Data Security and Privacy

Ice Miller’s Data Security and Privacy Practice has extensive legal and real-world technological experience. 


As former information technology professionals, system engineers, and analysts, our attorneys understand the technologies involved in data and are able to effectively and efficiently advise clients on all aspects of the complex business, technological, legal and regulatory issues that relate to protecting such information. With experience throughout multiple legal disciplines, Ice Miller provides end-to-end coverage of privacy and data security issues.  We aid clients in developing information privacy and security programs, modifying such programs to reflect changes in the business or legal landscape and investigating and responding as quickly as possible to incidents that might arise.

Because a significant portion of data breaches are often related to current or former employees, we advise businesses on dealing with data privacy issues and developing security plans suited to their particular industry. Employees are often at the front line of data breaches, and we assist business and government clients with drafting appropriate employee policies, including bring-your-own-device (BYOD) policies, overall record/data retention procedures and training to heighten security awareness of management and other employees with data access. We also assist clients in dealing with employee social media and e-privacy issues.

Incident Response and Investigations

We have worked with clients to investigate and respond to many incidents and data breaches involving the loss or misuse of consumer, employee or business information. We have assisted private businesses, including restaurants, online retailers, investment firms, hospitals, universities, housing complexes, and multi‑national manufacturers, in evaluating legal obligations across federal and state law in 47 states related to data breach notification requirements and response.
Our attorneys stay up to date on federal and state data breach laws and have experience working alongside internal client data security and privacy teams or outside vendors to find and understand the issues resulting from an incident based on these laws.  Ice Miller also helps clients develop a practical strategy in an incident situation that includes accessing insurance coverage, responding to media inquiries, addressing consumer expectations, evaluating ransom demands against company information, and reacting to the incident as it evolves.
Information Security and Privacy Programs

Whether clients need an information security and/or privacy program built from the ground up or modified in light of the ever-changing legal and business landscape in this area, we are prepared to assist. Ice Miller attorneys have successfully worked with engineers, managers, executives and third parties to construct practical information security and privacy policies and processes that address regulatory compliance, applicable law and business needs.
Cyber-Liability Insurance Recovery and Counseling
Our practice includes assisting clients in insurance coverage matters arising out of data and network security matters, managing claims, coordinating claim activity with insurers and advocating policy construction that maximizes insurance recovery. We also provide policyholders with counseling on pre-loss issues, ranging from assessments of coverage for particular risks to help with securing favorable coverage terms under specialty technology and cyber-liability insurance policies.
International Data Transfer and Protection

Clients seek and receive our counsel on the collection and processing of information under international legal frameworks and changes to the same, including PIPEDA, Canada Anti-Spam Legislation and upcoming requirements found in the EU General Data Protection Regulation ("GDPR"). This work includes assistance with transferring information outside of the EU through binding corporate rules, standard contractual clauses, and tracking of international agreements for transfer, like EU/US Privacy Shield.

North American Electric Reliability Corporation (NERC) 

Ice Miller's Data Security and Privacy Practice serves clients’ general information security needs and assists with North American Electric Reliability Corporation (NERC) compliance, including Critical Infrastructure Protection (CIP) standards and Operations & Planning (693) standards. Our NERC CIP and 693 clients span the eight Regional Entities. Our familiarity and direct client experience with many of the eight Regional Entities allows us to evaluate the varying interpretations of CIP and 693 standards to ensure our clients' needs are properly considered.
We also advise clients on the NERC enforcement process, including pre-audit and audit preparation, spot checks and self-reports. We have sat as first chair attorneys representing clients during multiple audits, and we have helped our clients gather evidence, prepare subject matter experts and generally prepare for these audits. Our experience also includes conducting gap analyses and mock-audit preparation and assistance, compliance with reliability standards and post-audit activities, including negotiations with NERC and regional entities.

HIPAA Compliance and Audit Response
The U.S. Department of Health & Human Services (HHS) is continuing to increase the frequency and rigor of HIPAA audits covering the Privacy and Security Rule. We work hand-in-hand with our covered entity and business associate clients to prepare for increased regulatory oversight by implementing or refining HIPAA compliance programs. In one example, our team includes a former HHS investigator who now conducts risk assessments for our clients to better understand how to protect patient information and remediate compliance gaps.

