Policy Drafting and Implementation
Our lawyers have been intimately involved in drafting policies, procedures, and programs directed at data privacy and information security for a wide variety of businesses in myriad industries. In many instances, we have assisted clients in updating existing policies to meet new challenges in their business operations. These efforts have ranged from creating straightforward plans for smaller employers to authoring multi-level plans for companies engaged in international commerce.
State Privacy Laws
Forty-seven jurisdictions in the United States now have specific breach notification laws. These laws differ in significant respects as to how and when notification requirements are triggered. We have performed state-by-state surveys and regularly update those surveys so we can advise our clients on notification requirements in an expedited and efficient manner. Additionally, we have advised and assisted clients with the Massachusetts Data Information Security regulations and the Nevada Data Encryption Law—and we are monitoring the potential enactment of similar laws in other states.
Our experience includes defending privacy cases brought under various state laws under a number of different jurisdictions. These cases, for example, have included invasion of privacy claims which implicate insurance industry practices involving disclosure of policyholders’ specific information, as well as confidential information obtained from state motor vehicle departments.
From an employer perspective, we regularly review state privacy laws as they relate to personal health information obtained by employers implementing leave and disability programs.
Demonstrating our recognized leadership in the area of state privacy laws, a member of our team co-authored the New York State Bar Association’s survey, report and recommendation with respect to privacy law issues.
We are well-positioned to counsel our clients on all state privacy laws.
Federal Privacy Laws
Our team has been closely tracking Congress’ attempt to pass federal data security breach legislation.
BakerHostetler lawyers also have been tracking the FTC’s attempts to implement the Red Flags Rule. In anticipation of its implementation, we have assisted a number of clients in drafting and reviewing policies that ensure compliance. We also have counseled our clients on tailoring Red Flags in order to be specific to their industries and business objectives. While the rule is in its infancy, we anticipate ongoing communications with our client both in the regulations and implementation of the rule.
We’re also highly familiar with the FTC’s regulation of “behavioral advertising.”
With respect to other federal regulations, we regularly assist clients on preparation of customer notification under Gramm-Leach-Bliley privacy laws. We have successfully defended financial institutions against attempts by consumers to bring private rights of action under Gramm-Leach-Bliley privacy laws.
A member of our team served as Chairman of the House Financial Services Committee during its passage of the Fair and Accurate Credit Transactions Act, giving us first-hand knowledge of the Act’s identity theft protection requirements—including credit card number encryption.
BakerHostetler regularly counsels companies on privacy provisions under the Fair Credit Reporting Act, which guide what can be done with an individual’s credit report information.
Our team assists clients in complying with the National Institute of Standards and technology, which are mandatory for government contractors and which function as industry standards for companies facing heightened security risks and liabilities.
We also provide guidance concerning the Genetic Information Nondiscrimination Act and its recently issued proposed and interim regulations.
And demonstrating our recognized leadership in this arena, a member of our team was the principal author of a white paper issued by the Mortgage Bankers Association of America offering guidance on compliance with privacy and security regulation.
We have extensive experience advising clients on the HIPAA Privacy Rule as it applies to healthcare providers and their business associates. In addition, we counsel clients on the HITECH Act provisions that have expanded and enhanced HIPAA privacy and security and will have a growing impact in coming years. Our knowledge extends to the policies, standards and implementation requirements of the HIPAA Security Rule.
Our attorneys assist clients in developing documents that comply with various regulations. For example, we have revised business associate agreements in light of new HITECH provisions regarding data breach notification, updated HIPAA Notice of Privacy Practices for healthcare clients and prepared services provider agreements in compliance with the Red Flags Rule. Our team also advised a hospital client on investigation of and responses to Office of Civil Rights HIPAA complaint investigations.
We also counsel healthcare providers on the Red Flags Rule identify theft regulation and its applicability to hospitals that offer covered accounts to consumers.
Members of our Healthcare team help providers and related companies in the industry develop and implement HIPAA compliance policies and procedures, and they further advise clients on related operational issues as well as clinical trial agreements.
Our attorneys develop HIPAA compliance programs for group health plans and providers, focusing on business associate agreements, privacy notices and policies/procedures conforming to HIPAA’s privacy and security regulations. We advise employers on taking steps to protect employee information acquired through benefit plan administration.
