Global Privacy, Cybersecurity & Data Protection

In collaboration with the Minnesota Department of Employment and Economic Development, Gray Plant Mooty has prepared A Legal Guide to Privacy and Data Security.

The guide offers a detailed review of federal, state, and global data privacy and security laws, along with best practices and key questions every business should ask related to privacy and data security issues relevant to their business.

Businesses and organizations of all sizes collect, store, and share personal information about individuals with whom they interact. While new technologies and easy access to information allow for greater innovation and enhanced delivery of products and services, the protection of data maintained on consumers and employees requires a broad range of legal compliance activities.

Gray Plant Mooty’s Global Privacy, Cybersecurity and Data Protection team brings special expertise in laws and regulations relating to information technology, employment, health care, insurance, and financial institutions, as well as certifications in both United States and European data privacy law (CIPP/US and CIPP/E) from the International Association of Privacy Professionals that allow the team to provide exceptional legal services in:

Privacy and Cybersecurity Readiness

Data breaches, biosensors, “big data,” the “internet of things,” credit card fraud, stolen data, and data monetization efforts are all pushing the limits of privacy advocates, regulators, consumers, and lawyers who advise businesses on the use of information technology, data privacy, and security issues. It is not a question of whether unauthorized access, an incident, or a data breach will occur, but when. Gray Plant Mooty helps clients become ready for any unauthorized incident or data breach and offers proactive best practices to mitigate risk. The team's experience includes:

  • Comprehensive privacy audits and assessments, including preparation of data flow maps and privacy policies and procedures
  • Legal risk assessment, information governance review and mitigation strategies
  • Privacy by Design advising to build privacy practices into the company culture including data privacy concerns, reasonable data collection limits, sound retention and disposal practices, data accuracy, and adequate information security
  • Coordination with information security consultants to provide counsel on data security safeguards and certifications such as PCI-DSS, NIST, HIPAA, ISO, SSAE, and SOC

Privacy Policies and Procedures

There is no single comprehensive data privacy law in the United States. There are more than 25 federal laws and 110 state laws that govern privacy and data security. Gray Plant Mooty's Privacy team helps clients navigate data privacy regulation and establish effective privacy policies and procedures that further their governance culture and objectives. We advise clients regarding:

  • Corporate privacy policies and procedures
  • Information management and life-cycle policies
  • Website privacy policies and terms of use
  • Information technology usage policies
  • Information governance policies
  • Document retention and destruction policies
  • Policies to safeguard confidential and proprietary information
  • Advising regarding best practices for use of behavioral advertising, search engine optimization (SEO), geolocation, “cookies,” and other tracking technologies
  • Advising regarding SMS text messaging campaigns
  • Advising regarding vendor management programs, including information security policies and procedures, vendor information security, and privacy contracts and addendums
  • SaaS and related software and technology agreements, notices, online licenses, and terms of use, including special requirements for mobile devices and applications, vendor agreements, and HIPAA business associate agreements

Social Media, Privacy, and Technology in the Workplace

Well-crafted social media, privacy, and technology policies that balance company needs and concerns against employees’ legal rights are important tools for any business. Gray Plant Mooty's Social Media team is experienced in managing these competing legal risks. GPM attorneys advise clients regarding:

  • Compliance with FCRA
  • Monitoring of employee communications
  • Video surveillance
  • Pre-employment background checks
  • Post-hire investigations
  • Investigations of employee misconduct and theft
  • "Bring your own device" (BYOD) policies
  • Use of social media as a business tool
  • Social media usage policies

Cybersecurity Insurance

GPM attorneys have significant experience navigating the unique and complex issues related to the cybersecurity insurance market. The team helps clients mitigate losses from cyber incidents through:

  • Evaluation of various types of cybersecurity coverages and coordination with other traditional coverages
  • Preparation of contract provisions with appropriate insurance obligations to address privacy and data security exposures
  • Representation of clients in pursuing claims for coverage

Global Privacy Compliance

Every second, personal data is collected, used, processed, or moved across borders. As an increasing number of foreign laws attempt to protect personal data, differing country-specific requirements create a maze of global privacy considerations for any business operating across borders.

The Privacy team advises clients regarding compliance with international data protection laws, including the EU Data Directive and the new General Data Protection Regulation (GDPR) (including model contracts, binding corporate rules, Privacy Shield, and other EU data transfer mechanisms), as well as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s stringent new anti-spam law.

Incident and Data Breach Planning

The Privacy team works closely with clients to establish and implement data breach response plans that enable them to comply promptly with legal requirements and reduce the risk of serious reputational and financial harm. The team's experience includes:

  • Breach incident management and planning for data breaches
  • Preparation of incident response teams and plans
  • Analysis of incidents and unauthorized access, data breach notifications
  • Coordination with information security, computer forensics, law enforcement, and public relations consultants to mitigate risk and limit reputational harm