Billions are lost every year by corporations, universities, municipalities, school districts, public agencies, and other entities due to attacks on their confidential data, ranging from sensitive financial and personnel information to closely guarded trade secrets and other intellectual property. Barclay Damon’s cybersecurity team understands the pressing need to assure the integrity of data and protect it against threats posed by criminals, unscrupulous marketplace participants, inadequate security measures, and simple mistakes.
Our team provides counseling on preventing and managing risks, including through the negotiation of appropriate contractual safeguards and the development of audits and training materials; advises clients on appropriate cyber liability coverage and claims procedures; asserts and defends claims regarding breaches in state and federal courts; and represents clients in arbitration and in response to government investigations. We are available 24 hours a day, 365 days a year to help clients respond to a cyber event.
Prevention, Policy Review, and Training
We have extensive experience helping clients develop internal cybersecurity policies, incident-response plans, cybersecurity requirements, and indemnification and insurance-procurement provisions for inclusion in vendor contracts. Our deep knowledge of compliance, information security, privacy, regulatory investigations, and litigation allows us to evaluate plans and other documents for compliance with federal, state, and international privacy and information-security laws.
Our attorneys regularly conduct training seminars on a wide range of cyber risk subjects, including best practices for reducing the risk of a breach; legal requirements relating to breach events; limiting the risk of class-action and other lawsuits arising from cyber events; mitigating risk through first- and third-party cyber liability insurance; and federal and state government investigations relating to cyber events.
We leverage our relationships with data-security firms to help clients obtain vulnerability assessments, penetration testing, and other network assessments to identify and reduce cyber risks and exposures.
As “breach coaches” available 24 hours a day, we work with clients and other stakeholders to determine the nature and extent of the breach and the appropriate response, including assisting with notices required under federal or state breach notification laws. We draw on our relationships with trusted forensic-investigation firms, enabling clients to respond quickly and comprehensively, which helps limit their potential exposure to damages, fines, penalties, and other costs.
Our representation spans multiple sectors and breach scenarios, including malware and ransomware attacks; social-engineering scams; internal malicious conduct; and inadvertent disclosure. Examples include:
- An advertising company whose employee data was hacked through a vulnerable internet connection.
- A service company whose employee data was made public due to a faulty website design.
- A health and human services provider whose patient data was exposed due to a defective link on an intranet program.
- A professional-services firm that inadvertently disclosed the personal data of a party involved in litigation.
- A medical-services provider whose patient data was breached and made available on the internet.
- A hospitality company following the hack of customer credit card and personal information using malicious software on the point-of-purchase terminals.
- A computer-hardware service provider that had sensitive personnel information hacked and distributed throughout the company.
- A vending-machine operator in relation to a breach involving a supplier.
Federal and state laws require certain data breaches to be reported to government agencies that include, for example, state attorneys general, the NY Department of Financial Services, and, for certain breaches involving information protected under HIPAA, the NY Department of Health and Human Services. These agencies often conduct detailed investigations into the circumstances surrounding a breach. In the event of a government investigation, our experienced team responds quickly and strategically, communicating with agency investigators, ascertaining the facts related to the incident, and helping avoid or lessen potential fines, penalties, and corrective actions.
Examples of our work include responding to:
- Investigations initiated by the NY Attorney General’s Office arising from an event that required notice under the state’s breach notification statute, General Business Law 899-aa, and negotiating resolutions to reduce assessed penalties.
- Investigations initiated by the federal Office of Civil Rights arising from breaches requiring notice under HIPAA and negotiating resolutions to those investigations to reduce assessed penalties.
A breach or other cyber event often results in allegations of liability and litigation. The claims come from many sources, including employees, customers, vendors, banks, credit-card processors, and the government. We evaluate clients’ exposure and work to resolve disputes quickly. If necessary, we vigorously represent our clients in court, arbitration, and other adversarial proceedings. Disputes we’ve handled include:
- Addressing potential claims, liabilities, and contractual issues.
- Dealing with customers who have been or may be impacted by a breach.
- Obtaining a judgment against a hacker responsible for disseminating personnel information to unauthorized recipients.
- Addressing investigations instituted and claims asserted by banks and credit-card processors in matters involving breaches of payment systems or account information.
- Working with suppliers and vendors, including outside IT departments and hardware or software suppliers, involved in the breach (either as a potential source of the breach or impacted by the breach) to facilitate investigation and containment and to address potential contractual, statutory, and common-law liability issues.
Cyber Liability Insurance
The potentially devastating financial impact of a data breach can include costs to investigate and remediate the breach; litigation-defense costs; potential judgments or settlements; government fines and penalties; and losses from business interruptions. These costs may not be covered by traditional forms of insurance, including most general, management, and professional liability policies.
Barclay Damon’s insurance coverage attorneys have extensive experience with both traditional insurance forms and policies covering cyber risks. Our team works with clients to help identify coverage and to recover insurance proceeds for clients.
Blockchain Technology, Cryptocurrency, and Software Licensing
Our attorneys stay on top of developments and evolving applications of blockchain technology, the cryptocurrency marketplace, and numerous other innovations and assist clients with a variety of related matters, including software licensing.