Practice Areas
The BurgherGray Data Security, Privacy & Governance team understands information protection from the inside out. Data privacy compliance and risk mitigation start from within an organization, being informed by its IT infrastructure and regulatory mandates. The attorneys at BurgherGray have spent decades developing financial services and insurance companies’ complex, global cyber risk, incident preparedness and privacy management programs. Our experience includes data compliance and reporting, supplying C-suite support, and conducting training programs, investigations, forensics and litigation related to data breaches and regulatory enforcement.
For clients we advise and negotiate in the areas of global information governance and privacy compliance, vendor and partner standards, breach notification, data rights and protection, encryption and ethical hacking, data processing agreements, spam, spyware and computer-crime issues. We also advise public corporations, retailers, financial services firms, and other consumer-facing companies with respect to the implementation of preventive measures, as well as remedial measures after enforcement action has already been instituted.
Today, preparedness requires that an enterprise marry its cybersecurity and data protection models in a way that allows for sustainable, efficient and thorough compliance. BurgherGray’s experienced team has led initiatives for multinationals surrounding legal compliance with US National Institute of Standards and Technology (NIST) and EU data privacy mandates, including global controller/processor agreements and obtaining Privacy Shield and other safe harbors. With the new cybersecurity regulations from the NYS Department of Financial Services (DFS) and the EU’s General Data Protection Regulation (GDPR) deadlines, we bring clear analysis and problem solving to these new, intricate requirements.
For our clients regulated by the NYS DFS cybersecurity law, we offer legal assessments, policy and procedure drafting, C-suite support and employee training. For our clients regulated by the GDPR, BurgherGray offers the same services, as well as privacy impact assessment (PIA) and data privacy impact assessment (DPIA) support and data privacy officer (DPO) outsourcing. Lastly, for those who are impacted by both NIST-based requirements, like those generated by the SEC/FINRA, FTC or the NYS DFS, plus GDPR, BurgherGray is uniquely equipped to create programs alongside IT and security teams that address both of these regulatory regimes, with an eye towards proper and scalable compliance.
Representative Matters
- Counseled national non-profit organization on GDPR compliance and related data privacy issues such as vendor assessments, legal gap analysis, and incident response procedures.
- Advised global insurance company in its conversion of affiliates in over 70 countries onto one global technology platform regarding the normalizing of all privacy and security requirements throughout all 70+ jurisdictions, including the creation of standardized incident reporting, controller and processor templates, and supporting policies and procedures.
- Successful defense of a global insurance conglomerate in an action brought by the Pennsylvania Attorney General’s office, which sought a preliminary injunction for unfair and deceptive practices and privacy violations involving direct mail promotions.
- Conducted an internal investigation for a manufacturer of secure identification cards that had been the victim of a computer hack launched from Southeast Asia. BurgherGray attorneys led the investigation into the source of the attack and the cause of the security vulnerability, and counseled the client on remedial measures. In addition, BurgherGray attorneys coordinated the notification of consumers, government agencies, and credit card companies. As a result, the client has not suffered any subsequent intrusions, and has not been subjected to any fines, penalties, or lawsuits.
- Advised global insurance company and implemented worldwide cybersecurity and data privacy, GLB, SOX, HIPAA, HITECH, EU 95 Directive and other related compliance, including assessment of all third-party supplier- and partner-related compliance, and created supporting privacy and cybersecurity policies, procedures, contractual templates and negotiation guidelines.
- Successful defense of a large insurance company in an administrative action brought by the Social Security Administration alleging privacy violations and deceptive marketing practices in violation of the Social Security Act.
- Conducted an internal investigation for a well-known political organization that had been the victim of a computer intrusion. BurgherGray attorneys led the investigation into the source of the attack and the cause of the security vulnerability, and counseled the client on remedial measures.
- Advised independent insurance sales agents on NYS Department of Financial Services Cybersecurity compliance and reporting, including security readiness, incident reporting programs and requirements and related regulatory reporting.
- Successful defense of a global insurance conglomerate in a federal action brought by the Social Security Administration alleging privacy violations and deceptive marketing practices in violation of the Social Security Act.
- Established privacy and/or cybersecurity programs for financial services companies, including interviewing and identifying a privacy officer, establishing internal workflows, roles and responsibilities, creating supporting privacy and cybersecurity incident reporting and other security policies, procedures, contractual templates and negotiation guidelines, and reporting security- and privacy-related requirements to executive management.
- Advised clients regarding GDPR compliance readiness, including providing legal compliance gap analysis, data inventory and process mapping support and related reporting obligations, drafting of terms of use, cookie, privacy, incident reporting, user consent and response policies and procedures, development of controller and processor agreements and vendor assessment and management programs, devising inter/intra-company licensing programs, working with and reporting to the C-suite regarding GDPR risk management, and providing data protection officer (DPO) support.