K&L Gates Data Security Breach Practice
The speed of business, the nature and complexity of software and hardware, the realities
that employees make mistakes, and the fact that laws and standards are ever-changing
can all create unintended consequences. At times, this results in losses of, or unauthorized
access to, personal or other information (such as device-related information) that entities or
their employees maintain. These occurrences can implicate a variety of international and
United States federal and state laws related to reporting data security breaches.
Knowledgeable counsel is needed to assist
a business with analyzing whether such
occurrences constitute a data security breach
under applicable law, guiding the business
in its data security breach response, acting
as counsel in related regulatory enforcement
and class actions, and structuring business
practices to help mitigate or address past and
future breaches. We have detailed knowledge
and experience in international and United
States federal and state laws, and internally
track the unique, and often conflicting, laws of
the 50 U.S. states. Building and maintaining
a successful business in today’s economy
requires companies to collect, process,
and store a variety of information about
employees, customers, and other individuals.
Regarding data transfers to and from Europe,
our European partners will help you to
avoid conflicts with the strict requirements of
European data protection law. The K&L Gates
Data Security Breach Practice helps clients
to recognize a data security breach under
applicable U.S. and foreign laws, minimize
associated risks, respond properly, and seek
or defend legal and other redress.
Representative Capabilities and Experience
• Investigating Incidents. We assist clients
in investigating the possibility that security
has been compromised. Our experience
can help clients investigate incidents in
an efficient manner that helps to preserve
evidence and reduce legal exposure.
• Analyzing Breaches. While many laws
require a business to notify individuals and
regulators after a data breach, not every
breach triggers a duty to provide notice.
Indeed, notice is sometimes precluded.
We are experienced in analyzing each
breach in light of each relevant statute
to determine whether or not notice is
required, advisable, or inadvisable. We
do this for breaches occurring locally,
nationally and internationally.
• Internet Safety. We are able to assist
clients in investigating and responding
to online attacks and other malicious
acts. We have an in-house cyberforensic
group equipped with sophisticated tools,
including an onsite lab. We also have
lawyers with computer science and
electrical engineering degrees who have
technical knowledge helpful in this area.
We can assist clients in ascertaining
the scope of a data breach, and we
are experienced in working with client
IT staff, regulators, consultants, and
law enforcement to help investigate,
remediate, and minimize liability. We
work with, and often can assist more
quickly than, forensic firms ultimately
retained for long-term investigations.
• International Data Transfers. We
assist you in all cases of international
data transfers and advise you on
the requirements that must be met. In
particular, we help you to avoid violations
of the strict requirements of European data
protection law when transferring data to
and from Europe.
• Data Breach Responses. We
help clients draft internal policies for
responding to potential data security
breaches. It is impossible to avoid
all breaches, so we have extensive
experience helping clients respond to data
security breaches large and small, when
they occur. This includes breaches with
varying kinds of sensitive information that
are subject to varying laws. We analyze
applicable notification obligations, draft
notices to affected individuals based on
applicable federal, state, or foreign law,
and help clients protect their brand and
reputation when providing notice. We
assist in making required disclosures to
regulators and law enforcement agencies
and recommend precautionary measures
to reduce related risks. We also help
clients to negotiate, ascertain and
comply with contractual breach response
and notification obligations, including
payment card organization and merchant
contract rules.
• Government Enforcement Actions.
We assist clients if they become subject
to a regulatory enforcement investigation
or action, including those by federal
regulators such as the FTC or state
attorneys general. Knowledgeable
legal counsel often helps to minimize
the repercussions of such proceedings,
and to avoid pitfalls that can arise when
proceeding without legal counsel.
• Insurance Coverage for Data
Security Breaches. We counsel clients
regarding insurance coverage for data
security breach liability, including when
insurers dispute their obligation to cover
such incidents. We also provide counsel
regarding the types of coverages that
are advisable to protect against risks
associated with data security breaches.
