Covington represents clients on a range of matters involving the security of confidential customer, employee, business proprietary, and partner information. Our lawyers have been integrally involved in developing information security policies and conducting assessments of data security practices to comply with legal requirements, regulatory obligations, best practices, and specific agreements with third parties and governmental agencies. We are expert in the legal regimes governing data security both in the United States and the European Union (EU).
We frequently advise clients on all aspects of responding to data security breaches, including conducting investigations, taking appropriate remedial action to protect the integrity of potentially compromised information, working with law enforcement when necessary and appropriate, and notifying consumers and regulators. Our expertise also includes conducting data security audits on behalf of our clients, assessing their existing data security practices and refining their information security policies and incident response plans.
Additionally, we have been closely involved in the development of data security laws both in the US and EU, including drafting testimony on security-related issues for clients and providing comments on various proposals governing data security and breach notification requirements. In Europe, we also regularly counsel clients on the security standards arising under national and regional data privacy laws, including the detailed security regimes in Italy, Poland, and Spain, and we track developments associated with the European Network and Information Security Agency (ENISA) and European security standardization bodies.
Representative Matters
- Represented clients before Federal Trade Commission and state attorneys general investigations into data security practices. For example, we represented Microsoft in a Federal Trade Commission investigation of statements concerning the data security provided by Microsoft’s Passport identity authentication service, including negotiating and supervising compliance with an FTC consent order.
- Counseled numerous clients regarding notification and other remedial measures following breaches of security that potentially compromised personal information. For instance, we helped a leading Internet business respond to a data security incident involving more than 200,000 customers, including preparing notices to customers and regulators and establishing remedial measures in compliance with state laws and best practices.
- Performed data security due diligence for multiple clients in connection with major corporate mergers and acquisitions.
- Advised several clients respond to inquiries and investigations by the UK Information Commissioner and other EU data protection authorities in relation to data security incidents.
- Assisted clients in preparing notifications for regulators in various Asian and Central American countries, including Korea, Australia, and Japan, following data breach incidents involving citizens in those countries.
|
|