Privacy & Security
Perkins Coie’s Privacy & Security group represents some of the world’s leading Internet companies, wired and wireless communications providers, brick-and-mortar retailers and emerging online businesses on issues including:
Data and security breaches are increasingly headline news and the current legal climate includes complex and nuanced rules governing the collection, use, storage, and disposal of information that vary by jurisdiction and are continually evolving. We work closely with our clients to help them stay abreast of national and international regulatory and statutory changes and industry initiatives related to mobile applications, online and mobile advertising, means of capturing location information, and cloud computing. We are ranked by Chambers USA among the best firms in the nation for privacy and data security. We also were recognized by Law360 as a “Practice Group of the Year” in 2013.
We regularly advise clients on how to implement "privacy by design" principles into their organizations, and how to best respond to law enforcement and civil requests for user information, sophisticated network attacks and other security breaches. Our data breach and network intrusion response team, including several former DOJ cybercrime prosecutors, regularly counsels clients with concerns about data breaches and assists with coordinating incident response and required notifications.
"Privacy by design," privacy assessments, security breach response plans, insurance coverage and contractual provisions for transferring data and securing it, are all tools for developing a successful privacy program. Privacy plans also must address responding to consumer complaints, litigation or regulatory inquiries. We help our clients respond to immediate issues and understand that it is never too late to address privacy and security matters.
Product and General Privacy and Security Counseling
We routinely review products and services to identify and resolve privacy and data security issues. These reviews cover privacy policies, disclosures and terms, and also include an in-depth understanding of the data flows involved in the company’s products or services. Representative projects include:
- Helping clients launch social components to large retail e-commerce sites
- Advising on product privacy on mobile applications
- Guiding on roll-outs of new web-based payment processing services
- Drafting policies for data sharing with cloud service providers
- Designing compliance programs to launch international services in more than 60 jurisdictions
We have extensive experience helping clients develop data security policies and programs needed to comply with PCI Data Security Standards, Red Flag Rules, HIPAA, GLBA, COPPA, TCPA, FERPA, FCRA, CAN-SPAM, FTC guidelines, state data protection laws, as well as self-regulatory rules.
Electronic Surveillance and User Information Requests
We provide training and advice to clients in complying with surveillance laws and responding to requests for customer information. We also regularly advise clients and litigate on their behalf on issues related to their obligations under the:
- Wiretap Act
- Pen/Trap Statute
- Stored Communications Act
- Foreign Intelligence Surveillance Act
- National Security Letters
- Communications Assistance for Law Enforcement Act
Online and Mobile Advertising
As advertising models increasingly rely on user data, regulatory scrutiny of the collection and use of information of all types from browsers and mobile apps continues to increase. Representative experience includes:
- Helping companies draft meaningful and accurate disclosures of their advertising practices, including how to provide “just in time” notice
- Counseling on how, and under what circumstances, clients should offer choice with respect to data collection and use practices, and what form such choice should take
- Training on compliance with self-regulatory rules and state and federal consumer protection statutes, the Children’s Online Privacy Protection Act (COPPA), and state laws governing advertising to minors
- Counseling major technology companies, web publishers and online retailers on responding to web browser-based “do not track” signals
We counsel advertising technology companies, communications providers, and web and mobile application publishers on how to structure their practices in a manner that is consistent with self-regulatory rules as well as regulatory and legal frameworks. We have deep experience with self-regulatory bodies, including the Network Advertising Initiative, Digital Advertising Alliance and Better Business Bureau, regarding online behavioral advertising and mobile advertising issues.
Privacy Reviews, Assessments and Data Transfers
Privacy assessments are rapidly becoming an important part of every business that handles customer or user information. Before a company can fully appreciate its obligations and risks, or implement “privacy by design,” it needs to “know its data,” which means that it needs to understand what types of user information it collects and uses, where the data is stored, with whom the data is shared, and when and how the data is disposed of.
To help companies fully understand their collection, use and sharing of personal and other sensitive data, we conduct comprehensive privacy reviews. Retailers, telecommunication providers, power companies, cloud providers and international companies are among the companies for whom we have provided reviews. Contexts in which we have performed privacy assessments include:
Honed during repeated engagements, our approach to gathering data is efficient as we assist in or conduct onsite interviews. Our custom reports offer specific and practical recommendations and checklists to help our clients quickly understand the data they handle and the myriad laws and regulations that apply to their collection, use, storage and sharing of that data.
