Data Security and Privacy

Ice Miller’s Data Security and Privacy Practice has extensive legal and real-world technological experience.

As former information technology professionals, system engineers, and analysts, our attorneys understand the technologies used to collect, store and process data and are able to advise clients effectively and efficiently on the complex business, technological, legal and regulatory issues involved in protecting that information. With experience across multiple legal disciplines, Ice Miller provides end-to-end coverage of privacy and data security issues. We help clients develop information privacy and security programs, modify those programs as the business or legal landscape changes, and investigate and respond as quickly as possible to incidents that arise.

Because a significant portion of data breaches involve current or former employees, we advise businesses on employee-related data privacy issues and on developing security plans suited to their particular industry. Employees are often the front line of a data breach, so we assist business and government clients with drafting appropriate employee policies, including bring-your-own-device (BYOD) policies and record/data retention procedures, and with training to heighten the security awareness of management and other employees who have access to data. We also assist clients with employee social media and e-privacy issues.

Incident Response

We work with clients to investigate and respond to many incidents and data breaches involving the loss or misuse of consumer, employee or business information. We assist private businesses ranging from restaurants, online retailers, investment firms, hospitals and universities to housing complexes and multi‑national manufacturers in evaluating legal obligations related to data breach notification requirements and response across federal and state law in 47 states and Puerto Rico. 
 
Our attorneys stay up-to-date on federal and state data breach laws and have experience working alongside internal client data security and privacy teams or outside vendors to find and understand the issues resulting from an incident based on these laws. Ice Miller also helps clients develop a practical strategy in an incident situation that includes accessing insurance coverage, responding to media inquiries, addressing consumer expectations, evaluating ransom demands against company information and reacting to the incident as it evolves.
 

Compliance

HIPAA Compliance, Audits, and Investigations 

As patient data becomes increasingly digitized, both federal and state regulators are more rigorously examining health care organizations’ compliance with health information privacy and security laws and regulations. We have extensive experience advising clients on complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security and Breach Notification Rules. Our team includes a former investigator with the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), which is the regulatory agency responsible for enforcing the HIPAA Rules. The clients who seek our HIPAA expertise range from health care providers and group health plans to vendors that support the health care industry.
  
We are pleased to offer our clients the following range of services:
  • Building and structuring HIPAA compliance programs, including preparing tailored policies and procedures to implement the HIPAA Rules
  • Helping clients prepare for OCR’s HIPAA audit program by conducting mock audits and issuing reports identifying compliance gaps and recommendations for remedying them
  • Assisting health care technology start-up companies with navigating novel HIPAA compliance issues
  • Drafting and negotiating business associate agreements and other data sharing arrangements
  • Assisting with incident response and breach reporting, including responding to OCR and state attorney general investigations and negotiating settlements
  • Reviewing and preparing HIPAA Security Rule risk analyses and risk management plans
  • Counseling on the intersection between the HIPAA Rules and other state and federal privacy and security laws and regulations, including laws related to the confidentiality of mental health information and substance abuse disorder records
  • Advising on HIPAA compliance issues and risks associated with mergers, acquisitions and other corporate transactions

Children's Online Privacy Protection Act (“COPPA”) Compliance
 
Companies that operate websites and mobile apps that may collect information from children under the age of 13 should be aware of the Children’s Online Privacy Protection Act of 1998 (“COPPA”). We assist businesses across all industries with evaluating and meeting their compliance obligations under COPPA.
  
Specifically, we offer our clients the following services related to children’s online privacy requirements:
  • Analyzing whether our clients’ online services are required to comply with COPPA and its implementing regulations
  • Drafting COPPA privacy policies and direct notices to parents that meet regulatory requirements and advising on their placement and delivery
  • Counseling regarding compliant mechanisms for obtaining “verifiable parental consent” under COPPA
  • Developing internal policies and procedures for ensuring COPPA compliance
  • Monitoring the Federal Trade Commission’s enforcement actions and guidance related to COPPA implementation

North American Electric Reliability Corporation (NERC) 

Ice Miller's Data Security and Privacy Practice serves clients’ general information security needs and assists with North American Electric Reliability Corporation (NERC) compliance, including Critical Infrastructure Protection (CIP) standards and Operations & Planning (693) standards. Our NERC CIP and 693 clients span the eight Regional Entities. Our familiarity and direct client experience with many of the eight Regional Entities allows us to evaluate the varying interpretations of CIP and 693 standards to ensure our clients' needs are properly considered.
  
We also advise clients on the NERC enforcement process, including pre-audit and audit preparation, spot checks and self-reports. We have sat as first chair attorneys representing clients during multiple audits, and we have helped our clients gather evidence, prepare subject matter experts and generally prepare for these audits. Our experience also includes conducting gap analyses and mock-audit preparation and assistance, compliance with reliability standards and post-audit activities, including negotiations with NERC and regional entities.
 

International Issues

Clients seek and receive our counsel on the collection and processing of information under international legal frameworks and changes to them, including PIPEDA, Canada's Anti-Spam Legislation and the upcoming requirements of the EU General Data Protection Regulation ("GDPR"). This work includes assistance with transferring information outside of the EU through binding corporate rules and standard contractual clauses, and tracking international transfer agreements such as the EU/US Privacy Shield. 

M&A Due Diligence

The collection, processing, transfer and retention of information can create issues in business-to-business transactions, including mergers, acquisitions, joint ventures, outsourcing, licensing and commercial agreements. Identifying and addressing privacy and data security issues before a deal is executed is critical for some transactions. We work closely with Ice Miller’s Business Services team to help build successful transactions for our clients. 

