Companies collect and process large amounts of personal information about employees and customers and increasingly rely on the assistance of third parties with core functions. The consequences of a loss or inadvertent disclosure can be grave. Our cross-disciplinary team of attorneys helps clients around the world mitigate risk, respond in the event of a crisis, and recover.


Ballard Spahr’s privacy and data security attorneys work closely with our clients, leveraging industry vendors when needed, to effectively map data, identify potential vulnerabilities, and draft protective compliance policies and procedures. When required, we stand ready to address network intrusions and respond to data breaches.

From Design to Implementation

Day-to-Day Counsel and Information Risk Management: Our attorneys advise clients on privacy and security considerations in designing and implementing their products and services throughout their data life cycles. We conduct information asset inventories and asset mapping, design and execute comprehensive risk assessments, and help clients develop data security policies and programs that comply with federal and state laws and self-regulatory rules.

We also assist clients in preparing for third-party assessments and audits and design information governance plans. As part of our advice on corporate governance, we help formulate presentations on privacy and security issues and initiatives to clients’ boards of directors and deploy training and awareness programs throughout their workforce. We also assist clients with drafting securities law disclosures relating to information risks and risk-management practices.

Transactions and Vendor Management: Engaging third-party vendors who have access to sensitive data or systems or acquiring an entity in the course of an M&A transaction adds privacy and security risks to a company. We help clients assess their vendors and target entities by conducting privacy and data security-specific legal due diligence and developing vendor risk management programs. Following the diligence process, we assist in drafting and negotiating the deal documents, handling post-closing issues, and monitoring compliance with the contract provisions.

Privacy and Consumer Marketing Compliance: The legal issues surrounding the collection and use of consumer information have expanded with the continuing evolution of mobile technology and the “Internet of Things” and with the increasingly global nature of business. Mobile and online marketing messages have been targeted based on online behavior and “big data” programs.

We draft and review consumer-facing disclosures and marketing materials. We also counsel clients on the collection and processing of information under international legal frameworks, like the EU Data Protection Directive and its implementing laws, as well as on privacy and data security issues arising from cross-border transfers, including compliance with the U.S.-EU Safe Harbor framework.

Data Incident Response Plan: Careful planning is the best way to ensure an efficient and defensible response to a data incident. To help clients prepare, we create Data Incident Response Plans — detailed blueprints allocating responsibilities for investigating and responding to a data incident among a cross-functional team. Ballard Spahr has established a 1-800 hotline number that enables clients to reach a team member any time they suspect that a data incident may have occurred. We also help clients assess cyber-insurance coverage to mitigate the impact of data incidents.

Crisis Response

Network Intrusions and Data Breaches: In the event of an information security breach, we can quickly and effectively launch a comprehensive and tailored response under the protection of attorney-client privilege. We work with our clients’ internal teams and external advisers to address and assess the situation and — if necessary — to notify and respond to consumers as well as state, federal, and international law enforcement and regulators.

Recovery after a Crisis

Privacy Litigation and Investigations: Our team assists with pre-litigation planning, E-Discovery, intellectual property matters, contract analysis, and insurance coverage issues, as well as governmental and internal investigations.

Often, regulatory investigations lead to or accompany private-party class action litigation involving privacy policy statements, consumer protection laws prohibiting unfair or deceptive acts, and the collection and disclosure of user information. We have handled federal criminal investigations into computer violations, cyberspying, and Internet fraud. And our attorneys are often called upon to conduct internal investigations and represent clients facing actual or threatened government enforcement.

Plan Assessment and Improvement: At the conclusion of the investigation, breach, and litigation, we work with the client to conduct a privacy impact assessment and to improve policies and procedures to address any faults exposed in the breach and become better prepared going forward.