
Privacy and Cybersecurity



Cybersecurity and privacy risks, and liability exposure, continue to rise. The risks have heightened for any organization that touches personal, hospital and healthcare, financial, human resources, trade secret, and other sensitive information in the course of domestic and international business operations.

Companies of all sizes, and in every industry and market vertical, face an increasingly toxic brew of cyber-threats, financial loss, and legal liability from employees, clients, shareholders, federal, state, and international regulators, as well as consumers of goods and services. The cyber-threat arena now includes:

  • Ransomware
  • Data breaches
  • Business Email Compromise
  • Phishing
  • Trade Secret Misappropriation
  • Wire and payment fraud
  • Connected (aka "Smart") device compromise (medical, supply chain, industrial, and consumer)
  • Identity Compromise
  • Smart Product liability

State and local governments are also at increased risk from cyber-threats and should take appropriate steps to investigate, assess, and then mitigate risks from ransomware and other cyber-attacks. The objectives for these attacks can be focused on:

  • Ransomware - Extortion for payment by locking out (encrypting) municipality data
  • Disruption of vital services (traffic, power, law enforcement, and waste management)
  • Election data interference

The legal and regulatory environment surrounding data breaches, and failures to prepare for those and other cyberthreats, is also expanding:

  • All 50 states now require some form of breach notification. Some states require only an intrusion (and not an outflow) of Personally Identifiable Information (PII) to trigger notification.
  • California’s Consumer Privacy Act of 2018 imposes new online disclosure requirements and grants consumers new opt-out rights
  • General Data Protection Regulation – covers sensitive data of residents of the European Economic Area, but has worldwide application and significant monetary penalties
  • Securities and Exchange Commission –
    • Increased its cybersecurity oversight and investigatory role for public companies, including issuing a Section 21(a) report indicating that companies that fail to have adequate internal controls (which include assessing and addressing cyber-security threats) may be in violation of Section 13(b)(2)(B)
    • Increased vigilance in enforcing the Safeguards Rule and the Identity Theft Red Flags Rule, both of which generally require broker-dealers to adopt written policies and procedures “that address administrative, technical and physical safeguards for the protection of customer records and information.”

  • Shareholder Litigation – for violations of management fiduciary duty
  • Federal Trade Commission investigations and penalties
  • Department of Health and Human Services Office of Civil Rights investigations and penalties (for HIPAA violations)
  • Federal Food and Drug Administration (for connected medical devices)
  • Banking - New York State enacted 23 NYCRR 500 in 2017, which generally requires covered entities regulated by the state’s Department of Financial Services to comply with enhanced cybersecurity requirements, including risk assessment, adequate cybersecurity funding, policy development and reporting. Covered entities include licensed lenders, state-chartered banks, trust companies, service contract providers, private bankers, mortgage companies, insurance companies doing business in New York, and non-U.S. banks licensed to operate in New York. 

Addressing cyber-threats must be every company’s new normal. Each client’s cyber-security needs differ, and while our cyber-security and privacy practice services are comprehensive, we endeavor to tailor them to your needs – keeping in mind a minimum-security baseline, as well as budgeting for immediate, intermediate, and long-term objectives.

Among the services we offer are the following:

  • Risk assessment and investigation
  • Internal Policy development (cybersecurity, incident response, incident investigation and remediation, etc.)
  • Drafting policies, disclosures, and procedures that govern the collection, use, storage, and sharing of sensitive data and use of technology
  • Drafting and implementing privacy and security compliance plans around state, national, and international laws and standards
  • Reviewing, revising, and preparing contracts and releases with third-parties to ensure compliance and limit liability
  • Assisting our clients during transactions with privacy due diligence and protective deal mechanisms
  • Advising clients on cyber-insurance policies and other applicable insurance policies
  • Advising clients on digital advertising and marketing, virtual currencies, and social media
  • Handling data breaches and privacy complaints
  • Representing clients during privacy-related matters before federal and state courts, administrative agencies, and professional boards
  • Responding to subpoenas and law enforcement inquiries as well as privacy torts / class actions
  • Managing eDiscovery and data governance

Our goal is simple: to help our clients reduce their cyber, privacy, and data liability risks. We accomplish this through education and implementing a variety of risk-transfer mechanisms focused on each client’s unique needs. These mechanisms include training, risk assessments, policy creation, contracts, and insurance. While no level of cybersecurity prevention can completely eliminate cyber-risk, the firm’s holistic and pragmatic approach can help reduce the likelihood of occurrence, and in conjunction with cyberforensic experts, help mitigate the legal, liability, and other consequences arising out of a cyber-security incident.

Check out Chair Steven Teppler's Litigation Intelligence Cyber Security Blog.

February 4, 2020 - Tom Brennan Spoke on Fulfilling Network Security Requirements and Business Needs at InfoSecurity Virtual Roundtable



January 6, 2020 - Lauren X. Topelsohn Speaking at the RSA 2020 Security Conference in San Francisco

Lauren X. Topelsohn, a Member in our Privacy and Cybersecurity Practice Group, will be speaking at the RSA 2020 Security Conference in San Francisco. Lauren will be participating in "If You Can't Trust The Phone Company: A Mock Trial", which involves a ransomware attack on a medical laboratory that results in the exfiltration of critical test results ("protected health information" or "PHI"). To learn more about the session and the RSA Conference, click here....


July 6, 2018 - Cybersecurity Alert: Class Action Liability Risks for Violations of ADA and New York Human Rights Laws

Check out our latest Cybersecurity Law Alert published by Steven Teppler and Lauren X. Topelsohn on ADA Compliance for websites and the recent uptick in class action lawsuits for violations of ADA and New York Human Rights Law in light of the Federal Government's Web Content Accessibility Guidelines....


June 26, 2018 - Cybersecurity Alert: Brand Name Spoofing Still a Popular Phishing Tactic

Check out our latest Cybersecurity Alert about Brand Name Spoofing, a popular phishing tactic that can put you and your company at risk. The Firm's Privacy & Cybersecurity Practice, led by Of Counsel Steven Teppler, who co-authored the Alert with Member Lauren X. Topelsohn, helps business owners to prevent and mitigate damages from cyber attacks....


13 Feb - 2017 Mandelbaum Barrett Year in Review

We are pleased to share our 2017 Year in Review, which highlights some of the Firm's notable successes during the last year. We are thankful to our clients who have allowed us to continue doing what we love. We continue to expand our practice areas and bench to reflect our clients' needs....


11 Dec - The Use of Social Media in Family Law Cases



27 Feb - Lauren X. Topelsohn Featured in NJBiz Triple Play About Protecting Company Information

Lauren X. Topelsohn, a Member in the Firm's Employment & Labor and Cybersecurity Practice Groups, recently authored an NJ Biz Triple Play feature that discussed ways to help employers protect their company information. The article, which ran on February 26 and 27th in NJ Biz, can...


2 Jan - Traveling a Long Road with Tumi

Tumi, Inc., the worldwide premier brand of high-end luxury luggage, leather goods, bags and business accessories, continues to be one of Mandelbaum Barrett's most well-known clients. Tumi has engaged the firm as outside counsel for more than 20 years, under the direction of relationship manager...

