Once an inconvenient afterthought, cybersecurity has catapulted to the forefront of business plans, legislative acts and federal regulations as companies and governmental entities deepen their presence and investment in the complex and changing digital landscape.

Wilson Elser places a high premium on taking proactive steps designed to prevent or forestall cyber-events − whether maliciously intended or accidental − taking into account all manner of actors, including nation-states, criminal entities, terrorists, “hacktivists” and well-meaning employees. As the situation dictates, we consider underlying intent and the various methods each employs, including denial of service, destruction, ransomware and theft. We carefully monitor trends and changes to cyber “attack vectors” including social engineering, helping to ensure that our clients’ risk management guidelines are up to date, practical and effective.

With respect to risk management, our practice attorneys routinely:

  • Advise clients on regulatory compliance with state and federal laws, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, payment card industry data security standards, Children’s Online Privacy Protection Act, Fair Credit Reporting Act, Computer Fraud and Abuse Act, New York State Department of Financial Services Cybersecurity Regulation, National Association of Insurance Commissioners Model Law, General Data Protection Regulation, Privacy Shield and many others
  • Advise and assist clients with preparing information security policies and programs
  • Advise and assist clients with the emerging risks posed by anticipated malware trends for connected devices (the Internet of Things)
  • Advise clients on the proper methods of collecting and monitoring employee personal information, including drafting acceptable-use policies for internet, email, social media, “bring your own device” policies and applicable laws pertaining to workplace privacy
  • Draft or revise incident response plans and run response scenarios to help ensure that businesses take appropriate actions to protect privileged information and enhance credibility in the wake of a cyber-event
  • Draft document management and retention policies
  • Advise clients on the risks associated with cloud computing and assist with related contract negotiations
  • Advise on and negotiate third-party contracts to help ensure compliance with state and federal laws and appropriate protection of client and customer data
  • Provide training at every level within an organization, from frontline employees to senior management and members of boards of directors.

Decisions made immediately following a data breach can significantly impact outcomes. For well over a decade, Wilson Elser’s core team of talented partners, assisted by associates and paralegals, has handled breach response and other sensitive situations arising from the misuse of computers and related technology. We understand that data intrusions – real and perceived – require decisive and appropriate action.

Following reports of a breach, our practice team members begin a “triage” process designed to immediately reduce exposure. Every breach has a distinctive set of characteristics and surrounding circumstances. Our experience allows us to respond swiftly and categorically to each.

We regularly oversee forensic analyses, engaging experts specially chosen to enhance protection of privileged and confidential communications, determine the cause of the breach and identify what data was at risk. Results guide the implementation of measures designed to comply with legal obligations and prevent additional data intrusion.

Depending on the situation, we can pursue other protective steps, such as:

  • Communicating with operational, legal and executive leaders regarding the breach
  • Advising when and how to involve law enforcement and, where appropriate, engage law enforcement in a responsible way
  • Crafting notification letters based on the varying requirements of states and countries
  • Providing options and recommendations on the structure and kinds of assistance provided to individuals whose sensitive information may have been exposed
  • Deploying tested public relations strategies in communicating with stakeholders and the press.

Class actions are increasing in complexity, especially in the cyber space. Cases are becoming more duplicative and overlapping, with motions filed in multiple jurisdictions during the same time period.

With its national network of offices, Wilson Elser is well positioned to launch a coordinated multi-front defense in these situations. Our attorneys are experienced in simplifying the most complicated cases by bringing motions either for federal multidistrict consolidation or state and federal coordination. Class actions can quickly move from distracting to unmanageable to crippling – or worse – so our attorneys work diligently across disciplines to counter these claims, in many cases obtaining early dismissals of the named plaintiffs or defeating motions for class certification. 

