Privacy, Security & Data Protection


To succeed in today’s business world, it is critical that companies strategically prioritize digital assets, navigate an ever-expanding web of nuanced privacy rules, and protect confidential information from the onslaught of malicious cyberattacks, breaches, and other threats.

Blank Rome’s national team of experienced privacy, security & data protection attorneys has spent decades at the cutting edge of technology helping clients navigate the patchwork of data privacy laws and the myriad issues posed by digital technologies, IT, outsourcing, marketing, and data rights transactions in a variety of sectors from healthcare, pharmaceutical, and medical devices to the e-commerce, consumer goods, financial services, and FinTech industries.

Our multidisciplinary team of leading cybersecurity and data privacy professionals advises clients on the potential consequences of cybersecurity threats and how to implement comprehensive measures for mitigating cyber risks, prepares customized strategy and action plans, and provides ongoing support and maintenance to promote cybersecurity awareness.

We not only know the law, we know the businesses and industries in which our clients operate. This helps us understand and achieve their business objectives by taking a holistic approach that seamlessly integrates the firm’s comprehensive services in corporate, intellectual property and technology, maritime, aviation, healthcare and life sciences, insurance recovery, government contracts, and litigation.

What Sets Us Apart

Our privacy, security & data protection team understands business and technology. We draw on a bench of attorneys with significant experience in a variety of industries who understand the challenges faced by our clients. We are able to assist clients to structure and execute strategies that solve problems, seize opportunities, and achieve business goals while addressing data privacy and security compliance issues. We anticipate trends to structure business deals and position innovative products to best position our clients in the market amidst a challenging regulatory landscape.

Members of our privacy, security & data protection team are certified as information privacy professionals in the United States and Europe by the International Association of Privacy Professionals (“IAPP”).

How We Can Help

  • Draft and negotiate complex technology and cloud transactions, data licensing, and strategic IT commercial agreements and develop vendor management policies and playbooks.
  • Develop, draft, and implement privacy, security, and data protection agreements, policies, and “best practices.”
  • Administer internal compliance and risk assessments.
  • Evaluate and enhance cyberinsurance policies and respond to attempts by insurers to deny coverage for cyber losses.
  • Handle data breach response and litigation.
  • Assist government contractors in protecting Unclassified Controlled Technical Information (“UCTI”), Covered Defense Information (“CDI”), export-controlled information, and trade secrets.
  • Provide breach and security incident response coaching to assist in mitigating cyber risk.
  • Advise companies on administrative and regulatory audits and handle governmental agency inquiries and investigations.
  • Advise companies on data governance and privacy regulations in connection with product launches.
  • Advise on privacy, security, data management, and online advertising issues.
  • Advise clients on data privacy and security risks in mergers and acquisitions.
  • Assist with leveraging and protecting the value of data in e-commerce arrangements, strategic alliances, and joint ventures.
  • Develop privacy statements and advise on privacy issues relating to behavioral and targeted advertising.
  • Prepare online and in-person training modules.
  • Prosecute and analyze patents that relate to data privacy and cybersecurity systems.

We assist clients to inventory data collection and use practices, identify relevant legal frameworks, and ascertain and remediate gaps in compliance to develop data-centric compliance programs that anticipate regulatory enforcement and litigation issues and are consistent with business needs. The privacy, security & data protection team counsels clients on compliance with state, federal, and international laws and regulations, as well as pending legislation, related to data governance and personally identifiable information, including:

  • Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”)
  • State laws governing use and disclosure of personal health information
  • Gramm-Leach-Bliley Act (“GLBA”)
  • California Consumer Privacy Act of 2018 (“CCPA”)
  • Virginia Consumer Data Protection Act (“VCDPA”)
  • EU General Data Protection Regulation (“EU GDPR”)
  • EU Privacy and Electronic Communications Directive (“ePrivacy Directive”)
  • Illinois Biometric Information Privacy Act (“BIPA”) and other state laws governing the collection and use of biometric information
  • CAN-SPAM Act of 2003 (“CAN-SPAM”)
  • Children’s Online Privacy Protection Act (“COPPA”)
  • Federal Trade Commission Act (“FTC”)
  • Fair Debt Collection Act (“FDCA”)
  • The Common Rule
  • Fair Credit Reporting Act (“FCRA”) and Fair and Accurate Credit Transactions Act (“FACTA”)
  • Drivers Privacy Protection Act (“DPPA”)
  • Video Privacy Protection Act (“VPPA”)
  • Telephone Consumer Protection Act (“TCPA”)
  • Family Educational Rights and Privacy Act (“FERPA”)
  • Electronic Communications Privacy Act (“ECPA”), Stored Communications Act (“SCA”), and state recording laws


