Re-Assessing Data Security In 2010: A List of Practical Action Items
This article examines legal obligations that companies face when handling personal information, both customer and employee data.
Kelley Drye is at the forefront of evolving privacy and information security law, advising clients on issues that directly impact their market momentum and business risk. We have a reputation for providing broad and deep legal services on privacy and data security issues, with a focus on offering practical and timely advice. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending policies and programs, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding the handling of clients’ customer and employee data, and representing clients in connection with federal and state regulatory investigations. Whether your matter involves privacy and data security compliance, the launch of a new marketing campaign or new media issues, Kelley Drye will help your business achieve a competitive edge while satisfying the appropriate privacy and data security obligations.
Kelley Drye’s Privacy and Information Security practice group includes recognized leaders in the field, including two former directors of the Bureau of Consumer Protection at the Federal Trade Commission (FTC). While at the FTC, members of our group targeted Internet privacy, identity theft, and electronic commerce issues, and directed the FTC’s implementation and enforcement of the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA). Our group also includes the chair of the American Bar Association’s Privacy and Information Security Committee and editor of the ABA’s Data Security Handbook and The Secure Times newsletter.
The firm’s Privacy and Information Security practice has been ranked the past several years in Chambers USA and U.S. Legal 500, and has been named one of the top privacy advisers among law firms and consulting firms around the world in a survey published by Computerworld magazine. Notably, sources tell Chambers researchers that the group “prioritizes risk to provide practical, thoughtful advice in a timely manner. These are highly competent people with a huge experience base who work collaboratively both internally and externally.”
Our attorneys apply experience gained from working with clients in a range of industries. This team regularly counsels clients in the following areas:
- Investigations – Kelley Drye represents clients in investigations and inquiries from the Federal Trade Commission, state Attorneys General, and federal and state courts and agencies regarding their privacy and information security business practices.
- Compliance and Planning – We ensure that clients’ business practices are designed to comply with privacy and information security laws and regulations. We counsel on all aspects of privacy and information security laws, including COPPA, GLBA, the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the EU Data Protection Directive and other national and local privacy laws around the world, the FTC Act, FCC Customer Proprietary Network Information (CPNI) regulations, and state privacy and data security laws.
- Marketing Campaigns – Our group counsels clients on how to use consumers’ personal information and CPNI lawfully in marketing, including obtaining effective consent for email marketing, text messaging and online behavioral marketing. We advise clients about their compliance obligations with related laws including the FCC’s CPNI regulations, the Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act. In the early stages of marketing campaigns, the firm represents clients in meetings with privacy advocates to address use of consumer information, particularly with regard to online behavior.
- Policy Development and Training – Our attorneys help clients draft, review, revise and interpret their privacy, data security and CPNI policies and procedures, and develop appropriate, comprehensive security programs. The team’s lawyers also train clients’ employees on privacy, data security, advertising and business practices that comply with consumer protection laws.
- Business Practice Audits – We perform privacy or data security audits of existing business practices. This involves assessing client compliance with current policies and reviewing how clients receive and share personal information and CPNI with affiliates and third parties to ensure that such information sharing complies with laws and business policies.
- Third-Party Compliance – Kelley Drye drafts clients’ agreements with third parties, and advises on how to oversee and monitor these parties, to ensure clarity and compliance in how they handle personal data.
- Data Breach Counseling – We develop policies and procedures to help clients avoid data breach events and ensure that they are prepared to meet their legal obligations. In the event of a breach, we advise clients on proper notifications to customers and government agencies at the state and federal level, as well as manage the public relations implications.
Representative Experience
- Appointed Consumer Privacy Ombudsman by United States Trustees in various bankruptcy proceedings, submitting reports and recommendations to the courts regarding the disposition of customer lists and other personally identifiable information.
- Represented leading children’s specialty retailer in an FTC investigation of the company's in-store and online privacy practices. Successful in convincing the FTC to close the investigation without pursuing law enforcement or remedial action.
- Represented leading academic research company in separate privacy investigations by the FTC and 42 state attorneys general, and negotiated FTC consent order and state Assurance of Voluntary Compliance.
- Represented online retailer in investigation of security breaches involving customer information by New York Attorney General’s Office, resulting in negotiation of Assurance of Discontinuance.
- Represented leading online retailer in FTC privacy investigation, resulting in closing of investigation.
- Defended a national financial services company in an FTC investigation for GLBA Safeguards Rule violations. The matter was closed without action.
- Assisted major retailer with a gap analysis for privacy compliance. This involved dividing the business units into discrete parts with similar privacy compliance issues. Our analysis then cataloged every applicable privacy law in the United States (federal and state) in the form of easy-to-follow questions for the business units to answer, which allowed the legal department to identify compliance gaps and most efficiently focus resources on those areas that needed it most.
- Represented a financial institution in an investigation by the FTC concerning an information security breach the business incurred, and whether the company’s business practices complied with Section 5 of the FTC Act, the GLBA Safeguards Rule, and the GLBA Privacy Rule. The case resolved with a settlement that included relatively narrow injunctive relief (compared to other similar FTC settlements), and no monetary damages or penalties.
- Counseled a Fortune 50 computer and technology company on global privacy and data security compliance, including assisting on compliance with the various U.S. state developments, enforcement trends and strategies for managing vendor relationships worldwide. Our work included drafting appropriate contractual language and developing and counseling on oversight and monitoring procedures for a company that maintains a very large and diverse set of vendors that raise varied data security compliance issues in the European Union and Asian countries in which they do business.
- Work with international retailers to review and certify data practices under the Safe Harbor program, to permit them to lawfully transfer their European Union employee and customer data to the United States.
- Assist major consumer electronics retailers in connection with implementing a behavioral advertising initiative.
- Regularly advise Fortune 500 and 1000 clothing retailers on privacy and data security matters, including working closely with the companies in designing tailored privacy and data security compliance programs that meet federal and state regulatory requirements.
- Provide comprehensive privacy and data security advice for a major online retailer. This includes advising on compliance with the Children’s Online Privacy Protection Act, CAN-SPAM, and relevant FTC and state consumer protection, privacy, and data security laws.
- Defending an apparel manufacturer in two major California class actions alleging violations of the Song-Beverly Act in the collection of customers’ personal information.
- Counsel telecommunications clients on privacy-related communications issues, including advising on compliance with the FCC’s CPNI regulations, FTC Red Flags rule, Children’s Online Privacy Protection Act, CAN-SPAM, HIPAA and relevant FTC and state consumer protection, privacy, and data security laws. This also includes drafting policies, process and training documents, as well as advice on transactional matters.
- Counseled a Fortune 500 clothing manufacturer on enterprise-wide data security compliance. This included strategies for data protection compliance, legal policies, managing vendor relationships, negotiating privacy and data security terms in vendor contracts, and exercising privacy and due diligence in the company’s acquisition of new businesses, data assets and service providers.
- Counseled numerous clients – retailers, financial service entities, and telecommunications providers – on appropriate responses to a data breach event in accordance with legal obligations and business risks.