Services
Intellectual Property

Data Privacy & Cybersecurity

Advising at the confluence of technology, data, business, law and regulation, Benesch's Data Privacy & Cybersecurity lawyers provide comprehensive counsel on global technology and data-related issues and develop innovative policies, practices and protocols that minimize risk while supporting business growth.

Leveraging & Protecting Data

Our team helps clients protect and leverage data and use it creatively and safely while remaining fully compliant with the many applicable laws and regulations. Our lawyers also navigate clients through the complexities posed by emerging technologies and an ever-evolving landscape of data privacy and cybersecurity requirements.

We advise clients in designing and implementing cost-effective, business-minded solutions to their most complex data-driven legal issues and concerns. With a focus on long-term resilience, our lawyers take the time to understand each client’s technologies, business processes and goals. Then we deliver practical, tailored future-proof strategies and data governance structures to limit their exposure, position them to achieve their full potential and ensure compliance on a global scale. We think strategically and pragmatically, advising clients across a wide range of industries from e-commerce, retail, technology, higher education and hospitality to the highly regulated financial services, insurance, healthcare and pharmaceutical sectors.

Guidance at Every Stage

Our experience spans a wide range of privacy and data protection matters involving data use, collection, retention, sharing and disposal. Our services include:

Risk assessment and prevention
Data privacy impact assessments, protection, policies, procedures and incident preparedness training
Cybersecurity and trade secret, confidential information and personal data protection strategies
Global legal and regulatory compliance
Internal audits, and government inquiries and investigations
Data privacy litigation and enforcement actions
Information security program design and implementation
E-commerce and internet-related issues
Outsourcing arrangements and associated risks and responsibilities
Data breaches, response and crisis management
Intellectual property and technology transactions
Emerging technologies matters, such as AI, fintech, Internet of Things (IoT), metaverse law and connected medical devices
Sensitive data collections, including biometric and geolocation information

Regulatory and Compliance

Our attorneys are data privacy regulatory authorities well-versed and experienced in cybersecurity and privacy law matters on a global scale. We have long-established, effective working relationships with officials at key government agencies and ready access to agency decision-makers, which optimizes our ability to effect action. Should a compliance violation or data breach occur, we help clients manage the associated risk and respond swiftly and effectively while striving to end matters confidentially.

We help clients comply with the various U.S. federal, state and local laws, rules and regulations, as well as those of Canada, the EU/EEA and other global jurisdictions, and we offer guidance on proposed laws, rules and regulations. Our experience includes the following:

Blockchain and smart contracts
BYOD policies
California Privacy Acts, including the Consumer Privacy Act (CCPA), Privacy Rights Act (CPRA), Online Privacy Protection Act (CalOPPA), Invasion of Privacy Act (CIPA), and Do-Not-Track legislation (DNT) and similar laws emerging in other states
Illinois Biometric Information Privacy Act (BIPA)
EU General Data Protection Regulation (GDPR)
Computer Fraud and Abuse Act (CFAA)
Health Insurance Portability and Accountability Act (HIPAA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Federal Trade Commission Act (FTCA)
Gramm-Leach-Bliley Act (GLBA)
Fair Credit Reporting Act (FCRA)
Defend Trade Secrets Act (DTSA)
Children’s Online Privacy Protection Act (COPPA)
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Family Educational Rights and Privacy Act (FERPA)
Stored Communications Act (SCA)
Video Privacy Protection Act (VPPA)
Payment Card Industry-Data Security Standards (PCI-DSS)
New York State Department of Financial Services (NYDFS)
Fair Information Practice Principles (FIPPs)
Data breach notice laws

An Exceptional Team Immersed in Technology and Data Security

Members of our Data Privacy & Cybersecurity Group have been instrumental in creating cybersecurity policies, laws and enforcement programs and served in high-level governmental operational and policy roles in cybercrime, cybersecurity, counterterrorism, counterintelligence, critical infrastructure protection and national security-related matters.

We have decades of experience representing businesses ranging from startups to global consumer companies, B2B brands and major venture capital and private equity funds and their portfolio companies, and we provide risk-based and actionable legal counsel on matters.

Immersed daily in all facets of the technology industry and data security issues, we are an interdisciplinary team composed of Intellectual Property, Healthcare, Labor & Employment and Litigation lawyers. Our group includes former in-house lawyers, PhDs, attorneys who have worked as scientists or engineers, Certified Information Privacy Professionals (CIPP/US) and members of the International Association of Privacy Professionals (IAPP). Recognized as go-to legal thought leaders in the privacy and cybersecurity sector, we are up to speed on data privacy laws and regulations, with an eye on future guidance and emerging issues including technology-related concerns.

