Practice GroupData Privacy & Security

Print this page

The world is changing and so is the way that people and companies conduct business. Businesses routinely collect the personal information of others for many purposes, including provision of sales and services, human resources, operation of a website, engaging in social media, analytics, and marketing. Maintaining the personal information of others always presents a risk of a data breach leading to the unauthorized use or disclosure of that information. Maintaining such information in the cloud, and even simply using the Internet to conduct business, creates additional potential vulnerabilities that did not exist in a simple brick and mortar environment with private servers maintained in-house and dedicated exclusively to your own use. We are able to advise and assist you regarding compliance with various data privacy and security laws, including GDPR and state laws. We also work collaboratively with IT security specialists to help businesses undertake appropriate data privacy/protection risk assessments and formulate practical data privacy and security policies and procedures.

It has been said that it is not a matter of whether a data breach will occur but rather when. We are here to help you prepare for, mitigate and manage any data breaches, including complying with regulatory notice requirements. Furthermore, one of the best ways you can protect yourself when doing business that involves personal information of others, particularly where the Internet is involved, is to obtain appropriate cyber liability and other liability insurance. We are able to offer advice with regard to the same. We also provide detailed training to your employees, as they are a significant data vulnerability even if you implement the most robust technical security measures.

Where specific areas of privacy and security are involved, such as with regard to protected health information/HIPAA, or the Right to Know laws involving the public sector, thanks to our robust practice areas, we are able to call upon the experience of other attorneys in the firm working in those specialized areas as needed.

Data Mapping and Retention

In order to comply with the various data privacy laws, you have to know what personal data you collect, how and why you collect it, where it comes from, and what you do with it (including who you share it with) and why. We can help walk you through this often complex process.  An important aspect of managing this risk is to reduce the volume of data, thereby reducing what needs to be protected.  We have counseled companies of all sizes with regard to crafting user-friendly data and record management plans. If litigation ever ensues and you are obligated to preserve information, we can assist in implementing targeted litigation holds with as little disruption to your business as possible.

Data Privacy and Security Compliance

Are you compliant with applicable data privacy and security laws?

There are numerous state, federal and foreign laws mandating that businesses undertake certain privacy and security measures. These laws may:

  • require businesses to have in place adequate physical, technical and administrative security measures
  • require certain notices to be given to individual data subjects prior to collecting/processing of their personal information
  • provide certain rights to individual data subjects, including the right to access, to modification and deletion of their personal information, and to prevent sale of that information
  • require that a data privacy/protection impact assessment be undertaken
  • require appointment of a data protection officer and European representative (under the GDPR)
  • impose substantial financial and other penalties, as well as private rights of action
  • require registration if you are a data broker

Unfortunately the ostrich approach to compliance is not a good one. Even if you have missed the actual compliance date deadlines, it is not too late to get compliant, protect your data subjects, and minimize your exposure. We can help you meet the above requirements, including assisting with internal data compliance audits to determine where compliance is lacking, and assisting with training of your personnel to help facilitate appropriate compliance, including how to respond to data subject requests.

Data Breaches

Sheehan Phinney provides comprehensive advice to its clients to minimize the risk of a data breach including how to manage electronic data and implement recognized best practices. When a breach occurs, we efficiently and effectively handle all aspects of sending notifications to affected individuals across the country, regulators, and credit bureaus. Leveraging our Lex Mundi membership, we can also coordinate legal services around the globe, if affected individuals are located outside the United States. If claims arise from a breach, our litigation group adeptly and tactfully defends clients to protect them from liability. Sheehan Phinney is frequently appointed by clients’ cyber insurance carriers to provide these and other services.

Data Management in Litigation

Sheehan Phinney provides efficient and practical advice to its clients to process and mine the large volumes of electronic data that is part of nearly every litigation matter.  First, we counsel companies to implement data and record management plans to cull unnecessary data.  When litigation strikes, we advise clients how to implement reasonable litigation holds to satisfy preservation obligations without disrupting day-to-day operations.  We have also invested in state-of-the-art technology to process and mine data to find what is most important to the litigation as quickly as possible so that our clients can be ahead of the case and make informed decisions well before their opponents. Find out more about our electronic discovery capabilities here: https://www.sheehan.com/practice-area/electronic-discovery/ 

Recording Communications

From time to time businesses may find it useful to record certain communications with customers or potential customers. There are laws governing when recording such communications is permissible. We can advise and assist you in connection with complying with such laws.

Freedom of Information/Right to Know

There are various laws dealing with one’s right to access certain information held by government authorities. These laws are typically referred to as “freedom of information” or “right to know” laws. We work with public sector employers to help them understand the nature of such laws, and to appropriately handle responses to such requests.

Representative Matters:

  • Representation of various businesses with regard to privacy and security law compliance, including a data broker and a US company with multiple subsidiaries including subsidiaries outside the US
  • Representation of a major health information exchange, including with regard to data privacy issues
  • Representation of a nonprofit with regard to processing of teacher and student data, including analysis of various federal and state laws and drafting of related agreements
  • Representation of online retailer victim of malware attack stealing customer credit card information necessitating notice to customers in 47 states and 10 countries
  • Representation of non-profit victim of phishing attack compromising employees’ W-2 information requiring notice to 250 current and former employees in 3 states
  • Representation of client whose employees discovered unauthorized persons filed tax returns on their behalf necessitating notice to 200 employees in 11 states
  • Drafted notices for clients to provide to state attorneys general, regulators and other law enforcement personnel upon the occurrence of a data breach
  • Representation of various public sector employers with regard to freedom of information/right to know requests
  • Representation of hospitals and other health care facilities and practices in connection with HIPAA privacy issues, including drafting of patient privacy notices, business associate agreements and policies, training staff on HIPAA Privacy, Security and Breach Notification Rule compliance, and responding to breaches
photo of chair for print purposes

Practice Chair


James P. Harris

A member of Sheehan Phinney since 2002, J.P. brings his litigation experience to the firm’s data privacy and security group, a group he co-chairs. In his litigation practice, he represents 

photo of chair for print purposes

Practice Chair


Douglas G. Verge

Doug is co-chair of the firm’s Data Privacy and Security Law Practice Group.  He also is an integral member of Sheehan Phinney’s intellectual property law practice, having previously chaired the