Cyber Security, Data Management & Privacy

These days, if your business or organization even touches data about individuals or other protected information – let alone collects, stores or shares it – it is likely subject to an ever-growing and complex web of state, federal and foreign laws, regulatory schemes and industry standards. These rules require your company or organization to implement and support appropriate privacy and data security safeguards, as well as mitigate the harm of any breach. Privacy and data security compliance also requires you to identify, understand and meet the increasingly heightened standards often included in contracts with customers, vendors, lenders, members and others.

Our privacy and data protection team can guide your compliance with those laws and contract duties, helping you manage, use and dispose of information in a way that is both practical and cost-effective. In the event of a breach, we walk our clients through all facets of the crisis, including by assisting with internal and external forensic investigations, communicating with law enforcement, determining the extent of any required notifications, ensuring that notices and other actions comply with applicable laws, mitigating the harm done, managing the damage to reputation, and defending against regulatory penalties and lawsuits.

Our team understands the technology, the laws and the underlying principles of privacy, data security and data management. For well over a decade, we have worked with clients to reduce privacy and data security exposure in a landscape of rapidly changing risks, while accounting for their unique circumstances and resources.

Use our experience to protect your business

  • Compliance: The alphabet soup of U.S. laws requiring compliance includes HIPAA, HITECH, CAN-SPAM, COPPA, FISMA, FERPA, FCRA and others. And that is just at the U.S. national level. Most states have their own, unique laws, such as California’s CCPA. At the same time, foreign jurisdictions are increasingly adopting strict data protection laws with extraterritorial application that reaches U.S. organizations, including GDPR and ePrivacy laws (European Economic Area), PIPEDA (Canada) and other laws that are either copycats of, or inspired by, GDPR.
  • Industry standards: You may also be subject to binding industry standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), which applies to any business that accepts credit or debit card payments.
  • Understand where you are today: We have developed a comprehensive information governance and privacy audit that gives you an overview of your information governance processes and policies and identifies which aspects may be vulnerable, or out of compliance, with applicable legal and industry requirements.
  • Vendor contracts: Outside of your own facilities and processes, you may be vulnerable because of your agreements with vendors, such as cloud service providers and web hosting firms. We will review your existing contracts and negotiate or renegotiate them to ensure compliance, as well as protection if the vendor defaults.
  • Policies and processes: Weak passwords, flash drives and memory sticks, and laptops loaded with unprotected confidential data can all expose you to a breach. Employees need to be trained to understand the vulnerability of your data. The right policies and processes can reinforce this training, including penalties for carelessness, two-factor authentication, and preventing employees from downloading apps and software programs onto the organization's devices. We partner with computer and system experts to ensure that you have the proper technical, administrative and physical safeguards in place.
  • Insurance policy assessments: While major insurance companies offer insurance against the cost of a breach, there is as yet no agreement on industry standards. With a full understanding of the policy language and how it would apply in the event of a breach, we can give you the room you need to negotiate with insurance companies.
  • Practical, pragmatic advice: As business lawyers, we understand the need to balance risk against costs. We are experienced in helping clients manage the differing needs and interests of their internal stakeholders, including accounting, marketing, human resources, IT and legal.


And if a data breach does occur...

A security breach has financial, reputational, operational, physical and legal costs. When a breach occurs, it is important to react swiftly and comprehensively. Our Cybersecurity team has developed strategies for managing the risks that follow a breach, from crisis management to responding to governmental inquiries and investigations. And, in the disputes that can often follow a breach, we represent clients in all phases of resolution, whether in negotiated settlements or contentious litigation.

Client Alert: Maryland Adopts Groundbreaking Online Data Privacy Act of 2024: What You Need to Know

On May 9, 2024, Governor Wes Moore signed into law the Maryland Online Data Privacy Act of 2024 (“MODPA”). MODPA will take effect on October 1, 2025, but will not apply to personal data processing activities occurring before April 1, 2026. MODPA is the latest in a series of state data privacy laws that impose comprehensive obligations on businesses that collect, process, or sell personal data of consumers and otherwise meet certain jurisdictional thresholds.  

Client Alert: Navigating AI in Tort Law: Considerations for Businesses

In today's rapidly evolving technological landscape, the integration of artificial intelligence (“AI”) into various aspects of business operations is becoming increasingly prevalent. From streamlining processes to enhancing decision-making capabilities, AI offers a multitude of benefits for businesses across industries. However, along with these advancements come complex legal considerations, particularly in the realm of tort law.

