Cybersecurity and Data Privacy
Keeping data, organizations, and individuals safe in an increasingly complex online world.
Risk mitigation and incident response.
With decades of government and private practice experience dealing with increasingly complex cybersecurity incidents and data privacy laws, Choate’s cybersecurity and data privacy practice counsels a wide range of businesses and organizations on compliance with U.S. data privacy laws, responding to cybersecurity incidents, conducting and evaluating risk assessments, and handling cybersecurity and privacy litigation.
Data Privacy: We represent companies and investors in a wide range of privacy-related matters across industries. We have deep HIPAA expertise and routinely advise healthcare providers and their business partners in developing policies, procedures and programs to comply with privacy laws and also in response to patient complaints, audits and investigations. We regularly advise companies on rapidly evolving state data privacy laws and have particular expertise in sophisticated data sharing arrangements.
Cybersecurity: Our team advises businesses and institutions responding to cybersecurity incidents, helping them recover, remediate, recoup, and mitigate further risk, including conducting internal investigations and cybersecurity reviews, preparing incident response plans, complying with U.S. data breach laws, and interfacing with the FBI and other law enforcement agencies. Additionally, we represent clients in obtaining compensation for losses from responsible vendors or other third parties.
We also advise clients in retaining incident response and forensic investigation firms to assess the nature and extent of any cybersecurity incident, and we manage the investigation and response process with the technical firm. In order to mitigate risk, we frequently work with clients and technical firms to implement, test and monitor cybersecurity systems.
In addition, our team assists businesses and high net worth individuals in responding to and recovering from increasing and constantly evolving forms of cybercrime – such as ransomware, email account compromise, hacking, identity theft, online fraud, and cyberstalking/harassment.
Representative Experience in Cybersecurity and Incident Response
- Represented global auction house in a putative class action data breach lawsuit, where we obtained a motion to stay the lawsuit and compelled arbitration, with the parties ultimately stipulating to dismissal of the matter with prejudice.
- Counsel international cloud computing company on responding to law enforcement investigations into cybersecurity incidents and cybercrime perpetrated by nation-state actors, organized cybercrime groups and other criminal actors.
- Counseled an electronics manufacturer on its response to a significant ransomware incident involving the company’s servers, including crafting a negotiation strategy, assessing the legal and contractual obligations stemming from the incident, devising and implementing a remediation plan, and providing guidance to help the company improve its cybersecurity posture and reduce the risk of future incidents
- Advised national transportation company on investigation of and response to incident involving unauthorized access to PII of thousands of individuals, including conducting interviews with individuals involved in the incident, interfacing with law enforcement, drafting notification letters to state governments and individuals, and engaging vendors to help with the response.
- Advised a hospital system and insurance company in investigating and remediating a phishing-based cybersecurity incident that led to the exposure of Personal Health Information and unauthorized access to account information for thousands of institutional customers.
- Advised an elite Northeast college on investigating several cybersecurity data privacy incidents and advising on notification obligations under state or federal law.
- Represented high net worth individuals in investigation and remediation of cybercrime and recovery of fraud losses.
Representative Experience in Data Privacy
- Routinely provide corporate and transactional support, including privacy and cybersecurity-related diligence, for mergers and acquisitions and advice related to the buying, selling and licensing of data.
- Routinely represent life sciences companies in complex collaborations to develop, engage in secondary use, or otherwise enter into data-related collaborations.
- Represented national healthcare provider in development and implementation of HIPAA privacy and security policies across its clinics and provider organizations.
- Represent healthcare institutions in responding to government investigations into website data privacy issues
- Represent life sciences companies with respect to privacy of clinical trial data, including privacy of clinical trial agreements and defense of freedom of information act requests related to research matters.
- Routinely advise companies on evolving state law requirements for privacy policies, data collection, transfer and storage procedures, and registration requirements.