Cybersecurity and Data Privacy
I advise businesses, professionals, and individuals on protecting their sensitive data and complying with privacy laws. I have assisted organizations in formulating or revising data protection and privacy policies to comply with federal and state statutes and regulations. This includes, but is not limited to, bringing clients into compliance with the Massachusetts Standards for the Protection of Personal Information, as well as the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other state and federal legislation. I also counsel businesses and professionals on compliance with the EU General Data Protection Regulation. I assist in responding to inquiries from federal and state regulators, including the Centers for Medicare and Medicaid Services, the Federal Trade Commission, and state attorneys general.
My technical colleagues and I work to protect clients both before and after a data breach. This includes helping companies prevent a breach by conducting risk assessments, and helping clients design and implement a cybersecurity program or modify an existing program to meet new conditions. We also develop incident response plans to put our clients in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response, including handling communications with cyber insurance carriers and performing after-action analysis.
I also perform contract reviews for clients to ensure that vendors protect clients’ data and maintain the confidentiality, integrity, and availability of data stored offsite with vendors or in the cloud. In addition, I assist in reviewing cyber insurance policies to ensure that clients receive the best coverage at the lowest cost.
Counseled a public company after a data breach involving a recently purchased subsidiary.
Represented a mid-sized company in responding to a suspected breach of customer credit card information by Russian hackers. We handled reporting to state regulators and negotiations with the client’s vendors.
Counseled a major medical center on suspected computer intrusions.
Assisted a large medical facility in revising existing data privacy and security policies and in adopting new policies to keep current with changing regulatory requirements.
Chaired the U.S. delegation to the G8 Sub-Group on High-Tech Crime in Moscow (2006) and Berlin (2007).