Overview
Manage Information with Efficiency, Integrity and Accountability
In an information economy, your business must protect its information assets and avoid the costly consequences of not minding legal requirements or controlling valuable electronic data. Effective information management policy and practice must integrate privacy, security and e-discovery considerations with efficient business use of the information.
The team of cybersecurity and data privacy professionals at Stinson has been at the forefront of data law for more than 20 years. Our practice started with online privacy compliance in the '90s internet boom and branched into early privacy and security laws such as GLBA, HIPAA, COPPA, CAN-SPAM, and the EU Data Directive. Our experience evolved to include data breach response and compliance with the growing body of privacy laws including the EU's General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), the FTC Telemarketing Sales Rule, the Biometric Information Privacy Act (BIPA), the California Consumer Privacy Protection Act (CCPA) and a variety of other state privacy and data security laws. Our team includes attorneys who have received the Certified Information Privacy Professional (CIPP) designation from the International Association of Privacy Professionals.
Our strong banking, health care and technology practices ensure that we are on the cutting edge of the regulatory landscape. We have significant experience in data privacy and cybersecurity related to online platforms for e-learning and education. We undertake projects with your data security in mind by limiting and controlling access and using highly developed policies, procedures and information technology.
Our team can assist your business in the following areas:
Data Security, Privacy and Information Governance
Our technology and regulatory attorneys have been working hand in hand for years to help clients anticipate and prepare for cybersecurity challenges. We help your legal and information governance teams establish policies and procedures to meet regulatory requirements, manage risk and be ready for prompt and thorough response to cybersecurity threats and breaches. Our lawyers undertake data security and privacy audits, and assist with document retention, employee training and data management. Our lawyers negotiate complex technology vendor agreements on a daily basis and can help your team with vendor due diligence. We routinely advise clients on incoming and outgoing data protection agreements and other privacy compliance related documents.
Stinson attorneys are proactive about the changing landscape in cybersecurity. Our experienced policy team in our Washington, DC office follows new developments in Congress and the executive branch to keep our advice focused on new developments and future movements in the technology industry. We track and adapt to technology industry growth into areas like big data, the internet of things (IoT), responsible disclosures, artificial intelligence, biometrics, software as a service and cloud computing.
We represent clients who acquire and operate data centers, along with clients who contract with data centers for storage and other services. This experience enables us to help clients navigate cybersecurity and privacy risks involving data storage and processing.
We frequently draft, update and analyze privacy policies under general privacy law, the FTC Act, COPPA, HIPAA, the EU General Data Protection Regulation (GDPR), the Privacy Shield, GLB, CalOPPA, CCPA, PIPEDA, and other state and federal laws and guidelines. Our technology attorneys represent national brands in their privacy compliance on both the internet generally and in the context of mobile apps and social networking. In this capacity, our technology attorneys have the depth of experience to work with technology developers to understand and properly disclose privacy practices.
We understand that risk reduction must align with marketing and operational efforts. We work closely with our clients' marketing and information technology teams to ensure a proper balance between business goals and effective compliance and risk management.
Our legal team has extensive experience dealing with consumer privacy regulation. We have assisted clients in investigations under the FTC Act including proceedings before the Children's Advertising Review Unit. We have a deep understanding of unfair and deceptive trade practices, including privacy and security implications.
Financial Privacy Law
Our financial services attorneys have years of in-depth experience with consumer privacy laws applicable to financial institutions and companies providing financial services. This experience includes compliance with the Gramm-Leach-Bliley Act and the corresponding Financial Privacy Rule. We provide guidance on the Safeguards Rule, which requires safeguards to protect customer information to avoid identity theft and pretexting. We also provide legal guidance relating to the Payment Card Industry Data Security Standard (PCI-DSS).
Children's Privacy
Having represented many clients who collect and use the personal information of children under the age of 13, our attorneys understand the intricacies of the Children's Online Privacy Protection Act (COPPA). We have evaluated complex online client services for compliance with COPPA and helped clients navigate the difficult challenge of obtaining verifiable parental consent. Our COPPA experience includes detailed guidance on necessary disclosures and various issues relating to online promotion to children.
