SmithAmundsen’s Data Privacy and Security Practice is comprised of a multidisciplinary team of lawyers, who understand that companies, large and small, are constantly trying to navigate the legal implications of data, or cyber security and data privacy. Our attorneys counsel clients, in a variety of industries and sectors, on privacy matters, which can include data mapping and privacy audits and the tailoring of both internal and outward facing policies. We partner with our clients on risk mitigation; data security and PCI compliance; GDPR compliance; HIPAA and HITECH compliance; CCPA compliance; BIPA compliance; employee privacy requirements; record retention and electronic discovery assessments; click-wrap agreements; and compliance with consumer statutes that include the CAN-SPAM Act and the TCPA.
At the same time, we are trusted advisers for incident response plans and serve as breach coaches in the wake of data incidents. Our team has collectively spent years helping clients prepare for, respond to and litigate data breaches. We have built up a network of forensic experts and privacy professionals to ensure that we not only advise our clients on developing vulnerabilities, tactics and cyber threats but also counsel on how to respond to data incidents swiftly, efficiently and with an eye toward getting the business back up-and-running securely. We understand that while data incidents, like ransomware attacks, happen at an alarming pace, the experience for our clients is personal and a chief concern can be preserving your brand post-incident.
We also counsel our clients on cyber incidents that aren’t cyber attacks but rather internal, employee missteps that can harm the company financially and/or trigger notification requirements because a mistake in sharing information could mean “unauthorized access.” Our team has handled virtually all types of incidents across diverse industries including healthcare, financial services, public companies, non-profits, technology support services and small to mid-size organizations.
Our team also defends businesses in high stakes situations, from class action lawsuits grounded in alleged violations of federal, state and local statutes, to claims of breach within the healthcare industry, and alleged failure to comply with HIPAA and HITECH.
Our team has a global network of privacy professionals, which allows us to develop effective, widespread strategies for addressing cybersecurity, data, and privacy matters worldwide.
A sample of our experience includes:
- Defense of clients against class action data breach litigation based on alleged unauthorized releases of data and misuse of data based upon alleged breaches.
- Review and revision of current security policies and procedures in connection with data collection and data review. We evaluate vulnerabilities and ensure compliance with applicable laws and regulations.
- Assistance in the development of internal policies and procedures that are consistent with consumer protection regulations, data privacy practices, notification requirements, state and federal privacy laws and whistleblower laws to navigate the best methods for the collection and storage of company data.
- Assistance in consumer facing policies and agreements to reflect the cyber-hygiene practices of the company, as required by law, and developing mechanisms for obtaining necessary opt-in and consent for collection of data.
- Audit existing procedures and practices consistent with industry standards and legal requirements to reduce the risk of a data breach.
- Serving as a breach coach: coordinating and implementing the incident response plan or data breach plan, which includes a team of forensic, security, public relations and insurance professionals.
- Crafting a data incident response tailored to our clients’ needs and brand, including notifying affected customers, employees, business partners and regulators in accordance with state and federal laws.
- Data incident response to a disclosure of protected health information maintained by a vendor for multiple HIPAA covered entities. This work included full investigation of the matter to determine the extent of the breach and the types of information exposed. From there, the disclosed records were reviewed and analyzed to ensure the company met its reporting and notification requirements under the various federal and state laws applicable to the personal and health information.
- Data incident response to a web server that inadvertently exposed social security numbers and payroll information to the public via Internet search engines. This work involved investigation of the matter to determine the extent of the breach and analysis of all applicable state and federal laws to determine notification and reporting obligations for the company.
- Data incident response plan for a small company, whose hardware was stolen and which hardware allowed access to centralized databases which contained encrypted PII. This work involved investigation into the Personal Information Protection Act of certain Midwestern states to confirm whether notification of the potential breach was required and reporting obligations and best practices, moving forward, for the company.
- Data incident response plan for a small company, whose customers’ accounts were accessed by persons located overseas. This work involved the following: forensic examination, with licensed analysts, into the breach; assessment of the scope of the breach; investigation into the Personal Information Protection Act of certain Midwestern states to confirm notification of the potential breach was required; working with the client and public relations specialists on notice; notifying federal officials; and, crafting a response plan and best practices, moving forward, for the company.
- Data incident investigation of a matter where a company discovered that some of its mailings inadvertently disclosed customer social security numbers that could be viewed in the address window of the envelopes it mailed. This work involved full investigation of the mater to determine the number of individuals who may have been affected by the breach, the types of information involved, and a review of applicable state and federal laws to determine notification and reporting requirements.
- Revision and implementation of a record retention program for multi-state nursing, rehabilitation, and retirement facility. This work consisted of creating a record retention program for multiple facilities across twelve states. The facilities operated by the company maintained different types of electronic medical records and were subject to different state laws, and therefore, our team developed a record retention program that applied to all facilities, across all states.
