Navigating a Rapidly Changing Privacy & Data Security Landscape PRIVACY & DATA SECURITY


ROPES & GRAY PRIVACY & DATA SECURITY

ADVANCES IN TECHNOLOGY have changed today’s global business environment. Privacy and data security issues are everywhere, affecting individuals, businesses and governments worldwide. Understanding increasingly complex privacy and data security laws and meeting those legal requirements must be top priorities. And should an organization be accused of violating those laws, expert legal advice is a must, especially when the accusation arises out of a data security breach.

MARKET PERCEPTION

• Law 360: Named Privacy Group of the Year (2011, 2012, 2015 and 2016). Doug Meal named a Privacy MVP, 2012–2016. Michelle Visser recognized as a Rising Star, 2015.

• Chambers: Ranked as leading privacy & data security practice in 2016 in Chambers Global and Chambers USA. Heather Sussman ranked individually in Chambers USA 2015. Doug Meal ranked individually in Chambers USA 2016.

• The Legal 500: Ranked in the top tier in the U.S. for “Media, technology and telecoms: Cybercrime,” with Doug Meal listed as a leading lawyer; also ranked for “Technology: data protection and privacy,” with Heather Sussman ranked as a leading lawyer. Rohan Massey recommended for data protection in The Legal 500 UK. Jim DeGraw and Seth Harrington are also recommended.

• Financial Times: Doug Meal named a top 10 innovative lawyer, 2013. Mark Szpak named a U.S. Innovative Lawyer, 2012.

HOW WE CAN HELP

The use of data has changed the way businesses in virtually every industry work. The collection, storage, use and sharing of data creates competitive, reputational and financial risks. With the world’s most experienced privacy and data security lawyers, our team can counsel clients with compliance and risk management issues and, if necessary, advise on disputes related to security breaches.

A. COUNSELING: Privacy and data security compliance, counseling, response and incident prevention

B. ENFORCEMENT: Issues arising from alleged violations of applicable privacy and data security requirements

C. INCIDENT RESPONSE AND CYBERSECURITY: Issues arising from privacy or data security breaches and any resulting theft, loss or unauthorized use of confidential or personal information


A. PRIVACY AND DATA SECURITY COMPLIANCE COUNSELING

OUR TEAM REGULARLY HELPS CLIENTS manage information and leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, and solidify brand and consumer trust.

OUR TRACK RECORD

• PERFORMED privacy, security and digital risk assessment for consumer products company with operations in more than 100 countries around the globe.

• ROLLED OUT global privacy policy, terms of use and corresponding user dashboard for popular suite of fitness apps using teams of local counsel spanning five continents.

• MANAGED a global team of privacy and security experts providing advice to a U.S.-based tech company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.

• DEVELOPED global privacy program for food products company in more than 40 countries around the globe.

• DEVELOP privacy and security strategy for integration of three separate mobile app platforms, including addressing global issues of user consent, control and transparency.

• ADDRESSED privacy and security aspects for a U.S. and E.U. rollout of a popular mobile application and provide continuing support through the rollout of additional versions, features and technologies, particularly as the company contemplates new data uses.

• DRAFTED AND REVISED a website privacy statement of an intelligent media company to address data collection, use and disclosure through multiple platforms, including website, mobile, and social, as well as integrating client’s existing safe harbor policy.

• REGULARLY CONDUCT privileged, confidential investigations into cyber incidents, data misuse and trade secret misappropriation concerns for clients across the technology sector.

• ADVISED on privacy and cybersecurity aspects of home automation systems, wearable devices, and geolocation tracking components, including privileged security assessments (testing of both hardware and software), security vulnerability remediation, implications of E.U.’s GDPR and more.

• DEVELOPED and successfully negotiated Binding Corporate Rules application for multinational health IT company.