Our strategies for defending class action litigation are varied and are developed to be individualized in keeping with our clients’ objectives. Examples of these strategies include: 

  • Pursuing early dismissals of the named plaintiffs’ claims through motions to dismiss based on such defenses as the statute of limitations, lack of standing or injury, or failure to state a claim
  • Moving early for summary adjudication and/or proactively defeating class certification through effective, focused early discovery
  • Obtaining early stays of the proceedings under the doctrines of primary jurisdiction and federal preemption
  • Removing class actions from state to federal court
  • Moving to consolidate and transfer multiple class action filings to the U.S. Panel on Multidistrict Litigation when appropriate, rather than opposing a class action format. 

We also have experience conducting class- and merit-based discovery, pursuing interlocutory appeals of certification rulings and administering class action settlements.

Wilson Elser maintains a national team of experienced insurance attorneys who serve as coverage and monitoring counsel for carriers handling cyber-related claims under cyber liability and technology/media/advertising policies as well as traditional (non-cyber) policies, including commercial general liability, property, directors & officers, and errors & omissions. Our attorneys also routinely:

  • Draft cyber liability policy wording and endorsements
  • Analyze coverage
  • Draft coverage opinions and letters
  • Litigate complex coverage issues involving cyber and technology claims.

With arguably more senior litigating partner years than any other law firm in the United States, our litigators handle the most challenging and technical cyber cases. We sort through the complex technical and legal issues that characterize this practice, often serving as defense or coverage counsel on matters such as:

  • Cybersecurity preparedness
  • Data breach
  • Business-to-business litigation
  • Violations of privacy rights
  • Technology errors and omissions
  • Web-based media issues
  • Breach of contract
  • Fraud
  • False advertising
  • Defamation
  • Advertising and media injury
  • Negligence
  • Unfair trade practices/consumer protection violations.

In the context of data security and privacy incidents, we routinely represent clients in connection with related government investigations commenced by various state and federal authorities and agencies, including state attorneys general, the Department of Health and Human Services Office of Civil Rights, the Internal Revenue Service, and the Federal Bureau of Investigation, among others.

We seek cost-effective results for our clients through early assessment and negotiations, alternative dispute resolution methods or summary judgment motions. When early resolutions are not possible, we have the skill and experience to resolve cases in court. In fact, we count among our ranks some of the finest trial attorneys in the country.

Should a matter present as a class action, our team is armed with the experience to mount a vigorous defense in state or federal court. Class actions can quickly move from distracting to unmanageable to crippling − or worse − so our attorneys work diligently across disciplines to counter these claims, in many cases obtaining early dismissals of the named plaintiffs or defeating motions for class certification.

Wilson Elser’s multidisciplinary Data Use & AI Governance attorneys partner with clients to develop, implement, and defend robust AI risk management programs that meet evolving legislative mandates and stakeholder expectations. Leveraging deep experience in intellectual property, technology, cybersecurity, employment, product liability, and class-action defense, we routinely counsel boards, business owners, product managers, and in-house counsel on how best to translate emerging AI statutes, standards, and risk management frameworks into practical policies and controls to satisfy regulators, investors, and consumers.

Our national platform and extensive network of specialists position us to guide proactive compliance initiatives from inception and to respond quickly when disputes arise. Indeed, team attorneys bring a proven record of success defending complex, high-stakes AI-related claims across industries and jurisdictions.

Our integrated capabilities include:

  • Evaluating corporate AI needs and concerns
  • Drafting and auditing enterprise-wide AI governance policies, risk management frameworks, and codes of conduct
  • Advising on compliance with the EU AI Act, federal industry-specific privacy laws, state consumer privacy and biometric laws, FTC Section 5, the NIST AI Risk Management Framework, and ISO/IEC 42001
  • Conducting AI system impact assessments
  • Counseling on copyright, trademark, patent, and rights of privacy/publicity issues implicated in generative AI training data, prompts, and outputs, and DMCA takedowns related to AI-generated content
  • Structuring and negotiating AI vendor, licensing, data sharing, and joint development agreements, including indemnity, confidentiality, IP ownership, and model risk provisions
  • Designing bias, fairness, and disparate impact risk assessment protocols
  • Advising on defamation, false light, and right of privacy/publicity risks
  • Defending claims (including class actions) alleging deceptive trade practices, unfair competition, defamation, false light, right of privacy/publicity, automatic renewal violations, and privacy intrusions arising from AI-enabled personalization and tracking technologies
  • Supporting insurers and insureds in underwriting, coverage analysis, and claims handling for AI-related E&O, D&O, cyber, and media liability policies
  • Guiding organizations through internal investigations, government inquiries, and enforcement actions.


