Today's digital world presents both great opportunity and risk. From a discrete deal to the most complex incident response, Ballard Spahr's cross-disciplinary team helps clients achieve their objectives and mitigate cyber risk.


Our team of attorneys across the country works with clients—leveraging industry vendors when needed—on the development and implementation of programs and training protocols to identify and avoid risk. We offer comprehensive guidance on compliance and information governance, help clients assess and manage vendors, and advise on the many privacy and data security-related issues that can arise during transactions.

Should an incident occur, our attorneys are prepared to move quickly. We have deep experience in cyber-related internal investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and both civil and criminal litigation.

Privacy and Cybersecurity Counseling

Day-to-Day Counsel and Information Risk Management: Our attorneys advise on the critical privacy and security considerations that accompany the design and implementation of products and services throughout their data life cycles. We conduct information asset inventories and data mapping, design and execute comprehensive risk assessments, and help clients develop data security and cyber-incident response policies and programs that comply with federal and state laws, self-regulatory rules, and industry best practices.

We assist clients in preparing for third-party assessments and audits and design information governance plans. We create customized presentations to boards of directors and senior officers on important privacy and security issues and deploy workforce-wide training and awareness programs. We also assist in the drafting of legal disclosures relating to information risks and risk management practices.

Transactions and Vendor Management: Engaging in transactions where others will have access to sensitive data or systems multiplies the privacy and security risks to an organization. We provide due diligence focused on privacy and data security that helps clients assess vendors, business partners, and other external entities—and we develop risk management programs to govern those relationships. We also assist in drafting and negotiating transactional documents, handling post-closing issues, and monitoring contractual compliance.

Cross-Border Transfer: We counsel on the privacy and data security aspects of cross-border transactions and data flows. We help clients map cross-border data transfers and assist in designing and implementing cross-border data transfer mechanisms, including those pursuant to the EU-U.S. Privacy Shield. Our attorneys work with clients on compliance with the EU Data Protection Directive, the EU "Cookie Directive," and the General Data Protection Regulation (GDPR). Our attorneys are well-versed in the GDPR and its impact on U.S. multinational companies. We have assisted a wide array of clients with GDPR and EU data protection compliance and with certification for the EU-U.S. Privacy Shield and Switzerland-U.S. Privacy Shield.

Regulatory Compliance: We help clients comply with state, federal, and international laws, regulations, and industry standards relating to privacy and data security. We assist in the development and maintenance of privacy and data security policies and programs needed to comply with the GDPR, California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act (GLBA), Fair Debt Collection Practices Act (FDCPA), Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), CAN-SPAM Act, Children's Online Privacy Protection Act (COPPA), New York Department of Financial Services (NYDFS) cybersecurity regulations, state and federal unfair, deceptive, or abusive acts or practices (UDAAP) laws, as well as self-regulatory rules.

We draft consumer agreements and disclosures; negotiate and draft commercial agreements with third parties; advise on advertising and marketing requirements; represent clients in examinations, rulemakings and regulatory enforcement actions; and assess the impact of evolving federal, state and international laws and judicial decisions on privacy and data security compliance.

Privacy and Consumer Marketing Compliance: Our team works with clients on deploying advanced marketing solutions, such as brand loyalty programs, social media channels, and behavioral advertising. We help design corporate and IT initiatives that comply with applicable privacy and data security laws without compromising a client's business needs or culture. We understand a range of specific data environments, allowing us to advise on: point of sale payments, e-commerce practices, online privacy practices, telemarketing policies, website and mobile accessibility, identity and access management, and physical security practices. We also draft and review consumer-facing disclosures and marketing materials.

Cyber Incident Response

Cyber Incident Response Planning: Careful planning is the best way to ensure an efficient and defensible response to a cyber incident. Key components of our proactive approach include:

  • Privileged and periodic cybersecurity assessments
  • The creation and refinement of data security and cyber incident response plans
  • Employee/vendor training to implement a holistic information security program
  • Exercises involving simulated cyber incident scenarios
  • Periodic updates on the evolving threat landscape
  • "Lessons learned" reviews from cyber incidents around the globe

We leverage our relationships with law enforcement, cybersecurity and forensic investigators, breach notification vendors, and communications/crisis management professionals to help clients develop turnkey response solutions before they are needed.

Cyber Incidents and Data Breaches: We have handled a multitude of cyber incidents in a variety of areas, with a significant concentration in the financial services, media and entertainment, health care, hospitality, insurance, manufacturing, technology, and education industries. We are available around-the-clock, every day, to quickly mobilize a scalable response to any cyber incident. Our team can be reached 24/7 via our emergency response hotline: 800.864.8266. We handle incidents from garden-variety data breaches to national security threats, seamlessly integrating into our clients' internal and external teams to craft a comprehensive and tailored response under the protection of attorney-client and other applicable privileges. We assist in:

  • Directing investigations and responses to cyber incidents
  • Interacting with law enforcement and intelligence communities, as well as privacy and cybersecurity regulators at the federal, state, and international levels
  • Devising strategies and preparing materials for cyber incident notifications
  • Implementing post-incident remediation plans

We help clients prepare for and manage all contingencies that may follow such notifications and the public release of information about cyber incidents.

Investigations and Litigation: Our team members have engaged in hundreds of internal investigations covering every major type of cyber incident, including network intrusions, identity and intellectual property theft, ransomware, and internet-facilitated fraud. We also have significant experience in responding to non-malicious cyber incidents, such as lost devices, operational errors, inadvertent electronic transmissions, or technological glitches that result in data exposure.

We handle pre-litigation planning and negotiation, eDiscovery and pre-trial litigation, as well as trial and appellate advocacy on a full range of privacy-related disputes. We have experience in privacy class action litigation across various industries, including financial services, insurance, life sciences, education, health care, communications, and technology.