Privacy and Data Security

Overview

Manatt’s multidisciplinary and global privacy and data security practice provides critical services at the intersection of corporate data and legal and operational risk. Our end-to-end practice spans the spectrum of cybersecurity services, including proactive counseling, assessment, program development and incident preparedness and reactive incident response, regulatory inquiries and investigations, and litigation defense.

We have counseled clients on some of the most significant and complex public and nonpublic data security incidents and privacy matters, both domestically and abroad, and on related litigation and regulatory investigations.

Our Approach

Our attorneys and consultants are well versed in the law, and we deliver a business-focused approach aided by our knowledge of technology. We can quickly understand your infrastructure and the need for our advice to align with your technology, controls, strategies and objectives.

Teamwork is paramount to our services. Our team members have significant in-house, regulatory and investigation experience; we also have significant experience working with critical industry constituents ranging from statehouses (e.g., through our Sacramento, California, and Albany, New York, state government practices) to Washington, D.C., and representing clients in bet-the-company litigation in courthouses around the country. We recognize that managing and reducing cyber and privacy risks require a uniform, enterprise-level initiative, and we prioritize the engagement of cross-functional stakeholders in developing and implementing bespoke solutions.

Put simply, we provide practical advice tailored to your infrastructure, technology, business and objectives. For us, it is imperative that the advice and solutions we offer are both pragmatic and actionable.

Our Clients

Our clients range from Fortune 100 companies to startups. We advise clients across a range of industries, including highly regulated industries such as financial services, fintech, health care and government contracting and defense; market disruptors like adtech, martech and insuretech; and consumer-facing industries such as ecommerce, retail and consumer products; as well as nonprofits and public services.

– Client testimonial shared with Legal 500 in 2021.

Our Services

Our practice spans the full life cycle of data management, cyber and privacy risk, and litigation. We advise on proactive and reactive security and privacy matters and identify pragmatic solutions to data and technology challenges that appropriately balance clients’ operational costs and risk appetites.

Our Interdisciplinary Offerings

Manatt’s privacy and data security clients benefit from our firm’s interdisciplinary approach to legal and professional services. Given the industry-specific nature of many privacy and data security matters and regulations in the U.S., our team works closely with attorneys and consultants in Manatt’s health, financial services and government practices—notably through our offices in , and —to provide comprehensive and specialized advice. By working alongside our industry-aligned colleagues, we can provide not only robust advice on your company’s privacy and data security obligations but also work to ensure that compliance activities are tailored to your business and follow best practices for your industry.

Proactive Counseling and Program Development

Security Incident Preparedness, Testing and Risk Assessments

Our team conducts privileged risk assessments and incident response exercises to analyze and evaluate institutional practices, policies and procedures. Our assessments are performed against industry security standards, such as the NIST Cybersecurity Framework and the Payment Card Industry Data Security Standards (PCI DSS). We also provide strategic guidance and counsel clients on improving, hardening and maturing security and incident response programs.

  • Program development and implementation. Advise on developing, improving and implementing corporate security programs.
  • Exercises and war games. Develop and lead tailored cybersecurity exercises and war games designed to evaluate the comprehensiveness and effectiveness of response protocols and to identify and remediate legal and enterprise risks.
  • Assessments and testing. Conduct assessments mapped to industry standards and frameworks to evaluate risk, identify gaps in controls and benchmark against industry peers. Partner with security firms to oversee and advise on penetration testing, threat hunting and compromise assessments.
  • Incident response plans and security policies. Draft and revise internal corporate security policies and procedures, such as incident response plans, written information security policies (WISPs), acceptable use policies, threat and vulnerability management, adequate disclosures addressing new laws and emerging case law, and bug bounty programs and procedures.
  • Vendor relationships. Manage and direct the vendor process, liaising and establishing strategic engagements with incident response vendors—forensic firms, credit monitoring and identity protection service providers, call center support, and public relations firms—so vendors are ready to provide on-call support in the event of a security incident.
  • Threat intelligence briefings. Partner with security experts and law enforcement to provide industry-specific threat intelligence briefings and presentations.

Cybersecurity and Privacy Compliance, and Data Management

Our team has substantial experience developing and counseling clients on novel and complex privacy compliance matters across a range of industries and jurisdictions. We help clients navigate an ever-changing, and at times conflicting, privacy regulatory landscape with business-focused and pragmatic strategies designed to minimize risk and potential liability. We have extensive experience counseling clients on state, federal and international privacy regulatory regimes, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and its successor the Consumer Privacy Rights Act (CPRA), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), federal and state wiretap laws, the Computer Fraud and Abuse Act (CFAA), state data protection laws (e.g., New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act and its Department of Financial Services cyber rule), data breach notification laws and obligations, and the Telephone Consumer Protection Act (TCPA).