While most small and mid-sized organizations do not have dedicated privacy officers, their risks associated with data breaches and the need to comply with privacy laws are no less important. Indeed, they may even be greater if a smaller organization’s IT systems are not consistently updated or subject to the base designs of bad actors. A smaller-scale business model also may be less likely to withstand the outsized costs associated with breach-related liabilities and sanctions. 

Wilson Elser is pleased to offer these clients a full suite of Virtual Privacy Officer Services that can be customized to fit an organization’s distinct cybersecurity and data privacy requirements. We engage on a continuous or as-needed basis in any number of jurisdictions – across the United States or worldwide. 

Drawing on collective decades of related experience, our practice attorneys offer a wide range of cybersecurity and data privacy services, including: 

  • Incident response plans
  • Tabletop exercises
  • 24/7 incident response hotlines
  • Written information security programs
  • HIPAA policies and procedures
  • Response to HHS audits and investigations
  • Website privacy policies and terms of use
  • Data mapping, data retention and data destruction policies
  • Employee training, handbooks and policies
  • Compliance with privacy laws including California Consumer Privacy Act (CCPA), Biometric Information Privacy Act (BIPA) and EU’s General Data Protection Regulation (GDPR)
  • Advice on cross-border data transfers
  • Review of vendor contracts and business associate agreements.

Cybersecurity & Data Privacy

Xu Chen

Associate

Peter Chu

Of Counsel

Thomas W. Tobin

Senior Counsel


Coffman, Das, Ross, Viergever and Williams Defeat Federal Data Breach Class Action

Daniel Coffman (Associate-Washington, DC), Anjali Das (Partner-Chicago, IL), David Ross (Partner-Washington, DC), Kim Viergever (Of Counsel-Denver, CO) and Ryan Williams (Partner-Denver, CO) obtained dismissal with prejudice of a federal data breach class action filed against a services vendor for mental health care providers in the District of Colorado. The case comprised eight consolidated class actions brought by 15 named plaintiffs that arose out of a ransomware incident that involved the personal information of almost 4.3 million individuals and included sensitive information such as health information and Social Security numbers. The court agreed that all of the named plaintiffs lack Article III standing, dissecting each of their alleged theories of harm and coming down on the side of the more reasoned courts that have found these types of theories fail to establish standing – public disclosure of private information, increased spam, diminution in value of PHI/PII, emotional distress and future harm. The court concluded that “Plaintiffs have failed to allege injuries in fact that are fairly traceable to the Defendants’ complained-of conduct,” and issued a judgment dismissing the plaintiffs’ claims with prejudice and closing the case. 

Daniel R. Coffman, Anjali C. Das, David M. Ross, Kimberly Viergever and Ryan A. Williams

