Cybersecurity and Data Privacy

Electronic data fuels innovation and productivity for the global economy. The same connectivity that has revolutionized workplace collaboration also creates unprecedented vulnerability to data theft, loss, and disclosure.

Our goal is to help our clients minimize cybersecurity risk as a threat to customer goodwill, corporate intellectual property, and shareholder confidence.
Effective data security must protect the privacy rights of customers and employees and the intellectual property of the company, while preserving the data accessibility the marketplace demands. Schiff Hardin's Cybersecurity and Data Privacy Client Service Team mobilizes attorneys from across the firm's practice groups and offices to provide our clients with a multidisciplinary, national team to address these challenges.

 

Because Breaches Will Happen, Risk Management Means More than Breach Prevention.

In the current environment, perfect data security and perfect legal compliance are unlikely. Technology provides malefactors, both foreign and domestic, with the upper hand, and the laws governing data security in the United States are a patchwork of inconsistent state and federal statutes and regulations that fall short as a reliable roadmap for corporate best practices. The overlay of an evolving body of global data privacy law only complicates the compliance landscape. Even for those companies with the most sophisticated framework, recurring cyber breaches are inescapable. In the investigation that must follow each such breach, it is likely that at least some corporate compliance issues will come to light.

When a Breach Happens, Neutralizing the Business Risk Requires Skilled Advocacy.

Schiff Hardin recognizes that meaningful risk management requires much more from outside counsel than a checklist of cyberlaw do's and don'ts. Certainly that discussion is an important starting point, but our goal, and how we measure success, is helping the client minimize cybersecurity risk as a threat to customer goodwill, corporate intellectual property, and shareholder confidence. The company must be able to demonstrate that a breach is an isolated incident and not the result of deficient risk management and compliance practices. Our firm's goal is to help the client develop and communicate a persuasive company narrative that places a cyber breach in the proper context and demonstrates to all of the client’s relevant constituencies – regulators, shareholders, customers, employees, and the courts – that they can and should continue to have confidence in the company’s data security and culture of corporate compliance.

The building blocks for this narrative should already be in place before a breach occurs. An integrated data security strategy views legal compliance as an important element but not the final measure of success. Our team is uniquely positioned to help the client neutralize data security as a business risk both before and after a breach occurs.

Our Firm Stands Ready With a Multidisciplinary National Team.

To meet our clients' cybersecurity challenges, Schiff Hardin's team combines the skill sets of trial advocates, subject matter experts, and compliance counsel. Our Cybersecurity and Data Privacy Team reflects our firm's depth of experience in both trade secrets litigation and corporate internal investigations. Long before "cybersecurity" became a buzzword of corporate boardrooms, our trade secrets litigators already had substantial experience investigating and bringing to trial complex claims for theft of electronic data with the assistance of sophisticated computer forensic analysis. Although cyberbreaches involving consumer information may receive substantial public attention, the breaches of greatest economic value remain thefts of trade secrets and other sensitive commercial information. While a dishonest employee who transmits sensitive data to a foreign competitor may now be a cybercriminal, the civil remedies under the trade secrets laws, the company's obligation under those same laws to diligently protect the security of its trade secrets, and the strategies for developing and proving the facts supporting the company's claims remain the core focus of our firm's trade secrets team.

Our multidisciplinary team includes members of our firm's energy practice, including a former Director of Compliance Enforcement for the North American Electric Reliability Corporation (NERC) and nationally recognized authority on reliability standards in the electric industry. These attorneys regularly advise on cybersecurity issues for this critical infrastructure industry and have developed a broad understanding of how participants in the electric industry safeguard both cyber and physical security. Our attorneys advise and comment on new reliability standards, aid clients during audits and investigations, develop compliance programs, represent clients in enforcement actions, and regularly blog on the topic of cybersecurity issues.

At the heart of our Cybersecurity and Data Privacy Team are the attorneys who grapple daily with the challenges of translating legal compliance into policies and procedures and negotiating appropriate contracts to protect and share confidential business and personal information. Our attorneys provide counsel on compliance with industry-specific standards such as the Payment Card Industry (PCI) Data Security Standards and industry-specific privacy laws, such as those applicable to medical (HIPAA) and financial (Gramm-Leach-Bliley) data. We also advise clients on online data collection and crafting website privacy policies.

Heightened law enforcement awareness of cybercrime has expanded the investigation and enforcement options available to our clients, and an effective response to a cyber breach now often requires the company to liaise with the FBI and the U.S. Attorney. Our white collar criminal defense team includes six former assistant U.S. attorneys, including a former Chief of the Criminal Division of the U.S. Attorney's Office in Chicago. Our corporate, investigations and white collar team understands that corporate investigations do not occur in a vacuum and that an effective investigation and response require sensitivity to the interests of each of the client's relevant constituencies.

To learn more about our capabilities, please contact any member of Schiff Hardin's Cybersecurity and Data Privacy Client Service Team.
