Data Strategy, Security & Privacy
- Holland & Knight’s Data Strategy, Security & Privacy Team offers the full range of solutions our clients need to operate in today’s data-driven marketplace. We have the sophisticated capability to understand the nuances of each client’s particular sector and the complicated risks that cybersecurity brings to each of them, an offering few other firms can demonstrate.
- We deliver pragmatic business-oriented solutions to address legal needs.
- Our data strategy, security and privacy litigators have defended approximately 120 privacy class actions, multidistrict litigations (MDLs) and other "bet-the-company" suits throughout the U.S.
Overview
Our Data Strategy, Security & Privacy Team helps clients capitalize on data and tech capabilities while managing associated risks and incidents that arise. We have advised and represented clients on many of the largest public (and nonpublic) data issues and security incidents in the U.S.
Our practice spans a full spectrum of proactive and reactive services:
- Counseling and Program Management
- Government Policy and Regulatory Compliance
- Litigation and Class Action Defense
- Incident Response, Crisis Management and Insurance
- Investigations and Regulatory Enforcement
With dozens of attorneys in our practice, and backed by Holland & Knight's global team of more than 2,200 lawyers and other professionals, our attorneys work from 34 U.S. offices – from California to Florida – and are admitted to practice in nearly every U.S. jurisdiction. We also have robust capabilities in Latin America, particularly in Colombia and Mexico. We pride ourselves on being a diverse team and believe diversity of thought and perspective enables us to best serve our clients.
Our team is sensitive to the unique data, security and privacy needs of different clients and is closely integrated with the firm's other highly knowledgeable attorneys across many industry sectors:
- Financial Services
- Healthcare & Life Sciences
- Retail & Consumer Products
- Technology & Telecommunications
- Real Estate & Hospitality
- Transportation & Infrastructure
We deliver: 1) pragmatic business-oriented solutions to address legal needs, 2) documentation you need for legal compliance and contracting, and 3) strategic representation during an incident, as well as in investigations and litigations that may follow. We do it efficiently, with transparent budgeting and billing.
Counseling and Program Management
Privileged Risk Assessments
Legal exposure often hinges on a lack of preparedness and perceived failure to comply with laws, public representations and contractual obligations. Our team therefore conducts a variety of risk and compliance assessments around data, cybersecurity and privacy, including a review of legal, operational and technical policies and practices in view of applicable laws, industry standards and public norms.
Attorney-client privileged reviews provide a safer environment to assess practices, identify potential gaps and facilitate candid discussions with stakeholders in order to enhance the go-forward posture and further mitigate risk. Some examples of the assessments that we perform include privacy program reviews, cybersecurity program reviews and enterprise risk audits.
Policies and Program Management
A robust set of documentation promotes mature business operations while also evidencing reasonable practices in the event of regulatory investigations or legal disputes. We work with clients on public-facing materials (e.g., website terms of use and privacy policies) as well as their internal cybersecurity, privacy, incident response and employee practices (e.g., acceptable use; social media). We also advise clients on the use of data analytics, machine learning (ML) and artificial intelligence (AI), advertising, marketing, sales and other data utilization opportunities involving personal data.
We assist clients on documenting and operationalizing programs in compliance with a vast spectrum of federal, state and foreign legal obligations including the Federal Trade Commission (FTC), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Children's Online Privacy Protection Act (COPPA), Driver's Privacy Protection Act (DPPA), Video Privacy Protection Act (VPPA), California Online Privacy Protection Act (CalOPPA), Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), Telephone Consumer Protection Act (TCPA), state privacy and security laws and Payment Card Industry (PCI) standards.
Third-Party Risk Management, Contracting and Deal Support
Vendors and other third-party relationships present one of the largest cyber and privacy risk vectors. Many of the worst incidents in the past decade were attributed to such relationships. Therefore, we advise clients on vendor risk management programs, contract provisions and negotiation strategies to address intellectual property (IP) and data rights, cybersecurity, data privacy and liability/indemnity obligations. Our work includes an array of cloud services, customer-supplier deals, software agreements and data licensing.
We also advise on mergers and acquisitions (M&A) and other corporate transactions, with due diligence support on information technology, IP, cybersecurity and data privacy assessments and recommendations, along with appropriate representations and warranties. If necessary, we advise on other risk mitigation strategies in view of the particular deal economics.
