Privacy and Cybersecurity

Our Privacy and Cybersecurity attorneys help businesses of all sizes reduce their cyber, privacy, and data liability risks through education and risk-transfer mechanisms such as policy creation.

Cybersecurity and privacy risks, and the liability exposure that accompanies them, continue to rise. The risks are heightened for any organization that handles personal, hospital and healthcare, financial, human resources, trade secret, or other sensitive information in the course of domestic and international business operations.

Companies of all sizes, and in every industry and market vertical, face an increasingly toxic brew of cyber-threats, financial loss, and legal liability from employees, clients, shareholders, federal, state, and international regulators, as well as consumers of goods and services. The cyber-threat arena now includes:
  • Ransomware
  • Data breaches
  • Business Email Compromise
  • Phishing
  • Trade Secret Misappropriation
  • Wire and payment fraud
  • Connected (aka “smart”) device compromise (medical, supply chain, industrial, and consumer)
  • Identity Compromise
  • Smart Product liability

State and local governments are also at increased risk from cyber-threats and should take appropriate steps to investigate, assess, and then mitigate risks from ransomware and other cyber-attacks. The objectives for these attacks can be focused on:
  • Ransomware – Extortion for payment by locking out (encrypting) municipality data
  • Disruption of vital services (traffic, power, law enforcement, and waste management)
  • Election data interference

The legal and regulatory environment surrounding data breaches, and failures to prepare for those and other cyber-threats, is also expanding:
  • All 50 states now require some form of breach notification. Some states require only an intrusion (and not an outflow) of Personally Identifiable Information (PII) to trigger notification.
  • California’s Consumer Privacy Act of 2018 imposes new online disclosure requirements and grants consumers new opt-out rights
  • General Data Protection Regulation – covering sensitive data of residents of the European Economic Area, but has world-wide application and significant monetary penalties
  • Shareholder Litigation – for violations of management fiduciary duty
  • Federal Trade Commission investigations and penalties
  • Federal Food and Drug Administration (for connected medical devices)
  • Banking – New York State enacted 23 NYCRR 500 in 2017, which generally requires covered entities regulated by the state’s Department of Financial Services to comply with enhanced cybersecurity requirements, including risk assessment, adequate cybersecurity funding, policy development and reporting. Covered entities include licensed lenders, state-chartered banks, trust companies, service contract providers, private bankers, mortgage companies, insurance companies doing business in New York, and non-U.S. banks licensed to operate in New York.
  • Department of Health and Human Services Office of Civil Rights (for HIPAA violation investigations) investigations and penalties
  • Securities and Exchange Commission –
    • Increased its cybersecurity oversight and investigatory role for public companies, including issuing a Section 21(a) report indicating that companies that fail to have adequate internal controls (which include assessing and addressing cyber-security threats) may be in violation of Section 13(b)(2)(B)
    • Increased vigilance in enforcing the Safeguards Rule and the Identity Theft Red Flags Rule, both of which generally require broker-dealers to adopt written policies and procedures “that address administrative, technical and physical safeguards for the protection of customer records and information.”

Addressing cyber-threats must be every company’s new normal.

Each client’s cyber-security needs differ, and while our cyber-security and privacy practice services are comprehensive, we endeavor to tailor them to your needs – keeping in mind a minimum-security baseline, as well as budgeting for immediate, intermediate, and long-term objectives.

Among the services we offer are the following:
  • Risk assessment and investigation
  • Internal Policy development (cybersecurity, incident response, incident investigation and remediation, etc.)
  • Drafting policies, disclosures, and procedures that govern the collection, use, storage, and sharing of sensitive data and use of technology
  • Drafting and implementing privacy and security compliance plans around state, national, and international laws and standards
  • Reviewing, revising, and preparing contracts and releases with third-parties to ensure compliance and limit liability
  • Assisting our clients during transactions with privacy due diligence and protective deal mechanisms
  • Advising clients on cyber-insurance policies and other applicable insurance policies
  • Advising clients on digital advertising and marketing, virtual currencies, and social media
  • Handling data breaches and privacy complaints
  • Representing clients during privacy-related matters before federal and state courts, administrative agencies, and professional boards
  • Responding to subpoenas and law enforcement inquiries as well as privacy torts / class actions
  • Managing eDiscovery and data governance

Our goal is simple: to help our clients reduce their cyber, privacy, and data liability risks. We accomplish this through education and by implementing a variety of risk-transfer mechanisms focused on each client’s unique needs. These mechanisms include training, risk assessments, policy creation, contracts, and insurance. While no level of cybersecurity prevention can completely eliminate cyber-risk, the firm’s holistic and pragmatic approach can help reduce the likelihood of an incident and, in conjunction with cyberforensic experts, help mitigate the legal, liability, and other consequences arising out of a cyber-security incident.

Check out Chair Steven Teppler’s Litigation Intelligence Cyber Security Blog.

Mandelbaum Barrett CIO Tom Brennan authors article titled "17 Technical Controls for Effective M&A Due Diligence"

April 12, 2022

Mandelbaum Barrett Chief Information Officer Tom Brennan has authored a Cyber Security article in the April 6th, 2022 issue of CPO Magazine titled "17 Technical Controls for Effective M&A Due Diligence."

Steven Teppler to present webinar titled "The vCISO Engagement and Legal Liability – What You Need to Know"

February 15, 2022

Mandelbaum Barrett Of Counsel Steven Teppler will be the Keynote speaker for a "vCISO Engagement and Legal Liability – What You Need to Know" webinar powered by the vCISO News professional community on Wednesday, February 16th, 2022 from 10:30am to 12:00pm.

Tom Brennan Spoke on Fulfilling Network Security Requirements and Business Needs at InfoSecurity Virtual Roundtable

February 4, 2021

Tom Brennan joined a panel of cybersecurity experts on the InfoSecurity Magazine virtual roundtable, Fulfilling Network Security Requirements and Business Needs. Tom and the panelists addressed a wide range of issues, including managing a multi-vendor network environment, handling the rapid demand for network changes with automation, and ways to avoid errors and misconfigurations in a […]

Lauren X. Topelsohn Speaking at the RSA 2020 Security Conference in San Francisco

January 6, 2020

Lauren X. Topelsohn, a Member in our Privacy and Cybersecurity Practice Group will be speaking at the RSA 2020 Security Conference in San Francisco. Lauren will be participating in "If You Can't Trust The Phone Company: A Mock Trial", which involves a ransomware attack on a medical laboratory that results in the exfiltration of critical test results ("protected health information" or "PHI"). To learn more about the session and the RSA Conference, click here.

Cybersecurity Alert: Class Action Liability Risks for Violations of ADA and New York Human Rights Laws

July 6, 2018

Check out our latest Cybersecurity Law Alert published by Steven Teppler and Lauren X. Topelsohn on ADA Compliance for websites and the recent uptick in class action lawsuits for violations of ADA and New York Human Rights Law in light of the Federal Government's Web Content Accessibility Guidelines.

Cybersecurity Alert: Brand Name Spoofing Still a Popular Phishing Tactic

June 26, 2018

Check out our latest Cybersecurity Alert about Brand Name Spoofing, a popular phishing tactic that can put you and your company at risk. The Firm's Privacy & Cybersecurity Practice led by Of Counsel Steven Teppler, who co-authored the Alert with Member Lauren X. Topelsohn, helps business owners to prevent and mitigate damages from cyber attacks.