MASTERS OF THE DATA LIFE CYCLE

1. COLLECTION
• Worldwide risk assessments
• Data rights and use case analysis
• Mapping data flows
• Online privacy policies and terms
• Internet of Things, wearables and connected devices

2. USE
• Big Data
• Privacy impact assessments
• Regulatory gap assessments
• Digital engagement and strategy
• Advertising, marketing and social networking

3. STORAGE
• Cybersecurity strategy and defense
• Written information security programs
• Worldwide records retention programs
• E-discovery readiness and planning

4. DISCLOSURE
• Incident response planning
• Worldwide data breach response
• Best-in-class vendor management clauses
• Cloud service solutions, contract development and outsourcing agreements

5. TRANSFER
• Standard Contractual Clauses
• Intracompany agreements
• Privacy Shield
• APEC CBPRs
• Binding Corporate Rules

6. DISPOSAL
• Data disposal requirements
• Data destruction risk assessments
• Disposal and destruction policies
• Worldwide records retention programs


B. PRIVACY AND DATA SECURITY ENFORCEMENT

When an organization is accused of having violated applicable privacy and/or data security requirements, we have the knowledge and experience to quickly master the relevant facts.

CLASS-ACTION LITIGATION

When a major breach or alleged privacy violation is announced, litigation is a near certainty. We leverage our experience to develop a global defense strategy.

OUR TRACK RECORD

Our experience includes handling class actions alleging that our client failed to employ legally required measures to protect the data in question after theft, and that our client unlawfully collected or used consumer information.

We have unparalleled experience defending clients against class actions, from motions to dismiss through class certification. Our clients include companies involved in some of the largest data breaches of personal information, facing claims by individual consumers, financial institutions and shareholders, as well as companies facing alleged privacy violations, such as alleged unlawful workarounds for third-party cookies and alleged non-compliance with regulations on facsimile transmissions.

REGULATORY ENFORCEMENT

The regulatory environment for privacy and data security is a complicated web of federal, state and foreign regimes. Following the discovery of a major breach or alleged privacy violation, regulatory investigations are becoming increasingly common. Our attorneys have extensive experience defending against investigations regarding the collection, use and protection of consumer information.

OUR TRACK RECORD

We have served as global coordinating counsel in worldwide investigations for some of the world’s most recognized brands. We have also defended clients by challenging the FTC’s theory that a section of the FTC Act imposes a duty on companies to have reasonable security in place to prevent data breaches, including representing a client in an appeal of the first-ever decision by the FTC finding that a company’s data security practices violated the FTCA.

INNOVATIVE STRATEGY AND THOUGHT LEADERSHIP

Our attorneys are deeply engaged in anticipating developments in the law, creatively advancing a client’s interests.

ARTICLE III STANDING: When the U.S. Supreme Court ruled in Clapper that Article III requires a plaintiff to show that threatened injury is “certainly impending,” we recognized the implications for data security breach litigation, where consumers often cannot plead that exposure of data has or will imminently cause financial injury. Numerous courts have dismissed claims based on this extension.

PROTECTING PRIVILEGE: Our attorneys know how to lead investigations into a data security breach to maximize the likelihood that privilege will apply. In the only published decisions on this issue, we have successfully defended against efforts to defeat the application of privilege to such investigations.

FIRST-OF-A-KIND LITIGATION: Ropes & Gray is the only firm to litigate against Visa and MasterCard, challenging the lawfulness of fines, fees and assessments they imposed following a data breach. Additionally, we represented Wyndham and LabMD in the only litigated cases to challenge the FTC’s authority to bring enforcement actions over data security issues.

“Their record is unmatched. Many law firms claim to have a major data security practice, but Ropes invented it, litigated, and won all of the important early cases in this field.”

—U.S. News & World Report


C. INCIDENT RESPONSE AND CYBERSECURITY

THE RISK OF A CYBERATTACK is a real threat to any organization that maintains electronic records containing personal information of individuals or confidential business information, or that depends upon a computer network for critical business purposes.

When a data breach occurs, an organization must respond urgently and effectively to mitigate exposure. Having experienced counsel on call to provide legal advice regarding the myriad issues that arise is essential in such situations. Not only is there an immediate demand for legal analysis on multiple fronts, but having informed legal advice on how to manage the crisis can pay substantial dividends by allowing the organization to avoid common and not so common pitfalls.

