Data Security and Privacy

Ice Miller’s Data Security and Privacy Team: Technological and security experience focused on solutions for clients' real world legal needs.

Cybersecurity and data privacy represent serious business risks. Our team of data security and privacy attorneys seek to turn these risks into manageable business opportunities.

Our data security and privacy lawyers are intimately familiar with technology and associated security risks—our data security and privacy team includes information technology professionals; systems, network, and security engineers; software developers; and former CIA and defense department intelligence officers. We are well-versed in dealing with integration of technologies and software into business processes and enterprise systems, which enables our team to guide our clients to realistic and practical solutions to complex legal and regulatory issues. We understand that data security and cyber security are real risks for organizations, and by leveraging our expertise, clients know they are compliant and have the systems in place to mitigate cybersecurity risks should a cyberthreat materialize.

Our data security and privacy team has the legal resources that span information security, data privacy, personnel and physical security, our team can help clients implement end-to-end coverage of privacy and data security issues. We routinely design and implement information privacy and cybersecurity programs that reflect a client’s business and legal imperatives. Our data security and privacy team has the experience to navigate the specific cybersecurity needs for each client and across different industries. When problems arise, our incident response capabilities range from dealing with ransomware and malware events to managing the complex regulatory demands of breach notification and defending clients in state and federal courts.

Our attorneys include thought leaders in many key areas of information security and data privacy. This includes lawyers who take leading roles in developing best practices in data security, others who speak frequently to international audiences on issues such as cyberthreats, and others who serve as instructors for leading security and privacy organizations. As cyberthreats become an increasingly likely risk for businesses and organizations, proactively seeking counsel with specific expertise in data security and privacy laws mitigates risks and helps businesses arrive at resolutions more quickly.

Click the icon below to learn more about each area of practice.

Incident Response

Privacy & Data Protection

Risk Assessments / Compliance

Insurance

Incident Response

Incident response is a 24/7, high-velocity challenge. In the initial 24-48 hours, an effective response to a ransomware attack, an attempted fraud event or an industrial espionage compromise can prevent long-term financial, reputational, operational and legal crises. Our team’s experience, gained in handling hundreds of incidents for companies and in U.S. intelligence community and law enforcement, allows us to prioritize practical and responsive approaches to serious incidents.

We strive to continually monitor the evolution of threats and the vulnerabilities that are exploitable to inform our response protocols. Our team is well versed in the complex issues around federal and state breach laws and has developed relationships with regulators, law enforcement, and the intelligence community around the world to call upon when a client is in need. We are also experienced at the collateral and downstream implications that may arise with legal claims and regulatory enforcement.

Our team is adept at building and testing incident response plans and frameworks, conducing simulations and tabletop exercises and training executives, boards of directors, engineers, and anyone involved in response. We have also handled incident response for defense contractors and companies operating in the critical infrastructure sector.

Privacy & Data Protection

Providing counsel in the rapidly evolving legal landscape in privacy requires attorneys who have their pulse to the ground in this space. Our team has developed an integrated approach to data privacy and protection for clients across multiple sectors, many of them operating internationally. We strive to develop practical solutions that allow companies to demonstrate compliance with the EU’s General Data Protection Regulation (GDPR) to state-by-state laws in the United States. We approach privacy and data protection by focusing not only on what the laws and regulations require, but also understanding the myriad options for companies to calibrate business processes to comply with these requirements. Our team is adept at examining broader data “supply chain management” that is essential to an effective data privacy program.

Our attorneys stay up-to-date on federal and state data breach laws and have experience working alongside internal client data security and privacy teams or outside vendors to find and understand the issues resulting from an incident based on these laws. Ice Miller also helps clients develop a practical strategy in an incident situation that includes accessing insurance coverage, responding to media inquiries, addressing consumer expectations, evaluating ransom demands against company information and reacting to the incident as it evolves.

Clients also seek and receive our counsel on the collection and processing information under international legal frameworks and changes to the same.

Risk Assessments / Compliance

Risk assessments are the starting point for effective cybersecurity and data privacy programs. Our team is able to apply knowledge and frameworks to these enterprise risk management challenges. We are knowledgeable and experienced in using frameworks such as those of the National Institutes of Standard, the CIS Framework, and newer models such as the CMMC for defense contractors. As part of our risk assessments our team helps clients to develop tailored and often detailed response plans, conducing simulations and tabletop exercises and training client teams. Our experience is strong across many industries and sectors and covers private businesses ranging from restaurants, online retailers, investment firms, hospitals, and universities to housing complexes and multi‑national manufacturers.

Energy Infrastructure
Our team has extensive experience working on compliance with North American Electric Reliability Corporation (NERC), including Critical Infrastructure Protection (CIP) standards and Operations & Planning (693) standards.

Health Sector
Our team is experienced in building and structuring HIPAA compliance programs, including preparing tailored policies and procedures to implement the HIPAA Rules. We regularly help clients prepare for OCR’s HIPAA audit program by conducting mock audits and issuing reports identifying compliance gaps and recommendations for remedying them.

Insurance

We regularly advise clients in insurance coverage matters arising out of data and network security matters, managing claims and advocating policy construction that maximizes insurance recovery. We handle claims and obtain reimbursement for clients experiencing data breaches, wire transfer fraud, cyber extortion and other security events.

We also provide policyholders with counseling on pre-loss issues, ranging from assessments of coverage for particular risks to help with securing favorable coverage terms under specialty technology and cyber-liability insurance policies. We have also prepared dozens of cyber-insurance “gap” analyses. More broadly, the Firm has appeared as counsel of record in over 300 reported opinions in cases involving insurance coverage or insurance issues and has recovered hundreds of millions on behalf of policyholders.

