Privacy & Cybersecurity

Primary contacts

Gregory T. Parks, Elizabeth B. Herrington, Pulina Whitaker, Mark L. Krotoski, Ezra D. Church, W. Reece Hirsch, Ronald W. Del Sesto, Jr.

The need for privacy and cybersecurity compliance measures has become a paramount consideration as businesses become more digitally driven, data breaches become more publicized, and regulation continues to increase. Company executives, boards of directors, employees, customers, and third-party providers all have data security obligations. Leveraging our industry-specific command of privacy and cybersecurity issues and our experience navigating complex regulatory environments, we customize solutions and policies to meet each client’s business demands and ever-changing technology footprint.

We recognize that companies have a legitimate need to collect, process, and disseminate information—and the resultant data is a valuable asset that companies need to leverage and protect. Our team helps clients achieve their business goals while addressing privacy and cybersecurity concerns in a manner that protects the clients’ brands and reputations and complies with applicable regulations. This arena consists of three main components: compliance management, transactional issues, and data breach response and litigation.

Our compliance management team helps clients proactively develop and implement privacy and cybersecurity processes and policies for their workforces and third parties. The group also conducts compliance reviews and audits, and addresses online and website privacy requirements. The transactional team assists clients with third-party vendor and customer transactions, due diligence, and data collection, acquisition, and use. When breaches, disputes, or litigation are underway or unavoidable, our crisis-tested and trial-ready data breach response and litigation lawyers focus on efficient and practical responses and resolutions. We work to protect our clients before, during, and after a data breach incident.

Morgan Lewis privacy and cybersecurity lawyers advise clients operating in the United States, Europe, South America, and Asia on compliance with privacy and cybersecurity regulations. Regulations in the United States include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Electronic Communications Privacy Act (ECPA), the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, the Children’s Online Privacy Protection Act (COPPA), and the Fair Credit Reporting Act (FCRA). European regulations include the European Commission’s ePrivacy Directive, European Critical Infrastructure Directive, and Data Protection Directive. We also counsel clients on investigations by the Federal Trade Commission (FTC), by the US Department of Health and Human Services’ Office of Civil Rights (OCR), and under the Sarbanes-Oxley Act, as well as e-commerce issues across industries such as retail, financial services, healthcare, pharmaceutical and life sciences, and manufacturing.


Compliance Management

A company that wants to both advance its business objectives and minimize risk when handling private data must fully assess its strategic needs and current methods for collecting, using, storing, and securing information about customers, employees, and other individuals. Morgan Lewis conducts privacy audits with a threefold goal of ensuring that clients:

  • Meet their data needs ethically, legally, and as cost effectively as possible
  • Implement customized, comprehensive privacy and cybersecurity policies that further the clients’ business objectives but minimize potentially costly data breach risks
  • Have contingency plans in place for prompt, effective management of any possible data breach emergency

Within the United States, at least 47 states have enacted data breach notification laws that require businesses to communicate suspected unauthorized disclosures of personally identifiable information in the event of a breach. Outside the United States, countries in Europe, Asia, and Latin America have enacted myriad laws, with localities in Africa also imposing many restrictions.

Our lawyers have performed countless audits and policy reviews, including global assessments of data protection compliance procedures and reviews of international transfer mechanisms. Since HIPAA was enacted in 1996, Morgan Lewis has represented US-based clients such as large insurers, employers, health plans, healthcare providers, clearinghouses, and business associates of such entities in related compliance matters.

We provide guidance on the intricacies of HIPAA’s privacy and security standards, and we can customize form or model documents to meet a client’s particular needs. We also review and revise clients’ HIPAA privacy and security compliance plans, business associate agreements, authorization forms, notices of privacy practices, and related documents.

Our labor and employment lawyers advise clients on privacy and security issues relating to employee and employer privacy, including the following:

  • The preparation of privacy and security policies
  • Regulatory compliance
  • Enforcement of privacy- and security-related statutes and regulations
  • Data protection and security
  • Cross-border transfers and compliance with European Union (EU) privacy legislation applicable to employee information
  • Website protection
  • HIPAA privacy
  • Security breach incidents and mitigation strategies
  • The available options for maintaining the free flow of personal information while minimizing risk

We help businesses such as Fortune 10 companies and small startups, among others, with their online privacy policies and use of data collected on websites.

