HIPAA Privacy

The global economy is becoming more fast-paced and mobile, challenging businesses to manage greater volumes of data. Cybersecurity and data privacy top the lists of most important issues concerning corporate general counsel. While consumer data breaches grab headlines, privacy and data security issues arise in an array of different contexts under a wide spectrum of laws and legal theories. Cyber attacks are being aimed at organizations of all types and sizes, and the financial and reputational costs to a vulnerable target can be catastrophic.

But privacy and data security is about much more than just data breaches. There are a dizzying number of regulatory regimes, both domestically and internationally, governing a wide variety of personal data. A holistic view, by a group of professionals with a complete skillset, is required in today’s complex and rapidly changing privacy and data security environment.

LeClairRyan’s Privacy & Data Security team has the breadth of understanding and experience necessary to help organizations across a full spectrum of industries. Select team members also cover the gamut of issues for the firm's privacy and data security law blog, Information Counts.

Our distinctive strengths include:

  • Privacy and data security counseling and compliance
  • Data incident preparedness and rapid response
  • An integrated approach
  • Litigation, enforcement actions and investigations

Counseling and Compliance
Our attorneys provide compliance advice regarding all federal, state and international privacy and information governance laws, regulations and rules. Under federal law, we regularly counsel clients on compliance with the following:

  • Gramm-Leach-Bliley Act (GLB)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • CAN-SPAM Act
  • FTC’s Telemarketing Sales Rules and Online Behavioral Advertising Guidelines
  • Telephone Consumer Protection Act (TCPA)
  • Driver's Privacy Protection Act (DPPA)
  • The Children's Online Privacy Protection Act (COPPA)
  • Stored Communications Act (SCA)
  • Electronic Communications Privacy Act (ECPA)
  • Federal Trade Commission Act, Section 5

We also advise clients under a myriad of potentially applicable state laws such as:

  • California Security Breach Information Act
  • California Online Privacy Protection Act
  • Massachusetts Regulation 201
  • State law data breach notification statutes 

Additionally, we assist clients in regard to compliance with foreign privacy laws such as:

  • Canadian Personal Information Protection and Electronic Documents Act 
  • EU General Data Protection Regulation and Privacy Shield
  • The Hong Kong Privacy Data Ordinance

We also commonly assist clients in reviewing their agreements with third parties to ensure appropriate data security controls are in force with regard to any outsourced data processing. Further, we help clients develop and implement robust and comprehensive information security programs and privacy policies to govern and guide the collection, use, storage and disposal of sensitive personal data.

Data Incident Preparedness and Rapid Response
Planning the response to a data incident should not begin in the midst of a crisis. Some of the most serious data breaches over the past decade have been made worse by management’s reactionary response. Our team regularly helps clients draft and implement incident response plans that anticipate a crisis and measure out the response in advance so that reason prevails if the worst-case scenario happens. Our plans help clients identify the right team, spot vulnerabilities, develop pre-crisis messaging and communications strategies and tactics, and practice tabletop exercises that test the plan when there is nothing on the line.

If a data crisis does materialize, members of our team are first responders – regardless of location. We work as part of our clients' broader team and assist in conducting onsite crisis assessments to help contain the breach, mitigate potential damages, fix the problems, determine the necessity of notification, and implement the notification strategy. We also perform post-breach assessments, allowing for the development of corrective action plans and minimization of future risk.

Integrated Approach
Our team includes attorneys who work closely with the data-sensitive business functions within our clients’ organizations to identify integrated privacy, data security and liability solutions. We help clients implement sound information security policies designed to avoid liability in regard to not only data breaches, but other emerging laws, legal theories and issues, such as DO NOT TRACK, social media protection laws, BYOD, Big Data, geolocation, information sharing, and the Internet of Things. Our lawyers have deep subject matter knowledge in a variety of industries that are data sensitive, such as retail, energy, financial services and healthcare. Our objective for each engagement is a company-specific approach aimed at understanding the privacy and data security challenges each particular client faces.

Litigation and Enforcement Actions
We represent clients in adversarial matters arising from data breaches and other privacy-related claims, including consumer class actions, actions against responsible vendors, securities class actions or derivative actions, and payment card cases brought by issuing banks against merchants or others in the payment stream. We also represent clients in connection with government and regulatory inquiries, investigations and enforcement actions brought by state Attorneys General, the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Office of Civil Rights (U.S. Department of Health and Human Services).


  • 804.343.4061