Click here for more information on our insurance practice.

Click here to learn more about our technology-experienced lawyers and here to learn more about our diverse practice group.

Practice Areas of Concentration

Litigation and Investigations

Data Breach and Incident Response, Investigation and Litigation
Regulatory Agency Investigations into Data Privacy and Security Standards and Best Practices
Government Agency Data Requests
HIPAA-based Audits by the HHS Office for Civil Rights
Online Defamation, Right of Publicity
North American Electric Reliability Corporation Audits
PCI-DSS Compliance Audits

Counseling

EU Data Protection Issues – General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Cybersecurity and Network Intrusion Issues
Ransomware and Cyber Extortion Response, Prevention and Remediation
Insurance Coverage Analysis and Loss Recovery
Global Data Protection and International Data Transfers
Public and Private School and University Data Privacy Compliance
Legal Compliance and Information Security Assessments
Issues with Collection and Use of Employee Information
Implementation of Industry Best Practices in Data Privacy and Security
Information Management and Governance
Data Analytics and Big Data Concepts
Proper Collection and Use of Financial Information, Including Credit Card Information
Online Privacy Policies and Terms of Use
Data Mapping
HIPAA Security Rule Risk Assessments
HIPAA Privacy Rule and Breach Notification Rule Compliance
Preparation for both NERC Operations & Planning and CIP Audits, Including Acting as a Lead Mock Auditor
Assisting in Gap, Mock-Audit and Audit for both CIP and Operations & Planning NERC Audits
General Data Protection Regulation (GDPR) Compliance
Family Educational Rights and Privacy Act (FERPA) and Protection of Pupil Rights Amendment (PPRA) Compliance
Illinois Biometric Privacy Act (BIPA) Compliance

Representative Experience

Incident Response

Assisted Fortune 100 information technology provider in analysis of fraud activity and management of forensic vendors, fraud loss analysis team, and insurance.
Assisted consumer software and device company in response to active data breach and extortion situation, including coordination between multiple forensics vendors, insurance, and company IT resources.
Assisted a retail brand, large data provider, investment firm and other entities in navigating insurance policies and litigation opportunities to recover losses from data breaches, including forensic and legal expenses and losses attributable to the breaches.
Represented a large data provider in identifying the scope of and responding to a data breach where a malicious third party utilized a distributed denial of service attack as a cloak over data exfiltration and a wire fraud attack. Our work included handling public-facing communications, evaluating contractual obligations, and assessing federal and state legal obligations.
Advised a private businesses ranging from a small-town restaurant to a multi‑national manufacturer in evaluating legal obligations across federal and state laws related to data breach notification requirements and response.
Assisted a multi-state landlord in addressing international laws as they relate to data breach response for foreign visitors.
Counseled a direct-mail marketing company in assessing whether misdirected mailings constituted a reportable security incident under Indiana law.

Health Care

Ongoing advice to health care providers in assessing and responding to a patient privacy complaint and determining whether a HIPAA breach of unsecured PHI had occurred.
Assisted a health care provider in determining whether handling of paper medical records constituted a HIPAA breach of unsecured PHI.
Representation of clients under audits of HIPAA compliance during audits from the Office for Civil Rights at the U.S. Department of Health and Human Services.

Employer Protections

Advised domestic and international clients in developing employee policies to protect corporate and customer data, including bring-your-own-device (BYOD), acceptable internet/e-mail use, mobile access and secure travel protocols.
Provided managerial and key staff training on the importance of data security and corporate security policies, as well as what constitutes a breach and how to appropriately respond if a breach occurs.

Litigation

Defended, and continue to defend, litigation filed by several plaintiffs based on a reported data breach.
Defended clients in class action litigation due to privacy related matters including claims under the Telephone Consumer Protection Act (TCPA).
Pursued and defended claims under the Computer Fraud and Abuse Act (CFAA).

Transactions

Advised many IT service providers, including IaaS, PaaS, and SaaS providers on development and implementation of information security and privacy programs designed to assess risk and/or comply with industry standards and frameworks.
Assisted a real-time operator and vertically integrated utilities in preparation of and acted as lead counsel during federally mandated cyber security audits.
Evaluated contracts with a lens towards data security and privacy during the IT procurement process.
Developed and implemented consumer-facing privacy statements and contracts that provide privacy commitments, acceptable use, and a privacy complaint process.
Evaluated and responded to consumer privacy complaints on behalf of IT service providers.
Developed, implemented, and been involved in testing of incident response plans.

Ice TV

Deals Done: Data Security

RSS

Firm Publications

News

Blog Posts

Professionals

Name	Position	Phone
Reena R. Bajowala	Partner	312-726-6220
Guillermo Christensen	Partner	202-572-1609
Nicholas R. Merker	Partner	317-236-2337
Kimberly C. Metzger	Partner	317-236-2296
Nicholas Reuhs	Partner	317-236-2160
Taryn E. Stone	Partner	317-236-5872
Eric McKeown	Of Counsel	317-236-2124
Siddharth Bose	Associate	317-236-2243
Mason Clark	Associate	317-236-5927
John B. Gregg	Associate	317-236-2108
Tiffany Kim	Associate	317-236-5931
Christian Robertson	Associate	202-807-4021
Rachel Spiker	Associate	614-462-2294

Practice Contacts

Reena R. Bajowala, Partner

reena.bajowala@icemiller.com

Guillermo Christensen, Partner

guillermo.christensen@icemiller.com

Nicholas R. Merker, Partner

nicholas.merker@icemiller.com