Data Privacy & Cybersecurity
Empowering organizations to protect and maximize their information assets.
At Husch Blackwell, our Data Privacy & Cybersecurity law team partners with clients to unlock the value of their information while ensuring compliance, reducing risk, and advancing long-term data security goals. We help organizations safeguard against cybertheft and unauthorized disclosures, proactively assess cybersecurity risks, and implement best practices to prepare for security incidents. When a data breach is suspected, our data privacy and cybersecurity attorneys respond immediately—minimizing damage to business operations and reputation.
We provide strategic counsel on compliance with data privacy and cybersecurity laws, including the federal laws applicable to the educational, financial, healthcare, and telecommunication sectors, as well as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and other state and international privacy frameworks, including the European Union’s General Data Protection Regulation (GDPR).
Our team of data privacy lawyers also includes attorneys with significant experience defending clients in privacy litigation, including claims related to the use of cookies, pixels, session replay technology, website chat functionality, and other common website marketing tools that may implicate state privacy, wiretapping, and pen register and trap and trace laws.
Stay ahead of the latest legal trends—subscribe to our Byte Back blog for updates on data privacy and cybersecurity developments.
Data Privacy
Our data privacy services include:
- Preparing data processing agreements, privacy notices, and terms of use
- Providing large-scale privacy and information management training for corporate personnel
- Preparing and negotiating privacy-compliant business agreements
- Representing clients in privacy litigation and regulatory investigations
- Responding to federal and state regulators in the face of enforcement actions and class actions
- Designing and implementing records retention schedules, file plans, and legal hold processes for organizations across industries, including financial services, energy, healthcare, and utilities
In addition to advising on comprehensive international and state privacy laws, we advise clients on compliance with sector-specific regulations, including:
- Health Insurance Portability and Accountability Act (HIPAA) for healthcare
- Gramm-Leach-Bliley Act (GLBA) for financial services
- Family Educational Rights and Privacy Act (FERPA) for colleges and universities
- Telephone Consumer Protection Act (TCPA) for communications
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) for marketing
- Electronic Fund Transfer Act (EFTA) for financial transactions
- Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA) for credit reporting
- Children’s Online Privacy Protection Act (COPPA) for children’s data
- Other state and federal privacy regulations
Cybersecurity
Our team draws on decades of government, military, national intelligence, and industry experience to help clients address complex cybersecurity and emerging technology challenges. We have experience supporting highly regulated sectors and critical infrastructure, including energy, mining, aviation, utilities, and the Defense Industrial Base (DIB). Our attorneys guide organizations through compliance with statutory, regulatory, and industry cybersecurity standards. We also offer practical insights into federal expectations, enforcement actions, and information-sharing initiatives.
We provide comprehensive services, including:
- Developing and implementing information security compliance programs
- Quarterbacking incident response efforts through every phase of the response
- Coordinating third-party resources to aid clients in risk analysis activities
- Performing cyber risk and vulnerability assessments tailored to operational technology and critical infrastructure
- Implementing compliant security controls and employee training on industry best practices
- Assisting DIB contractors with Cybersecurity Maturity Model Certification efforts
- Conducting data security tabletop exercises, cyber liability insurance evaluation, and records retention policies
- Delivering strategic advice on AI integration; cybersecurity; due diligence for M&A opportunities, procurement decisions, and product development; and global regulatory requirements
Breach Response
When protected information is compromised or lost, our breach response attorneys act swiftly to assess legal obligations, identify next steps, and minimize operational and reputational harm. We guide clients through every critical activity after a data breach—including notification, insurance coverage, regulatory reporting, and communications—ensuring these steps are handled with minimal confusion, cost, risk, and delay during a high-stakes crisis.
Representative Experience
Records Management & Information Governance
- Developed records retention schedules, file plans, and information management policies for:
  - An $83 billion asset management and financial planning firm.
  - A financial services and national bank holding company with $33 billion in managed assets.
  - Multistate power and gas utilities and pipelines.
  - A Fortune 100 pharmacy benefits management company.
- Developed legal hold processes for organizations in the energy, retail, and manufacturing industries.
- Validated records retention schedules for hospitals, health systems, pharmaceutical and biotechnology companies, pharmacy benefit management companies, and medical equipment manufacturers.
- Delivered processes and presented training on compliant records management and disposal for organizations undergoing corporate headquarters moves.
- Provided information management training to over 900 corporate personnel at a professional services company.
- Advised on records retention and information management policies, procedures, and implementation for various clients.
- Advised regarding legacy data remediation for a regulated public utility.
Privacy & Security Compliance
- Drafted medical staff bylaws, rules, and regulations, including HIPAA-compliant policies and procedures.
- Performed HIPAA Security Rule risk assessments for covered entities and business associates, including long-term care facilities and third-party administrators.
- Counseled a large pharmaceutical client on HIPAA de-identification practices and developed guidelines for transmitting de-identified information to third parties.
Incident Response & Breach Counseling
- Represented clients in health information data breaches involving more than a half-million patients’ medical records; advised on breach response and best practices to protect patient data.
- Coordinated assistance from federal resources to help clients limit the consequences of data breach incidents.
- Represented lending institutions in analysis of phishing scams and Adversary-in-the-Middle attacks, as well as in ensuing investigations by NYDFS and other state banking/licensing commissions that resulted in zero adverse actions or penalties by those state agencies.
- Represented a specialty physician group practice after a compromise of patient records, leading to the return of records and full HIPAA/HITECH compliance.
- Defended numerous healthcare clients in HIPAA investigations, including breaches involving 500 or more individuals; provided expert testimony in court cases.
- Served as breach counsel and handled all aspects of a phishing attack experienced by a large state university.
- Served as breach counsel for a state university foundation after a third-party data breach, working with the CISO to coordinate regulatory response.