Cybersecurity & Data Privacy



While technology has facilitated the formation of an interconnected global economy, it also has given rise to profound risks for consumers and companies alike. An increasing number of actors—from virtually every part of the globe—have exploited cybersecurity vulnerabilities, disrupting businesses, corrupting data, co-opting personal information, and otherwise wreaking havoc on organizations and national economies. In the evolving cyber landscape, instances of neglect have led to equally devastating results. These often involve uninformed or careless leadership, employees or third-party vendors.

Cybersecurity was an inconvenient afterthought as recently as a decade ago. The explosive growth of e-commerce and increased dependence on digitized data have since catapulted it to the forefront of business plans, legislative acts and federal regulations as companies and governmental entities deepen their presence and investment in the complex and changing digital landscape.

  • Cyber Risk Management

    Wilson Elser places a high premium on taking proactive steps designed to prevent or forestall cyber-events – whether maliciously intended or not – taking into account all manner of actors, including nation-states, criminal entities, terrorists, “hacktivists” and well-meaning employees. As the situation dictates, we consider underlying intent and the various methods each employs, including denial of service, destruction, ransomware and theft. We carefully monitor trends and changes to cyber “attack vectors” including social engineering, helping to ensure that our clients’ risk management guidelines are up-to-date, practical and effective.

    With respect to risk management, our practice attorneys routinely:

    • Advise clients on regulatory compliance with state and federal laws, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, payment card industry data security standards, Children’s Online Privacy Protection Act, Fair Credit Reporting Act, Computer Fraud and Abuse Act, New York State Department of Financial Services Cybersecurity Regulation, National Association of Insurance Commissioners Model Law, General Data Protection Regulation, Privacy Shield and many others
    • Advise and assist clients with preparing information security policies and programs
    • Advise and assist clients with the emerging risks posed by the explosion in interconnected devices (the Internet of Things)
    • Advise clients on the proper methods of collecting and monitoring employee personal information, including drafting acceptable-use policies for internet, email, social media, “bring your own device” policies and applicable laws pertaining to workplace privacy
    • Draft or revise incident response plans and run response scenarios to help ensure that businesses take appropriate actions to protect privileged information and enhance credibility in the wake of a cyber-event
    • Draft document management and retention policies
    • Advise clients on the risks associated with cloud computing and assist with related contract negotiations
    • Advise on and negotiate third-party contracts to help ensure compliance with state and federal laws and appropriate protection of client and customer data
    • Provide training at every level within an organization, from frontline employees to senior management and members of boards of directors.
  • Cyber Breach

    Decisions made immediately following a data breach can significantly impact outcomes. For well over a decade, Wilson Elser's core team of talented partners, assisted by associates and paralegals, has handled breach response and other sensitive situations arising from the misuse of computers and related technology. We understand that data intrusions – real and perceived – require decisive and appropriate action. Following reports of a breach, our practice team members begin a "triage" process designed to immediately reduce exposure. Every breach has a distinctive set of characteristics and surrounding circumstances. Our experience allows us to respond swiftly and categorically.

    We regularly oversee forensic analyses, engaging experts specially chosen to enhance protection of privileged and confidential communications, determine the cause of the breach and identify what data was at risk. Results guide the implementation of measures designed to comply with legal obligations and prevent additional data intrusion.

    Depending on the situation, we can pursue other protective steps, such as:

    • Communicating with operational, legal and executive leaders regarding the breach
    • Advising when and how to involve law enforcement and, where appropriate, engaging law enforcement in a responsible way
    • Crafting notification letters based on the varying requirements of states and countries
    • Providing options and recommendations on the structure and kinds of assistance provided to individuals whose sensitive information may have been exposed
    • Deploying tested public relations strategies in communicating with stakeholders and the press.
  • Virtual Privacy Officer Services

    While most small and mid-sized organizations do not have dedicated privacy officers, their risks associated with data breaches and the need to comply with privacy laws are no less important. Indeed, they may even be greater if a smaller organization’s IT systems are not consistently updated or are subject to the base designs of bad actors. A smaller-scale business model also may be less likely to withstand the outsized costs associated with breach-related liabilities and sanctions.

    Wilson Elser is pleased to offer these clients a full suite of Virtual Privacy Officer Services that can be customized to fit an organization’s distinct cybersecurity and data privacy requirements. We engage on a continuous or as-needed basis in any number of jurisdictions – across the United States or worldwide.

    Drawing on collective decades of related experience, our practice attorneys offer a wide range of cybersecurity and privacy services, including:

    • Incident response plans
    • Tabletop exercises
    • 24/7 incident response hotline
    • Written information security programs
    • HIPAA policies and procedures
    • Response to HHS audits and investigations
    • Website privacy policies and terms of use
    • Data mapping, data retention, and data destruction policies
    • Employee training, handbooks and policies
    • Compliance with privacy laws including California Consumer Privacy Act (CCPA), Biometric Information Privacy Act (BIPA) and EU’s General Data Protection Regulation (GDPR)
    • Advice on cross-border data transfers
    • Review of vendor contracts and business associate agreements
  • Cyber Coverage

    Wilson Elser maintains a national team of experienced insurance attorneys who serve as coverage and monitoring counsel for carriers handling cyber-related claims under cyber liability and technology/media/advertising policies as well as traditional (non-cyber) policies, including commercial general liability, property, directors & officers, and errors & omissions. Our attorneys also routinely:

    • Draft cyber liability policy wording and endorsements
    • Analyze coverage
    • Draft coverage opinions and letters
    • Litigate complex coverage issues involving cyber and technology claims.
  • Cyber Defense and Litigation

    With arguably more senior litigating partner years than any other law firm in the United States, our litigators handle the most challenging and technical cyber cases. We sort through the complex technical and legal issues that characterize this practice, often serving as defense or coverage counsel on matters such as:

    • Cybersecurity preparedness
    • Data breach
    • Business-to-business litigation
    • Violations of privacy rights
    • Technology errors and omissions
    • Web-based media issues
    • Breach of contract
    • Fraud
    • False advertising
    • Defamation
    • Advertising and media injury
    • Negligence
    • Unfair trade practices/consumer protection violations.

    In the context of data security and privacy incidents, we routinely represent clients in connection with related government investigations commenced by various state and federal authorities and agencies, including state attorneys general, the Department of Health and Human Services Office of Civil Rights, the Internal Revenue Service, and the Federal Bureau of Investigation, among others.

    We seek cost-effective results for our clients through early assessment and negotiations, alternative dispute resolution methods or summary judgment motions. When early resolutions are not possible, we have the skill and experience to resolve cases in court. In fact, we count among our ranks some of the finest trial attorneys in the country.

    While companies may find themselves in the crosshairs of an individual plaintiff, should a matter present as a class action, our team is armed with the experience to mount a vigorous defense in state or federal court. Class actions can quickly move from distracting to unmanageable to crippling – or worse – so our attorneys work diligently across disciplines to counter these claims, in many cases obtaining early dismissals of the named plaintiffs or defeating motions for class certification.