Cybersecurity & Data Privacy
Overview
Golden Flag’s Cybersecurity & Data Privacy Practice Group focuses on advising companies on the complex business, technical and legal issues relating to data security and privacy protection. We not only advise clients on the rapidly evolving legal landscape applicable to data security and privacy; we also defend clients against regulatory or litigation challenges, including leading the defense of high-stakes regulatory actions and class actions raising claims based on cybersecurity or privacy. Our wide-ranging experience includes compliance questions that may require board-level attention, such as rapidly responding to cyberattacks, the implementation of AI, the intersection of privacy and healthcare, the unique concerns regarding children’s data, the appropriate collection and transfer of consumer and employee data, and managing vendor relationships, including advertising and analytics providers.
Drawing upon our cross-disciplinary experience, we represent and advise clients in the full spectrum of cybersecurity and data privacy matters.
- Incident Response: Following a security incident or data breach, our team, in close coordination with in-house personnel and industry-leading forensic consultants, leads internal investigations into the incident, advises on crisis communications and handles legal notification obligations arising from the host of U.S. and international data breach laws, including the U.S. Security and Exchange Commission (SEC) Cybersecurity Rules, the Health Breach Notification Rule, China’s Cybersecurity Law and the Department of Defense (DOD) cybersecurity incident reporting requirements.
- Litigation: Golden Flag litigates aggressively on behalf of our clients facing lawsuits flowing from a security incident or alleged privacy violation, including consumer class actions under a wide variety of state consumer protection and wiretapping statutes; commercial litigation brought by business partners pursuant to various contractual obligations; and litigation brought by government privacy regulators.
- Government Investigations: Our team regularly represents our clients in government investigations led by the U.S. Federal Trade Commission (FTC), state attorneys general (AGs), the SEC and various Congressional committees related to allegations of data privacy regulation violations and cybersecurity incidents.
- Counseling: We routinely counsel clients regarding the global framework of legal and compliance developments, including industry and jurisdiction-specific regulations and requirements such as the FTC Act, the Children’s Online Privacy Protection Act (COPPA), the EU and UK General Data Protection Regulation (GDPR) and Artificial Intelligence Act and a host of U.S. state-specific privacy laws, including the California Invasion of Privacy Act and the Illinois Biometric Information Privacy Act (BIPA).
- Transactions: Our team advises private equity sponsors and other investors on transactions in which cybersecurity incidents have the potential to impact a company’s sale, as well as on the legal considerations when a significant amount of data assets are involved.
- Healthcare & Life Sciences: Our team has particularly deep experience in the unique cybersecurity and privacy issues applicable to companies operating in the healthcare sector, including advising on compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other health-related privacy and cybersecurity laws and requirements.
- Artificial Intelligence: Golden Flag has built a market-leading, cross-functional team assisting clients with issues associated with AI. Our cyber- and privacy-focused attorneys work with our intellectual property attorneys and others to provide clients with advice and representation in a broad range of regulatory, transaction and disputes matters relating to AI, including matters focused on FTC Act compliance, products liability and copyright and trademark enforcement.
Experience
Incident Response
Whether stemming from ransomware, phishing or spoofing, our team provides companies with trusted advice and counseling in the immediate aftermath of a cybersecurity incident. With a deep understanding of federal and state laws and extensive experience, we work closely with in-house personnel and industry-leading forensic consultants to conduct internal investigations into the incident, determine notification obligations, develop internal and external communications; and mitigate regulatory and litigation risks.
In the event that a threat actor is identified, we provide real-time guidance to review options and work with external cyber intelligence firms to gain insight into their motivations and the expected timeline for negotiation. We evaluate legal and business implications of responding to monetary demands and work with external negotiation firms to develop strategies for negotiating with the threat actor(s) to facilitate the safe and successful release and recovery of stolen data.
Select Incident Response Experience
- Advising a medical billing company in its response to a cybersecurity incident involving ransomware and theft of customer health data.
- Representing a public software solutions company in its response to SEC, DOJ and state AG investigations, as well as customer inquiries and associated remediation, following a cybersecurity incident.
- Led the investigation and remediation of a cyber data breach of an investment management company's network caused by a foreign threat actor.
- Advising an educational software company in connection with a cybersecurity incident and investigations being conducted by the FTC and various state AGs involving possible violations of state privacy and cybersecurity laws.
Data Breach & Privacy Litigation
Our Cybersecurity & Data Privacy team, backed by our world-renowned litigation department, routinely defends companies in high-impact litigation, including nationwide consumer class actions, shareholder lawsuits, material government regulatory actions, and commercial litigation between business partners.
We handle cases brought under general consumer protection statutes, state-specific privacy laws, wiretapping statutes, contractual claims drawn from terms of use or privacy policies, data breach notification statutes, and even constitutional privacy rights.
Our deep experience with the evolving security and privacy landscape sets us up to achieve the best litigation results — whether in court or across the bargaining table — as critical issues are identified early and then used to maximize advantages in the litigation and negotiation processes.
