Privacy and Information Security REGULATORY AND GOVERNMENT AFFAIRS

WilmerHale has an exceptional privacy, data protection and data security practice. Our interdisciplinary team is composed of lawyers with a broad mix of litigation, regulatory, counseling and transactional expertise.

Our lawyers work on privacy and data security issues with clients across all sectors of the economy, including e-commerce operators and vendors, communications and media companies, financial institutions, defense contractors, health care providers, retailers and human resources companies. These companies come to us for help navigating their most difficult domestic and cross-border privacy issues. We have helped clients across the globe develop company-wide privacy and security compliance strategies; conduct security breach and other sensitive investigations; address cutting-edge law enforcement issues; litigate a host of issues of first impression; and navigate various legal regimes in the US and abroad, including the Electronic Communications Privacy Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act (HIPAA), and relevant European Union (EU) Directives and member state laws.

Where our practice particularly stands out is our ability to marshal lawyers with an array of skill sets and expertise to address a client’s privacy issue, so that all aspects of it can be handled by a coordinated team. In a typical example, when employees at a company publicly released customer data without authorization, our team conducted an internal investigation to determine the facts; our litigators handled the resulting class action; our subject matter and regulatory experts developed a white paper and responded to inquiries from the Federal Trade Commission, state attorneys general, and members of Congress; and we worked with the client to review and strengthen its internal policies and procedures to prevent similar incidents in the future.


Dr. Martin Braun

Partner

+49 69 27 10 78 207 (t)

martin.braun@wilmerhale.com

Patrick J. Carome

Partner

+1 202 663 6610 (t)

patrick.carome@wilmerhale.com

Michael Holter

Partner

+44 (0)20 7645 2574 (t)

michael.holter@wilmerhale.com

Barry J. Hurewitz

Partner

+1 202 663 6089 (t)

barry.hurewitz@wilmerhale.com

Samir Jain

Partner

+1 202 663 6083 (t)

samir.jain@wilmerhale.com

Paul A. von Hehn

Partner

+32 475 902 965 (m) +32 2 285 49 03 (t)

paul.vonhehn@wilmerhale.com

Heather Zachary

Partner

+1 202 663 6794 (t)

heather.zachary@wilmerhale.com

Experience

Regulatory Proceedings and Investigations and Legislation

We regularly represent clients before federal and state agencies and officials such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and state Attorneys General (AG) in connection with investigations, rulemaking proceedings, legislation, and other matters raising privacy and data security issues.

Rulemaking and Similar Proceedings

We have assisted clients with advocacy in regulatory proceedings seeking to develop or modify privacy and security rules on a variety of subjects, including the development of a self-regulatory framework for behavioral advertising, the FCC’s customer proprietary network information (CPNI) rules, the FTC’s and Securities and Exchange Commission’s document disposal rules, implementation rules for the Gramm-Leach-Bliley Act, FCC rules regarding the scope of federal statutory requirements to maintain capabilities to assist with government electronic surveillance, and law enforcement’s proposed FCC rules to limit overseas access to and storage of customer telephone records.

Legislation

We also work with clients in strategy development and advocacy in connection with legislative activity in the privacy and security arena. Our work in this area has dealt with subjects such as spam, responses to data security breaches, financial privacy, consumer reporting, behavioral targeting and online data collection, and electronic surveillance.

Compliance, Privacy Policies, and Data Security

We are trusted advisors to a large number of clients on many novel and important questions concerning privacy and security issues. We have developed practical enterprise-wide privacy and security policies and programs for multi-national corporations in the online services, financial services, information technology (IT), manufacturing, telecommunications, defense and retail sectors. We regularly advise clients on developing security incident response plans and providing data breach crisis management. We counsel clients on compliance with numerous federal and state statutes related to privacy and the application of such laws to emerging practices such as behavioral advertising, online payment platforms, mobile marketing and electronic delivery of health information. Our work has included:

Communications, Privacy and Internet

  • Advising clients on privacy issues in connection with monitoring communications for purposes of network management and detecting unlawful activity such as accessing child pornography
  • Advising clients such as broadband service providers, online content companies and wireless carriers concerning the privacy implications of offering targeted advertising using behavioral data from customers’ Internet usage, location data and other demographic information
  • Counseling various clients concerning state and federal law governing the recording of telephone conversations, do-not-call restrictions and pre-texting
  • Advising clients on application of FCC rules concerning subjects such as CPNI and cable privacy to new services, including broadband access and wireless advertising

