Privacy & Data Security

Our privacy and data security attorneys help our clients assess what personal information they collect, how they internally use and how they externally share it, in order to analyze and create practical strategies to address their obligations under the myriad of privacy laws in the United States, including the California Consumer Privacy Act (CCPA) and other similar state laws, the NY SHIELD Act, Children's Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act, and sector-specific laws in industries including health care, education, and financial services. We do this in many ways, spanning from enterprise-wide privacy assessments to answering discrete questions that arise in daily business operations. In addition, many of our clients engage in marketing activities using email, automated telephone dialing systems, text message marketing or artificial or prerecorded calls. In the United States, the CAN-SPAM Act, TCPA, and related state laws impose strict requirements around how this marketing must be conducted. Our clients rely on us to assist them in building marketing programs that address and mitigate related risk without impacting customer experiences or business goals.

We leverage both the firm’s counseling and litigation offerings for companies looking for practical and solution-oriented assistance navigating the compliance, regulatory enforcement, and class action risks presented by the emerging patchwork of complex (and often conflicting) privacy laws with private rights of action. We have deep experience with the privacy statutes that have become active breeding grounds for debilitating class action litigation: the federal Telephone Consumer Protection Act (TCPA); Illinois’ Biometric Information Privacy Act (BIPA); and the California Consumer Privacy Act (CCPA), the California Invasion of Privacy Act (CIPA) and other similar state laws; the Florida Telephone Solicitation Act (FTSA); the Florida Security of Communications Act (FSCA); and the Video Privacy Protection Act (VPPA). These laws contain private rights of action and provide for uncapped statutory damages, often leading to “bet-the-business” class action damage calculations. Consequently, they are heavily used by the plaintiffs’ bar. We help companies across all industries understand and address their obligations under these laws while proactively taking steps to mitigate potential regulatory and class action exposure.

Learn More

We lead our clients through potentially catastrophic privacy events with a steady hand and work closely with stakeholders throughout our clients’ organizations, such as chief executives, general counsels, and information technology teams, to forge a path forward. We have handled privacy investigations that include ransomware, phishing, cyber extortion, theft of personal information, loss or theft of devices containing sensitive information, rogue employee access to information, infiltration of unauthorized foreign nationals, unauthorized use or disclosure of customer data, and other cyber events. Winston works closely with its network of forensic, notification, and other providers to help clients navigate these complicated investigations, along with related remediation, restoration, and notification efforts.

Winston is well-versed in government investigations and actions brought by federal, state, local, and international authorities related to security incidents, and has developed relationships with many of these government authorities. In particular, we have deep experience defending clients in front of state Attorneys General, the Department of Health and Human Services (HHS), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), Congress, and the Consumer Financial Protection Bureau (CFPB). Our attorneys work closely together to ensure a consistent and intentional defense strategy across all areas of potential liability.

Similarly, security incidents are frequently followed by class action litigation filed in multiple jurisdictions, as a company may have employees or consumers who live in many different states at the time of the incident. Our privacy attorneys are particularly experienced with handling actions on multiple fronts at once. We approach all security incident response investigations with an eye towards potential litigation and regulatory inquiries to help ensure that we are considering all possible areas of risk and liability when helping our clients with critical decision-making early on in the process.

We work with our clients to ensure that if, and when, they experience a security incident, they are prepared and ready to respond in a highly strategic and efficient manner. We help our clients develop and revise security incident response plans and pressure test their response procedures. This includes evaluating response vendors and working with cyber carriers to ensure that these vendors are accessible and fully prepared in the event of an incident. Our team also frequently provide executive-level tabletop exercises to help raise awareness of issues that may arise in the course of an incident response and hammer out potential strategies to be utilized during an actual response.

Winston’s privacy attorneys have robust experience defending clients in the rapidly developing field of privacy and data security litigation. We are well-versed in the best ways to litigate privacy statute cases to minimize the likelihood of a class being certified. If it is in the client’s best interest to negotiate a settlement, we understand the best way to structure a deal, whether on a class-wide or individual basis. Our record of success obtaining favorable results for clients in privacy class actions is exceptional, and, due to our unique approach to working with opposing counsel and assessing early in the litigation process which matters are truly bet-the-company versus those that are ripe for dismissal, we are frequently able to resolve these matters in the early stages.

We have defeated privacy class actions in multiple jurisdictions for clients across a wide range of industries, including healthcare, insurance, financial services, lending, pharmaceutical and life sciences, cable/telecommunications, manufacturing, retail, consumer goods, and private equity. In the healthcare space, our litigators have worked closely with our counseling team to navigate the complications that HIPAA often creates in other privacy-related actions, such as lawsuits that are filed following security incidents.