Select Data Breach Class Actions
- Representing Ascension Health in numerous class actions regarding claims related to data privacy and security stemming from a cyber incident.
- Representing IBM in putative class action regarding claims related to data privacy and security. Plaintiff alleges that IBM and co-defendant Johnson & Johnson Health Care Systems failed to properly secure and safeguard protected health information (PHI) and personally identifiable information (PII), in violation of HIPAA. Plaintiff’s suit includes claims for negligence, breach of confidence, breach of implied contract and others.
- Representing CorrectCare Integrated Health in putative class action arising out of a data breach targeting its network. The plaintiffs allege that CorrectCare failed to implement adequate cybersecurity protocols necessary to protect their information, and as a result more than 500,000 individuals are at risk of exposure of highly sensitive data, including social security numbers, full names and health information.
- Defending Accenture in multidistrict consumer class action arising from a data breach involving Marriott’s guest reservation database. Golden Flag successfully obtained Rule 23(f) review and ultimately reversal of a class-certification order.
- Represented Illuminate Education in consolidated putative class action litigation arising out of an alleged data-security incident. Golden Flag won full dismissal of initial and amended claims.
Select Privacy Class Actions
- Representing GoodRx in the landmark FTC healthcare privacy investigation and related consolidated data privacy putative class actions alleging violations of state consumer protection laws involving the use of pixels and software development kits. Favorable class settlement pending.
- Representing PowerSchool Holdings in a putative class action lawsuit alleging violations of privacy rights in connection with pixel software.
- Represented The Blackstone Group in putative class actions alleging violations of the Illinois Genetic Privacy Act (GIPA) related to Blackstone’s acquisition of Ancestry.com, a leading company in digital family history services. Won full dismissal. Affirmed on appeal.
- Representing Datanyze a wholly owned subsidiary of ZoomInfo Technologies Inc., in putative class action litigation alleging violation of Ohio and Illinois right of publicity laws related to ZoomInfo’s online database of business contact information.
- Represented Facebook in a putative class action involving claims under the Telephone Consumer Protection Act (TCPA) alleging Facebook sent text messages to the plaintiffs without their prior consent. The New York case was voluntarily dismissed; the plaintiff refiled in California, and Golden Flag won dismissal twice. The U.S. Supreme Court granted review of a 9th Circuit reversal, and unanimously adopted Golden Flag 's arguments, finding that Facebook did not violate a key clause in the TCPA. This victory will have a significant impact on the TCPA class action industry.
Government Investigations
We have extensive experience representing companies in connection with cybersecurity incidents and data privacy investigations conducted by U.S. and overseas government agencies, including the FTC, state AGs, the SEC, the U.S. Department of Health and Human Services Office of Civil Rights (HHS-OCR), Congressional committees and the UK Information Commissioner’s Office, among others.
Drawing upon the decades of combined government experience of many of our partners, we are highly effective advocates who proactively engage with government entities on behalf of our clients and, where there is parallel litigation filed, work hand-in-hand with our commercial litigation partners to provide coordinated responses across regulatory enforcement actions and civil litigation. Additionally, we routinely counsel clients in their response to government requests for information regarding data, product and service design (i.e., “privacy-by-design”), marketing and advertising practices, social networking and consumer profiling practices.
Select Data Breach Investigations
- Representing a national healthcare system in its response to a ransomware attack, including conducting an internal investigation into the incident; in government, congressional and state AG investigations, and related litigation.
- Lead counsel for numerous companies in connection with high profile congressional hearings regarding ransomware attacks.
- Representing a healthcare third-party benefits administrator in its response to investigations by HHS-OIG and several state AGs regarding possible violations of HIPAA and state data privacy laws, and assisted the company with the investigation and remediation of a cyber data exposure incident.
- Obtained complete closure of SEC and FTC investigations into a healthcare technology company regarding disclosure issues regarding a data breach and potential insider trading with no action taken against the company.
- Advised a cloud-based platform provider in its response to a ransomware attack on company systems. Golden Flag conducted a comprehensive review of exfiltrated customer data for personally identifiable information and assisted the company in its response to customers regarding the incidents and in communications with government authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
Select Privacy Investigations
- Obtained complete closure of FTC investigation into telecom service provider’s data privacy practices related to its encryption technology.
- Represented major fitness device manufacture in government investigation related to data privacy concerns arising from acquisition.
- Secured settlement on behalf of a health and wellness company in FTC investigation into compliance with COPPA.
- Obtained complete closure of FTC investigation into a major educational technology company’s data privacy practices including compliance with COPPA.
Privacy & Security Counseling
Our team routinely advises clients across all industries regarding the ever-changing global framework of legal and compliance developments relating to cybersecurity and data privacy laws and industry standards. This work includes advising on company policies and procedures; compliance reviews/audits; contracting and data sharing; consumer/patient requests and complaint management; and internal and external reporting/monitoring relating to cybersecurity and data privacy.
