Today's digital world presents both great opportunity and risk. From a discrete deal to the most complex incident response, Ballard Spahr's cross-disciplinary team helps clients achieve their objectives and mitigate cyber risk.

Our team of over 50 attorneys across the country works closely with our clients—leveraging industry vendors when needed—on all aspects of information risk management programs, privacy and data security issues in transactions, legal and regulatory compliance, vendor assessment and management, privacy and information security disclosures, cyber incident response planning, employee and vendor training and awareness, and information governance. We also are investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and both civil and criminal litigation.

Privacy and Cybersecurity Counseling

Day-to-Day Counsel and Information Risk Management: Our attorneys advise clients on privacy and security considerations in designing and implementing their products and services throughout their data life cycles. We conduct information asset inventories and data mapping, design and execute comprehensive risk assessments, and help clients develop data security and cyber-incident response policies and programs that comply with federal and state laws, self-regulatory rules, and industry best practices.

We also assist clients in preparing for third-party assessments and audits and design information governance plans. As part of our advice on organizational governance, we help formulate presentations on privacy and security issues and initiatives to boards of directors and senior officers, and deploy training and awareness programs throughout their workforce. We also assist clients with drafting legal disclosures relating to information risks and risk management practices.

Transactions and Vendor Management: Engaging in transactions where others will have access to sensitive data or systems multiplies the privacy and security risks to an organization. We help clients assess vendors, business partners, and other external entities by conducting legal due diligence focused on privacy and data security. We then develop appropriate risk management programs to govern these relationships. We also assist in drafting and negotiating transactional documents, handling post-closing issues, and monitoring contractual compliance.

Cross-Border Transfer: We counsel clients on the privacy and data security aspects of cross-border transactions and data flows. We help clients map cross-border data transfers and assist in designing and implementing cross-border data transfer mechanisms, including those pursuant to the EU-US Privacy Shield. Our attorneys work with clients on compliance with the EU Data Protection Directive, the EU "Cookie Directive," and in preparing for the General Data Protection Regulation (GDPR).

Regulatory Compliance: We help clients comply with state, federal, and international laws, regulations, and industry standards relating to privacy and data security. We assist in the development and maintenance of privacy and data security policies and programs needed to comply with the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act (GLBA), Fair Debt Collection Practices Act (FDCPA), Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), CAN-SPAM Act, Children's Online Privacy Protection Act (COPPA), New York Department of Financial Services (NYDFS) cybersecurity regulations, state and federal unfair, deceptive, or abusive acts or practices (UDAAP) laws, as well as self-regulatory rules. We draft consumer agreements and disclosures; negotiate and draft commercial agreements with third parties; advise on advertising and marketing requirements; represent clients in examinations, rulemakings and regulatory enforcement actions; and assess the impact of evolving federal, state and international laws and judicial decisions on privacy and data security compliance.

Privacy and Consumer Marketing Compliance: We work seamlessly with clients on deploying advanced marketing solutions, such as brand loyalty programs, social media channels, and behavioral advertising. We help design corporate and IT initiatives that comply with applicable privacy and data security laws without compromising the client's business needs or culture. We understand a range of specific data environments, allowing us to advise on: point of sale payments, e-commerce practices, online privacy practices, telemarketing policies, website and mobile accessibility, identity and access management, and physical security practices. We also draft and review consumer-facing disclosures and marketing materials.

Cyber Incident Response

Cyber Incident Response Planning: Careful planning is the best way to ensure an efficient and defensible response to a cyber incident. Key components of our proactive approach include:

  • privileged and periodic cybersecurity assessments
  • the creation and refinement of data security and cyber incident response plans
  • employee/vendor training to implement a holistic information security program
  • "table top" exercises under simulated cyber incident scenarios
  • periodic updates on the evolving threat landscape
  • "lessons learned" reviews from cyber incidents around the globe

We leverage our relationships with law enforcement, cybersecurity and forensic investigators, breach notification vendors, and communications/crisis management professionals to help our clients develop turnkey response solutions before they are needed.

Cyber Incidents and Data Breaches: We have handled a multitude of cyber incidents in a variety of areas, with a significant concentration in the financial services, media and entertainment, health care, hospitality, manufacturing, technology and education industries. We are available around-the-clock, every day, to quickly mobilize a scalable response to any cyber incident. We handle incidents from garden-variety data breaches to national security threats, seamlessly integrating into our clients' internal and external teams to craft a comprehensive and tailored response under the protection of attorney-client and other applicable privileges. We assist in:

  • directing investigations and responses to cyber incidents
  • interacting with law enforcement and intelligence communities, as well as privacy and cybersecurity regulators at the federal, state, and international levels
  • devising strategies and preparing materials for cyber incident notifications
  • implementing post-incident remediation plans

We help clients prepare for and manage all contingencies that may follow such notifications and the public release of information about cyber incidents.

Investigations and Litigation: Our team members have engaged in hundreds of internal and governmental investigations covering every major type of cyber incident, including network intrusions; digital espionage; identity and intellectual property theft; ransomware, wiperware, and other destructive attacks; Internet-facilitated fraud; export control violations; cyberstalking, extortion and online threats; obstruction of justice; online child exploitation; and terrorism. We have particular experience in managing advanced persistent threats and ongoing investigative interactions with law enforcement and intelligence communities. We advise on cyber-based national security issues, as well as governmental demands for third-party data and assistance in investigations, including subpoena and warrant response. We also are deeply experienced in responding to non-malicious cyber incidents, such as the lost device, operational error, inadvertent electronic transmission, or technological glitch resulting in data exposure.

Our team of experienced litigators represents clients as victims, witnesses, and targets in government investigations and regulatory, civil, and criminal litigation. We handle pre-litigation planning and negotiation, eDiscovery and pre-trial litigation, as well as trial and appellate advocacy on a full range of cyber-related disputes. These cases typically involve consumer protection, intellectual property, labor and employment, tort, contract, insurance, speech, privacy, defamation, constitutional, and criminal issues. We have significant experience in privacy class action litigation across various industries, including financial services, life sciences, education, communications, and technology.

In matters involving criminal conduct, we ensure that our clients' rights, as victims, are fully protected throughout the investigative and litigation processes. We conduct internal investigations; prepare employees for law enforcement interviews, grand jury, and courtroom testimony; protect confidential and proprietary information in discovery and at trial; and advocate at the sentencing phase. We also seek to utilize the civil and criminal litigation processes to recover assets, seize criminal proceeds, and dismantle cybercrime infrastructure, where possible.