Data Security & Privacy
Helping clients comply as they innovate.
Our team of business, intellectual property and litigation attorneys advises on all aspects of privacy compliance, information handling, data security, breach preparation and response, enforcement and other related litigation. We guide clients in taking practical steps to meet their legal obligations, mitigate operational and reputational risks, and institutionalize resilience through effective digitization and data management solutions.
We recognize that an effective compliance program or incident response plan must be tailored to each client’s operations, data practices, and risk profile. We draw upon our collective experience and deep regulatory knowledge to help clients enhance their organization’s cybersecurity architecture, respond strategically to breaches, and navigate their legal and regulatory requirements in the U.S., Europe and globally.
Key Contact
Member
Florence, KY
How We Help Clients
Our data security team not only understands the cyber-threat landscape, but we know where to prioritize. We help clients identify system vulnerabilities, incorporate security-by-design principles where necessary, and develop proactive incident response plans to minimize the legal and reputational impact of cybersecurity threats. In the event of a data breach or ransomware attack, we work with clients to contain the threat, recoup losses, draft and issue disclosure statements, and take appropriate steps to limit their legal and regulatory exposure. We also advise clients on the scope and application of cyber risk insurance policies and protections, including the negotiation of favorable terms and conditions.
As the frequency and sophistication of cybercrimes have increased, we’ve built a robust practice around assisting companies in the immediate aftermath of actual ransomware attacks—both for clients who have incident response plans and those who do not. We frequently act as “Breach Coach,” coordinating with our clients’ leadership and IT teams to mount a calculated response. We oversee and direct various breach response activities, including forensic investigations, coordination with law enforcement agencies, compliance with all applicable state breach notification laws, compliance with contractual notice obligations, and responding to inquiries from the Federal Trade Commission and state attorneys general.
Experience Highlights
- Served as breach coach in a ransomware attack upon a foreign-owned mid-tier automobile manufacturing business located in the Midwest that was attacked by the Sodinokibi aka REvil ransomware malware variant. Responsibilities included organizing the company’s response, vendor retention (forensics, evidence analysis, translation and intermediary services), overseeing the stakeholder communication matrix, law enforcement, employee relations, threat actor negotiations and pursued the subrogation action to recover for the client’s benefit the principal part of its out-of-pocket losses.
- Served as breach in a ransomware attack for a financial institution located in the Midwest that was attacked by the Avvadon ransomware malware variant. Responsibilities included working as a team with the insurer, organizing an incident response strategy, vendor retention (public relations, forensic, post-attack security, intermediary and call center services), drafting external and internal communications, interaction with financial regulators, overseeing the stakeholder communication matrix, employee meetings, threat actor negotiations, data breach notification guidance (consumers and state AGs) and Call Center/Credit monitoring matters.
- Served as breach coach in a ransomware attack on a Texas-based manufacturer of renewable energy products attacked by the SunCrypt ransomware malware variant. Responsibilities included organizing the company’s response strategy, vendor retention (forensics, intermediary and post-attack security services), overseeing the stakeholder communication matrix, law enforcement, employee relations, threat actor negotiations and data breach response work.
- Assisted a national restaurant chain with a credit card data breach in dozens of states with over one million card exposures. Responsibilities included emergency response coaching, breach evaluation, breach notification, breach vendor management, liability assessments, negotiations with processors, acquiring banks, issuing banks and card brands, and litigation support.
- Assisted a large multinational corporation with its evaluation of and response to a ransomware attack that crippled all corporate servers, including human resources and payroll.
- Assisted a company with response and notification arising from infiltration of the company’s system that altered payroll files processed by a third-party payroll processor. Responsibilities included working with a forensics investigation firm, coordination of notification to employees, and negotiation with the cyber liability insurance provider.
- Consulted with an international manufacturing business regarding a “phishing” incident directed at employees’ personal data. Responsibilities included identification of the scope of attempted intrusion, analysis of potentially applicable law of multiple jurisdictions, and assessment of technological safeguards in place to prevent an actual security breach of the information systems in question.
- Advised a midsized consumer retail services business on response to employee theft of personal information from company systems. Worked with the client’s IT department to identify access and attempted misappropriation of information and coordinated with law enforcement for potential prosecution and assessment of any breach notification.
- Assisted a large multinational corporation with its evaluation of and response to a ransomware attack that debilitated all corporate servers, including human resources and payroll.
Key Contact
-
Gene F. Price
Member
Louisville, KY
Our team emphasizes a coordinated approach to risk assessments and the development of compliance solutions for our clients, drawing upon the broad experience of our group and the firm’s industry-specific knowledge. We believe that being proactive with respect to data privacy and security compliance obligations, while incorporating privacy-by-design principles where possible, ensures that our clients remain responsive to the expectations of government regulators and ahead of their competition in this escalated privacy environment.
Our team includes IAPP-certified privacy professionals in both U.S. and EU law, as well as former technologists, engineers, and software developers. While each attorney on our team brings a distinct skill set, the one common denominator is that we are all fluent in the underlying technology and sophisticated data management systems used by businesses competing in today’s data-driven economy. We stay on top of legal developments in this complex and rapidly changing environment, making us well-positioned to help our clients navigate their regulatory requirements in the United States, Europe, and globally.
Experience Highlights
- Advising private and publicly traded companies regarding the collection, use, protection, and disclosure of confidential and personal information.
- Advising companies regarding compliance with the European Union’s General Data Protection Regulation (GDPR) and related laws, as well as the California Consumer Privacy Act and other state privacy laws.
- Advising companies on domestic and international laws affecting cross-border transfers of confidential information, as well as the necessary content of privacy notices.
Key Contact
-
Michael E. Nitardy
Member
Florence, KY
Increasingly, a company’s data and information assets are as valuable as their material assets, with the potential to create efficiency gains and significant growth opportunities. Our team helps clients assess the strengths and weaknesses of their data governance and record retention practices, while harnessing the power of data to make strategic decisions and improve organizational performance.
We offer experienced counsel on the development and implementation of comprehensive information governance and data security programs and policies, along with training to boards of directors, executives, and employees on managing cybersecurity risks. We also conduct due diligence in connection with company mergers and acquisitions, including privileged and proprietary issues review and analysis.
Experience Highlights
- Advised a midsized consumer retail services business on response to employee theft of personal information from company systems. Worked with the client’s IT department to identify access and attempted misappropriation of information and coordinated with law enforcement for potential prosecution and assessment of any breach notification.
- Etc.
- Etc.
- Etc.
-
Robert W. Dibert
Counsel
Louisville, KY