We have also represented clients in enforcement actions relating to COPPA. This experience includes negotiating settlement with the Children's Advertising Review Unit (CARU) and assisting in the revision of websites to comply with COPPA guidance and settlement.
We have assisted many companies and websites that collect information from children between the COPPA threshold age of 13 and the applicable state of majority. This guidance includes the less structured issue of parental consent for older children and drafting privacy policies that comply with various state laws protecting minors. Our experience includes websites that provide online yearbooks, online educational materials, consumer products, social networking, and even online bidding for products targeted to children.
FTC Compliance
While the US does not currently have a general comprehensive privacy law, the FTC enforces consumer privacy through the FTC Act and its prohibitions on deceptive trade practices. The FTC is also the ultimate authority on COPPA and is one of eight federal agencies that enforce provisions of the Gramm-Leach-Bliley Act. The FTC also enforces the EU-US Privacy Shield. Our attorneys closely follow FTC policy statements and enforcement actions and frequently provide guidance to clients on FTC compliance. Our Washington, DC office attorneys provide focused insight into FTC enforcement and compliance.
Educational Privacy
Stinson attorneys have years of experience representing states, school districts and other public bodies in connection with education funding, school desegregation, constitutional and statutory law claims, and other issues that are frequently litigated for and against educational institutions. This experience in education-related litigation translates to a unique perspective on education-related privacy issues. We frequently advise clients on various issues related to the Family Education Rights and Privacy Act (FERPA).
European Privacy
Our attorneys have long guided clients through the complex EU Data Protection Directive, including compliance with the Safe Harbor and use of EU Model Contract Clauses. We assisted in numerous Safe Harbor and Privacy Shield applications and adapted privacy policies to the Data Protection Directive and the EU General Data Protection Regulation (GDPR). We routinely help processors navigate Data Protection Agreements and the Model Contract Clauses. Since the invalidation of the Safe Harbor, our attorneys have closely followed the promulgation of the new Privacy Shield and are actively assisting clients with this new compliance path. We provide GDPR compliance guidance, documentation and training for controllers and processors.
Policies and Procedures for Consumer Privacy
We frequently draft, update and analyze privacy policies under general privacy law, the FTC Act, COPPA, FERPA, HIPAA, GDPR, GLBA, CCPA and other state and federal laws and guidelines. Our technology attorneys represent national brands in their privacy compliance on both the internet generally and in the context of mobile apps and social networking. In this capacity, our technology attorneys have the depth of experience to work with technology developers to understand and properly disclose privacy practices.
State Law Privacy Compliance
Most of our clients who conduct business on the Internet must navigate the "web" of state privacy-related laws. We include state privacy law compliance in our privacy policies and compliance efforts. California is often a first adopter in this area. We have advised clients on compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which applies to commercial websites that collect personally identifiable information from California residents. We have expanded our state law privacy compliance to include new privacy laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), Nevada's recently enacted privacy law, Virginia's recently enacted privacy law, and various state biometric privacy laws. We provide CCPA compliance guidance, documentation and training for businesses and service providers.
Data Security Incident Response Team
Data breach notification laws require quick response, analysis and action planning. Our team combines technology professionals experienced in handling data breaches with regulatory insight in the highly regulated fields of health care and banking. We also have a deep bench of attorneys in other regulated fields, including energy and critical infrastructure. Our compliance attorneys can help your company board or management team understand the risks and make informed decisions. We maintain comprehensive tools allowing our team to quickly access the data breach notification laws in all states. We assist clients with cyber incident response simulations and presentations to train company personnel.
Our data security team will respond quickly to help you determine whether you are dealing with a vulnerability or an actual data breach. We are well versed in data breach notification laws and in working with legal authorities and technology consultants to determine the nature and magnitude of the threat or breach. Our team will help you determine whether notice is required and how to address other possible disclosures and damage control. We also frequently help clients with data security threats that don't necessarily include personally identifiable information but can be critical to the operation or value of a business.
Our data security team works with many third-party vendors for remediation and security solutions. We provide guidance on how to collect, store and transmit information in a threat situation. We also have experience drafting and implementing policies and procedures to help make the response process more efficient in the future. Our litigators frequently assist in data incident response through actions for injunctive relief and Computer Fraud and Abuse Act litigation.