resilience through diligence

Data Breach Investigation and Response

• Dorsey recently was approached by a number of California wineries who had been notified by a common vendor that their customer information may have been hacked. We put together a team overnight to provide breach notifications to customers of over 30 wineries for 48 different jurisdictions and to dozens of state Attorneys General within 24 hours of being retained. While the Krebs blog had a head start on us, by the time it “broke the story,” customers had already been notified, and the media ignored the event.
• Dorsey developed immediate response measures for a large agricultural cooperative whose sensitive payroll information of high-level executives had been compromised as well as emergency communication procedures. Within an hour of the incident we assessed the potential scope of disclosure, possible methods for retrieval to minimize potential dissemination of material, and assessed reporting obligations.
• Our cybersecurity team assisted a health care provider with a data breach response involving unauthorized disclosure of PHI by an employee. Our team assessed potential notification requirements, retrieved data from various devices used by the former employee and her family, and developed creative alternatives to address emerging issues not covered by regulatory guidelines.
• Members of Dorsey’s data protection team represented a health care organization in an Office of Civil Rights investigation of potential HIPAA violations following a data breach involving over 38,000 individuals.
• Dorsey represented a human capital management company in a class action lawsuit arising from a third-party hacker. Plaintiffs alleged that because the hacker accessed their personal information, they faced an increased risk of identity theft, and were forced to pay for credit monitoring and identify theft protection. A New Jersey trial court granted Dorsey’s motion to dismiss on the grounds that Plaintiffs lacked standing to sue absent alleged actual misuse of their personal information or actual identity theft. The Third Circuit affirmed.

Proactive Prevention

• A Fortune 500 multi-national corporation turned to Dorsey to assess its privacy and data protect policies and procedures, and completely update them. Our attorneys worked with a multi-dimensional in-house team to determine data collection, flow, retention and destruction; access protocols; EU-data transfers; certification requirements; and ongoing compliance monitoring.
• A Dorsey cybersecurity team analyzed potential privacy and data protection issues associated with a risk management solutions company’s potential acquisition of a mobile app authentication service.
• Dorsey counsels a nationwide retailer on the constantly evolving best practices for structuring communications to customers of its pharmacy operations.
• Dorsey’s privacy group drafted a complex set of website terms for use in 21 countries, with significant user-generated content issues, using its knowledge of international privacy laws to provide insight and practical advocacy.
• Our team assisted a Fortune 100 insurance company in drafting and implementing an internal social networking policy.
• Dorsey regularly advises clients with European online presence on how they can benefit from immunity from liability in relation to user-generated content under the eCommerce Directive and on the pit-falls presented by the Privacy in Electronic Communications legislation in relation to matters, such as the use of cookies in websites and the challenges of targeted advertising.
• We have deep experience in registering both generic and country code domain names for clients and in counseling clients on managing their domain name portfolios to deter cybersquatters.

Compliance

• A Native American gaming organization turned to Dorsey for assistance in developing assessment mechanisms to ensure compliance with guidelines and regulations for data and privacy protection and reporting. This project included assessment of applicability of state breach laws to a sovereign tribe, potential waiver consequences associated with voluntary compliance and mechanisms for ongoing assessment and improvement of policies and procedures.
• Dorsey served as general counsel to a public-private Health Information Exchange formed to facilitate the exchange of health information electronically in compliance with HIPAA/HITECH.
• Working with app developers, our privacy compliance professionals have counseled on designing apps in compliance with the FTC’s endorsement guidelines.
• Dorsey has extensive experience with counseling clients on complying with and drafting policies concerning the Digital Millennium Copyright Act, the CAN-SPAM Act, the Communications Decency Act, the Children’s Online Privacy Protection Act, online behavioral advertising principles, and other internet-related laws.
• Dorsey has helped numerous app developers design online advertising platforms and draft user rules in compliance with the FTC’s endorsement guidelines.
• Our Financial Services privacy lawyers develop and audit internal privacy procedures to address both Graham-Leach-Bliley Act compliance and customer expectations for their personal financial information.
• Dorsey Financial Services privacy practitioners also assist in dealing with subpoenas and other legal processes served on clients that trigger Graham-Leach-Bliley issues.
• When two of its former financial advisors refused to return confidential client information, a financial services company hired our cybersecurity litigators to represent it in two different state court actions implicating the Gramm-Leach-Bliley Act. In both matters, the courts granted motions for a temporary restraining order preventing a former financial advisor from using or further disclosing the confidential information. FINRA (Financial Industry Regulatory Authority) arbitration panels subsequently approved the company's requests for a permanent injunction requiring the former advisor to, among other things, return the information.
• A brokerage firm relied on Dorsey’s cybersecurity practitioners to handle a class action suit relating to a database containing certain confidential personal and financial information of approximately 250,000 of the client’s then current and former customers. The database was compromised by a computer hacker who illegally obtained access to the information through a sophisticated network intrusion. Plaintiffs alleged violations of the Fair Credit Reporting Act, breach of contract, violations of the Montana Consumer Protection Act, negligence and negligence per se. After our client filed its motion to dismiss, the parties entered into a class-wide settlement agreement, which was approved by the Court.