
Data Security and Privacy

Ice Miller’s Data Security and Privacy Team: Technological and security experience focused on solutions for clients' real world legal needs.

Cybersecurity and data privacy represent serious business risks. Our team of attorneys strives to turn these into manageable business issues and opportunities.

Our lawyers are intimately familiar with technology and security—our team includes information technology professionals; systems, network, and security engineers; software developers; and former CIA and defense department intelligence officers. We are well-versed in dealing with integration of technologies and software into business processes and enterprise systems, which enables our team to guide our clients to realistic and practical solutions to complex legal and regulatory issues.

With experience that spans information security, data privacy, personnel and physical security, our team can help clients implement end-to-end coverage of privacy and data security issues. We have successfully designed and implemented information privacy and security programs that reflect a client’s business and legal imperatives. When problems arise, our incident response capabilities range from dealing with ransomware and malware events to managing the complex regulatory demands of breach notification and defending clients in state and federal courts.

Our attorneys include thought leaders in many key areas of information security and privacy. This includes lawyers who take leading roles in developing best practices in data security, others who speak frequently to international audiences on issues such as cyberthreats, and others who serve as instructors for leading security and privacy organizations.


Incident Response


Incident response is a 24/7, high-velocity challenge. In the initial 24-48 hours, an effective response to a ransomware attack, an attempted fraud event or an industrial espionage compromise can prevent long-term financial, reputational, operational and legal crises. Our team’s experience, gained in handling hundreds of incidents for companies and in the U.S. intelligence community and law enforcement, allows us to prioritize practical and responsive approaches to serious incidents.

We strive to continually monitor the evolution of threats and the vulnerabilities that are exploitable to inform our response protocols. Our team is well versed in the complex issues around federal and state breach laws and has developed relationships with regulators, law enforcement, and the intelligence community around the world to call upon when a client is in need. We are also experienced with the collateral and downstream implications that may arise with legal claims and regulatory enforcement.

Our team is adept at building and testing incident response plans and frameworks, conducting simulations and tabletop exercises and training executives, boards of directors, engineers, and anyone involved in response. We have also handled incident response for defense contractors and companies operating in the critical infrastructure sector.


Privacy & Data Protection


Providing counsel in the rapidly evolving legal landscape of privacy requires attorneys who keep their ear to the ground in this space. Our team has developed an integrated approach to data privacy and protection for clients across multiple sectors, many of them operating internationally. We strive to develop practical solutions that allow companies to demonstrate compliance with laws ranging from the EU’s General Data Protection Regulation (GDPR) to state-by-state laws in the United States. We approach privacy and data protection by focusing not only on what the laws and regulations require, but also on understanding the myriad options for companies to calibrate business processes to comply with these requirements. Our team is adept at examining the broader data “supply chain management” that is essential to an effective data privacy program.

Our attorneys stay up-to-date on federal and state data breach laws and have experience working alongside internal client data security and privacy teams or outside vendors to find and understand the issues resulting from an incident based on these laws. Ice Miller also helps clients develop a practical strategy in an incident situation that includes accessing insurance coverage, responding to media inquiries, addressing consumer expectations, evaluating ransom demands against company information and reacting to the incident as it evolves.

Clients also seek and receive our counsel on the collection and processing of information under international legal frameworks and changes to the same.


Risk Assessments / Compliance


Risk assessments are the starting point for effective cybersecurity and data privacy programs. Our team is able to apply knowledge and frameworks to these enterprise risk management challenges. We are knowledgeable and experienced in using frameworks such as those of the National Institute of Standards and Technology, the CIS Framework, and newer models such as the CMMC for defense contractors. As part of our risk assessments, our team helps clients develop tailored and often detailed response plans, conducts simulations and tabletop exercises, and trains client teams. Our experience is strong across many industries and sectors and covers private businesses ranging from restaurants, online retailers, investment firms, hospitals, and universities to housing complexes and multi‑national manufacturers.

Energy Infrastructure
Our team has extensive experience working on compliance with North American Electric Reliability Corporation (NERC), including Critical Infrastructure Protection (CIP) standards and Operations & Planning (693) standards.

Health Sector
Our team is experienced in building and structuring HIPAA compliance programs, including preparing tailored policies and procedures to implement the HIPAA Rules. We regularly help clients prepare for OCR’s HIPAA audit program by conducting mock audits and issuing reports identifying compliance gaps and recommendations for remedying them.


Insurance


We regularly advise clients in insurance coverage matters arising out of data and network security matters, managing claims and advocating policy construction that maximizes insurance recovery. We handle claims and obtain reimbursement for clients experiencing data breaches, wire transfer fraud, cyber extortion and other security events.
 
