
Privacy & Data Security

Davis Graham & Stubbs LLP partners with clients to craft approaches for the responsible handling of personal information in a way that upholds business objectives. Whether dealing with employee, customer, supplier, or business partner data, DGS understands the goals of the organization and works with stakeholders in the legal, compliance, IT, and business sectors to streamline data protection compliance. We recognize the complex challenges that organizations can face when addressing the patchwork of laws – both in the U.S. and internationally – governing the collection, use, storage, transfer, and disposal of sensitive information. We have established a reputation for helping clients navigate and reconcile the different frameworks.

Our team members hold advanced certifications in privacy, including the CIPP/E, CIPP/U.S., CIPM, and FIP designations. To keep abreast of the latest data trends and technologies, our attorneys are involved in numerous industry and standard-setting activities, including the International Association of Privacy Professionals’ Education Advisory Board, the Colorado Technology Association, and the Forum on International Privacy.

Privacy & Data Security Legal Services

DGS counsels clients in a full suite of privacy and data security legal issues, both proactively and reactively.

Proactive Services

  • Compliance – The laws governing the handling of personal information are constantly changing. By familiarizing ourselves with our clients’ businesses, we are positioned to determine how we can help them comply with applicable statutes, regulations, and other legal obligations. We also proactively identify emerging trends that will affect our clients in the future. Our compliance capabilities range from counseling on federal and state privacy and data security laws, including the CCPA, CPRA, CalOPPA, CPA, HIPAA, COPPA, TCPA, CAN-SPAM, and state security and breach notification laws, to international data protection laws, such as the GDPR, ePrivacy Directive, PIPEDA, LGPD, and industry standards like PCI-DSS.
  • Data Inventory & Privacy Risk Assessment – Organizations must have a handle on the personal information that they collect, use, and share. We help clients perform both systems-level and portfolio-level inventories. We also help them prepare risk assessment protocols to identify privacy and data security risk for systems and/or business activities using personal information, and mitigation plans to address and manage the identified risk.
  • Policy Drafting – Organizations are held accountable for their personal data handling practices based on the language in their online privacy notices. We draft notices for clients that capture current practices and address specific regulatory disclosure requirements. We also draft internal privacy policies, records retention policies, mobile device policies, and internet use policies.
  • Information Security Policies & Assessments – The implementation of appropriate safeguards underpins any robust information security program. We help our clients draft and implement internal information security policies addressing administrative, technical, and physical safeguards. We also engage third-party forensic service providers to undertake information security assessments to evaluate compliance with safeguards.
  • Incident Response Planning – To minimize risk when a data incident occurs, a company must respond swiftly. We draft incident response plans to help our clients quickly escalate and respond to an incident involving personal information. This includes understanding applicable jurisdictional requirements, both nationally and internationally, and developing notification protocols and templates.
  • Vendor Management – The sharing of personal information with third parties brings added risk to an organization’s operations. We work with clients in all phases of vendor management to minimize such risks by preparing due diligence questionnaires, conducting risk assessments and implementing mitigation measures, drafting and negotiating contractual terms, and monitoring ongoing compliance.
  • Contract Drafting & Negotiation – Data processing and transfer agreements have become a baseline security measure, but they differ greatly in form and complexity. We help companies draft and negotiate template or matter-specific data processing agreements. We also prepare data transfer agreements specific to a particular jurisdiction’s requirements, such as the model clauses in the EU, or to a particular organization’s needs, such as a global intra-company transfer agreement.
  • Due Diligence – Any form of merger or acquisition should involve an analysis of the target’s privacy and data security practices. Companies engage our team to evaluate the privacy and data security legal risks by preparing questionnaires, analyzing responses, reviewing existing policies and procedures, and drafting representation and warranty clauses appropriate to the transaction. We also help companies with post-transaction integration measures.
  • Employee Training – One of the most effective ways to minimize the risk of a data breach is to educate employees and raise awareness about privacy and data security issues. Our team prepares enterprise-wide training modules as well as role-based training for senior management and front-line employees, among other potentially implicated individuals.
  • Cyber Insurance Coverage Analysis – The average cost of a data breach can have a significant impact on an organization’s bottom line, and companies increasingly purchase cyber and privacy liability insurance to shift some of the risk. We work with our clients and insurance brokers to evaluate and advise on proposed insurance policies for privacy and other data incidents.

Reactive Services

  • Data Breach Response – When a company suffers a suspected data breach, our team leads the response efforts, working with our forensic, law enforcement, and other partners, to identify the nature and scope of the incident and to advise on any legal obligations arising from the incident. In leading the investigation to advise our clients on their legal obligations, we maximize applicable work product and attorney-client privilege protection.
  • Litigation – Companies that suffer data breaches or that collect sensitive consumer information are often targets for the plaintiffs’ lawyers. Our team works with the DGS Trial Department, which is composed of seasoned litigators and trial attorneys, to provide subject matter expertise for the defense of organizations facing individual or class action litigation related to privacy and data security practices or personal data breaches.
  • Regulatory Inquiries – Sometimes data handling practices draw scrutiny from government officials. Our team has experience in counseling clients through a response to a regulatory inquiry.

Representative Experience

  • Assist clients in the life science, financial services, retail, technology, and hospitality industries in developing privacy compliance programs, both generally and with specific focus on GDPR and CCPA. This includes drafting policies; preparing and negotiating vendor agreements; developing procedures for handling individual inquiries; updating incident response procedures; and conducting employee training.
  • Advise clients on international data protection requirements, including implementing legal mechanisms for the transfer of data from the EU, Latin America, and Asia to the U.S.; addressing direct marketing requirements, including under the ePrivacy Directive; drafting individual consent requests and protocols for requesting and documenting the same; and developing procedures for data subject access requests.
  • Assist clients in developing data inventories and data maps, including designing a protocol, conducting interviews with stakeholders, and documenting data, systems, and flows.
  • Draft records retention policies and update retention schedules. Work with clients on data disposal policies.
  • Develop and implement risk assessment programs, both project-specific and enterprise-wide, including creating a risk methodology, preparing questionnaires, working with stakeholders, identifying risks, and developing risk mitigation plans.
  • Draft online privacy notices addressing requirements in the U.S. and internationally; prepare layered privacy notices.
  • Develop compliance programs for the handling of biometric data.
  • Design and update vendor management programs, including due diligence procedures, contract drafting and negotiation, and monitoring of vendor compliance.
  • Prepare incident response plans for a variety of organizations and assist with response to data security incidents and breach notification in multiple jurisdictions.
  • Draft information security policies and direct information security assessments.
  • Work with clients to conduct, or respond to, due diligence inquiries for M&A transactions.
  • Conduct company-wide and targeted employee training.

Related Attorneys

S. Lee Terry, Jr.

Partner, Asset Management, Finance & Acquisitions, Mergers & Acquisitions, Private Equity, Public Companies & Capital Markets, Securities Enforcement & Litigation, Intellectual Property & Technology Transactions, Technology Company & Technology Transactions, Executive Compensation, Crisis Management

Caitlin Cronin Woodward

Associate, Finance & Acquisitions, Technology Company & Technology Transactions, Emerging Companies & Venture Capital, Mergers & Acquisitions