Client Alert: New Laws Prohibit Certain Data Transfers to China, Russia, Iran, and other Foreign Adversaries of the U.S.

In addition to its well-publicized move to prohibit more than 150 million Americans from posting embarrassing dance videos of themselves on TikTok (at least while it is Chinese-owned), the U.S. federal government recently adopted two significant federal data transfer prohibitions: (1) the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFA”); and (2) an Executive Order entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Any organization that currently shares, or is considering sharing, sensitive personally identifiable information with anyone in China, Russia, Iran or any other “foreign adversaries” of the United States should determine whether these new prohibitions require them to change their data transfer activities.

Client Alert: New Jersey Privacy Law

On January 16, 2024, New Jersey became the fourteenth state to enact comprehensive privacy legislation after the passage of the New Jersey Data Privacy Act (“NJDPA”), adding to the growing national focus on consumer personal data protections, albeit at the state level. 

Client Alert: Is Your Credit Union Ready to Comply with Updated NCUA Cyber Incident Notification Requirements?

Under final regulations updated on March 1, 2023 and effective as of September 1, 2023, the National Credit Union Administration (“NCUA”) imposed stringent new cyber incident reporting requirements on federally chartered corporate credit unions and federally insured, state-chartered corporate credit unions (“FICUs”). FICUs that experience a cyber incident that rises to the level of a “reportable cyber incident” must now notify the NCUA (a) as soon as possible; and (b) no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

Client Alert: State Privacy Laws and Nonprofit Organizations

The U.S. data privacy regulatory framework is complex and is becoming more so with each passing day. On July 18, 2023, Oregon became the eleventh state to enact comprehensive privacy legislation, joining five other states (Iowa, Indiana, Montana, Tennessee, and Texas) that have passed “comprehensive” privacy legislation this year.

Client Alert: Texas and Tennessee Join the Cacophony of State Data Privacy Laws 

On June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation after the recent passage of the Texas Data Privacy and Security Act (“TDPSA”). Texas now joins Tennessee as the latest entry into an increasingly complex web of state privacy laws. On May 11, Gov. Bill Lee signed into law the Tennessee Information Protection Act (“TIPA”), which itself follows recent enactments of data privacy laws in Iowa, Indiana, Florida, and Montana.  
 

Data Breaches and Your Privacy/Cybersecurity Program

Data breaches have become a commonplace occurrence. Nearly every business, including nonprofits, collects, stores and uses personal information (PI) that is valuable to bad actors. All organizations store and process PI about their employees. Many nonprofit organizations store and process PI about their donors and volunteers. Bad actors can cause financial harm to the individuals whose PI is stolen.

Client Alert: Maryland Considers Adoption of Biometric Data Privacy Act

If your organization collects or uses, or is thinking about collecting or using, biometric data, such as fingerprints, DNA scans, retinal scans or voice prints obtained from customers, employees or others, the Maryland Biometric Data Privacy Act (the “Biometric Act”) currently under consideration by the Maryland General Assembly should be of keen interest to you. If adopted, House Bill 33 (“HB 33”) (and its companion, Senate Bill 169) would regulate “private entities” that collect or possess biometric data and subject those who violate those regulations to investigations and claims brought by the Maryland Attorney General or private litigants.

Data Privacy and Security in the Remote Work Era

During the course of the pandemic, IT departments were overwhelmed by the pressing need to provide employees with remote access in a very short time. That need may have, in some cases, overridden established processes and procedures around data security.

Client Alert - The Colorado Privacy Act: Both Bark and Bite

Europe began the trend, California followed suit shortly after, and now the floodgates have opened. Colorado is the third state on the brink of enacting a strict and extensive privacy law that has significant implications for a wide variety of organizations that control or process personal data.

Client Alert: Executive Order on Cybersecurity – What Government Contractors Need to Know

In the wake of the Colonial Pipeline Hack, on May 12, 2021, the Biden Administration issued an Executive Order (EO) on Improving the Nation’s Cybersecurity. The Government is proposing broad changes to the Federal Acquisition Regulation (FAR) and Department of Defense FAR Supplement (DFARS) in two areas. What do government contractors need to know?

