Cybersecurity and Data Privacy

As companies manage or store increasing amounts of data, cybersecurity and data privacy issues and obligations transcend geographies to become huge assets or liabilities. The costs associated with a data breach or other cybersecurity event can be devastating, and thus protecting organizations from a breach has become the responsibility of senior executives and directors. Every company must implement appropriate safeguards and best practices to protect data, comply with the many regulations and statutes, and minimize risks. The failure to follow proper cybersecurity and data privacy protocols can expose an organization to significant liability.

Carter Ledyard’s Cybersecurity and Data Privacy Group helps clients to better understand the ever-changing landscape of cybersecurity and data protection threats and how to best address those threats. We counsel clients on a wide variety of cybersecurity and data privacy issues, including:

Development of cybersecurity, data protection, and privacy policies
Compliance counseling
Corporate governance
Data protection and breach prevention
Risk assessment and management, and mitigation strategies
Incident response planning and execution, and related investigations
Incident reporting and disclosure in accordance with regulatory requirements
Third-party vendor assessment and management
Cybersecurity insurance assessment
Litigation
Mergers and Acquisitions due diligence

Our Cybersecurity and Data Privacy team collaborates across numerous practice areas, including litigation, intellectual property, corporate transactions, employment and financial services regulations. This diversity of experience enables the Cybersecurity and Data Privacy Group to provide clients with well-rounded advice on developing, strengthening, testing, and enforcing their information protection policies and procedures. The Group has advised for-profit and not-for-profit clients of various sizes, from small firms and start-ups with limited resources to middle market firms and large, public companies, helping clients navigate the myriad of state, federal and international cybersecurity and data protection regulations and guidelines.

Our attorneys have helped clients develop cybersecurity and data privacy programs and manage related challenges, including:

Advised an international technology company in connection with a cyber ransomware attack and associated disclosure obligations.
Prepared and updated privacy policies, terms of use, cookie policies, and notices of consumer rights under the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) for many clients, including for-profit and nonprofit entities across many industries, such as textiles, cosmetics, cannabis, and e-commerce.
Reviewed privacy policies, terms of use, and other privacy documents of target companies in connection with due diligence efforts for M&A transactions.
Provided advice to foreign clients on cyber risk disclosures in publicly filed documents, including those filed with the SEC.
Advised a non-profit in connection with a data breach resulting in the disclosure of personal data, which involved incident response and an assessment of regulatory reporting obligations.
Responded to a regulatory inquiry on behalf of a broker-dealer in connection with a cyber attack, and advised on the client’s cybersecurity policies, procedures, and incident response plan.
Conducted a cybersecurity assessment and developed cybersecurity policies and procedures, an incident response plan, and vendor due diligence protocol for a FinTech company
Advised international organizations on GDPR compliance
Advised an industrial conglomerate in connection with a data breach resulting in the theft of a domain name and website, which involved a forensic investigation, litigation, and related strategies to recover the domain name
Analyzed conflicting U.S. and foreign regulations regarding data and employee privacy for a global financial firm engaged in private banking, asset management, and investment banking
Drafted a GDPR-compliant privacy policy and terms of use for a not-for-profit membership corporation with members in the U.S. and abroad
Assisted a not-for-profit organization in developing a standard certification of cybersecurity best practices to be included in its third-party contracts
Responded to a regulatory inquiry on behalf of a broker-dealer in connection with a cyber attack, and advised on the client’s cybersecurity policies, procedures, and incident response plan

View Our “Looking Ahead” Cybersecurity and Data Privacy section

Introduction to Cybersecurity Enforcement and the NY SHIELD Act – A Video Series

News & Insights

Latent Ambiguities in New York’s Digital Fair Repair Act as Finally Enacted

SEC Adopts New Cybersecurity Disclosure Rules for Public Issuers

Understanding Tech Terms: Cybersecurity, Crypto, and Data Privacy — Part IV

The Growing Risks of Collecting and Using Biometric Data: Regulations in New York and Elsewhere

Jonathan Trafimow Joins Carter Ledyard’s Employment Law Practice as Partner

No Way Out: Antitrust Considerations Buttress Right To Repair Statutes