Cybersecurity, Data Privacy, GDPR Compliance

As personal and private data are increasingly created, shared, and stored electronically, the threats posed by cybercrime and regulatory investigations into alleged privacy and cybersecurity protection law violations have never been greater.

At Barton, we utilize our experience with the flows of information in business and professional settings to assist clients in understanding and complying with the various laws and standards that regulate the collection, use, sharing, and protection of personal data. We work with our clients to facilitate their implementation of current legal and regulatory standards and best practices when it comes to records management and information governance.

We assist our clients with fulfilling pertinent U.S. federal and state privacy and information management requirements and international data protection laws, including the security and data safeguard requirements of all countries in which the client does business or has facilities. In light of the EU’S recently effective General Data Protection Regulation (GDPR), which impacts most U.S. organizations, and the growing number of U.S. state privacy and cybersecurity laws and regulations, it is crucial for businesses dealing with sensitive and protected data to become and remain compliant with these new laws, regulations, and industry best practices.

Barton attorneys conduct compliance, risk, and management assessment audits, including preparation of data flow maps; create legal and regulatory frameworks for defensible policies and information security procedures; and prepare and deliver training materials to be used in conjunction with workforce training on privacy and information security protocols. In addition, our privacy and cybersecurity team can vet technical vendors (including IT forensics and related experts) and can negotiate and draft service agreements with customers, vendors, and other business partners who access and use protected data. The team can also, across a wide spectrum of industry verticals, prepare privacy and cybersecurity law due diligence questions for acquirers and prepare responses to such questions on behalf of target organizations.

Barton attorneys have also advised the New Jersey State Assembly on privacy and cybersecurity legislation and have testified before legislative committees as experts in privacy and cybersecurity. In addition, one of our attorneys created a law school course on privacy, cybersecurity, and technology transactions and teaches that course as an Adjunct Professor of Law at Fordham Law School.

In the event that a data breach does occur, Barton will immediately connect clients to a team member who will assess the crisis and implement the proper measures, assemble the appropriate team of professionals to handle the situation, and begin the process of remediation. Our cybersecurity team can identify theft prevention, breach response, mitigation, and notification requirements for the states and countries whose laws and regulations apply to a data/security breach. Barton attorneys have had success defending actions and regulatory proceedings brought against clients as a result of breaches and unlawful disclosures of protected information, including those brought under U.S. laws such as the Computer Fraud and Abuse Act, the Defend Trade Secrets Act, the Electronic Communications Privacy Act, and HIPAA, as well as individual state and local consumer protection laws and regulations of agencies such as the Financial Industry Regulatory Authority (FINRA) and the New York Department of Financial Services (NYDFS).

Additional services include:

  • Guidance and counsel for the performance of Security Risk Assessments, including documentation of the Assessment pursuant to HIPAA, state laws, and GDPR.
  • Facilitation of work groups comprising the relevant compliance stakeholders (i.e., Marketing, Risk/Compliance, Legal, IT, Finance, Human Resources, and Business Owners) and in-house counsel for the drafting of privacy and security policies and procedures tailored to the client’s industry, business processes, and organization culture.
  • Preparation of training materials with regard to privacy, security, and social media policies and procedures, and delivery of training sessions (in formats such as classroom, on-line, or train-the-internal-trainers).
  • Preparation for and counsel with regard to audits (i.e., by state regulatory agencies and offices of the attorney general, F.D.A., Office of Civil Rights of the U.S. Department of Health and Human Services, etc.) with connection to financial information and healthcare information management and safeguards as well as social media protocols and activities.
  • Representation in regulatory proceedings or litigation that may arise from management of financial, healthcare, and other personal information and data protected by law, and with regard to social media activities.
  • Preparation of status assessment (“gap analysis” reports, which may be protected from disclosure by attorney-client privilege) with regard to existing information privacy and security practices and social media activities and initiatives, followed by recommendations to achieve and maintain compliance under applicable laws, rules, and regulations.
Work in this Area

Cybersecurity, Data Privacy, GDPR Compliance

Representative Matters
  • Advised U.S. and Canadian Companies on GDPR Compliance
    • Advised numerous U.S.and Canadian companies on General Data Protection Regulation (GDPR)compliance, providing counsel on how to implement best practices and what steps should be taken in the case of a data breach.
  • Assisted NJ Assembly with First Data Protection Bill
    • Assisted the Deputy Speaker of the New Jersey assembly in preparation of New Jersey’s first data protection and cybersecurity bill. Also testified as a cyber security expert before the assembly’s homeland security and state preparedness committee.
  • Negotiated GDPR-Compliant Agreements for Global Media Company
    • Represented a global media company in negotiation of service level and vendor agreements pursuant to the General Data Protection Regulation of the European Union (GDPR) and provided counsel in GDPR requirements and privacy/cybersecurity requirements of multiple U.S. states.
  • Favorably Settled Suit Involving Company Data Stolen by Employees
    • Obtained a Temporary Restraining Order, and then a favorable settlement, on the client’s behalf, in a matter in which an insurance broker’s employees stole and transferred company data in an attempt to start a competing organization.
  • Counseled Organizations Regarding Cyberattack Response
    • Counseled multiple organizations—such as fashion studios, CPA firms, law firms, hospitals and technology and media companies—on cybersecurity attack investigations, breach response, and remediation initiatives.
  • Negotiated Service Agreements with Customers and Vendors
    • Has represented security consultancies, CPA firms, media companies, and life science organizations in the negotiation of service agreements with customers and vendors from multiple countries.
  • Advised Organizations on Cybersecurity Training and Compliance
    • Has represented several multi-national organizations, providing counsel and advice on privacy and cybersecurity compliance pursuant to applicable laws and regulations including facilitation of security risk assessments; preparation of policies and procedures; and delivery and presentation of corporate training materials.
  • Negotiated Contract Focusing on International Data Transfer
    • Negotiated a contract for data collection on a global basis between a consultancy and one of the largest investment banks in the world, with a particular focus on international data transfer laws and regulations.
  • Counsel to Healthcare IT App Developers Regarding Data Protection
    • Provided counsel to healthcare IT app developers regarding solutions for secure, real-time sharing of medical information among providers.
  • Prepared Cybersecurity Protocols for NY Hospital System
    • Prepared information security, privacy, and data preservation protocols and training for a five-hospital system in New York.
  • Taught Cybersecurity Curriculum at Three Academic Medical Centers
    • Delivered Grand (teaching) Rounds at three academic medical centers on patient safety, cybersecurity, and privacy risks in the design of electronic medical records systems.
  • Conducted Health Data Privacy Training at Boston Hospital
    • Advised a Boston academic hospital system on health data preservation protocols, prepared preservation policies, and conducted work force training on the protocols.