WilmerHale


Privacy and Information Security
Regulatory and Government Affairs

WilmerHale has one of the nation’s premier privacy, data protection and data security practices. Our interdisciplinary team is comprised of internationally recognized lawyers with a broad mix of litigation, regulatory, counseling and transactional expertise.

Our lawyers work on privacy and data security issues with clients across all sectors of the economy, including e-commerce operators and vendors, communications and media companies, financial institutions, health care providers, retailers and human resource companies. These companies come to us for help navigating their most difficult domestic and cross-border privacy issues. We have helped clients across the globe develop company-wide privacy and security compliance strategies; conduct security breach and other sensitive investigations; address cutting edge law enforcement issues; litigate a host of issues of first impression; and navigate various legal regimes in the US and abroad, including the Electronic Communications Privacy Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, Health Insurance Portability and Accountability Act (HIPAA), and relevant European Union (EU) Directives and member state laws.

Where our practice particularly stands out is our ability to marshal lawyers with an array of skill sets and expertise to address a client’s privacy issue, so that all aspects of it can be handled by a coordinated team. In a typical example, when employees at a company publicly released customer data without authorization, our team conducted an internal investigation to determine the facts, our litigators handled the resulting class action, our subject matter and regulatory experts developed a white paper and responded to inquiries from the Federal Trade Commission, state attorneys general, and members of Congress, and we worked with the client to review and strengthen its internal policies and procedures to prevent similar incidents in the future.

Regulatory Proceedings and Investigations and Legislation

We regularly represent clients before federal and state agencies and officials such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and state Attorneys General (AG) in connection with investigations, rulemaking proceedings, legislation, and other matters raising privacy and data security issues.

Rulemaking and Similar Proceedings

We have assisted clients with advocacy in regulatory proceedings seeking to develop or modify privacy and security rules on a variety of subjects, including the development of a self-regulatory framework for behavioral advertising, the FCC’s customer proprietary network information (CPNI) rules, the FTC’s and Securities and Exchange Commission’s document disposal rules, implementation rules for the Gramm-Leach-Bliley Act, FCC rules regarding the scope of federal statutory requirements to maintain capabilities to assist with government electronic surveillance, and law enforcement’s proposed FCC rules to limit overseas access to and storage of customer telephone records.

Regulatory Investigations and Enforcement Actions

We regularly represent clients in enforcement proceedings and investigations raising cutting edge issues. Recent experience includes:

  • Negotiating a settlement of an FTC investigation in a case involving the claimed compromise of customer debit and credit card information
  • Assisting an online data server company in negotiating a settlement with state AG relating to compliance with Gramm-Leach-Bliley Act
  • Representing social networking site in convincing the FTC to abandon its investigation and reverse its initial determination regarding alleged violations of the Children’s Online Privacy Protection Act
  • Representing e-commerce companies in settling FTC investigations of alleged violations of the CAN-SPAM Act
  • Negotiating an Assurance of Discontinuance with the New York AG’s office on behalf of an online personal search service relating to use of personal financial information

Legislation

We also work with clients in strategy development and advocacy in connection with legislative activity in the privacy and security arena. Our work in this area has dealt with subjects such as spam, responses to data security breaches, financial privacy, consumer reporting, behavioral targeting and online data collection, and electronic surveillance.

Compliance, Privacy Policies, and Data Security

We are trusted advisors to a large number of clients on many novel and important questions concerning privacy and security issues. We have developed practical enterprise-wide privacy and security policies and programs for multi-national corporations in the online services, financial services, information technology (IT), manufacturing, telecommunications and retail sectors. We regularly advise clients on developing security incident response plans and providing data breach crisis management. We counsel clients on compliance with numerous federal and state statutes related to privacy and the application of such laws to emerging practices such as behavioral advertising, online payment platforms, mobile marketing and electronic delivery of health information. Our work has included:

Communications, Privacy and Internet

  • Advising clients on privacy issues in connection with monitoring communications for purposes of network management and detecting unlawful activity such as accessing child pornography
  • Advising clients such as broadband service provider, online content company and wireless carrier concerning the privacy implications of offering targeted advertising using behavioral data from customers’ Internet usage, location data and other demographic information
  • Counseling various clients concerning state and federal law governing the recording of telephone conversations, do-not-call restrictions and pre-texting
  • Advising clients on application of FCC rules concerning subjects such as CPNI and cable privacy to new services, including broadband access and wireless advertising

Financial Services

  • Representing merchant in negotiations with, and during compliance proceedings conducted by, the major credit card companies arising from claimed merchant data compromises
  • Counseling consumer reporting agencies and information furnishers and users on applicability and requirements of Fair Credit Reporting Act
  • Advising various clients on applicability of and compliance with Gramm-Leach-Bliley, including compliance with Safeguards Rule, information sharing with joint marketing partners and responses to high-profile security incidents

Human Resources/Employee Data

  • Advising multinational companies on data protection issues affecting centralization of global human resources information systems
  • Counseling global provider of outsourced human resources benefits management about compliance with international privacy and data transfer laws, including those applicable to sensitive (e.g., medical and financial) personal information; privacy and security obligations in connection with large-scale outsourcing; and security incident response and state and international breach notification obligations
  • Assisting numerous companies with respect to employee privacy concerns arising in connection with litigation discovery, internal investigations, and regulatory and Congressional investigations

Health Information

  • Developing and implementing HIPAA compliance policies and procedures and negotiating business associate agreements for clients such as a leading mail order pharmacy and online health information provider
  • Developing patient consent and patient privacy documentation for clinical research

Cross-Border Data Transfers and International Privacy Laws

Our privacy and security practice is international in scope. Our domestic team is recognized for its understanding of international privacy regimes and for its ability to craft practical solutions to transborder data flow issues. We frequently draw on the expertise of our lawyers in our offices located in Europe and elsewhere to advise on international e-commerce laws and cross-border data protection issues such as compliance with the European Union data privacy directive. Recent matters include:

  • Working with various multinational businesses to develop privacy and security programs to comply with cross-border EU data protection requirements for transfer of customer and employee data and to obtain Safe Harbor certifications
  • Developing data security programs to support offshore outsourcing of various data processing activities
  • In conjunction with the World Bank and International Finance Corporation, advising African countries on the development of credit reporting systems that protect consumer privacy and provide consumer protections
  • Advising various clients on compliance with European data protection rules in connection with marketing strategies, licensing agreements, enforcement of corporate compliance rules, and data retention for online service providers
  • Working with Internet top level domain registries to craft WHOIS policies in compliance with applicable data protection law and Internet Corporation for Assigned Names and Numbers (ICANN) policies

Privacy Litigation

Our seasoned litigators have litigated precedent-setting privacy and data security-related national class actions and other cases in federal and state courts throughout the country. Highlights in recent years include:

  • Representing Bell operating company in national, multi-district class action litigation in connection with claims that it violated communications privacy laws by allegedly providing assistance to the National Security Agency in connection with alleged electronic surveillance activities
  • Defending large Internet service provider in national privacy class action arising from public release of subscribers’ Internet search query data
  • Representing merchant in numerous trial level actions and an appeal involving claims arising from alleged breach of credit and debit card data
  • Assisting online clients in successfully challenging subpoenas and other legal process seeking subscriber data, search query data, and similar information on privacy and free speech grounds