  • Structured outsourcing transactions (some exceeding one billion dollars) to transfer all mainframe, server, desktop, LAN-WAN equipment, application development, and IT personnel supporting such technology to major outsourcing vendors (including offshore), developing service levels to facilitate optimum performance and providing privacy and security advice relating to offshore processes.
  • Structured a variety of e-commerce arrangements, including web development and hosting agreements, electronic marketplaces, lead generation, and electronic data interchange (“EDI”), including regulatory advice in privacy; security; CAN-SPAM; COPPA; and state, federal, and international legislation.
  • Advised a large manufacturer of consumer electronics developing and commercializing technology innovations with a vendor of remote access technology to allow home monitoring for healthcare and other purposes. Such advice included structuring strategic alliances and licenses protecting intellectual property and resolving issues involving complex ownership and licensing rights, as well as negotiating agreements for the licensing, maintenance, support, and acquisition of computer hardware, software, databases, telecommunications, and networking.
  • Drafted complex commercial transactions for a leading manufacturer of consumer electronics involving product launch and product life cycle, including 1) combining licensed works into a solution and defining the parties’ respective ownership rights; 2) structuring original equipment manufacturer (“OEM”) and original design manufacturer (“ODM”) manufacturing agreements to build the product; 3) drafting end-user customer licenses; 4) developing supply agreements for product resale; and 5) structuring channel distribution agreements.
  • Counseled largest independently-owned food processor in the eastern United States with respect to security breach by payroll processor resulting in unauthorized access to human resources data about employees in 10 states, including negotiating for settlement with payment processor, reviewing individual notices, and interacting with insurance carrier. 
  • Advised top U.S. accounting firm regarding loss of sensitive customer data, including notifying and negotiating with customers, preparing individual notices, arranging for identity theft protection service, interacting with insurance carrier, and counseling on communications plan.
  • Developed and implemented global privacy and security compliance program for Fortune 500 international pharmaceutical, medical device, and consumer company, including working closely with the client’s internal privacy team to assess the company’s business practices, develop a company-wide privacy policy, draft business-unit level policies and procedures, create and negotiate privacy language in contracts and permission documents, and train company personnel.
  • Represented health care provider in evaluating possible unauthorized access to electronic medical records system through investigation of electronic medical record provider.
  • Advised client with respect to response to ransomware attack where sensitive personal information was the subject of the attack, including engaging for independent forensic investigation. 
  • Represented vendor to online retailers regarding response to a breach involving the inadvertent misconfiguration of a firewall that was taken advantage of by attackers and resulted in release of payment card information, including advising on notices to payment card companies, individual notifications, and notifications to regulatory bodies.
  • Counseled employer regarding response to spam phishing attack involving malicious e-mail resulting in theft of W-2 forms from employees in several states.
  • Assisted major shipping company with cyber-breach response regarding receipt of fraudulent e-mails and payment to cybercriminal.
  • Successfully arbitrated on behalf of one of the world’s leading suppliers of bunker fuel regarding failure to receive funds/payment due to cyber breach and payment to cybercriminal.
  • Provide annual cybersecurity compliance training and policy review for one of the largest transportation and distribution companies in the United States. 
  • Provided a Global 500 professional services firm with strategic advice regarding insurance coverage for cybersecurity and privacy risks. The firm analyzed the entire suite of insurance policies that the company holds, detailing where there may be coverage for cybersecurity and privacy risks. The firm also provided strategic advice to the company regarding the purchase of cyberinsurance policies. As a result of the work that the firm performed to customize the off-the-shelf cyberinsurance policies for this client’s risks, $90 million in losses from a breach were covered by insurance that would not have otherwise been covered. 
  • Performed top-to-bottom review of a Fortune 500 company’s insurance policies to identify gaps in coverage for cyber risks in response to boardroom-level inquiry. The firm also helped the company review and select proposed cyberinsurance policies and recommended changes to selected cyberinsurance policy with respect to costs arising from a cyber or privacy event, business interruption, regulatory actions, liability, and cyber extortion.
  • Provided comprehensive review of Fortune 100 manufacturing company’s cyberinsurance policies to identify areas for improvement and customization to the company’s unique risk profile. 
  • Represented manufacturer that suffered monetary losses after hackers infiltrated a vendor’s network and sent fraudulent e-mails to the manufacturer directing it to send payment to fraudulent accounts. The firm assisted the chemical manufacturer with providing notice to its insurer and responding to insurer’s coverage positions. 
  • Represented a company that suffered a data breach after hackers sent fraudulent e-mails to company. The firm assisted the company with providing notice to its insurers and the FBI and complying with breach notification requirements.
  • Represented government contractor with providing its insurer with notice of a data breach and advising it on the scope of coverage available under its insurance policies.
  • Advised consumer-facing web-based service company with the purchase and renewal of cyberinsurance policy.
  • Advised pharmaceutical company with recommendations and advice concerning the purchase and renewal of cyberinsurance policy.
  • Handled a suspected cyber incident targeting a defense contractor’s IT system, including managing the incident response and recovery, notifications, and insurance coverage issues.
  • Reviewed and revised security policies for global manufacturer and retailer of chocolates.
  • Advised global company with respect to worldwide data protection strategy, including transfer of data from Europe to United States.

