Unlike some “big firm” privacy and cybersecurity practices, our practice isn’t focused on hourly billings from massive data breaches. We are more than happy to help a client dust off and regain its footing after a breach, and to defend any associated litigation, but our primary goal is to reduce the likelihood that litigation will arise by helping clients build cost-effective yet powerful privacy and security programs and maintain them over the long term.
We will assist organizations of all shapes and sizes, but we focus our efforts on:
- professional services firms like law firms, dental practices, and medical practices
- local governments
- school boards and educational nonprofits
- other nonprofits
- state-chartered banks and credit unions
- introducing brokers and independent financial advisors
- contractors and other participants in the construction industry
- software developers
- manufacturers of products that are part of the Internet of Things
Neil Riemann leads this practice. He holds a Certified Information Privacy Professional (CIPP/US) credential from the International Association of Privacy Professionals and also has technical experience with software development and information security. He actively participates in the Sedona Conference’s Working Group 11 on Data Security and Privacy Liability as well as the activities of the Information Systems Security Association and the North Carolina Technology Association. He also presents on legal topics at conferences of privacy and security professionals like the Triangle InfoSeCon, and he maintains the blawg known as nccyberlaw.com.
More detailed information about specific aspects of the practice can be found below.
Information Privacy and Security Policies
We help all types and sizes of organizations develop comprehensive written privacy and security policies that satisfy business needs while still complying with applicable domestic and foreign legal requirements. These policies consider all aspects of an organization’s operations, including things like the organization’s legal and practical information security and record retention requirements, the privacy implications of the organization’s products or services and its operations, employee use of social media, employee use of mobile devices, location tracking, and the management of vendors and subcontractors receiving shared information.
We help organizations draft privacy statements that satisfy applicable legal requirements and explain their public-facing privacy practices to their customers or clients.
Organizations often entrust personal or other sensitive business information to third-party vendors like call centers and cloud service providers. In a typical case, they are legally and practically required to oversee the performance of that third party as it pertains to the information shared. We can help organizations implement contracts that allow effective oversight without imposing unnecessary liability, and we can show them how to monitor contract performance effectively.
As we noted at the outset, we will advise and represent any type of organization that suffers a data breach. We can provide advice on how to address the breach, oversee a privileged investigation, and, if necessary, mount a cost-effective defense in litigation.
Many state bars affirmatively impose on lawyers an ethical duty of technological competence as well as more specific duties with respect to the use of certain technologies like cloud services. Clients, particularly in regulated industries, may impose similar burdens. We can help law firms establish comprehensive written privacy and security policies that will satisfy the Bar and regulators alike and, more importantly, help firms effectively implement the policies by pointing them toward hardware and software tools and informational resources of value to their practices.
Medical and Dental Practices
HIPAA includes both Privacy and Security Rules. These impose duties on medical and dental practices that require them to keep patient information confidential and protect it from disclosure. As with law firm clients, we can help these practices establish comprehensive written privacy and security policies that will satisfy regulators and clients, and we can help them effectively implement the policies by identifying hardware and software tools and informational resources of value to medical practices.
We can advise local governments on how best to balance the public’s right to know against the privacy rights of their citizens while complying with all applicable laws. We have both legal and technical familiarity with techniques like anonymization and pseudonymization as well as evolving phenomena like the dissemination of so-called “big data” and other information via “open data” portals and other mechanisms.
School Boards and Education Nonprofits
We have a detailed understanding of FERPA, the PPRA, and COPPA, and we can advise both school boards and educational nonprofits on the privacy rights conferred on parents and children by those federal laws. We are also well versed in state laws related to education privacy.
We can also advise educational organizations about the privacy issues raised by many of the actual tools, apps, and other technologies in use today.
We also understand the Institutional Review Board, data privacy, and security requirements that apply as school boards, schools, teachers, and educational nonprofits alike rely more and more on third parties to perform research, to provide education, and to test or evaluate students or programs. We can advise our clients on all of these matters.
Many nonprofits are cash-strapped and therefore fail to give due consideration to information privacy and cybersecurity. This is a mistake. Depending on the consumer’s need for the product or service provided, she may not be free to abandon a for-profit enterprise after a breach. But a nonprofit’s donor base and customers are less likely to be constrained in that way, so a breach can be that much more dangerous. The information privacy and cybersecurity requirements applicable to most nonprofits are manageable, and we can help nonprofits implement appropriate programs to manage them.
While most national banks have fairly sophisticated information privacy and cybersecurity programs in place to satisfy regulatory requirements, many state-chartered banks and credit unions struggle to keep up with these requirements. We can help these smaller competitors satisfy federal and state privacy laws as well as evolving cybersecurity requirements and expectations, thereby minimizing the likelihood of regulatory action or a significant breach and the financial and reputational damage that would follow.
Brokerages and Investment Advisors
The SEC and FINRA have recently stepped up their examination of information privacy and cybersecurity practices in the securities industry. These stepped-up examinations have resulted in increased enforcement. While many large brokerages are now well prepared, many introducing brokers and smaller investment advisors are not. We can advise these brokerages and advisors on the implementation of privacy and security programs that will withstand regulatory scrutiny and reduce the likelihood of a data breach or interruption of service due to hacking.
Construction Industry and Manufacturing
Our construction industry and manufacturing clients do not face the sectoral regulation of privacy and cybersecurity that applies to some other types of business or the lawsuits and reputational risk often associated with massive breaches of consumer data. While they have confidential information and trade secrets to protect, they may be more concerned with hacking that impairs their access to, or the integrity of, their information systems. Our firm has expertise in both the law of cybersecurity and the tools organizations use to catalog and address these risks to information technology infrastructure.
Software and App Developers
The Federal Trade Commission investigates and takes enforcement action against online services and app providers that deceive consumers or treat them unfairly. The most typical action against a service or app involves the provider’s use, or misuse, of a customer’s personal information. We are very familiar with the FTC’s investigations and enforcement actions in this area, and we can help developers implement an application that satisfies the FTC’s expectations and complies with other applicable laws regarding information privacy or cybersecurity.
Developers for the Internet of Things
As is the case with apps and other software, the Federal Trade Commission also takes a dim view of products for the Internet of Things that misuse, or fail to disclose how they use, personal information. The Commission expects manufacturers of such products to incorporate both privacy and security considerations in the design and sale of their products. We also understand the FTC’s views in this area well, and we can help developers manufacture products that satisfy the law’s and the FTC’s requirements.