Virtually all businesses today collect information relating to their employees, clients, customers, patients, or other parties. Because myriad international, federal, and state privacy laws and regulations cover not only the rights of those parties but also matters of national security and crime prevention, it is not unusual for one business to be subject to overlapping privacy laws and regulations. Thus, businesses face the challenge of complying with all relevant privacy laws and regulations and ensuring that safeguards are in place to prevent the improper use or disclosure of this information.

Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group helps clients understand and stay compliant with the privacy standards and industry best practices that are applicable to the collection, use, and transfer of their confidential information.

Our Services

Since the key to privacy compliance is establishing a strong, effective, and well-documented privacy program, our services include:

Workplace Privacy Strategies

Ever-changing privacy laws and requirements, along with advances in technology, have been creating new challenges and opportunities for employers. For instance, employers face restrictions on the type of information about employees and job applicants that they can collect and use in order to make sound business and employment decisions. These restrictions relate to such areas as background checks, employee monitoring, employee biometric information, and the transfer and maintenance of employee data and employee health-related information. Workplace privacy-related issues also arise under the Americans with Disabilities Act, the FCRA, the GDPR, and the FACTA, among other laws.

Our Services

The Privacy, Cybersecurity, and Data Asset Management Group at Epstein Becker Green has the knowledge and experience necessary to effectively guide employers through the complexities of workplace privacy and cybersecurity. We help employers properly balance privacy considerations with workforce management concerns and employee data collection and protection. Our services in this area include the following:

Health Data Privacy Strategies

At Epstein Becker Green, we provide daily counsel to clients throughout the health care industry to structure business, clinical, and administrative operations in compliance with health data privacy laws and regulations, including HIPAA and its privacy, security, and breach notification rules; HITECH and its regulations; and federal and state privacy laws regarding mental health and substance use disorder data. We work with our clients to facilitate the development of health data privacy strategies that complement their business strategy. The members of our Privacy, Cybersecurity, and Data Asset Management Group are prolific authors and sought-after lecturers on health information privacy and security topics, and also serve on the advisory boards of publications such as Thompson’s Employer’s Guide to HIPAA.

Our Services

Because we want to ensure that clients comply with health privacy laws, our Privacy, Cybersecurity, and Data Asset Management Group’s services include:

