Data Privacy and Information Security

Businesses small and large across all industries increasingly rely upon digital resources and the secure sharing of data internally as well as with third parties around the globe. This reliance is accompanied by a simultaneously growing risk of data privacy and cybersecurity compliance breaches. The legal and regulatory landscape is continually evolving to combat expanding digital threats, and companies that do not take a proactive approach to implementing appropriate privacy and security measures are at risk of being unable to continue operating in today's digital marketplace.

Porzio assists companies in developing and implementing proactive data privacy and cybersecurity policies and practices, and counsels clients in the aftermath of security breaches. Our attorneys leverage decades of experience and relationships with government agencies, industry experts and policy groups to provide our clients with complete solutions, from assessment to implementation and training to incident response. We help create and launch data privacy and security programs, train corporate boards and company representatives, conduct internal investigations, and counsel corporations following security breaches.

Sample services include:

  • Incident and breach response
  • Preparation and review of vendor agreements; contract negotiations; assessment and management of vendor risks
  • Privacy and cyber breach insurance coverage assessments
  • Information asset assessments and cybersecurity compliance "gap" analyses
  • Identification of company-specific risks and guidance to senior management and the board as to legal and regulatory obligations, best practices and corporate governance
  • Development and implementation of privacy breach and cybersecurity incident response plans
  • Development, implementation and updating of data privacy and security programs
  • Employee training as to security policies and procedures

Representative Areas of Focus

HIPAA Business Associate Compliance

The Health Insurance Portability and Accountability Act (HIPAA) governs the standards by which companies must protect patient health information and identifiable details. Companies that handle sensitive information and any affiliated personnel with patient access, including contractors and subcontractors, must ensure that all necessary physical and process security measures are in place to protect patient confidentiality.

We assess privacy practices and develop HIPAA compliance programs for companies throughout the life sciences and related industries. These services typically include:

  • Review of company policies and procedures, including practices related to the review, collection and storage of patient information; 
  • Working with company stakeholders to understand how the company collects, shares, sees, uses, stores, sends and/or maintains patient identifiable information;
  • Preparing documentation required for a HIPAA Compliance Program tailored to company activities, which may include preparation of a Privacy Policy, Security Policy, Business Associate Relationship Policy, Auditing/Risk Analysis Policy, Training Policy, and Breach Notification Policy, among others;
  • Creating business associate and affiliate agreement templates, patient consents and authorizations; and
  • Preparing training programs to address HIPAA obligations, the company's HIPAA-related policies and individual responsibilities.

Incident Response

Porzio assists companies of all sizes when faced with the possibly devastating consequences of a data privacy or cybersecurity breach. Our interdisciplinary team of attorneys is poised to handle, when necessary, crisis management and litigation arising from data breaches. Our attorneys also create incident policies and procedures, and train corporate personnel on best practices to minimize the risk of data and compliance breaches and to contain losses when an incident occurs.

Insurance Coverage Assessments

Porzio attorneys conduct insurance audits to examine current coverage of privacy and cyber-related matters and to determine potential areas of loss that are not covered under standard policies and/or that require specialty coverage. We also counsel clients regarding coverage disputes.

Internal Investigations

To provide the most comprehensive investigative services, Porzio brings together a diverse team of data privacy and cybersecurity attorneys—including a long-time Assistant U.S. Attorney and Trial Attorney for the U.S. Department of Justice and former in-house counsel at NYSE-listed companies—with experience conducting investigations for corporations, Boards of Directors, governmental agencies, and other entities. Porzio’s clients also benefit from the firm's multi-disciplinary approach to each matter, with access to experienced attorneys across various industries and related practice areas.

Our attorneys have handled investigations and cases in a variety of substantive legal fields, including cybersecurity, antitrust, fraud, securities fraud, intellectual property, and corporate governance.

Privacy and Cybersecurity Risk Assessments

Privacy and cybersecurity breaches are a pervasive threat to all businesses, regardless of size, industry and location. Legal and regulatory frameworks continue to evolve as state, federal and international legislators and agencies struggle to apply myriad existing regulations to physical and electronic data. Depending on a company's locations, its customers' locations and where its data is held, a single company can be subject to a complex patchwork of data privacy and security laws and regulations. As new examples of privacy and security breach consequences arise nearly daily, the business risk from loss of data is real.

Porzio attorneys assist companies in developing a proactive approach to privacy and cybersecurity policies and practices. We provide guidance on broadly recognized standards, including the NIST Cybersecurity Framework, as well as industry-specific regulations. We help to create secure and compliant organizations throughout various industries.

Privacy Shield Compliance

Governing European Union (EU) data protection law generally provides that data transfers cannot be made to non-EU countries that do not ensure adequate levels of protection, a category that includes the US. The EU-US and Swiss-US Privacy Shield Frameworks serve as one exception to this rule. The Privacy Shield program is often regarded as the most efficient and effective way to facilitate the transfer of personal data between the EU and the US, or between Switzerland and the US. These Frameworks were designed by the US Department of Commerce, the European Commission and the Swiss Administration.

We provide guidance relating to the assessment and implementation of the policies and procedures necessary to meet the requirements for joining either Privacy Shield Framework, including self-certification and public commitment disclosures, and for adhering to the regulations of the Privacy Shield programs.