We work with clients to develop, negotiate, and execute major contracts, including business associate agreements, that implicate the use, sharing, disclosure, and safeguarding of personal information. As companies increasingly rely on vendors (including cloud platform and data transfer companies) to perform tasks like administering employee benefits, hosting consumer or patient data, and contacting customers on their behalf (e.g., via text message), they must transfer the sensitive personal information under their purview into the care of third-parties. We help clients develop strategies to address material risks in this area, including assigning responsibilities related to breach notification and indemnification, and negotiating contracts that give them maximum protection. We also assist in vetting potential vendors and negotiating licensing and service agreements, particularly with respect to the privacy and data security provisions in such contracts.

Our team has extensive experience working with emerging technologies, including artificial intelligence (AI), blockchain, facial recognition, and Internet of Things (IoT). We have built data-privacy compliance programs applied to new technology. We provide strategic counseling to help companies best position themselves to comply with existing privacy and data-security laws and employ privacy by design in anticipation of future legal requirements. We take a comprehensive approach to these deeply complicated matters by working with our Intellectual Property lawyers, who bring technical know-how to help our clients protect the technology and data, and data-security experts, who help meet the challenge of applying best practices and reasonable security. The Privacy and IP teams also work closely together to counsel clients regarding building, protecting, and commercializing proprietary technology and data and the use of third-party or open-source AI technologies and data.

We represent some of the world’s largest and most well-known brands and retailers, and we help their business teams understand how they can best reach their intended customer base while still addressing the rapidly changing requirements for privacy policy disclosures, consumer privacy choices and disclosure of cookie use. In particular, we assist with the creation of consumer-facing privacy policies and website terms of use, and the development of back-end compliance infrastructure to address various levels of consumer notice, choice, and opt-outs that satisfy the requirements of global companies interacting with a myriad of laws. We also work with our clients to review websites and develop mobile applications to identify privacy-related issues like marketing consent and cookie consent language. In addition, we assist clients with respect to issues surrounding the analysis of large data sets and the de-identification, aggregation, and sharing of personal information.

Our clients operate on a worldwide basis and constantly encounter issues related to complying with the various privacy and data-security laws in jurisdictions in which they operate, as well as navigating data localization and cross-border data issues. In the EU and UK, our attorneys work together to address GDPR and member-state implementing measures.

Our privacy counselors work closely with our intellectual property team to help our clients assess how they wish to leverage their cache of data and what rights they need to secure in order to meaningfully do so. Our attorneys help our clients navigate complex regulatory and contractual obligations to understand what rights they have to the data and what they can do with it. On the other side of the equation, we also help clients create frameworks for allowing their vendors to use their data, including negotiating and revising the relevant agreements.

Our team regularly helps clients navigate the complexities of information governance and records retention. We address cutting-edge issues like the impact of encrypted messaging apps and ephemeral data, and the proliferation of personal information on corporate data retention and compliance. Our team starts with a comprehensive data landscape assessment (including mapping and risk identification) to develop customized policies for data access, retention, personal information handling, and litigation and regulatory discovery response. We advise on record retention schedules, navigate regulatory compliance hurdles, and implement strategies to manage information effectively at every stage. We go beyond retention to help clients devise strategies to protect sensitive data from unauthorized access and use. By staying at the forefront of regulatory and technological changes, we help clients build robust data governance frameworks tailored to their organization's and industry's unique nuances, while supporting their overall data management strategy.

Our team includes a former federal regulator from the U.S. Department of Health and Human Services – Office for Civil Rights, uniquely positioning us to provide practical advice about how to navigate HIPAA and HITECH compliance obligations and address related risks. Outside the United States, our capabilities extend to some of the most challenging jurisdictions, such as the UK and EU, where our locally qualified data lawyers advise multinational healthcare services providers on the collection, storage, process, and transfer of healthcare data and assist in designing and implementing local data strategies, including telemedicine.

We emphasize not only meeting regulatory requirements, but also creating compliance infrastructure that can be effectively and successfully implemented in our clients’ business environments. Our goal is to create a compliance program where employees understand how to appropriately secure and maintain the privacy of patient information without these obligations interfering with the critical care that they provide. We also assist in reviewing business associate and other vendor agreements, advising on the use of patient information for marketing and advertising purposes, and crafting incident response and breach-notification plans.

We represent more clients in the financial services industry than in any other sector. Our extensive financial industry knowledge includes a long history of representing companies before domestic and international regulatory agencies, including the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the Financial Crimes Enforcement Network and the Office of Foreign Assets Control, among others. Our attorneys also represent financial institutions before courts and legislatures, and assist clients navigate through arbitration panels and international tribunals. Our experience includes advising and assisting financial institutions on risk management and regulatory compliance, including within the FinTech and payments space where we support both banks and FinTech companies throughout the entire FinTech product lifecycle—from proof of concept through maturity. This includes advising financial institutions on their privacy and data security obligations, including Gramm-Leach-Bliley/Regulation P and Fair Credit Reporting Act compliance.

When investigating a privacy incident or security breach in the workplace, complicated questions often arise when it appears that an employee may be at the center of the issue. Our privacy team works closely with Winston’s labor and employment attorneys to ensure that all relevant laws are considered when investigating, interviewing and sanctioning employees in connection with how their actions may have impacted an employer’s obligations under privacy and security laws.