International Privacy Regulations and Global Policies
BakerHostetler attorneys are experienced in counseling clients on compliance with the “safe harbour” negotiated between United States Department of Commerce and European Commission. This process offers a streamlined method for U.S. companies to comply with the EU’s data protection directive, which regulates the processing of personal data, regardless if the processing is automated or not. Safe Harbour agreements are not always appropriate for all situation and we counsel on other means of complying with European privacy laws.
Our bipartisan lobbying team represents the interests of clients across a full spectrum of issues—financial institution data, healthcare information, FTC regulations, First Amendment and online communication. They work in concert with the lawyers in relevant practice areas to craft legislative strategies that result in the best outcome for our clients. We possess significant contacts throughout the federal government and regularly work with the House and Senate committees of jurisdiction on privacy issues.
Industry Security Standards
Data security in the payment card industry is an emerging legal area that requires hands-on experience. Data security standards such as PCI-DSS are being developed and amended on a regular basis in an effort to keep up with the criminal elements that have plagued this industry in recent years. PCI-DSS standards are comprehensive requirements developed by the industry to ensure consistency in data security measures on a global basis.
BakerHostetler’s lawyers have precisely this type of experience and regularly follow all developments in not only the card brand security standards, but all operating regulations that define acquirers’ and processors’ rights and liabilities. We have assisted clients in achieving compliance with these standards by working directly with auditors. We also regularly counsel clients on addressing related matters with payment card issues.
We are highly familiar with advertising industry self-regulatory standards and privacy standards, which are issued by industry groups such at the Better Business Bureau.
Data Breach and Incident Response
Taking a proactive approach, BakerHostetler emphasizes the importance of preparing clients to respond when a breach occurs. We routinely work with clients to prepare for such possibilities as negative media coverage, government investigations by the FTC and state attorneys general and related consent decrees, consumer complaints and other potential issues. Our goal is to provide practical guidance that will help clients minimize the impact on their customers and maintain goodwill. This often begins with a comprehensive incident response plan that includes internal and external actions. Our lawyers have drafted a number of such plans for a variety of businesses.
Within the payment card industry, we help clients determine the appropriate level of notice for card brands and customers based on state laws and industry regulations. We then develop appropriate remediation steps and address customer inquiries about the incident and available remedies to consumers, including credit monitoring.
Our representative experience includes counseling financial institutions, retailers, processors and third-party providers in managing and responding to significant data breaches. This experience has included negotiating and consummation of some of the largest settlements on record disposing of fines and reimbursements in the payment card industry. Our lawyers have developed long and productive relationships with industry representatives that have proven successful in obtaining very favorable results.
We routinely recommend to our clients that they initiate forensic investigations if they anticipate or believe that a data breach may have occurred. An early and comprehensive investigation can prove critical in defending claims against the breached entity. In that regard, we have engaged directly with forensic consultants when appropriate to protect the substance of certain opinions. In this role, we have helped ensure that the results of the forensic investigations are complete and accurate. Over the past several years, we have developed close working relationships with a number of nationally recognized forensic consultants, and these positive and productive relationships have served our clients well.
Employee Privacy Issues
BakerHostetler advises employers on a wide range of privacy areas, including compliance with federal and state regulations. For example, we have worked with clients to ensure the confidentiality of medical/disability-related records in compliance with the Americans with Disabilities Act and related state laws. We counsel clients on compliance with the Fair Credit Reporting Act and comparable state law with respect to pre-employment background checks and post-hire investigations, as well as with the Employee Polygraph Protection Act in connection with investigations of employee misconduct/theft.
We guide clients on such internal investigative processes as the monitoring of employee telephonic and electronic communications in compliance with federal and state wiretapping and privacy laws, and on the use of video surveillance equipment without violating employees’ statutory and/or common law right to privacy.
Our team has significant experience assisting clients as they navigate through workplace situations brought about by rapidly changing regulations. For example, we defended a FORTUNE 100 employer with respect to one of the first cases involving application of the controversial Florida “bring-your-guns-to-work” law.
We also help clients maintain the necessary confidentiality of investigations of alleged workplace harassment, and we ensure that employers comply with statutory restrictions on searches of employee’s persons/possessions/cars (e.g., guns-at-work legislation).
In addition, our team assists employers in responding to third-party requests for information concerning current and former employees (including responses to subpoenas for employment records).
