Data Security & Privacy Law

For over 20 years, Phillips Lytle has been handling complex data issues for our clients, long before “data security and privacy” was trending in the news or became a formal legal discipline. We counsel our U.S.-based clients on compliance with various statutory, regulatory and contractual requirements; insurance evaluation; best practices regarding data preservation, protection and destruction; cross-border data transfers; disaster recovery; emergency response planning; business continuity planning; digital forensic examinations; third-party/vendor risk management; data incident management; and government investigations, litigation or dispute resolutions.

Phillips Lytle’s Data Security & Privacy Team uses a multidisciplinary approach to develop comprehensive solutions that are tailored to each client’s particular needs and resources. Our seasoned cybersecurity attorneys have extensive transactional and litigation experience related to data security and privacy, including former data security and technology in-house counsel from a Fortune 500 financial institution. Our attorneys are supported by a technical team with over 20 years of experience regarding secure data management. Therefore, we are well-positioned to counsel clients regarding the evolving complexity of cybersecurity, data privacy laws and regulations amidst emerging technologies and critical business considerations.

Phillips Lytle’s Data Security & Privacy Team advises many sophisticated clients on data security and privacy issues in various industries, including health care, education, banking, manufacturing, construction, e-commerce, government contracting, and energy. Our team also represents cybersecurity service providers and cyber solution developers.

IAPP Seals

Phillips Lytle attorneys have been awarded the following ANAB-accredited credentials by the International Association of Privacy Professionals (IAPP): Certified Information Privacy Professional/Europe (CIPP/E); Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US); and Certified Information Privacy Manager (CIPM). CIPP/E and CIPP/US are preeminent certifications for advanced concentration in European data protection laws and U.S. private-sector laws, standards and practices, respectively. CIPM certification demonstrates an understanding of privacy program governance and the skills necessary to establish, maintain and manage a privacy program across all stages of its operational life cycle.

Our cybersecurity attorney team has extensive experience counseling clients regarding laws and regulations applicable to these sectors:

Health Care

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)


  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR part 500)

Defense and Government Contracting

  • Defense Federal Acquisition Regulation Supplement
  • National Institute of Standards and Technology Special Publication 800-171


  • New York Public Service Commission cybersecurity regulations for retail energy suppliers and distributed energy resource providers
  • Data security agreements and vendor risk assessments
  • Federal Energy Regulatory Commission cybersecurity and reliability standards


  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Children’s Online Privacy Protection Act (COPPA)
  • New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR part 500)
  • General Data Protection Regulation (GDPR), e-Privacy Directive
  • Electronic Signatures in Global and National Commerce Act
  • Family Educational Rights and Privacy Act (FERPA)
  • Defend Trade Secrets Act (DTSA)

Various State Laws and Regulations

  • California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR part 500)
  • N.Y. Gen. Bus. Law § 899-aa (2013)
  • N.Y. State Tech. Law § 208 (2013)
  • Cal. Civ. Code §§ 1798.29, 1798.80 et seq. (2017)
  • California Consumer Privacy Act of 2018
  • Colorado Privacy Act
  • Various other relevant state laws

Phillips Lytle’s Data Security & Privacy Team provides a wide array of services to our clients, such as:

  • Analyzing and drafting various policies and agreements, including:
    • Record retention and destruction policies
    • Data sharing and transfer policies and agreements (including cloud computing agreements and cross-border data transfer agreements)
    • Terms and conditions of service
    • Privacy policies
    • Confidentiality agreements
    • Business continuity plans
    • Incident response plans
  • Analyzing and advising clients on cyber insurance policies and coverage
  • Assisting clients with audit compliance
  • Providing third-party risk management services, such as:
    • Designing third-party risk management systems
    • Analyzing and negotiating vendor contracts
    • Negotiating with, and acting as a liaison to, vendors, suppliers or manufacturers
  • Conducting tabletop exercises to test incident preparedness

Cybersecurity Incident Response

Data incidents can take many forms, including trade secret theft, inadvertent data disclosure, ransomware, phishing or other cyberattacks. Our Cybersecurity Team has more than 20 years’ experience responding to data incidents, and works quickly and efficiently to address them and mitigate suspected damages.

In the event of a cyber incident, our Data Security & Privacy Team can manage the digital forensics investigation to mitigate potential harm. We have working knowledge of when, and how best, to seek law enforcement assistance and/or to pursue civil litigation. We can also assist with any necessary reporting and notification following a data incident, both internally to employees or investors, and externally to clients, customers, insurance carriers, government authorities/agencies, business partners or the general public.

We also have represented many small and large businesses and institutions in internal data breach investigations as a result of actions by competitors, disgruntled employees and other bad actors. Our attorneys and staff regularly conduct time-sensitive digital forensic investigations into ongoing fraud, theft of confidential information, and other improper or unlawful conduct. Our services include identification, collection and forensic analysis of electronic devices to recover or reconstruct deleted information, locate converted assets and track theft of confidential information through metadata and other tracking mechanisms.

Post-Incident Investigations and Cybersecurity Litigation

If any data security or privacy issue results in government inquiries, investigations or litigation, our Data Security & Privacy Team’s experienced litigators are ready to pursue and defend our clients’ interests. Our litigators are efficient, creative and aggressive, and possess the technical knowledge necessary to represent clients regarding a variety of issues, including:

  • Government inquiries and investigations
  • Subpoena responses
  • E-Discovery (including cross-border data transfers)
  • Uniform Dispute Resolution Policy complaints and proceedings
  • Litigation relating to, among other issues:
    • Cyberattacks
    • Data breaches
    • Inadvertent data disclosures
    • Theft of intellectual property
    • Misappropriation of trade secrets
    • Computer abuse or misconduct (such as ransomware, phishing, malware and identity theft)
    • Cyber torts
    • Defamation
    • Cyberstalking and harassment
    • Cybersquatting
  • Record retention and spoliation issues
  • White collar criminal defense
  • Class action defense

Our Cyber/Data Security & Privacy Team has extensive experience in pursuing bad actors to mitigate harm, enjoining ongoing wrongful conduct, recovering damages, securing insurance coverage and counseling clients on steps to take to avoid future problems.

We regularly review state, national and international regulations to ensure we are aware of the latest data security laws and regulations. We send our clients regular updates on pending legislation and regulations, novel issues, and/or high-profile litigation. We also present with other industry leaders at Continuing Legal Education and other programs, and regularly publish on these topics.

If you are experiencing or have experienced a data breach, cyberattack, or data-related incident, please do not hesitate to contact us. For other time-sensitive situations, we also have a dedicated Crisis Response & Management Team.
