Data Strategy, Security & Privacy

  • Holland & Knight’s Data Strategy, Security & Privacy Team offers the full range of solutions our clients need to operate in today’s data-driven marketplace. We have the sophisticated capability to understand the nuances of each client’s particular sector and the complicated risks that cybersecurity brings to each of them, an offering few other firms can demonstrate.
  • We deliver pragmatic business-oriented solutions to address legal needs.
  • Our data strategy, security and privacy litigators have defended approximately 120 privacy class actions, multidistrict litigations (MDLs) and other "bet-the-company" suits throughout the U.S.

Overview

Our Data Strategy, Security & Privacy Team helps clients capitalize on data and tech capabilities while managing associated risks and incidents that arise. We have advised and represented clients on many of the largest public (and nonpublic) data issues and security incidents in the U.S.

Our practice spans a full spectrum of proactive and reactive services:

  • Counseling and Program Management
  • Government Policy and Regulatory Compliance
  • Litigation and Class Action Defense
  • Incident Response, Crisis Management and Insurance
  • Investigations and Regulatory Enforcement

With dozens of attorneys in our practice, and backed by Holland & Knight's global team of more than 2,200 lawyers and other professionals, we have attorneys in 34 U.S. offices – from California to Florida – and admitted to practice in nearly every U.S. jurisdiction, as well as robust capabilities in Latin America, particularly in Colombia and Mexico. We pride ourselves on being a diverse team, and believe diversity of thought and perspective enables us to best serve our clients.

Our team is sensitive to unique data, security and privacy needs of different clients and is closely integrated with the firm's other highly knowledgeable attorneys across many industry sectors:

  • Financial Services
  • Healthcare & Life Sciences
  • Retail & Consumer Products
  • Technology & Telecommunications
  • Real Estate & Hospitality
  • Transportation & Infrastructure

We deliver: 1) pragmatic business-oriented solutions to address legal needs, 2) documentation you need for legal compliance and contracting, and 3) strategic representation during an incident, as well as in investigations and litigations that may follow. We do it efficiently, with transparent budgeting and billing.

Counseling and Program Management

Privileged Risk Assessments

Legal exposure often hinges on a lack of preparedness and perceived failure to comply with laws, public representations and contractual obligations. Our team therefore conducts a variety of risk and compliance assessments around data, cybersecurity and privacy, including a review of legal, operational and technical policies and practices in view of applicable laws, industry standards and public norms.

Attorney-client privileged reviews provide a safer environment to assess practices, identify potential gaps and facilitate candid discussions with stakeholders in order to enhance the go-forward posture and further mitigate risk. Some examples of the assessments that we perform include privacy program reviews, cybersecurity program reviews and enterprise risk audits.

Policies and Program Management

A robust set of documentation promotes mature business operations while also evidencing reasonable practices in the event of regulatory investigations or legal disputes. We work with clients on public-facing materials (e.g., website terms of use and privacy policies) as well as their internal cybersecurity, privacy, incident response and employee practices (e.g., acceptable use; social media). We also advise clients on the use of data analytics, machine learning (ML) and artificial intelligence (AI), advertising, marketing, sales and other data utilization opportunities involving personal data.

We assist clients in documenting and operationalizing programs in compliance with a vast spectrum of federal, state and foreign legal obligations, including the Federal Trade Commission (FTC), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Children's Online Privacy Protection Act (COPPA), Driver's Privacy Protection Act (DPPA), Video Privacy Protection Act (VPPA), California Online Privacy Protection Act (CalOPPA), Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), Telephone Consumer Protection Act (TCPA), state privacy and security laws and Payment Card Industry (PCI) standards.

Third-Party Risk Management, Contracting and Deal Support

Vendors and other third-party relationships present one of the largest cyber and privacy risk vectors. Many of the worst incidents in the past decade were attributed to such relationships. Therefore, we advise clients on vendor risk management programs, contract provisions and negotiation strategies to address intellectual property (IP) and data rights, cybersecurity, data privacy and liability/indemnity obligations. Our work includes an array of cloud services, customer-supplier deals, software agreements and data licensing.

We also advise on mergers and acquisitions (M&A) and other corporate transactions, providing due diligence support that covers information technology, IP, cybersecurity and data privacy assessments and recommendations, along with appropriate representations and warranties. If necessary, we advise on other risk mitigation strategies in view of the particular deal economics.

Breach Preparation: Incident Response Planning and Tabletop Exercises

Security incidents are inevitable in today's interconnected world, so it pays to be prepared. That means having an effective Incident Response Plan (IRP) along with a cross-functional team that knows how to use it. We help develop a practical IRP that functions as a playbook for guiding the response team through an incident investigation and key decision points, and also assist in reviewing the plan through a Tabletop Exercise during which the designated response team meets to work through hypothetical scenarios and "test" the IRP – confirming that it meets the organization's needs and effectively addresses roles and responsibilities, communication needs and decision-making tasks.

Cyber Liability Insurance

Transferring cyber and privacy exposure is a core risk management function. We advise clients on suitable cyber insurance terms and coverage amounts to address their enterprise risk tolerance. Our advice helps clients improve policy language and maximize insurance recoveries.

We literally wrote the book on cyber insurance, and have strong relationships with insurance carriers and brokers to strategically collaborate with them to drive the best outcome for clients. See A Buyer's Guide to Cyber Liability Insurance Coverage.