From cookies and web beacons to behavioral advertising, our command of the technical and marketing language and issues in this area enables us to analyze our clients’ matters with precision, apply evolving standards and laws, and develop appropriate business strategies.

Transactional Issues

Our clients engage in many types of transactions that involve the disclosure, processing, collection, and use of critical business and sensitive personal data. At Morgan Lewis, we understand the regulatory and industry environments that impact these transactions, and we provide practical, business-oriented advice in connection with third-party vendor and customer transactions, due diligence, and data collection, acquisition, use, and commercialization.


Third-Party Vendor & Customer Transactions

  • Commercial Contracts: We advise clients on drafting, reviewing, and negotiating the provisions in commercial contracts that involve the protection and use of confidential information, as well as the actions and liability associated with the unauthorized use and disclosure of such information.
  • Third-Party Vendor Management: Our clients operate in many industries, each with increased focus on third-party vendor compliance and management. Morgan Lewis lawyers know the challenges associated with third-party vendor governance and oversight. We also understand the ongoing need to review and confirm compliance with security safeguards dictated by contractual and regulatory requirements. Our team helps clients develop and implement governance programs, and counsels them on contract interpretation issues, as well as contract and policy updates necessary to meet industry and regulatory standards.
  • E-Commerce and Websites: The Morgan Lewis team handles legal issues that arise when setting up, maintaining, and operating e-commerce and other websites. We advise clients on website privacy and acceptable use policies, click-through agreements, security requirements and processes, and data retention issues.

Due Diligence

Morgan Lewis lawyers manage and perform diligence reviews and exercises to help clients understand the types and categories of data being stored or processed, how the data is protected, whether the appropriate security protocols have been or will be in place, whether there are any weaknesses or issues, whether the appropriate response and remediation procedures are in place, and whether specific disclosures are necessary. We participate in such diligence exercises for transactions that include mergers, acquisitions, strategic alliances, joint ventures, outsourcing, hosting and cloud services, and data analytics.


Data Collection, Acquisition, Use & Commercialization

The use and leveraging of data is big business, and it is becoming a critical part of how companies understand their operations and customers. We help clients navigate the legal issues relating to data collection, acquisition, use, and commercialization, and we work with them to implement solutions that comply with legal and contractual requirements.

Data Breach Response & Litigation

Our privacy and cybersecurity team has guided clients through compliance and damage control in more than 800 data breach incidents. In that role, we:

  • Conduct investigations and recommend immediate preventive measures
  • Determine whether notification to affected individuals or government authorities is required
  • Conduct the notification
  • Contain exposure
  • Implement remedial and cost-recovery measures, including insurance recovery

We advise retail, healthcare, technology, and e-commerce clients regarding data breaches involving notification laws as well as Fair and Accurate Credit Transactions Act (FACT Act or FACTA) violations; licensing, regulatory, and code-of-conduct issues; and acquisition agreements. We also counsel clients on the HIPAA Breach Notification Rule.

Our team provides clients with the strategic insight and agency relationships they need to prepare for, or respond efficiently to, regulatory scrutiny in this area. Our government alumni include lawyers who formerly held positions with the FTC, the US Department of Justice (DOJ), many state enforcement agencies, and a number of district attorney offices across the United States.

With increasing public focus on privacy issues and corporate responsibility, Morgan Lewis takes all possible measures to steer clients clear of, or efficiently and effectively resolve, privacy-related litigation.

Among other matters, we have represented clients in litigation involving:

  • The conduct of corporate investigations
  • Data breaches
  • Data privacy class action defenses
  • Disposal of personal information
  • Employer group health plan privacy
  • Violations of FACTA

Cybersecurity in the Energy Sector

Energy companies turn to Morgan Lewis for help complying with Critical Infrastructure Protection (CIP) Reliability Standards, which have been difficult and expensive for electric utilities to implement. The standards require a melding of security concerns, energy company information technology (IT) infrastructure and operations, and legal advice.