The collection, processing, transfer and retention of information may create issues in business to business transactions, including mergers, acquisitions, joint ventures, outsourcing, licensing and commercial agreements. Identifying and addressing privacy and data security issues in a deal prior to execution is critical for some deals. We work closely with Ice Miller’s Business Services team to help build successful transactions for our clients.
Practice Areas of Concentration

Litigation and Investigations

  • Data Breach and Incident Response, Investigation and Litigation
  • Regulatory Agency Investigations into Data Privacy and Security Standards and Best Practices
  • Government Agency Data Requests
  • HIPAA-based Audits by the HHS Office for Civil Rights 
  • Online Defamation, Right of Publicity
  • North American Electric Reliability Corporation Audits
  • PCI-DSS Compliance Audits

  • EU Data Protection Issues
  • Cybersecurity and Network Intrusion Issues
  • Ransomware and Cyber Extortion Response, Prevention, and Remediation
  • Insurance Coverage Analysis and Loss Recovery
  • Global Data Protection and International Data Transfers
  • Public and Private School and University Data Privacy Compliance
  • Legal Compliance and Information Security Assessments
  • Issues with Collection and Use of Employee Information
  • Implementation of Industry Best Practices in Data Privacy and Security
  • Information Management and Governance
  • Data Analytics and Big Data Concepts
  • Proper Collection and Use of Financial Information, including Credit Card Information
  • Online Privacy Policies and Terms of Use
  • Data Mapping
  • HIPAA Security Rule Risk Assessments
  • HIPAA Privacy Rule, and Breach Notification Rule Compliance
  • Advising several clients in preparing for both NERC Operations & Planning and CIP audits, including acting as a lead mock auditor
  • Assisting with gap analyses, mock audits and audits for both CIP and Operations & Planning NERC audits

Representative Experience

Incident Response
  • Assisted Fortune 100 information technology provider in analysis of fraud activity and management of forensic vendors, fraud loss analysis team, and insurance.
  • Assisted consumer software and device company in response to active data breach and extortion situation, including coordination between multiple forensics vendors, insurance, and company IT resources.
  • Assisted a retail brand, large data provider, investment firm and other entities in navigating insurance policies and litigation opportunities to recover losses from data breaches, including forensic and legal expenses and losses attributable to the breaches.
  • Represented a large data provider in identifying the scope of and responding to a data breach where a malicious third party utilized a distributed denial of service attack as a cloak over data exfiltration and a wire fraud attack.  Our work included handling public-facing communications, evaluating contractual obligations, and assessing federal and state legal obligations.
  • Advised private businesses ranging from a small-town restaurant to a multi‑national manufacturer in evaluating legal obligations across federal and state laws related to data breach notification requirements and response.
  • Assisted a multi-state landlord in addressing international laws as they relate to data breach response for foreign visitors.
  • Counseled a direct-mail marketing company in assessing whether misdirected mailings constituted a reportable security incident under Indiana law.
Health Care
  • Ongoing advice to health care providers in assessing and responding to a patient privacy complaint and determining whether a HIPAA breach of unsecured PHI had occurred.
  • Assisted a health care provider in determining whether handling of paper medical records constituted a HIPAA breach of unsecured PHI.
  • Represented clients during audits of HIPAA compliance by the Office for Civil Rights at the U.S. Department of Health and Human Services.
Employer Protections
  • Advised domestic and international clients in developing employee policies to protect corporate and customer data, including bring-your-own-device (BYOD), acceptable internet/e-mail use, mobile access and secure travel protocols.
  • Provided managerial and key staff training on the importance of data security and corporate security policies, as well as what constitutes a breach and how to appropriately respond if a breach occurs.
  • Defended, and continue to defend, litigation filed by several plaintiffs based on a reported data breach.
  • Defended clients in class action litigation due to privacy related matters including claims under the Telephone Consumer Protection Act (TCPA).
  • Pursued and defended claims under the Computer Fraud and Abuse Act (CFAA).
  • Advised many IT service providers, including IaaS, PaaS, and SaaS providers on development and implementation of information security and privacy programs designed to assess risk and/or comply with industry standards and frameworks.
  • Assisted a real-time operator and vertically integrated utilities in preparation of and acted as lead counsel during federally mandated cyber security audits.
  • Evaluated contracts with a lens towards data security and privacy during the IT procurement process.
  • Developed and implemented consumer-facing privacy statements and contracts that provide privacy commitments, acceptable use, and a privacy complaint process.
  • Evaluated and responded to consumer privacy complaints on behalf of IT service providers.
  • Developed, implemented, and been involved in testing of incident response plans.