Privacy Compliance and Personal Data Processing 101 - Tips for Businesses and Nonprofit Organizations

Whiteford attorneys Razvan Miutescu and Kristen Bertch from our Intellectual Property and Technology group were interviewed by Dorothy Deng in this presentation. Over the past few years, the general public has grown much more aware of data privacy issues. With the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and new U.S. privacy legislation being introduced to protect personal data, we discuss observations on business trends, privacy principles, legal compliance and more. The presenters also provide action items and practical suggestions to help businesses and nonprofit organizations navigate the evolving privacy law landscape.

Client Alert: Washington DC Increases Breach Response Requirements and Focuses on Data Security

A recent amendment to the District of Columbia’s data breach notification law (the “D.C. Breach Law”) highlights the nation’s increased focus on data security standards. Generally, the changes to the D.C. Breach Law fall into three categories: (1) expanding what is considered a reportable incident; (2) expanding the notification requirements for breaches; and (3) emphasizing proactive data security measures.

Client Alert: Guidance Issued for Ed Tech Companies and Schools during the COVID-19 Crisis

The Children’s Online Privacy Protection Act (“COPPA”) generally requires that operators of commercial websites and online services take certain steps to protect the online privacy and safety of children under the age of 13. Those steps include COPPA’s requirement that companies covered by COPPA provide notice of their data collection and use practices, obtain verifiable parental consent before collecting certain data, and maintain reasonable data security safeguards.

Client Alert: OCR Issues Guidance About Sharing Patient Information and Telehealth Communications during Pandemic

The Office of Civil Rights (“OCR”) recently issued bulletins with important guidance for health care providers during the COVID-19 pandemic. 

The OCR has recognized that, during the COVID-19 national emergency, health care providers may seek to communicate with patients, and provide so-called “telehealth” services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA-covered healthcare providers, may not fully comply with the requirements of the HIPAA Rules. However, in light of the national emergency, the OCR said that it will not impose penalties against covered health care providers for the lack of a HIPAA business associate agreement (“BAA”) with video communication vendors, or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health crisis.

Client Alert: COVID-19 Cyber Scams: Protect Your Organization

With everyone’s attentions devoted to the COVID-19 crisis and the disruptions it has caused to the normal rhythms of business and personal affairs, it should come as no surprise that criminals and scammers are seeking to take advantage of the situation.

Developing an Insider Threat Program: Risk Mitigation and Compliance

Wednesday, November 30, 2016, marks the deadline by which affected contractors must comply with new US Government insider threat mitigation requirements. The US National Industrial Security Program (NISPOM) mandates measures companies must take to secure classified information. On May 18, 2016, the Department of Defense issued Change 2 to NISPOM, significant because it requires contractors (defined as any "industrial, educational, commercial, or other entity that has been granted a facility security clearance (FCL) by a Cognizant Security Agency") to implement an Insider Threat Program no later than November 30, 2016. We're two weeks away from that deadline, and yesterday the Chesapeake Regional Technology Council convened a forum in which experts discussed mitigating the insider threat at the Chesapeake Innovation Center in Odenton, Maryland, to give companies some perspective on what NISPOM Change 2 means to them.

"Don't be evil"? Security breaches catch even the best-intentioned companies off guard

As Google and Facebook and countless others have discovered, most netizens tend to be pretty blasé about privacy – until all of a sudden they aren’t. While we all love the detailed photo views on Google Maps, the revelation that Google’s camera cars were also sweeping WiFi networks as they captured those images was met with outrage. And Facebook users seemed to carelessly love that app’s ability to track down long-lost friends, until last week it pulled friends’ phone numbers into a handy online directory “for you”.

Whiteford, Taylor going after cyber security clients with new group

A Baltimore law firm sees a business opportunity in helping thwart the growing number of online crooks trying to swipe a company’s sensitive data or disrupt its computer network.

Whiteford, Taylor & Preston LLP, a 153-lawyer business law firm, has launched a new industry group to advise clients on the legal issues related to cyber security and the protection of online data.

Whiteford Nominated for Cyber Award

Whiteford, Taylor & Preston LLP is honored to be nominated for the Cyber Resource of the Year Award by the Cybersecurity Association of Maryland, Inc. (CAMI). 

Countdown to GDPR

Whiteford attorneys quoted in ASAE's Associations Now article.

Cyber Alert: Anthem Data Breach: Self-Insured Plans

On February 4, Anthem, Inc., the second largest health insurer in the U.S., reported that hackers breached one of its IT systems and stole personal information relating to consumers and employees. Described as “very sophisticated,” the attack involved the records of an estimated 80 million people. While the information accessed apparently did not involve medical information or credit card numbers, it did include such personally identifiable information as names, social security numbers, and income data.