Our lawyers advise clients on the implications of the National Institute of Standards and Technology (NIST) Cybersecurity Framework for owners of critical infrastructure. We counsel clients on how to incorporate that framework into existing cybersecurity practices and how to leverage the framework to improve the cybersecurity of critical power systems infrastructure.

Because we’ve worked with utilities since the beginning of CIP compliance, we have familiarity with the unique compliance risks stemming from the CIP Reliability Standards. We help electric utilities understand the application of CIP Reliability Standards to the utilities’ unique IT environments, analyze the compliance issues arising in the CIP context, and defend compliance monitoring and enforcement actions, including CIP audits and spot checks.

Working alongside both business and technical leaders within companies as well as the companies’ outside IT consultants, our lawyers help electric utilities design their CIP compliance programs and defend those CIP efforts when necessary. We bridge the divide between a utility’s complex IT environment and the cybersecurity framework that the CIP Reliability Standards impose. Each utility is unique, with varying numbers of Critical Assets and Critical Cyber Assets and a variety of approaches to designing and implementing Electronic Security Perimeter and Physical Security Perimeter protections.

Our cybersecurity efforts extend to developments on Capitol Hill, as cybersecurity enforcement remains a likely subject of additional federal legislation and agency regulation. We advised clients on the Cyber Intelligence Sharing and Protection Act and the Cybersecurity Act of 2012 in their various forms, as well as Executive Order 13636 and the resulting development of the NIST Cybersecurity Framework.

Cybersecurity in Financial Services

When a business is the victim of a cyberattack, the company must decide when and how to best cooperate with the government agencies investigating the attack. Nowhere is this more important than in the financial services industry, where the protection and security of customer assets and information is under constant scrutiny, particularly as hackers become more sophisticated and cyberattacks become more widespread.

Because an attack could have an expansive impact on the capital markets, the US Securities and Exchange Commission (SEC) has said it intends to focus on companies’ and firms’ risks and weaknesses in their cybersecurity preparedness. This includes conducting mandatory cybersecurity-focused compliance examinations of brokerage firms, investment advisors, and hedge funds. Additionally, the SEC has called on boards of directors to become more proactive in identifying and mitigating cybersecurity threats.

Our former SEC and DOJ lawyers use their government experience to help companies identify unique cyberthreats. We also counsel companies on methods to protect clients, data, networks, and operations from theft, disruption, and destruction. Our team evaluates and strengthens the adequacy of our clients’ internal controls systems, including safeguarding customer identity and other data. The group also helps clients work through response plans and handles issues such as breaches in third-party service providers or attacks involving corporate espionage aimed at the disruption of financial markets.

We help clients manage their privacy obligations under the Gramm-Leach-Bliley Act, the FCRA, the SEC’s Regulation S-P, the Bank Secrecy Act, and other US federal and state privacy regulations. Additionally, we counsel clients on regulations outside the United States, such as those pertaining to the UK Financial Services Authority’s Codes of Business. Specifically, Morgan Lewis advises on issues critical to financial services firms, including the following:

  • Guiding and advising financial services firms that are preparing for and responding to SEC examinations focused on cybersecurity preparedness
  • Educating and advising boards, audit committees, directors, management, and employees on how to assess and manage cybersecurity risks
  • Updating and improving companies’ and firms’ disclosures on potential cybersecurity risks
  • Investigating potential cybersecurity breaches and, when appropriate, communicating the results of those investigations to the SEC, the Financial Industry Regulatory Authority (FINRA), the DOJ, and relevant state agencies
  • Responding to requests, subpoenas, or inquiries from the SEC, FINRA, and the DOJ relating to cybersecurity disclosures, breaches, and risks of breaches
  • Defending potential litigation with regulatory agencies and private plaintiffs relating to alleged violations of the securities laws as a result of cyberbreaches
  • Counseling boards, directors, and management on insurance-related issues concerning SEC investigations and private litigation, including directors and officers liability coverage

Privacy & Cybersecurity in Healthcare

Because medical information is especially sensitive, privacy and security compliance is a central concern for healthcare companies. Since HIPAA was enacted in 1996, Morgan Lewis has represented large US-based healthcare organizations in HIPAA compliance matters. We counsel clients regarding HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act, state medical privacy laws, FTC standards, electronic health record meaningful use regulations, and actions of the OCR.