  • Program development and implementation. Advise on developing, improving and implementing corporate privacy programs and related compliance obligations, including developing, managing and analyzing data mapping and inventories, and project management and consulting for program initiatives.
  • Privacy and data protection policies and procedures. Develop, update and counsel on internal corporate privacy policies and procedures, such as data classification, the handling of data subject rights requests, the preparation of privacy impact assessments and data protection impact assessments, and internal escalation and reporting mechanisms regarding privacy risks.
  • Privacy disclosures and controls. Develop and counsel regarding public-facing privacy notices and disclosures, including strategies related to user controls, choices and consent mechanisms.
  • Data transfer and storage. Advise on data retention and destruction obligations and complex cross-border data transfer requirements and strategies.
  • Government and regulatory requests. Counsel and assist in responding to regulatory examinations as well as government and regulatory requests and subpoenas, including disclosures pursuant to the ECPA, SCA and related state wiretap statutes.

Our team has substantial experience designing and implementing global data governance and enterprise risk management strategies. We regularly counsel boards of directors and executive leadership regarding emerging and evolving privacy, security and technology risks; fiduciary obligations; and related risk avoidance and mitigation strategies.

  • Board counseling, risk reporting and executive presentations. Counsel boards regarding privacy- and security-related fiduciary obligations and risk management strategies, including educating and presenting to boards of directors and executive management regarding cybersecurity and privacy risks and related reporting obligations.
  • Information governance framework, staffing and budgeting. Counsel organizations regarding corporate governance structures, budget allocations and staffing strategies for privacy and security functions, including placements—both geographically and organizationally—of chief information security officers (CISOs) and data privacy officers.
  • Public disclosures. Counsel clients on public disclosure and Securities and Exchange Commission (SEC) reporting and filing obligations related to cybersecurity and privacy risks.

Our team has substantial experience counseling organizations across a range of industries on information security, privacy and incident response training programs.

  • Training program development. Develop and counsel on information security, privacy and incident response training programs and procedures.
  • Department-specific training. Develop and conduct training programs and presentations tailored to individual corporate departments, such as legal, marketing, information security, compliance and audit, as well as to boards of directors and executive management teams.
  • White papers and educational presentations. Produce tailored privacy and security white papers and conduct presentations designed to educate and provide guidance related to industry-specific challenges, threats and risk mitigation strategies.

Our team develops and counsels clients on vendor management programs and risk management strategies designed to assist companies in assessing, prioritizing and mitigating risk presented by vendors with access to client data or technologies.

  • Diligence and onboarding. Develop and counsel on vendor diligence assessments, onboarding procedures and vendor risk ratings designed to identify and mitigate privacy and security risks, including development of data mapping exercises to identify and centrally manage the data life cycle across vendors.
  • Vendor contracts and policies. Develop and counsel on contracting structures and draft contract provisions and privacy and security addenda, including developing and counseling on internal contracting guidelines, requirements and escalation protocols.
  • Audits. Advise on policies and procedures to audit and assess vendors for privacy and security risks and compliance with applicable laws and contractual obligations.

Corporate Transactions, Product Development and Contracting

Our team helps organizations navigate complex privacy and security considerations in connection with transactions, purchases and product development. We partner with clients to help them achieve business goals while ensuring privacy and security interests are protected and related risks are appropriately mitigated in key transactions and initiatives.

  • M&A and corporate transactions. Assess privacy and security programs of target companies, counsel buyers on purchasing risks and transaction strategies, and advise sellers regarding diligence disclosures and compliance obligations.
  • Technology purchasing. Provide strategic counseling regarding privacy and security risks and considerations in the selection, purchase and deployment of third-party technologies and related products and services.
  • Product development. Counsel clients on complex and novel privacy and security issues that arise in developing new and innovative products and services, including conducting privacy impact assessments, developing user controls and consent frameworks, and advising on privacy and security considerations in a company’s go-to-market strategy.
  • Contracting. Draft and negotiate vendor, supplier and customer contracts to address privacy and security obligations, risks, and liability considerations.
  • Insurance. Advise clients on cyber insurance policies and related risk management strategies.

