Data Security & Data Privacy Law

The state, federal and international laws and regulations surrounding data security and privacy are ever evolving. What’s more, they’re struggling to keep pace with technological innovation. And if you are not prepared or don’t have the right guidance on your side, this can impact your company in a number of ways.

The Phillips Lytle Data Security & Privacy Team has firsthand, real-world experience as both technology entrepreneurs and advisors to our nation’s intelligence, military and law enforcement leaders who are immersed in the technology industry. We not only provide the legal expertise you need, we also understand data security law and are uniquely positioned to provide the business perspectives necessary to develop sound data privacy plans.

We employ a multidisciplinary approach, engaging the expertise of attorneys with perspectives in a variety of areas to bridge the gap between IT and management. Our team focuses on a variety of legally mandated privacy obligations, and we also evaluate privacy concerns as they relate to employees and consumers.

Our Data Security & Privacy Team has expertise in a variety of areas, including policy drafting, defensible record retention and destruction methods, crisis planning, and data breach response and notification; we can also evaluate how your organization uses, stores and transfers data. And if litigation or government investigations arise, we have the courtroom experience to pursue and protect your interests. All the while, we monitor state, national and international regulations to ensure our team is aware of the latest data security laws and regulations.

Because we’re familiar with data security litigation and regulatory matters, we can respond to cyberattacks, government inquiries and intellectual property cases. Our team can help you protect against trade secret theft, ransomware, phishing and other technology threats; evaluate your insurance needs and policies; and work to develop data security and privacy best practices unique to your business.


We help develop policies; draft, negotiate and review contracts; address auditing and compliance; and establish best practices as they relate to:

  • Record retention and destruction
  • Data sharing and transfer
  • Data breach response, mitigation and notification
  • Data residency
  • Risk management evaluation, including insurance matters
  • Audit compliance
  • Crisis planning
  • Workforce and employee relations with data security issues, such as those in confidentiality agreements, non-disclosure agreements and bring-your-own-device (BYOD) policies
  • Relationships with third parties, including vendors, suppliers, manufacturers and customers

The Data Security & Privacy Team has extensive experience in business litigation, white collar criminal defense and government investigations in response to – and in pursuance of – litigation and investigations related to:

  • Cyberattacks
  • Data breaches and inadvertent data disclosures
  • Theft of intellectual property by unknown parties, competitors or disloyal employees
  • Cyberstalking and harassment
  • Cybersquatting
  • Government investigations
  • Class action defense
  • Subpoena responses
  • Misappropriation of trade secrets
  • E-discovery
  • Record retention and spoliation issues
  • Computer abuse or other misconduct, including ransomware, phishing, malware and identity theft
  • Notices to customers, clients, government authorities/agencies and others concerning unauthorized disclosure or use of personal health information or personally identifiable information


The Data Security & Privacy Team offers a wide range of services, including evaluating and drafting policies, drafting contracts, auditing and establishing best practices as they relate to a variety of laws, rules and regulations, including but not limited to:

  • Federal Trade Commission (FTC) issues
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)
  • Children’s Online Privacy Protection Act (COPPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Gramm-Leach-Bliley Act (GLBA)
  • EU General Data Protection Regulation and Privacy Shield
  • Defend Trade Secrets Act (DTSA)
  • New York State Department of Financial Services, Cybersecurity Regulation (23 NYCRR 500)

Privacy concerns cross several industries, including but not limited to:

  • Health care
  • Insurance
  • Education
  • Banking
  • Consumer finance
  • Internet and e-commerce
  • Manufacturing
  • Energy
  • Food
  • Workforce solutions
  • Legal and accounting

In each of these sectors, the Data Security & Privacy Team works with our clients’ websites and mobile applications to develop comprehensive terms and conditions, privacy policies, email policies and other disclaimers concerning their online presence. We also pursue and defend clients’ interests when privacy issues result in or require litigation.

Significant Domestic and International Data Security Experience

We have represented many small and large businesses and institutions in internal data breach investigations as a result of actions by competitors, disgruntled employees and others.

  • Assisted with extensive litigation surrounding a cyberattack and its aftermath for a national organization
  • Assisted an international company with Privacy Shield compliance related to the transfer and processing of personal data obtained from European residents
  • Developed crisis response policies specifically related to data breaches and inadvertent data disclosures
  • Assisted covered entities and third-party providers in taking steps to comply with the New York State Department of Financial Services, Cybersecurity Regulation (23 NYCRR 500), including evaluating practices and creating and updating policies

We send our clients regular updates on pending legislation and regulations, new decisions in high-profile litigation and cases involving novel issues. We also present with other industry leaders at CLE and other programs, as well as regularly publish on these topics. For ongoing updates and guidance, please visit our blog at