Government Policy and Regulatory Compliance

Holland & Knight is recognized among the top 5 federal lobbying and law firms in Washington, D.C., with a strong bipartisan government affairs team and deep ties across federal legislative and agency bodies. Our firm's D.C.-led Public Policy & Regulation Group represents clients on the public policy, government relationships and legislative front, advising on the evolving – and often conflicting – patchwork of state, local, federal and international regulatory environments as they relate to cybersecurity and data privacy matters across all industry sectors.

Incident Response, Crisis Management and Insurance

We have consulted on more than a thousand actual or suspected incidents of loss, theft or misuse of data or information systems to date. We serve as trusted allies and coaches to clients experiencing a data breach or privacy incident, or building resiliency to prevent, detect or quickly respond to one. We advise on the full range of legal, technical and reputational challenges that arise in such events.

We are well versed in, and routinely navigate, the relevant demands of public law (e.g., GLBA, HIPAA, U.S. Department of Defense (DoD) requirements for contractors, U.S. Securities and Exchange Commission (SEC) guidance, state breach law) as well as private law (e.g., PCI Data Security Standard (DSS) and card brand rules) in these emergency circumstances. We have counseled on breaches involving dozens of corporate counterparties, incidents involving information about tens of millions of persons, intrusions that compromised the integrity of medical records, and on breaches impacting consumers and regulators globally. 

In all of this, we work closely with a client's other trusted third parties, including forensic investigators, crisis management and public relations teams, and cyber insurance carriers. Every step of the response and recovery is carefully and strategically executed to ensure the best possible outcome.

Investigations and Regulatory Enforcement

Our team has significant experience working closely with – and, where needed, in opposition to – the leading cybersecurity and privacy regulators. Our team has represented clients in significant matters before the FTC, U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), SEC, U.S. Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), U.S. Department of Justice (DOJ), Consumer Financial Protection Bureau (CFPB), Secret Service, FBI, state attorneys general and other state regulators, including insurance and banking regulators.

Our firm's government affairs practice regularly assists clients in connecting with, and presenting cases to, government agencies, staffers and Congress. We have assisted clients and trade organizations in response to inquiries on cyber risk, data breaches and privacy issues before all levels of government.

Litigation and Class Action Defense

Practice leader Mark Melodia is ranked as one of the top privacy and data security litigators in the country by Chambers USA (2019-2024) and Chambers Global (2020-2024). Our seasoned team of data privacy and cybersecurity litigators has defended approximately 120 privacy class actions, multidistrict litigations (MDLs) and other "bet-the-company" suits throughout the U.S.

Class actions are a common and challenging consequence of privacy and data security incidents, and increasingly extend to even mainstream data collection and usage practices, including the latest trend of the use of state anti-wiretap laws as a vehicle to sue software developers and businesses for the use of ubiquitous cookies, pixels and other website software, such as session replay technology. We have a team of nationally recognized litigators who defend clients in privacy class actions based on a wide variety of alleged claims, including breach of contract, breach of warranty, fraudulent representations, negligence, breach of state privacy and security laws, breach of state consumer fraud laws, the Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act (CFAA), as well as the DPPA, VPPA and TCPA, to name a few. In so doing, we often work closely and collaboratively with carriers providing coverage.

Multimedia

Podcast - Decoding the Future of AI Regulation and Frontier Models
Owl Explains Episode 40: U.S. Congressman Dusty Johnson (R-S.D.)
Podcast - Robots, Rights and New Tech: Balancing Innovation and Data Privacy
Regulatory Phishing Podcast Episode ft Kelsey Hayes
Podcast - Discussing a DOJ Lawsuit Under the Civil-Fraud Initiative
What Contractors Need to Know, Now That the CMMC Rule Is Finalized
The Contractor Cybersecurity Locomotive Picks Up Steam
Podcast - Cybersecurity Roundup: Analyzing New and Proposed Rules for Contractors
Mitigation and Managing Third-Party Risks with Priya Keshav & Kim-An Hernandez
A Big Defense Cybersecurity Requirement for Contractors Moves Closer to Reality
The SEC’s Intensified Focus on AI Washing Practices
The Future of Sports and Crypto: Karate Combat
Artificial Intelligence Forum
Podcast: Emerging Technology in the FY24 NDAA
Podcast: Cybersecurity Provisions in the FY24 NDAA
Congressional Activity on the Development of Quantum Computer Technology
Government Contracts 2023 Year in Review: What Happened and What It Means
Impact of the CMMC Proposed Rule on Government Contractors
Navigating Information Blocking Regulations in Healthcare Transactions
Cybersecurity and CUI in Government Contracts: What's New and What's Next?
Podcast - The Role of Managed Service Providers with Stuart Itkin
Small Business Contracting: A Year in Review
Podcast - The When, Where, Why and How of CMMC with Fernando Machado
Podcast - Data Privacy and Tracking Technology Compliance
Artificial Intelligence: Breaking Down the New Biden Administration Executive Order
SEC's New Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules
Podcast: Discussing the Implications of Healthcare Privacy Violations
Podcast - The State of Contractor Cybersecurity with Katie Arrington
Podcast: Keeping an Eye on HIPAA Trends with Shannon Hartsfield
Podcast - Artificial Intelligence in Healthcare and How to Comply with HIPAA and State Privacy Laws
Podcast - Navigating the TikTok Ban: Implications for Government Contractors
Podcast - The Impact of Cybersecurity Compliance on Corporate Transactions
What Do Policymakers Think About When They Think About Blockchain?
Nothing From the Government Comes Without Gobs of Documentation
Podcast - What Do the Newly Released CMMC 2.1 Documents Mean?
Podcast - Artificial Intelligence
Podcast - Third-Party Assessments and NIST SP 800-171
