Overview
Today’s businesses often struggle through the day-to-day demands to keep up with new data privacy laws and regulations and methods to secure data in a constantly changing environment. With the Constangy Cyber Team on your side, you have a team of experienced professionals to provide practical, business-oriented advice about data protection and information security to mitigate the risk posed by increasingly dangerous malicious threats.
We work with clients of all sizes and across all business sectors to assist them in identifying applicable laws and developing strategies to implement cybersecurity programs that safeguard data without compromising business growth. Our team is well-positioned to help clients prioritize compliance tasks, including data governance, incident response planning, policy development, and third-party vendor management. We also help assess information security concerns that arise as businesses grow and expand. We regularly review and update existing policies to reflect established best practices and compliance with applicable laws based on industry, size, and geographic footprint.
What We Do
Listed below are a few key services provided by our team.
Data Privacy & Security Assessments
Our team conducts comprehensive assessments of applicable laws, cyber preparedness, and data privacy programs. We provide practical and cost-effective recommendations on strategies to improve compliance and reduce risk. As part of a compliance-focused assessment, our team will:
- Review how data privacy is handled throughout the business model, including the policies, practices, and documentation related to data collection, transmission, and storage
- Assess compliance with applicable laws and identify gaps and opportunities for improvement
- Recommend actions to improve an organization’s compliance posture, mitigate risk, and better protect critical data
Incident Response Preparedness
We advise clients on best practices for responding to cybersecurity incidents, including drafting incident response plans, engaging critical vendors, and providing practical advice on how to mitigate the risk of cybersecurity threats. Our incident response plans are mapped to the National Institute of Standards and Technology (NIST) cybersecurity framework, including Special Publication (SP) 800-61 Rev. 2, and incorporate industry best practices to mitigate risk and limit liability. Our team also facilitates incident response trainings and tabletop exercises. The tabletop exercises involve simulated cybersecurity events that include key personnel and organizational decisions to be made in response to data security incidents.
Data Privacy and Information Security Policies and Procedures
We work with clients to develop and implement data privacy and information security policies and procedures to mitigate risk and limit liability. The policies are tailored to laws, regulations and industry standards applicable to each client. The policies are generally mapped to the NIST cybersecurity framework, including NIST SP 800-53 Rev. 5 “Security and Privacy Controls for Information Systems and Organizations” and SP 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” as well as the Critical Security Controls, which are now managed by the Center for Internet Security.
Marketing Information Policies
Our attorneys work with marketing teams to understand an organization’s data collection and processing activities and whether they are in compliance with applicable data privacy laws, including data subject rights such as the right to “opt out” or otherwise control how individuals’ data is used. We help create and maintain up-to-date policies pertaining to the use of tracking technology and user tracking practices. We also work with clients on strategies for mitigating risk posed by information-sharing practices and third-party providers.
Data Retention & Destruction Policies
Organizations can manage risk and improve compliance through strong document retention and destruction practices. There is a myriad of laws and regulations relating to this specific area of data privacy and cybersecurity. Our attorneys regularly help clients create and implement document retention and destruction policies that focus on complying with regulatory frameworks and limiting potential liability.
Employee Information Policies
Organizations collect and process a vast amount of personal information about their employees. State, federal, and international laws require rigid data protection and disclosures about how private information will be used and disclosed by the organization. With our depth of knowledge of data privacy and cybersecurity law, complemented by one of the country’s leading labor and employment law practices, the Constangy Cyber Team can help navigate this complex environment in a way that no other firm can match.
Data Privacy and/or Network Security Awareness Training
The Constangy Cyber Team offers customized training for employees, executives, board members, and information technology/security personnel on network security awareness, including best practices for safeguarding data, recognizing threats, and mitigating data security risks. We create programs that fit each organization’s specific needs and can be delivered in person, via webinar, or through pre-recorded formats. We can tailor training programs to the needs of a full organization or to a specific department, location, or employee role.
Third-Party Contract Review and Management
Contractual obligations with third parties create some of the most significant areas of liability when it comes to information security. This liability is often related to minimum information security standards, incident reporting obligations, the accuracy of representations and warranties, insurance law requirements, and provisions pertaining to indemnification and limitations of liability. The Constangy Cyber Team develops a deep understanding of an organization’s business needs, the complexity of its data privacy and information security requirements, and the legal and practical business relationships that must underlie policies and procedures. This involves a review of data shared with business partners and third-party vendors and their information security practices. We develop and revise agreements and develop third-party vendor management systems to manage liability and ensure compliance with information handling and incident notification/management requirements.
Facilitating Third-Party Technology Projects
To help protect client data, the Constangy Cyber Team can help develop and execute confidential third-party technology engagements such as system vulnerability assessments, system penetration testing, and forensic investigations. We can help identify appropriate vendors, determine the appropriate scope of an engagement, negotiate contracts, provide task and budget oversight, and provide guidance on any required reports to ensure they are accurate and formatted appropriately if they need to be provided for regulatory purposes. These confidential engagements may be subject to the attorney-client privilege and work product doctrine as permitted by applicable law.
Due Diligence for Mergers and Acquisitions
When companies are involved in a merger, acquisition, or sale, it is critical that due diligence be conducted by both sides to ensure that critical data will be protected and that accurate representations and warranties about the security of information systems are included. Our attorneys understand these complex dynamics and advise clients throughout the process.
Data Transfer and Data Processing Agreements
In a globally connected world, sharing data with third parties and across borders can present a unique set of challenges. Data transfer can be particularly complex between the US and the EU and UK, which have particularly stringent security requirements. The Constangy Cyber Team provides guidance on transfer impact assessments and helps develop data transfer agreements to ensure all compliance obligations are met when transferring data from one country to another. We also advise clients on essential provisions that companies should include in Data Processing Agreements to mitigate risk under state, federal, and international laws.
HIPAA Compliance
The Constangy Cyber Team regularly advises covered entities and business associates in the healthcare sector about their obligations under the Health Insurance Portability and Accountability Act (HIPAA). Protected Health Information (PHI) is some of the most highly regulated data an organization can collect about an individual. HIPAA requirements create additional complexity for businesses that process PHI, including documentation of technical, administrative, and physical controls to protect PHI; requirements to conduct periodic risk analyses; contracting protocols; and policies and procedures to demonstrate compliance with applicable provisions of HIPAA. Our team has significant experience with HIPAA compliance and can guide clients through the legal requirements and industry standards required to effectively protect PHI.
Practical, Business-Focused Counsel
We deliver compliance strategies that balance strong data protection with the operational realities of expanding a business.
Tailored Policies & Training
Our team develops customized policies and training programs that help leadership and employees recognize, avoid, and effectively respond to risks.
Vendor & Third-Party Risk Management
We help organizations negotiate contracts, assess vendors, and manage third-party relationships to reduce exposure and ensure compliance.
Global & Industry-Specific Compliance
We guide clients through complex regulatory frameworks – including HIPAA and cross-border data transfers – with clarity and confidence.
RAPID RESPONSE HOTLINE
877.DTA.BRCH | 877-382-2724
BreachResponse@constangy.com
We pride ourselves on responsiveness, and we understand that security incidents often happen outside of "normal business hours." To provide instant assistance in the event of a breach or cyber-attack, Constangy's Cyber Team maintains a rapid response hotline and "go team," giving you access to an experienced team of attorneys and staff 24 hours a day, 7 days a week.