Breach Preparation: Incident Response Planning and Tabletop Exercises
Security incidents are inevitable in today's interconnected world, so it pays to be prepared. That means having an effective Incident Response Plan (IRP) along with a cross-functional team that knows how to use it. We help develop a practical IRP that functions as a playbook for guiding the response team through an incident investigation and key decision points, and also assist in reviewing the plan through a Tabletop Exercise during which the designated response team meets to work through hypothetical scenarios and "test" the IRP – confirming that it meets the organization's needs and effectively addresses roles and responsibilities, communication needs and decision-making tasks.
Cyber Liability Insurance
Transferring cyber and privacy exposure is a core risk management function. We advise clients on suitable cyber insurance terms and coverage amounts to address their enterprise risk tolerance. Our advice helps clients improve policy language and maximize insurance recoveries.
We literally wrote the book on cyber insurance, and have strong relationships with insurance carriers and brokers to strategically collaborate with them to drive the best outcome for clients. See A Buyer's Guide to Cyber Liability Insurance Coverage.
Government Policy and Regulatory Compliance
Holland & Knight is recognized among the top 5 federal lobbying and law firms in Washington, D.C., with a strong bipartisan government affairs team and deep ties across federal legislative and agency bodies. Our firm's D.C.-led Public Policy & Regulation Group represents clients on the public policy, government relationships and legislative front, advising on the evolving – and often conflicting – patchwork of state, local, federal and international regulatory environments as they relate to cybersecurity and data privacy matters across all industry sectors.
Incident Response, Crisis Management and Insurance
We have consulted on more than a thousand actual or suspected incidents of loss, theft or misuse of data or information systems to date. We serve as trusted allies and coaches to clients experiencing a data breach or privacy incident, or building resiliency to prevent, detect or quickly respond to one. We advise on the full range of legal, technical and reputational challenges that arise in such events.
We are well versed in, and routinely navigate, the relevant demands of public law (e.g., GLBA, HIPAA, U.S. Department of Defense (DoD) requirements for contractors, U.S. Securities and Exchange Commission (SEC) guidance, state breach law) as well as private law (e.g., PCI Data Security Standard (DSS) and card brand rules) in these emergency circumstances. We have counseled on breaches involving dozens of corporate counterparties, incidents involving information about tens of millions of persons, intrusions that compromised the integrity of medical records, and on breaches impacting consumers and regulators globally.
In all of this, we work closely with a client's other trusted third parties, including forensic investigators, crisis management and public relations teams, and cyber insurance carriers. Every step of the response and recovery is carefully and strategically executed to ensure the best possible outcome.
Investigations and Regulatory Enforcement
Our team has significant experience working closely with – and, where needed, in opposition to – the leading cybersecurity and privacy regulators. Our team has represented clients in significant matters before the FTC, U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), SEC, U.S. Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), U.S. Department of Justice (DOJ), Consumer Financial Protection Bureau (CFPB), Secret Service, FBI, state attorneys general and other state regulators, including insurance and banking regulators.
Our firm's government affairs practice regularly assists clients in connecting with, and presenting cases to, government agencies, staffers and Congress. We have assisted clients and trade organizations in response to inquiries on cyber risk, data breaches and privacy issues before all levels of government.
Litigation and Class Action Defense
Practice leader Mark Melodia is ranked as one of the top privacy and data security litigators in the country by Chambers USA (2019-2024) and Chambers Global (2020-2024). Our seasoned team of data privacy and cybersecurity litigators has defended approximately 120 privacy class actions, multidistrict litigations (MDLs) and other "bet-the-company" suits throughout the U.S.
Class actions are a common and challenging consequence of privacy and data security incidents, and increasingly extend to even mainstream data collection and usage practices. The latest trend is the use of state anti-wiretap laws as a vehicle to sue software developers and businesses for using ubiquitous cookies, pixels and other website software, such as session replay technology. We have a team of nationally recognized litigators who defend clients in privacy class actions based on a wide variety of alleged claims, including breach of contract, breach of warranty, fraudulent representations, negligence, breach of state privacy and security laws, breach of state consumer fraud laws, the Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act (CFAA), as well as the DPPA, VPPA and TCPA, to name a few. In so doing, we often work closely and collaboratively with carriers providing coverage.