) subjects contractors to a certification process designed to bolster security and enhance visibility into the supply chain. This means every company within the DoD supply chain will be required to get certified to contract with the DoD. Currently, smaller to midsize defense contractors are in need of a CMMC audit. We can assist these organizations, which would include an initial assessment, gap analysis, remediation testing and education.
Cannabis
Legal cannabis organizations are also in the data privacy business. In fact, these businesses are held to a higher standard than others due to industry-specific data collection and mandatory retention requirements. At the time of each legal sale, a cannabis customer is required to provide personally identifiable information (i.e., customer or patient name, date of birth, address, phone number, driver’s license or medical ID card numbers as well as email addresses and signatures; and is required to present a government-issued ID card to confirm age and possibly proof of a prescription). These requirements create data security issues. Additionally, guidelines for collecting and maintaining this personal information vary by state. For example, Ohio and California operators are required to store personal data through third-party software to track inventory and retail point-of-sales, whereas Illinois operators cannot store any personally identifiable information onsite but must use cloud or other off-location software or services. The issues do not stop with consumers but extend to employees as well, as employee records often contain sensitive data along with personally identifiable information. Our attorneys can assist cannabis operators to protect the data of customers and staff. We can implement proactive plans to avoid becoming an easy target.
Employment & Labor
For many organizations, employees may be their biggest liability. Organizations collect and use volumes of information about their employees. With technology, laws and regulations evolving, new and complex privacy concerns are springing up across the workplace. Protecting sensitive data is more important now than ever. Businesses need proper guidance to assess the risks and then a plan to take appropriate action. Our lawyers guide companies through the patchwork of local, state, federal and international laws relating to data privacy to avoid costly litigation, investigations and government enforcement actions, let alone negative press. We thoroughly understand every aspect of workplace law and the privacy issues within it. Our team can help you:
- Analyze, create or update policies related to:
  - Use of personal devices (“BYOD”)
  - Remote work or telework
  - Tracking and monitoring employees
- Perform cybersecurity audits
- Complete your privacy impact assessments (PIA) or audits
- Design privacy information management system (PIMS)
- Manage vendor relationships
- Negotiate and draft effective data security agreements
- Adhere to government contractor regulations
- Advise on the collection and storage of biometrics
- Assist clients in understanding the rules and regulations of businesses requiring COVID-19 testing and vaccination