Drawing on our experience in numerous such cases—including many of the largest data breaches to date—our attorneys are able to act quickly to organize a comprehensive plan to address breach-related issues, including any loss or theft of data or any unauthorized use of confidential information, while analyzing the associated risk and potential exposure posed by the incident. Our experience allows us to develop legal strategies that globally address the multiple simultaneous challenges that arise, including:

• FORENSIC INVESTIGATION of the breach’s actual scope and cause

• CONTAINMENT AND IMPLEMENTATION of appropriate security enhancement programs

• NOTIFICATION consistent with statutory and contractual disclosure and notice obligations

• PRESERVATION of forensic data, electronic records and other material evidence

• LAW ENFORCEMENT cooperation and appropriate collaboration

• REGULATORY ENGAGEMENT in meeting obligations and responding to inquiries and investigations

• LITIGATION DEFENDING against individual, class, contractual and regulatory threats, and vindicating rights against third parties

OUR TRACK RECORD

In matters of incident response, strict confidentiality is often paramount.

When we can determine that a potential incident does not trigger reporting obligations, our clients are better able to manage the reputational impact of such events. Our attorneys recognize the importance of this analysis and are well positioned to help organizations maintain confidentiality and control to the extent possible.

Many data breaches, however, do become public, and the public data breaches in which we have been engaged to advise on incident response include some of the largest and most complex data breaches announced to date.

We have served as global coordinating counsel, managing all legal fronts, and have also collaborated closely with co-counsel. In either context, we bring our unmatched experience to bear in helping our clients meet those challenges.

MAJOR PRIVACY AND DATA SECURITY INCIDENTS

In the 10 years since data security breaches began to make an impact on global commerce, Ropes & Gray attorneys have handled some of the highest-profile breaches, with hundreds of millions of dollars at stake. Companies represented include (timeline graphic, 2007–2016):

• MIG: Allegation of third-party cookie workaround
• THE TJX COMPANIES: Data security breach
• TARGET: Data security breach
• LABMD: Ropes & Gray challenges FTC at 11th Circuit
• WYNDHAM HOTELS AND RESORTS: Data security breaches of computer networks
• SONY: Criminal cyberattacks affecting more than 100 million Sony entertainment accounts
• HEARTLAND PAYMENT SYSTEMS: Security breach within processing system
• USIS: Advanced Persistent Threat cyberattacks
• MAJOR INS. CO.: Criminal cyberattack on computer network
• THE HOME DEPOT: Data security breach
• SUPERVALU: Cyberattacks on portions of computer network


HONG KONG | SEOUL | SHANGHAI | TOKYO

NEW YORK | WASHINGTON, D.C. | BOSTON | LONDON

CHICAGO | SAN FRANCISCO | SILICON VALLEY

© 2017 Ropes & Gray LLP. All rights reserved. Prior results do not guarantee a similar outcome. Communicating with Ropes & Gray LLP or a Ropes & Gray lawyer does not create a client-lawyer relationship. 17_0184_0525

ropesgray.com


GLOBAL CONTACTS

Marc Berger | New York | Litigation & [email protected] | +1 212 841 8871
Paul Rubin | Washington, D.C. | Litigation & [email protected] | +1 202 508 4709
Doug Meal | Boston | Litigation & [email protected] | +1 617 951 7517
Seth Harrington | Boston | Litigation & [email protected] | +1 617 951 7226
Mark Szpak | Boston | Litigation & [email protected] | +1 617 951 7606
Michelle Visser | San Francisco | Litigation & [email protected] | +1 415 315 6347
Heather Egan Sussman | Boston | Counseling & [email protected] | +1 617 951 7125
Laura Hoey | Chicago | Litigation & [email protected] | +1 312 845 1318
Rohan Massey | London | Counseling & [email protected] | +44 20 3201 1636
Jim DeGraw | San Francisco | Counseling & [email protected] | +1 415 315 6343
David Cohen | New York | Litigation & [email protected] | +1 212 841 8880
Andy Dale | Hong Kong | Litigation & [email protected] | +852 3664 6438
Clare Sellars | London | Counseling & [email protected] | +44 20 3847 9036
Marcus Thompson | London | Litigation & [email protected] | +44 20 3201 1648
David Chen | Shanghai | Counseling & [email protected] | +86 21 6157 5283
Tim McCrystal | Boston | Counseling & [email protected] | +1 617 951 7278
Debbie Gersh | Chicago | Counseling & [email protected] | +1 312 845 1307
Cori Lable | Hong Kong | Litigation & [email protected] | +852 3664 6480