Since no compliance program is foolproof, if a privacy violation occurs, we assist the client with remedial measures and incident responses, and we defend the client in any investigations and litigation concerning the violation.
The TCPA and implementing regulations by the Federal Communications Commission (FCC) impose complex restrictions on business communications. The TCPA protects consumers from unsolicited auto-dialed and prerecorded phone calls, text messages, and faxed advertisements.
Businesses need to understand the scope and magnitude of the TCPA. Even a company with a strong compliance program could find itself facing allegations that its call, text, or fax activities violated the TCPA. And just one TCPA violation could have serious legal, insurance, reputational, and financial consequences—recipients of such unsolicited communications are allowed to sue for damages of $500 (an amount that a court can treble) for each unlawful call, text, or fax. Not surprisingly, damages for TCPA violations can easily run into the millions of dollars.
Our Services
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group knows the nuances of the TCPA, and the severe consequences of noncompliance. We provide TCPA counseling to clients of all sizes and various industries—including, among others, health care, financial services, technology, hospitality, retail, communications, and transportation. Our services consist of the following:
- Counseling clients on the TCPA and its accompanying FCC regulations
- Designing and implementing (or revising) marketing and communications programs, as well as existing policies, procedures, and business practices, to minimize risk and ensure compliance with the TCPA and its accompanying FCC regulations, applicable FTC telemarketing rules, and state-specific telemarketing statutes
- Advising health care clients on the interplay between the TCPA and HIPAA
- Revising contracts with third parties and consumers to ensure compliance with the TCPA
- Training personnel on the TCPA’s impact on telemarketing and debt collection
- Monitoring new TCPA-related developments and updating compliance programs, as necessary
In addition, we represent clients in TCPA class action lawsuits filed in federal and state courts. We know the complex defenses available under the TCPA and the FCC’s implementing regulations as well as the bases for defeating class certification. And because we’re sensitive to the limits on a client’s time and resources, we evaluate the prudence of seeking an early resolution of the case (through pretrial motions, an alternative dispute resolution method, or favorable settlement). When litigation is the better strategy, our litigators are distinctly qualified to provide the superior caliber of services upon which Epstein Becker Green has built its outstanding reputation.
GLBA and Financial Services Industry Compliance Strategies
Since the passage of the GLBA in 1999, securing the privacy and cybersecurity of consumer financial data has become a high priority for the financial services industry. New York State has implemented Cybersecurity Requirements for Financial Services Companies. The National Association of Insurance Commissioners has adopted a model cybersecurity law, which has been adopted by certain states. The GLBA and its implementing regulations, and these state requirements, specifically require financial and other covered institutions in the United States to create an information security program to ensure the security and confidentiality of customer information, guard against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
However, innovations in technology—such as new mobile payment platforms and novel means of analyzing consumer financial data—are creating complex challenges for financial services institutions seeking to comply with the GLBA and other relevant privacy and cybersecurity laws.
Our Services
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group guides financial services clients through this highly regulated and rapidly changing environment. In addition, services provided by members of the group include:
- Counseling clients on applying the GLBA and existing federal and state privacy and cybersecurity laws to new strategies and emerging technologies
- Reviewing and revising, where necessary, clients’ existing privacy policies and programs, information sharing procedures, data safeguards, and opt-out notice provisions
- Advising on information security “best practices” for assessing, updating, and managing company policies, procedures, and data protection programs
- Creating training materials and compliance programs for employers and management to help ensure that consumer financial information is properly collected and managed
- Drafting confidentiality and privacy agreements between financial services clients and their business partners or third parties regarding the sharing, management, and protection of financial data
- Updating clients on new changes to the area of financial privacy and data protection, and revising client policies, programs, and practices, where necessary, to conform to those changes
- Representing clients in investigations and administrative proceedings concerning alleged violations of the GLBA and state law
- Representing clients in data breach litigation
GLBA and the Cloud
GLBA’s Financial Privacy Rule requires financial institutions to provide an annual notice to customers explaining how the customers’ data is maintained and shared as well as the steps that are taken to protect it. Additionally, the GLBA Safeguards Rule requires institutions to implement an information security program. However, the introduction of “cloud computing” and the use of the services of an outside cloud provider can complicate matters greatly. Many financial institutions are wrestling with the loss of data control that comes with the business benefits of cloud adoption.
At Epstein Becker Green, we advise clients on cloud computing and other attractive and inexpensive storage technologies. We help our clients evaluate the risks of storing information in the cloud and then identify legal solutions—such as creating policies and procedures to ensure compliance with the GLBA’s Financial Privacy and Safeguards Rules and managing cloud providers—so that our clients are able to take advantage of these cost-saving technologies.
Privacy and Security Due Diligence
Any company—especially an entity in a highly regulated industry (such as financial services, health care, hospitality, retail, technology, and telecommunications)—seeking to sell, acquire, or merge with another company needs to carefully consider the privacy and cybersecurity concerns related to the sensitive business and personal data flowing through the target company. A thorough review of a target’s privacy and cybersecurity compliance programs is, therefore, a must before entering into any transaction. Compliance costs and litigation can significantly affect the value of a company, necessitating a careful assessment of any target’s potential liabilities or compliance costs that are likely to be passed on after the transaction.
Our Services
Epstein Becker Green’s Privacy, Cybersecurity, and Data Asset Management Group undertakes privacy and cybersecurity due diligence reviews and provides support capabilities to clients in the context of sales, acquisitions, mergers, and joint ventures. We help clients understand what data is being stored by the target and if it is protected; whether the target has put in place proper response and remediation processes and policies; and what, if any, disclosures are needed. Given our deep and longstanding experience in privacy and cybersecurity, we advise clients concerning potential liabilities and vulnerabilities in the target’s information security and data privacy practices.
Specifically, our due diligence reviews typically include the following components:
- a review of the target company’s privacy and cybersecurity policies, including compliance with relevant international, federal, and state laws and regulations
- an examination of the target company’s protocols, procedures, controls, or other implementation directives to ensure that the adopted policies are properly integrated into the target’s business practices
- an examination of the target company’s network security, risk assessments, and other cybersecurity safeguards to protect against unlawful disclosures of sensitive data
- verification that the target company has entered into appropriate data use agreements with any entity with which it has shared sensitive data, and a review of the content and implementation of those agreements
- a review of the target company’s regulatory history, including if it has been (or is currently) the subject of a government investigation regarding privacy and cybersecurity, as well as the manner in which the investigation was resolved
- an investigation into whether the target company has been (or is) the subject of private litigation relating to a violation of applicable privacy laws
In addition, Epstein Becker Green stays involved throughout the transactional process to ensure that sensitive data is transferred in accordance with all relevant laws, rules, and regulations. We identify, evaluate, and calculate risk to our client and then develop representations, warranties, indemnities, and other contractual provisions and protections, as well as negotiate licenses, service contracts, and supplier and other agreements, to safeguard confidential information and to shift or mitigate that risk.
Insights

- Elizabeth Scarola Featured in “People on the Move” (November 7, 2022)
- Epstein Becker Green Announces 2023 Promotions (October 28, 2022)
- Elizabeth Scarola Named to the 2022 Florida Rising Stars List (June 24, 2022)
- Alaap Shah Featured in AHLA Connections Magazine: Member Spotlight (June 14, 2022)
- USA: Security Considerations for VPNs (March 9, 2022)
- Alaap Shah Quoted in “HHS Guidance Addresses HIPAA and Emergency Protective Orders” (March 1, 2022)
- USA: Privacy and Cybersecurity Considerations for Contactless Payment Solutions (February 14, 2022)
- Robert Travisano Quoted in “Businesses Face Growing Risk of Cyberattacks, Financial Loss” (February 11, 2022)
- Epstein Becker Green’s Brian Cesaratto and Francesco DeLuca Named 2022 BTI Client Service All-Stars (February 8, 2022)
- The Ransomware Plague Continues, but the Response Model Is Changing (October 19, 2021)
- Gary Herschman Discusses Private Equity Driving Consolidation Across Orthopedic Healthcare in Q&A with Dana Jacoby (July 1, 2021)