Privacy & Data Security

Davis Graham & Stubbs LLP partners with clients to craft approaches for the responsible handling of personal information in a way that upholds business objectives. Whether dealing with employee, customer, supplier, or business partner data, Davis Graham understands the goals of the organization and works with stakeholders in the legal, compliance, IT, and business sectors to streamline data protection compliance. We recognize the complex challenges that organizations can face when addressing the patchwork of laws – both in the U.S. and internationally – governing the collection, use, storage, transfer, and disposal of sensitive information. We have established a reputation for helping clients navigate and reconcile the different frameworks. 

Our team members hold advanced certifications in privacy, including the CIPP/E, CIPP/U.S., CIPM, and FIP designations.  To keep abreast of the latest data trends and technologies, our attorneys are involved in numerous industry and standard-setting activities, including the International Association of Privacy Professionals’ Education Advisory Board, the Colorado Technology Association, and the Forum on International Privacy.  

Privacy & Data Security Legal Services

Davis Graham counsels clients in a full suite of privacy and data security legal issues, both proactively and reactively. 

Proactive Services

Compliance

The laws governing the handling of personal information are constantly changing. By familiarizing ourselves with our clients’ businesses, we are positioned to determine how we can help them comply with applicable statutes, regulations, and other legal obligations. We also proactively identify emerging trends that will affect our clients in the future. Our compliance capabilities range from counseling on federal and state privacy and data security laws, including the CCPA, CPRA, CalOPPA, CPA, HIPAA, COPPA, TCPA, CAN-SPAM, and state security and breach notification laws, to international data protection laws, such as the GDPR, ePrivacy Directive, PIPEDA, LGPD, and industry standards like PCI-DSS. 

Data Inventory & Privacy Risk Assessment

Organizations must have a handle on the personal information that they collect, use, and share. We help clients perform both system-level and portfolio-level inventories. We also help them prepare risk assessment protocols that identify privacy and data security risks for systems and/or business activities using personal information, along with mitigation plans to address and manage the identified risks.

Policy Drafting

Organizations are held accountable for their personal data handling practices based on the language in their online privacy notices. We draft notices for clients that capture current practices and address specific regulatory disclosure requirements. We also draft internal privacy policies, records retention policies, mobile device policies, and internet use policies. 

Information Security Policies & Assessments

The implementation of appropriate safeguards underpins any robust information security program. We help our clients draft and implement internal information security policies addressing administrative, technical, and physical safeguards. We also engage third-party forensic service providers to undertake information security assessments to evaluate compliance with safeguards. 

Incident Response Planning

To minimize risk when a data incident occurs, a company must respond swiftly. We draft incident response plans to help our clients quickly escalate and respond to an incident involving personal information. This includes understanding applicable jurisdictional requirements, both nationally and internationally, and developing notification protocols and templates.  

Vendor Management

The sharing of personal information with third parties brings added risk to an organization’s operations.  We work with clients in all phases of vendor management to minimize such risks by preparing due diligence questionnaires, conducting risk assessments and implementing mitigation measures, drafting and negotiating contractual terms, and monitoring ongoing compliance. 

Contract Drafting & Negotiation

Data processing and transfer agreements have become a baseline security measure, but they differ greatly in form and complexity. We help companies draft and negotiate template or matter-specific data processing agreements. We also prepare data transfer agreements specific to a particular jurisdiction’s requirements, such as the model clauses in the EU, or to a particular organization’s needs, such as a global intra-company transfer agreement. 

Due Diligence

Any form of merger or acquisition should involve an analysis of the target’s privacy and data security practices. Companies engage our team to evaluate the privacy and data security legal risks by preparing questionnaires, analyzing responses, reviewing existing policies and procedures, and drafting representation and warranty clauses appropriate to the transaction. We also help companies with post-transaction integration measures. 

Employee Training

One of the most effective ways to minimize the risk of a data breach is to educate employees and raise awareness about privacy and data security issues. Our team prepares enterprise-wide training modules as well as role-based training for senior management and front-line employees, among other potentially implicated individuals.  

Cyber Insurance Coverage Analysis

The average cost of a data breach can have a significant impact on an organization’s bottom line, and companies increasingly purchase cyber and privacy liability insurance to shift some of the risk. We work with our clients and insurance brokers to evaluate and advise on proposed insurance policies for privacy and other data incidents. 

Reactive Services

Data Breach Response

When a company suffers a suspected data breach, our team leads the response efforts, working with our forensic, law enforcement, and other partners, to identify the nature and scope of the incident and to advise on any legal obligations arising from the incident. In leading the investigation to advise our clients on their legal obligations, we maximize applicable work product and attorney-client privilege protection. 

Litigation

Companies that suffer data breaches or that collect sensitive consumer information are often targets for plaintiffs’ lawyers. Our team works with the Davis Graham Trial Department, which is composed of seasoned litigators and trial attorneys, to provide subject matter expertise for the defense of organizations facing individual or class action litigation related to privacy and data security practices or personal data breaches.

Regulatory Inquiries

Sometimes data handling practices draw scrutiny from government officials. Our team has experience in counseling clients through a response to a regulatory inquiry. 