Cybersecurity Class Action

Das, Myers and Spitaletto Obtain Dismissal of Texas Data Breach Class Action

Anjali Das (Partner-Chicago, IL), Brian Myers (Of Counsel-Washington, DC) and Tommy Spitaletto (Partner-Dallas, TX) obtained dismissal of a data breach class action filed against a mental health care provider in the Western District of Texas. The lawsuit arose out of a cyber-attack that involved personal information that included sensitive information such as health information and Social Security numbers. In support of our client’s motion to dismiss, Wilson Elser argued that the plaintiff lacked Article III standing to sue because she failed to allege any injury-in-fact in the form of identity theft, fraud or misappropriation as a result of the breach. Instead, the plaintiff alleged that her harm consisted of (1) lost time and out-of-pocket expenses spent dealing with the data breach; (2) diminished value of her personal, health and financial information; (3) anxiety; (4) violation of privacy rights; (5) loss of the benefit of the bargain made with our client and overpayment for services intended to include data security; and (6) increased risk of future fraud and identity theft. The District Court agreed with Wilson Elser’s position that the plaintiff lacked standing to bring suit and dismissed the case on the basis that the plaintiff failed to allege any actual injury in the form of identity theft, financial fraud or misuse of personal information that could be traced to the cyber incident.

Anjali C. Das, Brian H. Myers and Thomas M. Spitaletto

Mirabile, Murphy-Petros and Das Obtain Favorable Ruling in VPPA Class Action

Constantina Mirabile (Of Counsel-West Palm Beach, FL), Melissa Murphy-Petros (Of Counsel-Chicago, IL) and Anjali Das (Partner-Chicago, IL) represented an educational technology company that provides subscribers with access to online educational courses in a Video Privacy Protection Act (VPPA) class action filed in the U.S. District Court for the Southern District of Florida. The plaintiff, a subscriber, allegedly viewed online course content offered by our client, and filed a putative class action on behalf of herself and all other subscribers for violations of the VPPA. The plaintiff alleged that Meta Pixel (a snippet of JavaScript code that tracks visitor activity on a website) was installed on our client’s website, which resulted in the disclosure of her personal information to Facebook, including the content she viewed, without her consent. Wilson Elser filed a Motion to Compel Arbitration, noting that the plaintiff (like all subscribers) was required to accept defendant’s Terms of Use, which included a mandatory binding arbitration provision. Moreover, the Terms of Use explicitly stated that all parties waived the right to participate in a class action or representative proceeding with respect to any claim. The court promptly granted Wilson Elser’s motion pursuant to the Terms of Service agreement. The ruling underscores the importance of arbitration and class action waiver language in Terms of Use agreements.

NOTE: The Video Privacy Protection Act (VPPA), enacted in 1998, sought to preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials. Plaintiffs have sought to resuscitate the statute by bringing VPPA claims into the 21st century based on the premise that organizations that offer prerecorded, online audio visual content are “video tape service providers” within the meaning of the statute, the draw being VPPA class actions include statutory damages of up to $2,500 per violation.
 

Melissa A. Murphy-Petros and Anjali C. Das

Dismissal of Data Breach Class Action on Behalf of Radiology Facility and Archival Imaging System

Geoffrey A. Belzer (Partner-Chicago), Anjali C. Das (Partner-Chicago), Peter J. Larkin (Partner-White Plains) and Jennifer S. Stegmaier (Of Counsel-Chicago) obtained a data breach class action dismissal in the U.S. District Court for the Southern District of New York on behalf of a radiology facility and archival imaging system that contained protected health information. About a year and a half after receiving notice of a breach, two patients filed a complaint against the firm’s client and its IT service provider for failing to implement adequate cybersecurity measures, alleging multiple unauthorized individuals had accessed their information. Geoffrey, Anjali, Peter and Jennifer prevailed on their motion to dismiss when the court held that allegations of increased risk of future harm alone are not a cognizable injury. The court also rejected each of the plaintiffs’ additional theories of injury based on time and money spent on theft and fraud monitoring, “benefit of the bargain” injury, intrusion upon seclusion and statutory violations. Plaintiff’s counsel initially filed a purported class action designating another individual who was ultimately determined to never have been a patient of the radiology practice. Plaintiff’s counsel dismissed that action after the team moved for dismissal, and counsel then instituted the parallel suit involving these two plaintiffs and the motion to dismiss follows.

Geoffrey Belzer, Anjali C. Das, Peter J. Larkin and Jennifer S. Stegmaier