After conducting an assessment, we work closely with clients to prioritize needed remedial efforts. Privacy assessments make this follow-on work seamless and efficient. The assessment process provides us with a unique level of detail to thoroughly understand our clients’ data collection and use practices. Examples of follow-up projects include:
- Counseling related to individual products that were evaluated during the review
- Drafting incident response or disaster recovery plans
- Creating corporate information management programs
- Helping companies certify in the EU Safe Harbor program in order to lawfully transfer to the United States data about their European customers or employees
Network Intrusions and Data Breaches
Our data breach and network intrusion response team includes several former DOJ cybercrime prosecutors. We regularly counsel clients with concerns about data breaches and assist with coordinating incident response and required notifications. We have helped clients, ranging from public FORTUNE 100 companies and retailers with operations and customers nationwide to local nonprofits, school districts and small private companies, work through legal requirements and address their legal, reputational and commercial risks.
Lost, stolen or inadvertently disclosed electronic or physical records containing the personal information of users, customers or employees - not to mention trade secrets and intellectual property - implicate a web of state and federal laws and regulatory interest.
While not every breach involves a type of personal information that requires notification or disclosure, every breach requires attention and an individualized response tailored to the facts and nature of the breach, and an evaluation of how processes can be improved to minimize the risk of future breaches. Features of our service include:
- An efficient approach that includes triaging the initial breach, minimizing legal risk, identifying notification and disclosure obligations, and providing notice to affected individuals, regulators and others where necessary
- Capabilities to tap into existing relationships with forensics firms and breach notification providers when the size or nature of the breach warrants
- Addressing publicly traded companies' need for disclosures in securities filings pursuant to the SEC’s guidance on disclosing cybersecurity risks
- Advice and counsel on network intrusions, such as companies’ obligations as the victim of an attack, and the steps necessary to remediate compromised networks
Perkins Coie's counsel includes extensive experience in helping clients avoid breaches through targeted product advice, privacy assessments and other counseling centered on understanding a company’s data and instituting programs to prevent and detect intrusions.
Privacy Litigation and Regulatory Investigations
Our attorneys help clients respond to regulatory inquiries from the FTC, FCC and state attorneys general. We assist in favorably resolving regulatory inquiries through our quick understanding of the client’s technology and by providing the agencies with the appropriate information to understand our client’s practices. Examples of our counsel to technology companies in regulatory investigations include:
- Represented Google in negotiation of first FTC "privacy by design" and EU Safe Harbor consent decree regarding Google Buzz
- Defended Google before regulatory bodies worldwide, including the FTC and a multistate attorneys general investigation, in inquiries stemming from Google's Wi-Fi data collection via Street View
- Represented a FORTUNE 50 company in connection with multiple criminal and civil inquiries by government agencies regarding alleged collection and sharing of subscriber data without consent
- Protected numerous mobile applications and mobile advertising companies in defense of FTC inquiries presenting issues under Section 5 of the FTC Act and also COPPA
We also routinely collaborate with attorneys in our Class Action Defense group, which has significant experience in managing and successfully defending consumer protection class action litigation. Examples of privacy-related class actions include:
- Represented Google in multiple nationwide class actions regarding privacy issues, including those regarding Google Buzz and regarding Google Play/Google Wallet
- Defended Twitter in class action regarding privacy issues related to uploading of mobile device address books
- Represented Sprint in putative class actions asserting claims under federal and state privacy laws
Our cyber enforcement group helps clients protect their websites, Internet and mobile services, and keep users safe from abuse. We have dedicated Internet investigation resources that help us identify, understand and document sophisticated schemes that target our clients and are instigated by spammers, hackers, phishers, scrapers, scammers and other computer system abusers and criminals.
We advise clients on effective enforcement strategies that may include referrals to regulatory agencies, referrals to law enforcement, or filing civil lawsuits against the wrongdoers. Perkins Coie also efficiently implements enforcement programs and readily adapts services to meet client needs. These programs may range from a single cease and desist letter and follow-up, to multifaceted, multiyear programs where a company outsources its enforcement work to our dedicated team of Internet enforcement lawyers.
International Privacy and Data Flows
Our clients operate around the world, which requires global guidance that allows them to move data in compliance with international privacy laws. Worldwide privacy challenges include data transfers, cross-border evidence gathering, investigations, civil discovery, employment matters, processing agreements, and mergers and acquisitions. Perkins Coie provides international privacy counsel in areas such as:
- Compliance with non-U.S. law enforcement data requests and Mutual Legal Assistance Treaty requests
- eDiscovery outside the U.S., and response to civil demands, Section 1782 requests and other civil matters
- Defense of multijurisdictional privacy inquiries
- Global product launches
We work with local counsel around the world to meet domestic privacy requirements, and we assist companies to conduct global data assessments and respond to data breaches.