Breach Response

Fox attorneys are steadfast in the war against data thieves. If the unthinkable happens and a client suffers a breach, either in electronic or paper form, we’re poised to respond swiftly and decisively to limit additional damage and ensure full compliance with state and federal notification laws.

Fox attorneys:

  • Work closely with senior management and in-house counsel to gauge the scope and severity of the breach
  • Oversee internal incident investigation and response using early evaluation protocols, including managing forensic teams
  • Verify that a breach has been contained and identify weaknesses to prevent future breaches
  • Help clients comply with state and sector-specific consumer, government and law enforcement notification statutes
  • Leverage relationships with law enforcement and regulatory agencies such as the Federal Trade Commission and FBI to benefit the client
  • Interact with government investigators on the client’s behalf
  • Review cyber liability policies and negotiate coverage issues with carriers
  • Mount vigorous defenses against any resulting litigation

To help clients navigate the maze of state and federal data breach regulations, Fox developed the Data Breach 411 mobile app, available for download in the iTunes AppStore.

Breach Response Work:

  • Represented a fast-growing e-commerce service provider with respect to the Global Payments data breach.
  • Defended a mobile application publisher in a state action brought by the New Jersey Attorney General – the first of its kind – for alleged breaches of the Children’s Online Privacy Protection Act. The matter was settled.
  • Defended a U.S. nationwide medical debt collection company in the first P2P file sharing enforcement action brought by the FTC. Negotiated a consent decree and prepared mandatory FTC compliance reports.
  • Represented a drug and alcohol rehabilitation facility in connection with an FBI investigation of identity theft involving patients and former client employees. Provided advice related to HIPAA and 42 CFR Part 2 (substance use treatment program confidentiality requirements) compliance.
  • Served as privacy and data security counsel to a metropolitan airport authority.
  • Advised and assisted multiple small and mid-sized clients in responding to data breaches or data loss incidents, including malicious attacks and inadvertent data loss.
  • Represented an ex-U.S. e-commerce platform in a payment card breach. Resolved without enforcement action or PCI penalties.
  • Represented the buyer in an extensive breach that began before and continued after the purchase of a health care business. Retained and worked with IT and PR consultants to resolve the matter to the satisfaction of our client and the other health care providers involved.
  • Represented a global merchant processor with respect to a former employee’s authorized access and downloading of PII.
  • Represented a health care client in connection with an investigation of the breach of a firewall. Worked closely with a forensic team to understand and interpret the results of the investigation. Conducted a breach analysis under HIPAA. Concluded that the client did not have a reporting obligation under HIPAA.
  • Represented a provider practice with respect to a breach of protected health information that occurred when a former employee retained patient names and addresses on a personal laptop and subsequently used the information to mail marketing materials to patients.
  • Represented a nonprofit health provider in the investigation of an alleged HIPAA breach by an independent contractor collection agency. The matter was resolved without the need to report the incident to the authorities.
  • Represented a consulting firm in connection with a vendor that posted the firm’s protected health care data on an unprotected server.
  • Assisted a medical school in reporting a HIPAA breach to authorities and affected persons.
  • Represented a nonprofit community clinic in connection with access to their office by unauthorized individuals and evaluated the incident with regard to HIPAA breach and reporting obligations.
  • Assisted a nonprofit agency in evaluating the impact of the theft of a computer and drafting HIPAA breach notices to affected individuals.
  • Advised an orthopedic practice with regard to the impact of a lost laptop computer and performed a HIPAA breach analysis.
  • Led an investigation by a business associate into the alleged improper access and transmission of self-insured patient data by a competitor. Secured a certification from the individual alleged to have been responsible for access and transmission that no patient data was improperly accessed or disclosed.