Financial Services

  • Representing merchants in negotiations with, and during compliance proceedings conducted by, the major credit card companies arising from claimed merchant data compromises
  • Counseling consumer reporting agencies and information furnishers and users on applicability and requirements of Fair Credit Reporting Act
  • Advising various clients on applicability of and compliance with Gramm-Leach-Bliley, including compliance with Safeguards Rule, information sharing with joint marketing partners and responses to high-profile security incidents

Human Resources/Employee Data

  • Advising multinational companies on data protection issues affecting centralization of global human resources information systems
  • Counseling companies about compliance with international privacy and data transfer laws, including those applicable to sensitive (e.g., medical and financial) personal information; privacy and security obligations in connection with large-scale outsourcing; and security incident response and state and international breach notification obligations
  • Assisting numerous companies with respect to employee privacy concerns arising in connection with litigation discovery, internal investigations, and regulatory and Congressional investigations

Health Information

  • Developing and implementing HIPAA compliance policies and procedures and negotiating business associate agreements for clients such as a leading mail order pharmacy and online health information provider
  • Developing patient consent and patient privacy documentation for clinical research

Cross-Border Data Transfers and International Privacy Laws

Our privacy and security practice is international in scope. Our domestic team is recognized for its understanding of international privacy regimes and for its ability to craft practical solutions to transborder data flow issues. We frequently draw on the expertise of our lawyers in our offices located in Europe and elsewhere to advise on international e-commerce laws and cross-border data protection issues such as compliance with the European Union data privacy directive. Recent matters include:

  • Working with various multinational businesses to develop privacy and security programs to comply with cross-border EU data protection requirements for transfer of customer and employee data and to obtain Safe Harbor certifications
  • Developing data security programs to support offshore outsourcing of various data processing activities  
  • Advising various clients on compliance with European data protection rules in connection with marketing strategies, licensing agreements, enforcement of corporate compliance rules, and data retention for online service providers  

Privacy Litigation

Our seasoned litigators have litigated precedent-setting privacy and data security-related national class actions and other cases in federal and state courts throughout the country. Highlights in recent years include:

  • Representing Bell operating company in national, multi-district class action litigation in connection with claims that it violated communications privacy laws by allegedly providing assistance to the National Security Agency in connection with alleged electronic surveillance activities
  • Defending large Internet service provider in national privacy class action arising from public release of subscribers’ Internet search query data
  • Representing merchant in numerous trial level actions and an appeal involving claims arising from alleged breach of credit and debit card data
  • Assisting online clients in successfully challenging subpoenas and other legal process seeking subscriber data, search query data, and similar information on privacy and free speech grounds

Publications & News

February 13, 2014

NIST and DHS Release Final Cybersecurity Framework, Roadmap, and Voluntary Program for Cybersecurity Assistance

Yesterday, the National Institute of Standards and Technology (NIST) released the final version of the voluntary federal cybersecurity standards known as the Cybersecurity Framework, along with a “Roadmap” explaining how the government will work with the private sector, other countries, and international organizations to refine and improve the Framework over the next several years.

January 27, 2014

Defense Department and GSA Issue Recommendations for Improving Cybersecurity in Government Contracting

On January 23, the Department of Defense and the General Services Administration published their joint recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration . . . [including] what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

December 16, 2013

Legal 500 Germany 2014 Recognizes WilmerHale Lawyers and Practice Areas

The Legal 500 launched its new edition Legal 500 Deutschland, Germany's guide to outstanding lawyers, and recognizes WilmerHale in seven categories.

November 21, 2013

Defense Department Publishes Final Rule Implementing Enhanced Information Protection and Cyber Incident Reporting Requirements

September 30, 2013

California Adopts "Do Not Track" and Expanded Data Breach Notification Laws

On Friday California Governor Jerry Brown signed into law the second and third of a cluster of four privacy and data security bills recently passed by the state legislature, continuing California’s role as among the most active states in extending the reach of on-line privacy and information security regulation.

August 30, 2013

NIST Issues Discussion Draft of Preliminary Cybersecurity Framework

February 13, 2013

President Obama Issues Cybersecurity Executive Order

June 7, 2012

Chambers USA 2012 Final Results Announced

April 12, 2012

US V. Nosal — Implications For CFAA Cases

An article by Jonathan Cedarbaum, Randolph Moss, Benjamin Powell, Patrick Carome, Steven Lehotsky and Jason Chipman, appearing in the April 12, 2012 edition of Law360 California, Technology, Intellectual Property, Employment, Appellate, White Collar and Privacy & Consumer Protection.

April 11, 2012

En Banc Ninth Circuit's Nosal Decision Restricts Computer Fraud and Abuse Act's Reach