• Contracting with Customers,
Service Providers and Affiliates.
We advise clients on how to address
the risks of data security breaches in
contracts with service providers, vendors,
and affiliates having access to covered
information owned or maintained by a
client. This includes advice regarding laws
mandating particular provisions for service
contracts, as well as drafting, reviewing,
and negotiating contracts to protect
our clients’ rights, limit their liability,
and allocate and address logistics of
responding to breaches.
• Litigating Data Security Breach
Actions. We represent clients in lawsuits,
including class action defenses, arising
out of data security breaches. As one
example, we successfully litigated the
class action case of Kahle v. Litton Loan
Servicing LP, 486 F. Supp. 2d 705 (S.D.
Ohio 2007), one of the important, early
cases holding that speculative theories
of injury could not support a class action
against an entity suffering a data security
breach. We have also successfully filed
“John Doe” lawsuits to identify computer
hackers and others whose identities are
shielded by Internet service providers.
• Internal Policies. We help clients
draft and implement internal policies
and procedures for handling personally
identifying or other sensitive information,
including updating those policies in light
of breaches experienced. According to
some studies, insiders such as employees
with access to data are the largest source
of data security breaches. We adapt such
policies to different jurisdictions and to
the requirements of different national data
protection laws.
• Employment Issues. We routinely
advise clients on how to handle
investigations and disciplinary actions
when employees are implicated in data
breach investigations. This includes
drafting employment procedures to
anticipate data breaches. We also
advise on obligations and practices for
educating employees on how to handle
and protect covered data of employees
and customers.
• Mergers and Acquisitions. When
evaluating whether to enter into a
merger, acquisition, or other significant
business transaction, it is important
to conduct due diligence regarding
the target’s data protection position.
Standard due diligence checklists do
not deal adequately with data security.
We provide relevant supplements while
also assisting with methods for assessing
and minimizing risks presented by the
target, including prior data breaches
and inadequate data security, access
controls, authentication and other data
protection obligations.
• Privacy, Data Protection and
Information Management More
Generally. We assist clients with
developing and managing information
assets while containing costs and
maintaining operational efficiencies. We
help develop and implement privacy and
information security policies, procedures
and contracts; deploy new technologies;
develop innovative business practices;
improve customer understanding,
confidence and consent; and prevent or
mitigate regulatory enforcement actions.
Our lawyers have experience with many
technologies and methodologies. The size
and breadth of the firm’s experience also
allows us to provide critical substantive
counseling in the myriad of areas
implicated by a data breach, including
laws regarding employment, financial
institutions, payment cards, educational
institutions, and government contractors.
To learn more about our Data Security Breach practice, please contact one of the
lawyers listed below or visit www.klgates.com.
United States
Holly K. Towle
Tel +1.206.370.8334
holly.towle@klgates.com
Henry L. Judy
Tel +1.202.778.9032
henry.judy@klgates.com
Europe
Tobias Bosch
Tel +49.(0)30.220.029-410
tobias.bosch@klgates.com
Anchorage Austin Beijing Berlin Boston Brussels Charlotte Chicago Dallas Dubai Fort Worth Frankfurt Harrisburg Hong Kong London
Los Angeles Miami Moscow Newark New York Orange County Palo Alto Paris Pittsburgh Portland Raleigh Research Triangle Park
San Diego San Francisco Seattle Shanghai Singapore Spokane/Coeur d’Alene Taipei Tokyo Warsaw Washington, D.C.
K&L Gates includes lawyers practicing out of 37 offices located in North America, Europe, Asia and the Middle
East, and represents numerous GLOBAL 500, FORTUNE 100, and FTSE 100 corporations, in addition to growth
and middle market companies, entrepreneurs, capital market participants and public sector entities. For more
information about K&L Gates or its locations and registrations, visit www.klgates.com.
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to
any particular facts or circumstances without first consulting a lawyer.
©2011 K&L Gates LLP. All Rights Reserved.