Data Life Cycle

Benesch's Intellectual Property Practice Group

Benesch’s IP Group has more than 25 attorneys, patent agents, and paralegals, many of whom are former scientists or engineers. Several of our attorneys are members of the International Association of Privacy Professionals (IAPP) who have achieved CIPP certifications.

We regularly assist a range of clients, from large, publicly traded companies to privately held middle market companies, in their global data security privacy compliance efforts, breach response and mitigation actions, and related issues. We also regularly handle complex transactions involving all manner of U.S. and foreign data privacy compliance.

We are unique in that we are a large general practice law firm with a full data security and privacy compliance and litigation practice. We provide strategic advice and assist our clients to develop strategies to protect, enforce, and commercialize data, IP assets and rights, and, if necessary, litigate data breach and IP disputes across the country.

We do extensive data security compliance work, helping our clients comply with a variety of federal, state, local, and foreign laws, rules, and regulations in the U.S., Canada, and the EU/EEA, including:

Blockchain & smart contracts
BYOD policies
The California Consumer Privacy Act (CCPA)
The California Online Privacy Protection Act (CalOPPA) and Do-Not Track laws
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
The Children’s Online Privacy Protection Act (COPPA)
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
The Defend Trade Secrets Act (DTSA)
The EU General Data Protection Regulation (GDPR)
The Fair Credit Reporting Act (FCRA)
The Family Educational Rights and Privacy Act (FERPA)
The Federal Trade Commission Act
The Gramm-Leach-Bliley Act (GLBA)
The Health Insurance Portability and Accountability Act (HIPAA and HITECH)
The FTC’s Telemarketing Sales Rule (TSR)
The FTC’s Fair Information Practice Principles (FIPPs)
The Telephone Consumer Protection Act (TCPA)
The Video Privacy Protection Act
Various state laws, including workplace privacy statutes, antispam statutes, AG enforcement actions, and other privacy protection statutes

We also assist our clients in applying best practices for complying with the vast array of data security and privacy technical standards and guidelines, including PCI-DSS, AICPA SOC 1 and SOC 2, SSAE 16 and SSAE 18, ISO 27001, ITIL, COBIT, and NIST standards, as well as with data classification, breach response, and mitigation, and in creating and implementing applicable policies/procedures.

Service Examples:

CCPA and other state law based compliance for a variety of clients located within the U.S. that do business in California and other states with robust data security and privacy laws, rules and regulations.
EU GDPR compliance for a host of clients, including two publicly traded manufacturing companies located in the U.S. with substantial EU operations and customer bases.
All of the data privacy and security due diligence and transactional issues in connection with corporate transactions (acquisitions and divestitures) of data-centric companies for two publicly held U.S. financial services companies.
Data breach response and mitigation for a publicly held U.S.-based steel fabrication company.
Gramm-Leach-Bliley compliance for the financing subsidiary of a global U.S.-based polymer company.
Document-retention compliance for a major U.S.-based transportation and logistics company.
IP and technology issues for a U.S.-based vendor of smart-grid technology, including in connection with its acquisition by a major strategic acquirer.
Privacy and security compliance for a global U.S.-based consumer products manufacturer.

Benesch's Healthcare+ Practice

Updates to HIPAA have rippled throughout the healthcare industry to now directly regulate vendors and other service providers to the healthcare industry (“business associates”), along with hospitals, health plans, doctor’s offices, and others within the industry, who must take special care in managing information about patients and their care. One of the most noticeable trends in the industry is the movement to electronic medical records and use of electronic tools to manage care.

Benesch understands the technology and regulations shaping the healthcare landscape. Our team members offer diverse perspectives, specialized knowledge, and experience that provide an insider’s viewpoint and deep understanding to each engagement.

Service Examples:

Business associate agreements
Technology vendor selection and implementation
Privacy policies and data security systems
Data management, sharing, and disclosure
Experience serving physician organizations, health systems, long-term care and senior living facilities, behavioral health providers, diagnostic imaging enterprises, durable medical equipment manufacturers and suppliers, pharmaceutical retailers, wholesalers, distributors and manufacturers, and more.

Benesch's Labor & Employment Practice

Employers face major regulatory challenges from HIPAA, the Fair Credit Reporting Act (FCRA), the Americans with Disabilities Act (ADA), and others. Management of the resulting data is critical, which has put a premium on the increased use of technology for data storage, sharing and security.

In today’s workplaces, it is important to have a partner who helps ensure the proper processes, policies and tools are in place to protect the sensitive information that belongs to your business, your employees, and your customers.

