Complying with the growing number of domestic and international regulations is increasingly complex. Our team benefits from representing progressive clients who are first-adopters of seemingly countless technologies – both decades ago and today. Clients regularly call upon us to advise them on emerging technologies and opportunities, such as issues related to analytics and big data. We’re also providing counsel on a variety of privacy and security issues related to the Internet of Things, and at each stage of the data lifecycle.
As a result, we have stayed abreast of the requirements of federal laws and regulations such as Section 5 of the FTC Act; Gramm-Leach-Bliley Act; Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act; Health Insurance Portability and Accountability Act of 1996; CAN-SPAM; Telephone Consumer Protection Act; Children’s Online Privacy and Protection Act; California Online Privacy Protection Act; Telemarketing Sales Rule; FTC guidelines, reports and orders; and state laws and regulations addressing marketing, privacy and security, including online disclosures, telemarketing, notice of breach, protection of Social Security numbers, and laws limiting the collection of customer data at the point of sale.
We regularly advise clients on compliance with payment card security standards, such as PCI DSS and PA-DSS, and other industry-specific data security requirements. We assist in the evaluation of and compliance with self-regulatory guidelines affecting privacy and marketing issues, particularly with respect to tracking and targeting customers in both online and offline environments, mobile applications and text messaging.
Global Privacy Programs
Many of our clients have called upon our counsel as they expand their businesses globally. Vorys oftentimes quarterbacks the creation and coordination of global privacy programs by calling upon our vast network of international local counsel. Our attorneys manage the launch of these programs by understanding the intricacies and risks associated with international privacy regimes. We’re familiar with international privacy and data security laws and regulations, including in the EU, Canada and the APEC regions.
We assist clients with international operations in devising appropriate practices and procedures for collecting data in foreign jurisdictions, transferring data across international borders, and sharing the data within and without the client’s enterprise.
We have developed a reliable network of data and privacy attorneys around the globe who assist us in protecting our clients’ interests in foreign jurisdictions. In addition, Vorys is a member of the International Alliance of Law Firms, a network of more than 60 select, business-oriented law firms operating in 43 countries.
Whether it’s human resources data, employee health records, or employee email accounts, every employer has some form of sensitive information about its employees. We help our clients protect that data while retaining their own ability to access information when they need it, whether it is stored on their own servers, on their employees’ personal devices, or in the cloud.
Health Privacy & Security
Our attorneys are highly experienced in the developing area of health information privacy and the confidentiality of medical information, including the Privacy Rules of HIPAA and other federal and state privacy laws. In addition to working with numerous providers to develop their HIPAA/privacy policies and procedures, we have counseled large health care trade associations and their members on the full range of legal issues pertaining to HIPAA/privacy compliance. Our attorneys also are available to provide extensive HIPAA/privacy compliance training to providers and health care organizations. In addition, as health care has become an increasingly technological business, our attorneys have advised providers and third-party services concerning information systems privacy and the interplay between technology and corporate compliance.
Health information security and privacy compliance influences key business decisions about patient care, quality improvement and information technology. Our attorneys are well versed in the rapidly changing fields of health information exchanges, electronic and personal health records, paper and electronic data privacy and security, health information management, and state and federal discovery rules for Electronically Stored Information (ESI).
We routinely instruct and counsel health care providers on preemption and the requirements of state and federal laws, including the HIPAA Privacy and Security Rules, state notice of breach laws, and the production of individually identifiable health information in response to discovery requests, court orders, law enforcement investigations, public health concerns, and regulators responsible for health care oversight. We also advise clients on the new federal notice of breach requirements, changes to anticipate for covered entities, business associates and private vendors of electronic health records, and how to qualify for federal financial incentives for the further development of electronic health records. Additional resources are available on the firm’s blog, HealtHITech Law.
IT & Technology Contract Review
We have handled complex transactions for mission-critical technology services, web applications, equipment, point of sale (POS) systems, radio frequency identification (RFID) tags, medical billing systems and electronic health records systems and software licenses, and our attorneys help our clients understand the privacy and cyber security implications of these transactions. We work to identify the emerging legal issues and compliance requirements for our clients’ internet and e-commerce business operations and to advise our clients on practical methods to minimize privacy and data security risks. Additionally, with the increased regulatory focus, as well as media attention, on privacy issues related to vendor management, we assist clients in negotiating specific privacy components of agreements, including those types of transactions listed above as well as payments contracts, marketing contracts, cloud services and analytics contracts. Lastly, we often assist clients in negotiating cyber insurance policies to cover their liability for data breaches and other cyber issues.
- Assisting with the data breach that occurred at a large university, involving 700,000 individuals. We worked with a committee made up of various groups within the university, including IT, information security, treasury, public relations, alumni, legal and others to put together a plan for the response. We also worked with the companies providing forensic reviews of the incident and assisted with finalizing the contract with Experian for credit monitoring for and notification of the affected individuals. From the HR side, we conducted interviews at the conclusion of the events to prepare a report with recommendations.
- Representing a restaurant chain with multiple franchisees in a data breach event involving approximately one-third of the restaurants. We worked with the forensic investigator to encourage them to continue to look for the actual cause of the breach, and the investigator did discover a flaw in the certified software. Although the amount of counterfeit fraud in this matter was significant, the result of the software discovery and our efforts significantly limited the assessments to the client from the payment card brands.
- Working with a national retailer to create and implement a privacy audit, evaluate the results of the audit and prepare recommendations to address gaps discovered during the audit.
- Participating in desktop incident response trainings with an international energy company over several years. The training then provided the opportunity to amend the incident response plans that we had put in place for the client.
- Negotiating with American Express, Visa and MasterCard on numerous occasions to address liabilities related to data breaches. We understand the formulaic processes applied in these cases, and we are able to significantly reduce assessments by the payment card brands after data breach events.
- Providing data breach coaching services for retailers, conducting customized tabletops for senior management, advising on incident response planning, and negotiating with data breach related vendors.
- Representing a national food & beverage chain before the Federal Trade Commission during the investigation related to a data breach. We negotiated the resulting consent decrees with no monetary liability to our client, and advised on the compliance obligations imposed by those consent agreements.
- Advising clients on TCPA risks, compliance measures and strategies, and best practices, as well as representing clients in TCPA litigation.