We also provide policyholders with counseling on pre-loss issues, ranging from assessments of coverage for particular risks to help with securing favorable coverage terms under specialty technology and cyber-liability insurance policies. We have also prepared dozens of cyber-insurance “gap” analyses. More broadly, the Firm has appeared as counsel of record in over 300 reported opinions in cases involving insurance coverage or insurance issues and has recovered hundreds of millions on behalf of policyholders.


Practice Areas of Concentration

Litigation and Investigations
 
  • Data Breach and Incident Response, Investigation and Litigation
  • Regulatory Agency Investigations into Data Privacy and Security Standards and Best Practices
  • Government Agency Data Requests
  • HIPAA-based Audits by the HHS Office for Civil Rights 
  • Online Defamation, Right of Publicity
  • North American Electric Reliability Corporation Audits
  • PCI-DSS Compliance Audits
Counseling
 
  • EU Data Protection Issues – General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • Cybersecurity and Network Intrusion Issues
  • Ransomware and Cyber Extortion Response, Prevention and Remediation
  • Insurance Coverage Analysis and Loss Recovery
  • Global Data Protection and International Data Transfers
  • Public and Private School and University Data Privacy Compliance
  • Legal Compliance and Information Security Assessments
  • Issues with Collection and Use of Employee Information
  • Implementation of Industry Best Practices in Data Privacy and Security
  • Information Management and Governance
  • Data Analytics and Big Data Concepts
  • Proper Collection and Use of Financial Information, Including Credit Card Information
  • Online Privacy Policies and Terms of Use
  • Data Mapping
  • HIPAA Security Rule Risk Assessments
  • HIPAA Privacy Rule and Breach Notification Rule Compliance
  • Preparation for both NERC Operations & Planning and CIP Audits, Including Acting as a Lead Mock Auditor
  • Assisting in Gap, Mock-Audit and Audit for both CIP and Operations & Planning NERC Audits
  • General Data Protection Regulation (GDPR) Compliance
  • Family Educational Rights and Privacy Act (FERPA) and Protection of Pupil Rights Amendment (PPRA) Compliance
  • Illinois Biometric Privacy Act (BIPA) Compliance

Representative Experience

Incident Response
  • Assisted Fortune 100 information technology provider in analysis of fraud activity and management of forensic vendors, fraud loss analysis team, and insurance.
  • Assisted consumer software and device company in response to active data breach and extortion situation, including coordination between multiple forensics vendors, insurance, and company IT resources.
  • Assisted a retail brand, large data provider, investment firm and other entities in navigating insurance policies and litigation opportunities to recover losses from data breaches, including forensic and legal expenses and losses attributable to the breaches.
  • Represented a large data provider in identifying the scope of and responding to a data breach where a malicious third party utilized a distributed denial of service attack as a cloak over data exfiltration and a wire fraud attack.  Our work included handling public-facing communications, evaluating contractual obligations, and assessing federal and state legal obligations.
  • Advised private businesses ranging from a small-town restaurant to a multi‑national manufacturer in evaluating legal obligations across federal and state laws related to data breach notification requirements and response.
  • Assisted a multi-state landlord in addressing international laws as they relate to data breach response for foreign visitors.
  • Counseled a direct-mail marketing company in assessing whether misdirected mailings constituted a reportable security incident under Indiana law.
Health Care
  • Ongoing advice to health care providers in assessing and responding to a patient privacy complaint and determining whether a HIPAA breach of unsecured PHI had occurred.
  • Assisted a health care provider in determining whether handling of paper medical records constituted a HIPAA breach of unsecured PHI.
  • Represented clients during HIPAA compliance audits by the Office for Civil Rights at the U.S. Department of Health and Human Services.
Employer Protections
  • Advised domestic and international clients in developing employee policies to protect corporate and customer data, including bring-your-own-device (BYOD), acceptable internet/e-mail use, mobile access and secure travel protocols.
  • Provided managerial and key staff training on the importance of data security and corporate security policies, as well as what constitutes a breach and how to appropriately respond if a breach occurs.
Litigation
  • Defended, and continue to defend, litigation filed by several plaintiffs based on a reported data breach.
  • Defended clients in class action litigation due to privacy related matters including claims under the Telephone Consumer Protection Act (TCPA).
  • Pursued and defended claims under the Computer Fraud and Abuse Act (CFAA).
Transactions
  • Advised many IT service providers, including IaaS, PaaS, and SaaS providers on development and implementation of information security and privacy programs designed to assess risk and/or comply with industry standards and frameworks.
  • Assisted a real-time operator and vertically integrated utilities in preparation of and acted as lead counsel during federally mandated cyber security audits.
  • Evaluated contracts with a lens towards data security and privacy during the IT procurement process.
  • Developed and implemented consumer-facing privacy statements and contracts that provide privacy commitments, acceptable use, and a privacy complaint process.
  • Evaluated and responded to consumer privacy complaints on behalf of IT service providers.
  • Developed, implemented, and participated in testing of incident response plans.
 
