K&L Gates Data Security Breach Practice

The speed of business, the nature and complexity of software and hardware, the reality that employees make mistakes, and the fact that laws and standards are ever-changing can all create unintended consequences. At times, this results in losses of, or unauthorized access to, personal or other information (such as device-related information) that entities or their employees maintain. These occurrences can implicate a variety of international and United States federal and state laws related to reporting data security breaches. Knowledgeable counsel is needed to assist a business with analyzing whether such occurrences constitute a data security breach under applicable law, guiding the business in its data security breach response, acting as counsel in related regulatory enforcement and class actions, and structuring business practices to help mitigate or address past and future breaches. We have detailed knowledge and experience in international and United States federal and state laws, and internally track the unique, and often conflicting, laws of the 50 U.S. states.

Building and maintaining a successful business in today’s economy requires companies to collect, process, and store a variety of information about employees, customers, and other individuals. Regarding data transfers to and from Europe, our European partners will help you to avoid conflicts with the strict requirements of European data protection law. The K&L Gates Data Security Breach Practice helps clients recognize a data security breach under applicable U.S. and foreign laws, minimize associated risks, respond properly, and seek or defend legal and other redress.

Representative Capabilities and Experience

• Investigating Incidents. We assist clients in investigating the possibility that security has been compromised. Our experience can help clients investigate incidents in an efficient manner that helps to preserve evidence and reduce legal exposure.

• Analyzing Breaches. While many laws require a business to notify individuals and regulators after a data breach, not every breach triggers a duty to provide notice. Indeed, notice is sometimes precluded. We are experienced in analyzing each breach in light of each relevant statute to determine whether notice is required, advisable, or inadvisable. We do this for breaches occurring locally, nationally and internationally.

• Internet Safety. We are able to assist clients in investigating and responding to online attacks and other malicious acts. We have an in-house cyberforensic group equipped with sophisticated tools, including an onsite lab. We also have lawyers with computer science and electrical engineering degrees who have technical knowledge helpful in this area. We can assist clients in ascertaining the scope of a data breach, and we are experienced in working with client IT staff, regulators, consultants, and law enforcement to help investigate, remediate, and minimize liability. We work with, and often can assist more quickly than, forensic firms ultimately retained for long-term investigations.

• International Data Transfers. We assist you in all cases of international data transfers and advise you on the requirements that must be met. In particular, we help you to avoid violations of the strict requirements of European data protection law when transferring data to and from Europe.

• Data Breach Responses. We help clients draft internal policies for responding to potential data security breaches. It is impossible to avoid all breaches, so we have extensive experience helping clients respond to data security breaches large and small, when they occur. This includes breaches involving varying kinds of sensitive information that are subject to varying laws. We analyze applicable notification obligations, draft notices to affected individuals based on applicable federal, state, or foreign law, and help clients protect their brand and reputation when providing notice. We assist in making required disclosures to regulators and law enforcement agencies and recommend precautionary measures to reduce related risks. We also help clients to negotiate, ascertain and comply with contractual breach response and notification obligations, including payment card organization and merchant contract rules.

• Government Enforcement Actions. We assist clients if they become subject to a regulatory enforcement investigation or action, including those by federal regulators such as the FTC or by state attorneys general. Knowledgeable legal counsel often helps to minimize the repercussions of such proceedings, and to avoid pitfalls that can arise when proceeding without legal counsel.

• Insurance Coverage for Data Security Breaches. We counsel clients regarding insurance coverage for data security breach liability, including when insurers dispute their obligation to cover such incidents. We also provide counsel regarding the types of coverage that are advisable to protect against risks associated with data security breaches.

• Contracting with Customers, Service Providers and Affiliates. We advise clients on how to address the risks of data security breaches in contracts with service providers, vendors, and affiliates having access to covered information owned or maintained by a client. This includes advice regarding laws mandating particular provisions for service contracts, as well as drafting, reviewing, and negotiating contracts to protect our clients’ rights, limit their liability, and allocate and address the logistics of responding to breaches.

• Litigating Data Security Breach Actions. We represent clients in lawsuits, including class action defenses, arising out of data security breaches. As one example, we successfully litigated the class action case of Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007), one of the important, early cases holding that speculative theories of injury could not support a class action against an entity suffering a data security breach. We have also successfully filed “John Doe” lawsuits to identify computer hackers and others whose identities are shielded by Internet service providers.

• Internal Policies. We help clients draft and implement internal policies and procedures for handling personally identifying or other sensitive information, including updating those policies in light of breaches experienced. According to some studies, insiders such as employees with access to data are the largest source of data security breaches. We adapt such policies to different jurisdictions and to the requirements of different national data protection laws.

• Employment Issues. We routinely advise clients on how to handle investigations and disciplinary actions when employees are implicated in data breach investigations. This includes drafting employment procedures to anticipate data breaches. We also advise on obligations and practices for educating employees on how to handle and protect covered data of employees and customers.

• Mergers and Acquisitions. When evaluating whether to enter into a merger, acquisition, or other significant business transaction, it is important to conduct due diligence regarding the target’s data protection position. Standard due diligence checklists do not deal adequately with data security. We provide relevant supplements while also assisting with methods for assessing and minimizing risks presented by the target, including prior data breaches and inadequate data security, access controls, authentication and other data protection obligations.

• Privacy, Data Protection and Information Management More Generally. We assist clients with developing and managing information assets while containing costs and maintaining operational efficiencies. We help develop and implement privacy and information security policies, procedures and contracts; deploy new technologies; develop innovative business practices; improve customer understanding, confidence and consent; and prevent or mitigate regulatory enforcement actions. Our lawyers have experience with many technologies and methodologies. The size and breadth of the firm’s experience also allows us to provide critical substantive counseling in the myriad areas implicated by a data breach, including laws regarding employment, financial institutions, payment cards, educational institutions, and government contractors.

To learn more about our Data Security Breach practice, please contact one of the lawyers listed below or visit www.klgates.com.

United States
Holly K. Towle
Tel +1.206.370.8334
holly.towle@klgates.com

Henry L. Judy
Tel +1.202.778.9032
henry.judy@klgates.com

Europe
Tobias Bosch
Tel +49.(0)30.220.029-410
tobias.bosch@klgates.com

Offices: Anchorage, Austin, Beijing, Berlin, Boston, Brussels, Charlotte, Chicago, Dallas, Dubai, Fort Worth, Frankfurt, Harrisburg, Hong Kong, London, Los Angeles, Miami, Moscow, Newark, New York, Orange County, Palo Alto, Paris, Pittsburgh, Portland, Raleigh, Research Triangle Park, San Diego, San Francisco, Seattle, Shanghai, Singapore, Spokane/Coeur d’Alene, Taipei, Tokyo, Warsaw, Washington, D.C.

K&L Gates includes lawyers practicing out of 37 offices located in North America, Europe, Asia and the Middle East, and represents numerous GLOBAL 500, FORTUNE 100, and FTSE 100 corporations, in addition to growth and middle market companies, entrepreneurs, capital market participants and public sector entities. For more information about K&L Gates or its locations and registrations, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©2011 K&L Gates LLP. All Rights Reserved.