Privacy and Data Security

Today's digital world presents both great opportunity and risk. From a discrete deal to the most complex incident response, Ballard Spahr's cross-disciplinary team helps clients achieve their objectives and mitigate cyber risk.

Our team of attorneys across the country works with clients—leveraging industry vendors when needed—on the development and implementation of programs and training protocols to identify and avoid risk. We offer comprehensive guidance on compliance and information governance, help clients assess and manage vendors, and advise on the many privacy and data security-related issues that can arise during transactions.

Should an incident occur, our attorneys are prepared to move quickly. We have deep experience in cyber-related internal investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and both civil and criminal litigation.


Incident Response

  • Defending a Las Vegas casino and resort in data breach class action litigation.
  • Counseling public and private companies in responding to spear-phishing attacks resulting in the weaponization of their networks and compromise of personal and other confidential information.
  • Representing an online retailer in a malware attack impacting consumers in every state.

Transactional and Regulatory Compliance

  • Counseling dozens of organizations in the life sciences, manufacturing, media, hospitality, medical services, technology, financial services, higher education, and retail industries on GDPR compliance. Services included legal guidance on amending privacy notices, preparing data processing agreements, structuring cross-border transfers, data and process mapping, cookie and email consents, data breach response, data processing impact assessments, legitimate interests analysis, privacy governance, and privacy by design.
  • Advising banks and other financial services companies on compliance with NYDFS cybersecurity regulations.
  • Counseling a national bank in the preparation of an enterprise-wide consumer telephone contact policy for both bank-owned and third-party call centers, including a strategy for outbound calls. The policy creation required a full system analysis and assessment of any TCPA compliance gaps.
