Privacy & Data Security
Davis Graham & Stubbs LLP partners with clients to craft approaches for the responsible handling of personal information in a way that upholds business objectives. Whether dealing with employee, customer, supplier, or business partner data, Davis Graham understands the goals of the organization and works with stakeholders in the legal, compliance, IT, and business sectors to streamline data protection compliance. We recognize the complex challenges that organizations can face when addressing the patchwork of laws – both in the U.S. and internationally – governing the collection, use, storage, transfer, and disposal of sensitive information. We have established a reputation for helping clients navigate and reconcile the different frameworks.
Our team members hold advanced certifications in privacy, including the CIPP/E, CIPP/U.S., CIPM, and FIP designations. To keep abreast of the latest data trends and technologies, our attorneys are involved in numerous industry and standard-setting activities, including the International Association of Privacy Professionals’ Education Advisory Board, the Colorado Technology Association, and the Forum on International Privacy.
Privacy & Data Security Legal Services
Davis Graham counsels clients in a full suite of privacy and data security legal issues, both proactively and reactively.
Proactive Services
Compliance
The laws governing the handling of personal information are constantly changing. By familiarizing ourselves with our clients’ businesses, we are positioned to determine how we can help them comply with applicable statutes, regulations, and other legal obligations. We also proactively identify emerging trends that will affect our clients in the future. Our compliance capabilities range from counseling on federal and state privacy and data security laws, including the CCPA, CPRA, CalOPPA, CPA, HIPAA, COPPA, TCPA, CAN-SPAM, and state security and breach notification laws, to international data protection laws, such as the GDPR, ePrivacy Directive, PIPEDA, LGPD, and industry standards like PCI-DSS.
Data Inventory & Privacy Risk Assessment
Organizations must have a handle on the personal information that they collect, use, and share. We help clients perform both systems level and portfolio level inventories. We also help them prepare risk assessment protocols to identify privacy and data security risk for systems and/or business activities using personal information and mitigation plans to address and manage the identified risk.
Policy Drafting
Organizations are held accountable for their personal data handling practices based on the language in their online privacy notices. We draft notices for clients that capture current practices and address specific regulatory disclosure requirements. We also draft internal privacy policies, records retention policies, mobile device policies, and internet use policies.
Information Security Policies & Assessments
The implementation of appropriate safeguards underpins any robust information security program. We help our clients draft and implement internal information security policies addressing administrative, technical, and physical safeguards. We also engage third-party forensic service providers to undertake information security assessments to evaluate compliance with safeguards.
Incident Response Planning
To minimize risk when a data incident occurs, a company must respond swiftly. We draft incident response plans to help our clients quickly escalate and respond to an incident involving personal information. This includes understanding applicable jurisdictional requirements, both nationally and internationally, and developing notification protocols and templates.
Vendor Management
The sharing of personal information with third parties brings added risk to an organization’s operations. We work with clients in all phases of vendor management to minimize such risks by preparing due diligence questionnaires, conducting risk assessments and implementing mitigation measures, drafting and negotiating contractual terms, and monitoring ongoing compliance.
Contract Drafting & Negotiation
Data processing and transfer agreements have become a baseline security measure, but they differ greatly in form and complexity. We help companies draft and negotiate template or matter-specific data processing agreements. We also prepare data transfer agreements specific to a particular jurisdiction’s requirements, such as the model clauses in the EU, or to a particular organization’s needs, such as a global intra-company transfer agreement.
Due Diligence
Any form of merger or acquisition should involve an analysis of the target’s privacy and data security practices. Companies engage our team to evaluate the privacy and data security legal risks by preparing questionnaires, analyzing responses, reviewing existing policies and procedures, and drafting representation and warranty clauses appropriate to the transaction. We also help companies with post-transaction integration measures.
Employee Training
One of the most effective ways to minimize the risk of a data breach is to educate employees and raise awareness about privacy and data security issues. Our team prepares enterprise-wide training modules as well as role-based training for senior management and front-line employees, among other potentially implicated individuals.
Cyber Insurance Coverage Analysis
The average cost of a data breach can have a significant impact on an organization’s bottom line, and companies increasingly purchase cyber and privacy liability insurance to shift some of the risk. We work with our clients and insurance brokers to evaluate and advise on proposed insurance policies for privacy and other data incidents.
Reactive Services
Data Breach Response
When a company suffers a suspected data breach, our team leads the response efforts, working with our forensic, law enforcement, and other partners, to identify the nature and scope of the incident and to advise on any legal obligations arising from the incident. In leading the investigation to advise our clients on their legal obligations, we maximize applicable work product and attorney-client privilege protection.
Litigation
Companies that suffer data breaches or that collect sensitive consumer information are often targets for the plaintiffs’ lawyers. Our team works with the Davis Graham Trial Department, which is composed of seasoned litigators and trial attorneys, to provide subject matter expertise for the defense of organizations facing individual or class action litigation related to privacy and data security practices or personal data breaches.
Regulatory Inquiries
Sometimes data handling practices draw scrutiny from government officials. Our team has experience in counseling clients through a response to a regulatory inquiry.