Our team works to advance clients’ legislative agendas and ensure industry perspectives on privacy and security regulations are presented to and understood by key policymakers.

  • Legislative tracking and strategic counseling. Provide strategic counseling to clients on pending and emerging privacy and security regulations and legislative initiatives and on potential business, operational and legal impacts.
  • Advocacy and public policy. Engage in lobbying and advocacy in strategic state and local jurisdictions, including preparing clients to provide oral and written testimony before state legislatures.


Reactive Privacy and Cybersecurity Services

Our team routinely leads clients through security and privacy crises and challenges. We have managed responses to myriad sophisticated and complex data security threats and cyberattacks, including incidents involving theft of proprietary information and protected data; network intrusions; state-sponsored attacks; competitive and corporate espionage and theft; lost and stolen electronic devices; ransomware and extortion; business email compromises and phishing attacks; white, black and grey hat security disclosures; insider threats and employee misuse; and coding errors and inadvertent disclosures. Our end-to-end practice spans the full spectrum of proactive and reactive data security services.

  • Security incident response. Direct and manage investigations and incident response related to security incidents and cyber risks—including retaining and partnering with forensic firms and security teams—to mitigate financial, legal, operational and reputational risks.
  • Internal investigations. Conduct and counsel clients on internal investigations related to alleged or suspected privacy and security complaints and violations, including insider threats.
  • Crisis management and public relations. Develop and implement comprehensive communications strategies designed to mitigate potential liability and reputational and economic damage related to security and privacy incidents.
  • Regulatory and law enforcement engagement. Engage and liaise with state, federal and international regulators and law enforcement as to cybersecurity incidents and related threats.

Some disputes are unavoidable. When those occur, the privacy and data security team at Manatt can help: Not only are we privacy and cybersecurity lawyers, we are seasoned trial attorneys as well, with decades of experience. We understand the technology, and we understand how to position disputes for the best resolution. This work sometimes starts as an internal investigation to identify facts and mitigate risk even before litigation begins. We also regularly consult on proactive and reactive incident response work to optimally position our clients in the event disputes arise.

Our track record of success speaks for itself. Every litigator should be prepared to take a case through trial, and we have won many jury and bench trials for our clients over the years in data theft, trade secret, copyright and related cases. Of course, most cases do not go to trial, but the best result may still be obtained from proceeding as though they will. In addition to our successful trial work, our team has achieved many successes at pretrial stages.

Our experience in privacy, technology and security matters includes representing the following:

  • A multinational media conglomerate in trial court and appellate proceedings in connection with a purported class action lawsuit alleging violations of a state Social Security Number Privacy Act (SSNPA), invasion of privacy and negligence. Following oral argument, the court of appeals affirmed the trial court’s decision to dismiss the complaint because the plaintiffs had failed to meet the SSNPA’s pleading elements, and it opined that our client had not publicly displayed the Social Security numbers through its products as alleged.
  • A major healthcare insurer in defending against putative class action claims in a high-profile case following the dissemination of more than 12,000 letters to members that potentially and allegedly disclosed the term “HIV Medications.” The insurer faced multiple class actions and government inquiries. Manatt was successful in consolidating numerous class actions into a single venue and in negotiating a settlement of the consolidated class actions, avoiding protracted litigation.
  • A healthcare facility in successfully defending a purported class action alleging patient data had been accessed, stolen and posted to the Internet, on an issue of first impression in the U.S. Court of Appeals for the Eleventh Circuit concerning Article III standing and the requirements to adequately plead harm.
  • A video game company in a data theft case involving “virtual reality” intellectual property, obtaining a $500 million jury verdict against the subsidiary of a global media conglomerate and its executives.
  • A global technology company in a trade secret misappropriation case, obtaining a multimillion-dollar jury verdict, damages award and permanent injunction.
  • A global consumer software company in successfully defending Lanham Act and unfair competition claims brought by a competitor over the company’s characterization of the competitor’s products.
  • A global consumer software company in successfully defending its SaaS/subscription model for consumer software against threatened class action litigation.
  • A global consumer software company in successfully defending a purported class action over representations about the company’s computer optimization software as part of a run of litigation against computer optimization software developers, securing a settlement that represented a significantly lower cost for the company than the settlements reached in other cases.
  • Multiple individual defendants in a federal court action involving alleged violations of the CFAA and the SCA in connection with an alleged scheme to clone a state-owned petrochemical company’s electronic infrastructure.

Team


Partner

Brandon Reilly

714.338.2701