Website and Social Networking Privacy Issues
In the area of online commerce and communication, we help companies establish Internet privacy policies that comply with FTC regulations and other relevant regulation. Our team also guides clients on consent decrees with the FTC.
Clients face specific challenges when dealing with social media and their online presence. BakerHostetler helps clients minimize risks while taking advantage of the benefits offered by this technology. For example, we frequently advise clients on participation in social networks for purposes of promotion and use of websites for purpose of promotion.
Through our counsel, clients enact proactive policies to protect information and avoid such issues as:
- Running afoul of securities regulations by overstating a company success or revealing information that should be part of an official filing.
- Posting a statement about a competitor that can be considered libelous.
- Making personal comments that might be interpreted as harassment or threats.
- Revealing trade secrets or proprietary information about the company itself, its employees or its customers.
We also help companies develop standards for monitoring of employee postings and participation in social media. And our attorneys stay abreast of federal and state laws as well as court decisions that may impact an employer’s ability to control employee communications.
Data Breach and Privacy Litigation
Clients in various industries turn to BakerHostetler when data and information security breaches result in investigations and even litigation. Our litigation efforts have produced some of the leading decisions in the nation and have helped to define the standards that courts are applying in the rapidly evolving area of data privacy litigation.
Our cases, brought both by consumers and businesses, have addressed many novel issues, such as standing, the existence of actual injury, causation and the ability of plaintiffs to expand traditional common law claims such as third-party benefits, or define statutory causes of action, to develop claims arising from large-scale data breaches. In a number of cases, our efforts have resulted in dismissal of the claims asserted.
Our experience includes the successful defense of dozens of class actions around the country, consolidation through the Judicial Panel on Multidistrict Litigation and the defeat of class certification.
Members of our team have served as counsel in some of the most significant data breaches in the payment card industry over the past five years, including BJ’s Wholesale Club, TJMaxx and Heartland Payment Systems. In fact, the BJ’s Wholesale Club case established new precedent disposing of negligence claims on the basis of the economic loss doctrine. This experience includes defending approximately 25 major class actions in the privacy/data breach litigation area. Separately, we have been involved in approximately 10 other litigated matters asserting claims arising out of data breaches. These cases have involved claims by consumers asserting identity theft, as well as suits brought by financial institutions against other financial institutions and breached entities for purposes of recovering losses paid to consumers in the wake of data breaches. We have also represented parties in the defense of class actions under FACTA.
Our team also has addressed privacy law implications when insurance industry class action cases involved disclosure of policyholder-specific information. Similarly, they have advised clients on the applicability of the Drivers Privacy Protection Act when confidential information is obtained from state motor vehicle entities as part of the discovery process.
BakerHostetler’s representative data breach decisions include:
- In Re: TJX Cos. Retail Security Breach Litigation, 2009 U.S. App. LEXIS 6636 (1st Cir. Mar. 30, 2009)
- In Re: TJX Cos. Retail Security Breach Litigation, 524 F. Supp. 2d 83 (D. Mass. Oct. 12, 2007) (granting motion to dismiss negligence and contract claims)
- In Re: TJX Cos. Retail Security Breach Litigation, 246 F.R.D. 389 (D. Mass. Nov. 29, 2007) (denying motions for class certification)
- Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3rd Cir. 2008)
- Sovereign Bank, 395 F. Supp. 2d 183 (M.D. Pa. 2005) (granting motion to dismiss negligence claims)
- Sovereign Bank, 427 F. Supp. 2d 526 (M.D. Pa. 2005) (granting motion to dismiss promissory estoppel claims)
- Sovereign Bank, 2006 WL 1722398 (M.D. Pa. Jun. 16, 2006) (granting summary judgment on contract claim)
- Pa. State Employees Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317 (M.D. Pa. 2005) (granting, in part, motion to dismiss)
- Pa. State Employees Credit Union, 2006 WL 1724574 (M.D. Pa. Jun. 16, 2006) (granting summary judgment on third-party beneficiary claim)
- CUMIS Ins. Society, Inc. v. BJ’s Wholesale Club, Inc., 24 Mass. L. Rep. 117 (Mass. Super., Jun. 4, 2008) (granting summary judgment)
- CUMIS Insurance Society, Inc. v. BJ’s Wholesale Club, Inc., 455 Mass. 458 (2009) (affirming summary judgment)