- Drafting, reviewing, and revising numerous HIPAA Business Associate Agreements on behalf of covered entities, business associates, and sub-business associates
- Obtained ruling from the Seventh Circuit affirming dismissal of a lawsuit against a national testing agency in which plaintiffs alleged claims on behalf of a putative class of 16 million persons that their personal identifiable information had been sold without authorization
- Retained to defend hospital from class action arising from data breach involving protected personal information
- Retained to represent business in class action for alleged violations of Illinois Biometric Information Privacy Act
- Obtained judgment and defeated class certification in FACTA class action lawsuit. The court held that although the plaintiff was personally liable under the cardholder agreement, the entity cardholder was the “consumer”; therefore, there was no private right of action for purposes of the business transaction alleged in the complaint
News & Press Releases
- December 27, 2021
- SmithAmundsen, November 18, 2021
- SmithAmundsen Welcomes Sofia Valdivia to Class Action, Data Privacy & Security, and Commercial Transportation Practice GroupsNovember 10, 2021
- February 22, 2021
- St. Louis Small Business Monthly , February 9, 2021
- SmithAmundsen, November 16, 2020
- ITSPMagazine, June 8, 2020
- Law Firms Weigh in on Privacy Rules for Biometrics for Online Work and School- BiometricUpdate.com Quotes Molly ArranzBiometricUpdate.com, April 28, 2020
- February 24, 2020
- Cook County Record, February 5, 2020
- CNBC, June 26, 2019
- Law360, May 28, 2019
- Crain's Chicago Business, October 25, 2018
- Law360, May 28, 2018
- Molly Arranz Quoted in Chicago Lawyer Article, “Cyber Insurance: Are Insurers’ New Digital-Attack Policies Worth the Hype?”Chicago Lawyer , June 4, 2018
- October 27, 2017
- Crain's Chicago Business, September 15, 2017
- Equality Illinois, August 1, 2017
- Crain's Chicago Business, September 10, 2016
- The American Lawyer, August 2016
- Equality Illinois, July 8, 2016
- Above the Law, April 18, 2016
- Above the Law, April 13, 2016
- Employers’ Rights Under the Computer Fraud and Abuse Act (CFAA) Narrowed after Supreme Court Decision in Van BurenNovember 8, 2021
- Ready or Not: New Wisconsin Cybersecurity Law—Act 73—Imposes Cybersecurity Requirements on Insurance ProvidersJuly 16, 2021
- June 2, 2021
- February 24, 2021
- October 9, 2020
- September 28, 2020
- A National Biometric Privacy Law? Laws Protecting “Biometric” Identifiers Continue to Cut a Blazing TrailAugust 19, 2020
- Emails Seemingly Sent from the Small Business Administration Regarding COVID-19 Loan Relief Could Be Phishing Emails: Exercise Caution!August 14, 2020
- April 16, 2020
- April 7, 2020
- March 30, 2020
- March 26, 2020
- October 24, 2019
- April 26, 2019
- August 3, 2018
- May 21, 2018
- October 21, 2016
- May 16, 2016
- April 8, 2016
- A Fast-Moving Train Coming Into the Insurance Company Station? The Cybersecurity Model Rule for CarriersUSLAW Magazine, July 25, 2019
- The Transportation Lawyer, April 2019
- Indiana Bankers Association, December 8, 2017
Presentations & Events
- SmithAmundsen; Webcast, November 16, 2021
- Wisconsin Association of Mutual Insurance Companies, Leadership Retreat; Lake Geneva, WI, October 20, 2021
- 2021 ATA Litigation Center Trucking Legal Forum, Seminar; Washington, DC, July 28, 2021
- Wisconsin Association of Mutual Insurance Companies (WAMIC); Stevens Point, Wisconsin, July 13, 2021
- Your Employee Asked to Work Remotely Indefinitely (or Short Term): Important Legal Considerations Before You Say YesSmithAmundsen, Webcast, June 23, 2021
- SmithAmundsen, Webcast, June 16, 2021
- Attention All In-House Lawyers and GCs: Missteps Before Or After A Data Incident Could Land You In Professional Hot WaterSmithAmundsen, Webcast, June 2, 2021
- Illinois Manufacturers’ Association, Webcast, November 5, 2020
- SmithAmundsen, Webcast, October 29, 2020
- USLAW Network, Webcast, September 30, 2020 - October 9, 2020
- 2020 American Trucking Association Litigation Center Trucking Legal Forum, Webcast, July 23, 2020
- USLAW Network, Inc, Webcast, June 2, 2020
- Illinois College of Law and the Law Alumni Board, Seminar; Chicago, IL, February 20, 2020
- USLAW Network In-House Counsel Forum, Seminar; Minneapolis, MN, October 30, 2019
- Seminar; Chicago, IL, October 30, 2019
- 2019 IBA Security Conference; Carmel, IN 46032, October 2, 2019
- CyberSecure My Business Workshop, Seminar; Madison, WI, September 24, 2019
- National Cyber Security Alliance; Chicago, IL, May 9, 2019
- EBANI Meeting, February 27, 2019
- Illinois Chamber of Commerce; Webinar, April 12, 2018
- 3rd Annual Financial Services Cybersecurity Conference, Indiana Infragard Members Alliance; Carmel, IN, March 22, 2018
- Better Business Bureau; Chicago, IL, May 2, 2017
- Illinois Chamber of Commerce; Webinar, March 2, 2017
- 2016 USLAW Network Data Privacy Security Book Camp, Dallas, TX, November 2016
- Illinois Chamber of Commerce, Webinar, July 13, 2016