Our healthcare privacy and security counseling services include the following:

  • Developing privacy policies and procedures
  • Performing HIPAA compliance audits
  • Training workforce members on HIPAA requirements
  • Counseling on everyday issues regarding the use and disclosure of protected health information under state and federal healthcare privacy laws
  • Drafting and negotiating HIPAA business associate agreements
  • Assisting with security breach responses under the HIPAA Breach Notification Rule
  • Advising on how Big Data projects may be conducted consistent with HIPAA requirements
  • Developing breach response plans

Morgan Lewis advises on healthcare industry HIPAA compliance matters in the following sectors: hospitals, health plans and insurers, pharmaceutical companies, pharmacies, healthcare clearinghouses, healthcare IT companies, laboratories, academic medical centers, medical device manufacturers, health information exchanges, physician groups, third-party administrators, universities, and vision centers.

With our understanding of best practices and guidance (both formal and informal) from state and federal regulators, we develop corporate privacy compliance programs that comprehensively address privacy and security laws. We advise both HIPAA-covered entities and service providers to the healthcare industry that are seeking to demonstrate compliance with HIPAA business associate obligations. Our lawyers also advise institutions on the impact of the HIPAA Privacy Rule on research operations.

We have also represented hundreds of healthcare organizations in responding to security breaches involving medical information, and we offer knowledgeable, practical advice in these critical situations. OCR is ramping up HIPAA enforcement and audits in the wake of the HITECH Act, and the FTC and state attorneys general are increasingly concerned with privacy and security matters. In this heightened enforcement environment, our lawyers defend healthcare organizations in connection with administrative, civil, and criminal audits, investigations, and litigation relating to privacy matters.


Transactional & Corporate Matters

Our lawyers handle healthcare IT–related deals, including the formation of health information exchanges, spin-offs, sales of companies, acquisitions, financings, and ventures in transaction processing.

Privacy and security compliance have become increasingly critical due diligence issues in healthcare acquisitions and joint ventures. Morgan Lewis counsels healthcare IT companies, as well as traditional healthcare providers, on privacy and security issues arising from strategic alliances and joint ventures with third-party technology companies. We advise on the outsourcing of business functions such as website maintenance and application development, as well as teaming agreements to jointly market and sell existing healthcare IT products and services.


Employee Benefits: Special Resources

The Morgan Lewis employee benefits team has developed risk-management tools targeted to employers across all industries that sponsor group health plans for their employees, as well as the business associates of those plans. The firm’s HIPAA Privacy Compliance Initiative arms plan sponsors with the tools they need to navigate HIPAA in the new era of increased enforcement activity in addition to the heightened civil and criminal penalties that the HITECH Act ushered in. We offer these services—which include self-audit assistance, workforce training, and privacy officer assistance—based on a fixed-fee pricing model designed to meet each client’s needs.

Privacy & Cybersecurity in Hospitality and Travel

The hospitality and travel industry is a primary target for cyberattacks. As the industry and its increasingly sophisticated loyalty programs continue to go digital—with heavy reliance on mobile devices—the risk of attacks remains high.

Technology is revolutionizing how the industry operates, collects, uses, and transmits huge amounts of sensitive data. Consequently, hospitality and travel organizations need to understand how to assess and manage these risks to meet state, federal, and global privacy and security law requirements. They also need to know where vulnerabilities exist—from reservation systems and loyalty databases to point-of-sale software used at restaurants, bars, and gift shops.

Morgan Lewis lawyers identify possible data security threat vulnerabilities, while also reviewing privacy and cybersecurity insurance options. Many hospitality and travel companies turn to Morgan Lewis to review customer notification procedures and costs, credit card company procedures, fines and penalties, and technologies used as part of day-to-day operational procedures.