Benesch has experience providing training to privacy officers to maintain compliance with data security regulations, and we work with companies to prevent data loss or to help mitigate a data breach. In addition, the team is able to offer pragmatic advice on how to reduce the risk of employee data theft. An expansion of HIPAA has created compliance needs for companies doing business with entities in the healthcare industry. Additionally, more companies are moving to self-funded health plans, which require data security and compliance on par with what is expected of traditional health insurers.

Service Examples:

Noncompete agreements and trade secret rights
Employer policies on Internet use, email, mobile devices, voicemail, and social media
Counsel for HIPAA, FCRA, and ADA compliance
Security measures for third-party providers
Employee privacy issues, including searches of employee property and drug and alcohol testing
Employee nondisclosure obligations for confidential and proprietary information
Securing, maintaining, and enforcing cyber insurance policies
Negotiation of new system implementations with European work councils

Benesch's Data Privacy Defense and Response Team

Our Data Privacy Defense and Response Team combines our vast experience in the litigation of commercial disputes with our experience in data security and privacy law to create a focused litigation defense capability in the data security and privacy area. Our Data Privacy Defense and Response Team is national in nature with the capability of handling complex litigation arising from governmental enforcement actions, private actions, and class actions in courts across the United States under the new and growing body of data security law that is emerging within the United States. Working closely with our IP, Healthcare, and Labor and Employment teams, our Data Privacy Defense and Response Team ensures that clients have sophisticated counsel in connection with disputes that arise in this burgeoning and risk-laden area.

Working together, our team provides insightful counsel and deep experience in how to protect your business.

Assessing Enterprise Risk

Finding areas where your business is at risk is the first step to protecting it. We have developed standard methodologies and tools to perform comprehensive gap analyses and assess the risk of noncompliance based on the major U.S. and global cybersecurity and data privacy requirements. We take a holistic approach, working with leading cybersecurity and data privacy technology consultants to assess not only legal risk but also technical risk. We have years of experience reviewing our clients’ risk management plans, including their cybersecurity and data privacy insurance coverages. We also counsel boards of directors, given their increasing role in monitoring and effectively mitigating enterprise cybersecurity and data privacy risk.

Developing and Implementing Compliance Programs

We have extensive experience developing compliance programs related to cybersecurity and data privacy, including the essential element of employee education. We work with security experts to identify security vulnerabilities, and help our clients prepare, adopt, and implement response plans. If a potential privacy or security breach occurs, we routinely assist in assessing the situation and determining the appropriate response.

Managing Breach Response and Defending Cyber Liability Claims

Because rapid response is essential if a cybercrime, network intrusion, or other data incident occurs, our 24/7/365 Data Breach Hotline instantly connects our clients to an experienced attorney on the team. We work closely with other trusted professional service providers to assist them in handling incident response, crisis management, and breach mitigation.

Our IP practice, Data Privacy Defense and Response Team, and white-collar defense and corporate investigations practice work together to both defend and assist our clients to pursue and enforce their rights, working closely with law enforcement agencies as warranted when a cybersecurity or data privacy event occurs.

Incorporating Cybersecurity and Data Privacy into Transactions

Unlike most general practice firms, our data security and privacy practice is fully integrated into our IP and technology transactions practices. As a result, we bring extensive experience in how to incorporate cybersecurity and data privacy into every transaction. Our team works on the most sophisticated, high-value technology and M&A deals and has helped companies in a variety of industries (manufacturing, IT, financial services, medical devices, health services, and more) in connection with their most significant “bet the company” technology transactions. We have prepared and negotiated hundreds of license agreements, and an extensive array of privacy policies and records retention policies across a variety of industries. We have helped clients close over $1 billion in deal value of data-centric M&A deals in the last several years.

Reviewing & Negotiating Third-Party Contracts

We regularly review and negotiate third-party IP vendor and outsourcing contracts to assure adequate protections for confidential and proprietary information. We have handled these matters opposite some of the largest and most well-known third-party vendors in the world, including numerous engagements representing corporate clients in transactions with the leading IP vendor outsourcing vendors, including IBM, SAP, Oracle, Salesforce.com, Accenture, Deloitte Consulting, PwC, KPMG, Tata Consultancy, Wipro, Cognizant, Verizon, Amazon Web Services, Microsoft Azure, and many other national and international vendors. All of these involve complex data-centric transactions, including business process outsourcing (SaaS, IaaS, PaaS), and include comprehensive confidentiality, data security, and privacy provisions for both on-shore and off-shore outsourcing deals.

Advising On Data Localization Requirements and Cybersecurity Best Practices

We actively assist our clients on data localization matters and requirements, particularly within the U.S., Mexico, Central and South America, Europe, and Asia, and in terms of cybersecurity best practices. We regularly provide guidance on best practices and compliance requirements in connection with the collection, storage, and transmission of personal data and cross-border data transmissions.