Cybersecurity and Data Privacy

Keeping data, organizations, and individuals safe in an increasingly complex online world.

Risk mitigation and incident response.

With decades of government and private practice experience dealing with increasingly complex cybersecurity incidents and data privacy laws, Choate’s cybersecurity and data privacy practice counsels a wide range of businesses and organizations on compliance with U.S. data privacy laws, responding to cybersecurity incidents, conducting and evaluating risk assessments, and handling cybersecurity and privacy litigation.

Data Privacy: We represent companies and investors in a wide range of privacy-related matters across industries. We have deep HIPAA expertise and routinely advise healthcare providers and their business partners in developing policies, procedures and programs to comply with privacy laws and also in response to patient complaints, audits and investigations. We regularly advise companies on rapidly evolving state data privacy laws and have particular expertise in sophisticated data sharing arrangements.

Cybersecurity: Our team advises businesses and institutions responding to cybersecurity incidents, helping them recover, remediate, recoup, and mitigate further risk, including conducting internal investigations and cybersecurity reviews, preparing incident response plans, complying with U.S. data breach laws, and interfacing with the FBI and other law enforcement agencies. Additionally, we represent clients in obtaining compensation for losses from responsible vendors or other third parties.

We also advise clients in retaining incident response and forensic investigation firms to assess the nature and extent of any cybersecurity incident, and we manage the investigation and response process with the technical firm.  In order to mitigate risk, we frequently work with clients and technical firms to implement, test and monitor cybersecurity systems.

In addition, our team assists businesses and high net worth individuals in responding to and recovering from increasing and constantly evolving forms of cybercrime – such as ransomware, email account compromise, hacking, identity theft, online fraud, and cyberstalking/harassment.

Representative Experience in Cybersecurity and Incident Response

  • Represented global auction house in a putative class action data breach lawsuit, where we obtained a motion to stay the lawsuit and compelled arbitration, with the parties ultimately stipulating to dismissal of the matter with prejudice.
  • Counsel international cloud computing company on responding to law enforcement investigations into cybersecurity incidents and cybercrime perpetrated by nation-state actors, organized cybercrime groups and other criminal actors. 
  • Counseled an electronics manufacturer on its response to a significant ransomware incident involving the company’s servers, including crafting a negotiation strategy, assessing the legal and contractual obligations stemming from the incident, devising and implementing a remediation plan, and providing guidance to help the company improve its cybersecurity posture and reduce the risk of future incidents
  • Advised national transportation company on investigation of and response to incident involving unauthorized access to PII of thousands of individuals, including conducting interviews with individuals involved in the incident, interfacing with law enforcement, drafting notification letters to state governments and individuals, and engaging vendors to help with the response. 
  • Advised a hospital system and insurance company in investigating and remediating a phishing-based cybersecurity incident that led to the exposure of Personal Health Information and unauthorized access to account information for thousands of institutional customers.
  • Advised an elite Northeast college on investigating several cybersecurity data privacy incidents and advising on notification obligations under state or federal law.
  • Represented high net worth individuals in investigation and remediation of cybercrime and recovery of fraud losses.

Representative Experience in Data Privacy

  • Routinely provide corporate and transactional support, including privacy and cybersecurity-related diligence, for mergers and acquisitions and advice related to the buying, selling and licensing of data.
  • Routinely represent life sciences companies in complex collaborations to develop, engage in secondary use, or otherwise enter into data-related collaborations.
  • Represented national healthcare provider in development and implementation of HIPAA privacy and security policies across its clinics and provider organizations.
  • Represent healthcare institutions in responding to government investigations into website data privacy issues
  • Represent life sciences companies with respect to privacy of clinical trial data, including privacy of clinical trial agreements and defense of freedom of information act requests related to research matters.
  • Routinely advise companies on evolving state law requirements for privacy policies, data collection, transfer and storage procedures, and registration requirements.

Collaborators

Adam J. Bookbinder

Co-Chair - Government Enforcement & Compliance

Christine G. Savage

Co-Chair - Healthcare

Julia R. Hesse

Co-Chair - Healthcare

Elizabeth Powers

Of Counsel

Sara K. Frank

Principal

Recent Insights

Publications 04.16.2024

FTC Seeks Significant Penalties from Two Health Companies Alleging Misuse of Consumer Personal Information

The FTC continues its aggressive pursuit of companies it believes have mishandled consumers’ personal health information, and in particular those who have shared consumers’ information with third-party advertising platforms without consumers’ express authorization.

Publications 02.08.2024

2024 Boston Bar Association Privacy, Cybersecurity and Digital Law Conference on AI Takeaways

We have compiled key takeaways from the recent Boston Bar Association Privacy, Cybersecurity and Digital Law Conference, which focused on five insightful panel discussions related to issues arising from AI.

 

Events 01.18.2024

Adam Bookbinder Moderating at BBA Privacy, Cybersecurity and Digital Law Conference

Adam Bookbinder, co-chair of Choate's Government Enforcement & Compliance practice, will speak at the Boston Bar Association (BBA) Privacy, Cybersecurity and Digital Law Conference on Thursday, January 25, 2024 at 1:00 p.m.

Announcements 11.02.2023

Adam Bookbinder Quoted in Tollbooth Data Privacy Article

Adam Bookbinder, co-chair of Choate’s Government Enforcement & Compliance Group, has been quoted in the article “Mass. officials defend emergency police use of tollbooth camera info,” published by MassLive Media.

Events 05.31.2023

Adam Bookbinder Speaking on Cybersecurity at New England Corporate Counsel Association

Adam Bookbinder will be speaking on cybersecurity issues for in-house counsel at the New England Corporate Counsel Association (NECCA). The program, "You Can Go To Jail For That? Cybersecurity, Data Breaches & Potential Personal Liability of In-House Counsel," will take place on Wednesday, June 7th from 10:00 a.m. to 12:00 p.m.

Publications 05.22.2023

Fertility App Premom Faces FTC and State AG AdTech Enforcement

In its third Adtech enforcement action this year, the FTC turned its attention to Premom Ovulation Tracker (“Premom”) a free ovulation tracking mobile application (“app”) owned by Easy Healthcare Corporation.