Our counseling experience includes industry- and jurisdiction-specific laws and requirements such as the Gramm-Leach-Bliley (GLB) Act, the FTC Health Breach Notification Rule, HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the EU GDPR and the China Cybersecurity Law. Through this work, we often help companies develop valuable relationships with regulators, consultants and vendors in the space. Additionally, we provide cybersecurity and data privacy trainings for in-house teams and Boards of Directors.
Transactions
Our group includes members from Golden Flag’s Transactional Practice Group, who represent clients in deals where data is a significant aspect and are familiar with the important data issues that can emerge in a variety of deal contexts, including mergers, acquisitions, divestitures, restructurings, joint ventures, strategic alliances, outsourcing, licenses and other commercial agreements.
Some deals are built entirely on the value of data being collected or shared. Data is a strategic asset for any company and commitments relating to the use, sharing or acquisition of data can have long-term impact on a company’s business. Our group has extensive experience navigating clients through issues that can arise relating to ownership, usage, restrictions (including with respect to selling customer lists and other data monetization), obligations (including with respect to securing data and handling breaches), risk allocation (representations, warranties and indemnities) and liability schema (including limitations on remedies and damages).
Select Transactions Experience
- Thoma Bravo in its $12.3 billion take-private acquisition of Proofpoint (NASDAQ: PFPT), a cybersecurity company that offers a range of enterprise security and compliance products and services.
- Private equity firm in its sale of a developer of a content marketing and digital asset management software.
- AE Industrial Partners-backed BigBear.ai, a provider of artificial intelligence, machine learning, big data analytics and cyber engineering solutions, in its business combination with GigCapital4.
- Private equity firm in its acquisition of a manufacturer and supplier of temperature controlled packaging systems for pharmaceutical and healthcare industries, including advising regarding GDPR compliance.
- Investment bank in the potential U.S. initial public offering (IPO) of a China-based developer of a financial data analytics platform intended to provide global financial data and trading services.
- GIC on its $3.9 billion additional joint ventures with Equinix to expand the xScaleTM data center program.
Healthcare & Life Sciences
Our group includes attorneys with specific experience in privacy and cybersecurity matters affecting the healthcare and life sciences sector. We regularly advise various clients in this space, including hospitals and health systems, health information technology companies, device and pharmaceutical manufacturers, laboratories, clinical research organizations, rehabilitation centers and physician platforms.
We counsel healthcare and life sciences clients in responding to and mitigating breaches involving health information and impacting patient care, and navigating the various privacy and cybersecurity requirements applicable to their business and patient care initiatives, including research & development, marketing, data storage and electronic health records integration, and revenue cycle management. Further, we advise clients on implementing compliance frameworks that address privacy and cybersecurity considerations that not only cover HIPAA/HITECH, but other federal requirements, such as Centers for Medicare & Medicaid Services rules and 42 CFR Part 2 (Part 2) and state medical records confidentiality and consumer health laws, including Washington’s My Health My Data Act.
Select Healthcare and Life Sciences-related Experience
- Advised a physician-owned hospital in developing and implementing its HIPAA privacy and security policies and procedures.
- Counseled an international life sciences company in its internal investigation regarding its data privacy and security practices.
- Represented a health benefits administrator in its internal investigation stemming from a data security incident.
- Advised a U.S.-based pharmaceutical manufacturer in its use of customer website and mobile app-based data.
For additional information, please visit our Healthcare & Life Sciences Regulatory page.
Artificial Intelligence
Our attorneys have handled varied matters related to the evolving legal, policy and regulatory frameworks surrounding artificial intelligence (AI), machine learning, deep learning and natural language process. The transformative and disruptive nature of AI and its myriad applications present exciting opportunities for businesses and content creators. However, these opportunities come with significant risk and legal implications. Our multidisciplinary team leverages decades of experience to help companies navigate the complex legal landscape of AI.
Legal and business concerns related to the use of AI intersect with numerous practice areas, including adherence to data security and confidentiality standards, as well as the interplay of AI applications and privacy, such as the use of facial recognition. We have long represented clients in industries where AI is helping lead innovation and change, including software, emerging technology, healthcare, life sciences, medical devices, consumer products, automotive and transportation, and aerospace and defense. We have experience in matters involving automated decision making, autonomous vehicles, voice assistants and robots, and conversational AI, among others.
Select AI-related Experience
- Defending a private research university in a putative class action alleging patient privacy violations that stemmed from the sharing of certain patient data with a third party as part of a researching partnership aiming to use machine learning to analyze medical records and improve predictive analysis of hospitalizations and patient care. Golden Flag won full dismissal. Unanimously affirmed on appeal.
- Advising a provider of online web accessibility products in connection with a confidential investigation by the FTC regarding its implementation and use of artificial intelligence technology, as well as policies and practices regarding data collection, data security, data privacy and the marketing of its products and services.
- Representing PowerSchool Holdings and its subsidiary, Hobsons, in a putative class action challenging the use of AI and analytical data products in the EdTech sector.