Data Protection, Privacy, and Security: Cybersecurity Risk and Response

Cybersecurity Risk and Readiness

Under the protections of privilege, our team uses its in-depth understanding of the cybersecurity regulatory and threat landscapes to assess the risks on or within their information networks and systems. With experience across data security regimes, including the GDPR and DORA, HIPAA, and the US Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule, we help adapt and integrate clients’ cybersecurity practices into their overall governance and enterprise risk management programs. Our holistic approach allows clients to navigate the various aspects of cybersecurity risk while supporting and enabling enterprise objectives.

Policies and Procedures

Our team uses its assessments of your organization’s information networks and systems to draft internal policies and procedures for safeguarding your organization’s information technology and, when required, responding to a cybersecurity attack. Regulators are now requiring relevant entities to maintain a number of up-to-date cybersecurity policies and procedures, ranging from incident response plans to cybersecurity governance. We will work with your organization to build organizational policies and procedures for cybersecurity, tailored to your IT infrastructure and organization’s requirements.

Cybersecurity Training

Our Cybersecurity Risks and Response team can assist in training an organization’s workforce to identify cybersecurity risks and respond to cyber-attacks. Whether to senior management, information security teams, or individuals on the front line of day-to-day operations, our team will analyze and communicate your organization’s cybersecurity risks in a digestible format to enhance awareness at every level.

We offer cyber tabletop exercises, or TTX, tailored to your organization, which provide an opportunity for the enterprise to prepare and refine their procedures for responding to a cyberattack.  A TTX facilitates conceptual understanding of the organization’s cybersecurity policies, practices, and procedures through a privileged, low-stress environment. Participants become acquainted with personnel roles in responding to a cyberattack, and leadership is able to ensure coordination in action and communication across functions. Our team’s TTX will address the regulatory and, potentially, contractual notification requirements which heighten the need for a coordinated response.

Lobbying and Policy

We work to ensure that government cybersecurity standards and mandates are industry-led and technology-neutral and that legislation broadening and strengthening criminal penalties for cybercrimes is enacted. In the United States, we led the effort to liberalize export controls on American encryption products and to prevent US-domestic limitations on the use of encryption. In Europe, we have assisted clients in cybersecurity initiatives at regional and local levels, notably with the European Commission and various member states. 

Incident Response Team

In the event of a data security incident, our Cybersecurity Risk and Response group works with organizations to formulate and execute any necessary incident response, in light of the specific regulatory, enforcement and dispute implications specific to the client and underlying incident. The group includes an experienced policy team, cyberforensic investigators with extensive experience in successful internet tracking, a rapid response team to handle active attacks, and experienced insurance coverage counsel, among others. 

Digital Crisis Management

Our Digital Crisis Planning and Response practice helps corporations, educational institutions, and high-profile individuals proactively plan for and manage any digital crisis by considering your unique business needs and designing a personalized action plan. We approach a crisis from every angle, working diligently on implementing our multifaceted process to counteract the speed at which information travels online. This work, coupled with our elite cybersecurity and forensic tools, ensures that you are well positioned to address any digital threat.

Regulatory Enforcement Actions and Investigations

Multiple federal agencies require that organizations meet specific standards for safeguarding their information systems. Through the US Department of Justice’s Civil Cyber Fraud Task Force or administrative remedies, the US federal government is pursuing those who they believe do not comply with these new standards. Our team has significant experience representing clients faced with such inquiries and allegations, anchored by several members who previously filled roles in those same agencies. We also have navigated post-incident response notifications and follow-up inquiries from a range of other federal agencies, including the US Department of Homeland Security’s Office of Civil Rights. 

At the state level, an ever-expanding array of notification requirements and increased state attorney general enforcement activity confront organizations responding to a cybersecurity incident. We efficiently meet these statutory requirements and manage any follow-up inquiries across multiple jurisdictions, leveraging our firm’s geographic reach and breadth of experience.

Litigation 

With the threat and even likelihood of putative class action litigation following the wake of data security incident, early engagement and proactive planning is critical to reducing the risks of such litigation, and to reaching a strategic and cost-effective outcome. Our litigators defend our clients in some of the most challenging venues, using our platform’s capacity to defend litigation in virtually any US venue. We actively coordinate with the incident response team so as to mitigate risks posed by such litigation, while meeting critical business objectives.