Privacy & Cybersecurity in Retail

Retailers have a legitimate need to amass large amounts of information about customers, business partners, competitors, and employees. But headlines confirm what we have known for years: Privacy and cybersecurity are massive challenges for retail companies—with threats emanating from hackers, data thieves, regulators, plaintiffs’ lawyers, insurers, and credit card companies. Drawing on our experience working with hundreds of retail companies, Morgan Lewis helps these clients address how they collect, transmit, store, use, and manage sensitive information.

For years, retail companies have experienced data breaches at a greater rate than those in any other industry. We’ve helped our clients manage more than 300 data breaches—from the smallest inadvertent disclosure of a single person’s information to epic hacking events, with hundreds of millions of credit card numbers at risk. When it’s time to respond to a data breach, our lawyers handle the initial investigation, government and individual notifications, and litigation from customers or others allegedly affected by the breach, among other responsibilities. We also help clients with cost recoveries against vendors, others potentially responsible for the breach, or insurers.

Our experience includes helping retailers with challenges in:

  • The Payment Card Industry Data Security Standard (PCI DSS)
  • FACTA
  • The FCRA
  • The CAN-SPAM Act
  • The FTC’s Red Flags Rule
  • California’s Song-Beverly Consumer Warranty Act
  • Gathering information at point of sale
  • The Telephone Consumer Protection Act (TCPA)
  • Children’s privacy, including COPPA
  • Online privacy policies
  • Driver’s license scanning
  • Data breach preparedness
  • Credit card cost recoveries
  • Payment processing systems
  • Data privacy class actions
  • Attorney general enforcement actions
  • Criminal background checks
  • FinCEN Anti-Money Laundering Rules
  • Gift card information management
  • Loyalty program customer data
  • Radio frequency identification (RFID) tagging details
  • In-store and online customer tracking
  • Use of closed-circuit television (CCTV) cameras

Privacy & Cybersecurity in Retirement Plans

Retirement plans are a rich source of valuable personal data about participants and beneficiaries, including Social Security numbers, addresses, dates of birth, bank account records, and pension benefit information. This collection of information presents an attractive and potentially exploitable opportunity for hackers and cybercriminals. Breach of personal information from a retirement plan could harm participants and beneficiaries through identity theft, theft of pension benefits, or access to other financial accounts and information. For the employer, plan sponsor, or plan administrator, a security incident can be expensive, harmful to its business and reputation, and damaging to its relations with employees and retirees.

While there is no comprehensive data privacy or cybersecurity law or regulation that expressly covers retirement plans, the Employee Retirement Income Security Act’s (ERISA) fiduciary duties of loyalty and prudence impose broad duties and obligations on plan fiduciaries to act in participants’ best interests and to undertake diligent efforts to protect these interests. Any fiduciary that breaches these duties and responsibilities may be responsible for making affected participants whole for any losses or damages. Specifically under ERISA, a fiduciary’s liability for a breach of its duties can include:

  • liability for fiduciary breaches and losses stemming from those breaches,
  • the obligation to restore profits,
  • other equitable or remedial relief (e.g., attorney fees, removal from fiduciary position), and
  • additional penalties, such as a monetary penalty of 20% of the recovery amount or criminal penalties for willful violations of reporting requirements or fraud, force, or violence.

We help retirement plan fiduciaries, sponsors, and administrators address and manage these risks. We assist with identifying sources of data privacy risk; preparing and implementing protective administration policies and procedures; evaluating service provider relationships and negotiating contractual provisions and protections to address data privacy issues; addressing the monitoring of service providers on an ongoing basis; and creating, implementing, and maintaining comprehensive information and data security breach response plans. Our risk management strategies account for requirements under ERISA and, in collaboration with our colleagues in other practices, other applicable federal, state, and local laws and regulations. In addition, we continue to monitor new requirements and developments from the US Department of Labor, the US Department of Homeland Security, Congress, state legislatures, state and local regulators, and industry and trade associations.

Copyright © 2023 Morgan, Lewis & Bockius LLP. All rights reserved.
