Data, often a company’s most valuable asset, can also be one of its greatest liabilities if it is not properly protected and used. Developing and implementing appropriate contracts, policies and procedures is critical. In addition, the explosion of data innovation surrounding the development of distributed ledger technologies and related products such as blockchain (Web3) presents opportunities and risks for cutting-edge companies seeking to capitalize on these developments.
Armstrong Teasdale’s Data Innovation, Security and Privacy team is highly experienced in guiding organizations through the thicket of federal, state and international rules governing personal information. We routinely counsel clients in connection with development and implementation of, and updates to, information privacy and security programs. Our team is also adept at handling data breaches and related incidents. When a client is the victim of a data breach – whether by a malicious hacker, a departing employee, a competitor or another third party – we provide responsive guidance to stop the dissemination of the data, recover it, provide notice to affected parties, and mitigate risks.
Web3 is a broad term encompassing blockchain technologies, cryptocurrencies and digital assets, and novel business models, among other things. While this nascent field is rapidly evolving, Armstrong Teasdale lawyers have already developed a deep understanding of the technologies involved and the relevant laws, regulations and industry standards. We also monitor and engage with government agencies establishing new, comprehensive safety and security guidelines. Working collaboratively with members of the Securities, Financial Services and Banking, Fintech and other relevant practices, the Data Innovation, Security and Privacy team counsels clients ranging from startups to Fortune 500 firms on innovative technologies and uses for data, and related concepts, including:
- Nonfungible Tokens (NFTs), digital assets stored on blockchain technology, created by computer code and often bought with cryptocurrency. The computer code underlying an NFT includes “smart contracts,” is unique, and is noninterchangeable. Their investment potential is complicated by questions of ownership in agreements and by the dramatic rise in illegal activity surrounding them, which has led to the increased likelihood of government regulations and legal oversight on the horizon.
- Decentralized Finance (DeFi), which encompasses a wide variety of applications (including blockchain technology) designed to eliminate intermediaries (such as banks). Their hallmarks of efficiency and responsiveness give rise to regulatory and compliance complications, as well as heightened transactional risks that have eroded consumer trust.
- Decentralized Autonomous Organizations (DAOs), entities governed by a community organized around a specific set of rules enforced on a blockchain via smart contracts. As prominent losses from cybersecurity incidents run into the hundreds of millions of dollars, calls for regulation have increased as consumers bear the brunt of these losses.
- Cryptocurrency, which has experienced a rapid and volatile evolution. Lacking a centralized regulatory authority, cryptocurrencies present risks for both security and compliance. And like DeFi, their “borderless” nature makes it difficult to establish jurisdiction.
Information Security and Privacy
Our cross-disciplinary team of lawyers has in-depth experience with matters involving both U.S. and international privacy and data security laws. Given the increasing opportunities for savvy data use, the commensurate risk to business and the steady influx of regulation, it’s critical to understand your company’s vulnerabilities and mitigate risk.
Our robust team includes a Certified Ethical Hacker (C|EH), a Certified Information Systems Security Professional (CISSP), a Fellow of Information Privacy (FIP), Certified Information Privacy Professionals (CIPP/US, CIPP/C and CIPP/E) and a former Fortune 20 Chief Privacy Officer. Members of the practice routinely advise clients ranging from internet startups to Fortune 100 companies in a variety of industries, including financial services, insurance, communications, health care, retail, legal, technology and energy and utilities. Our lawyers are experienced in handling multijurisdictional events, as well as working with the Office of Civil Rights and other state and federal regulators. The issues we routinely address for clients fall into three key categories: preparedness, response and litigation.
We counsel clients on a wide variety of matters, including:
- Compliance with the California Consumer Privacy Act (CCPA), the upcoming California Privacy Rights Act (CPRA), the Utah Consumer Privacy Act (UCPA), and the Colorado Privacy Act (CPA), as well as the emerging patchwork of other state-level privacy laws
- Compliance with federal privacy laws and regulations, such as the HIPAA privacy and security rules, the GLBA safeguards rule, the Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), the FTC Act and the Telephone Consumer Protection Act (TCPA)
- Regulatory compliance and investigations, including with the Department of Health and Human Services and the Office of Civil Rights
- Breach response, including notification and state and federal compliance
- Litigation, including class action lawsuits
- Immediate injunctive relief to stop the proliferation of data
- Enhancing their privacy and security programs and elevating privacy and security issues to boards and top-level management
- General Data Protection Regulation (GDPR) compliance, data protection impact assessments and cross-border data transfers
- Commercial contracts involving data use and data protection issues
- Security programs and policies, including Written Information Security Programs (WISPs) and Acceptable Technology Use Policies
- Confidential information and trade secret protection
- Computer tampering violations
- Data recovery
- Document retention and best practices
- Employee training programs
- Loss of customer, client or employee data
- Network security gap analysis
- Noncompete, nonsolicitation, nondisclosure and confidentiality agreements
- Privacy and security audits
- Privacy by design principles
- Enterprise risk management
- Software license audits