Insurance

We regularly advise clients on insurance coverage matters arising out of data and network security incidents, managing claims and advocating policy constructions that maximize insurance recovery. We handle claims and obtain reimbursement for clients experiencing data breaches, wire transfer fraud, cyber extortion and other security events.
 
We also provide policyholders with counseling on pre-loss issues, ranging from assessments of coverage for particular risks to help with securing favorable coverage terms under specialty technology and cyber-liability insurance policies. We have also prepared dozens of cyber-insurance “gap” analyses. More broadly, the Firm has appeared as counsel of record in over 300 reported opinions in cases involving insurance coverage or insurance issues and has recovered hundreds of millions on behalf of policyholders.
 

Practice Areas of Concentration

Litigation and Investigations
 
  • Data Breach and Incident Response, Investigation and Litigation
  • Regulatory Agency Investigations into Data Privacy and Security Standards and Best Practices
  • Government Agency Data Requests
  • HIPAA-based Audits by the HHS Office for Civil Rights 
  • Online Defamation, Right of Publicity
  • North American Electric Reliability Corporation Audits
  • PCI-DSS Compliance Audits
Counseling
 
  • EU Data Protection Issues
  • Cybersecurity and Network Intrusion Issues
  • Ransomware and Cyber Extortion Response, Prevention, and Remediation
  • Insurance Coverage Analysis and Loss Recovery
  • Global Data Protection and International Data Transfers
  • Public and Private School and University Data Privacy Compliance
  • Legal Compliance and Information Security Assessments
  • Issues with Collection and Use of Employee Information
  • Implementation of Industry Best Practices in Data Privacy and Security
  • Information Management and Governance
  • Data Analytics and Big Data Concepts
  • Proper Collection and Use of Financial Information, including Credit Card Information
  • Online Privacy Policies and Terms of Use
  • Data Mapping
  • HIPAA Security Rule Risk Assessments
  • HIPAA Privacy Rule, and Breach Notification Rule Compliance
  • Advising several clients in preparing for both NERC Operations & Planning and CIP audits, including acting as a lead mock auditor
  • Assisting in Gap, Mock-audit and audit for both CIP and Operations & Planning NERC audits
  • General Data Protection Regulation (GDPR) compliance
  • Family Educational Rights and Privacy Act (FERPA) and Protection of Pupil Rights Amendment (PPRA) compliance
  • Illinois Biometric Privacy Act (BIPA) compliance

 

Representative Experience

Incident Response
  • Assisted Fortune 100 information technology provider in analysis of fraud activity and management of forensic vendors, fraud loss analysis team, and insurance.
  • Assisted consumer software and device company in response to active data breach and extortion situation, including coordination between multiple forensics vendors, insurance, and company IT resources.
  • Assisted a retail brand, large data provider, investment firm and other entities in navigating insurance policies and litigation opportunities to recover losses from data breaches, including forensic and legal expenses and losses attributable to the breaches.
  • Represented a large data provider in identifying the scope of and responding to a data breach where a malicious third party utilized a distributed denial of service attack as a cloak over data exfiltration and a wire fraud attack.  Our work included handling public-facing communications, evaluating contractual obligations, and assessing federal and state legal obligations.
  • Advised private businesses ranging from a small-town restaurant to a multi‑national manufacturer in evaluating legal obligations across federal and state laws related to data breach notification requirements and response.
  • Assisted a multi-state landlord in addressing international laws as they relate to data breach response for foreign visitors.
  • Counseled a direct-mail marketing company in assessing whether misdirected mailings constituted a reportable security incident under Indiana law.
Health Care
  • Ongoing advice to health care providers in assessing and responding to a patient privacy complaint and determining whether a HIPAA breach of unsecured PHI had occurred.
  • Assisted a health care provider in determining whether handling of paper medical records constituted a HIPAA breach of unsecured PHI.
  • Representation of clients under audits of HIPAA compliance during audits from the Office for Civil Rights at the U.S. Department of Health and Human Services.
Employer Protections
  • Advised domestic and international clients in developing employee policies to protect corporate and customer data, including bring-your-own-device (BYOD), acceptable internet/e-mail use, mobile access and secure travel protocols.
  • Provided managerial and key staff training on the importance of data security and corporate security policies, as well as what constitutes a breach and how to appropriately respond if a breach occurs.
Litigation
  • Defended, and continue to defend, litigation filed by several plaintiffs based on a reported data breach.
  • Defended clients in class action litigation due to privacy related matters including claims under the Telephone Consumer Protection Act (TCPA).
  • Pursued and defended claims under the Computer Fraud and Abuse Act (CFAA).
Transactions
  • Advised many IT service providers, including IaaS, PaaS, and SaaS providers on development and implementation of information security and privacy programs designed to assess risk and/or comply with industry standards and frameworks.
  • Assisted a real-time operator and vertically integrated utilities in preparation of and acted as lead counsel during federally mandated cyber security audits.
  • Evaluated contracts with a lens towards data security and privacy during the IT procurement process.
  • Developed and implemented consumer-facing privacy statements and contracts that provide privacy commitments, acceptable use, and a privacy complaint process.
  • Evaluated and responded to consumer privacy complaints on behalf of IT service providers.
  • Developed, implemented, and been involved in testing of incident response plans.