Overview

In today’s global and digital business environment, advances in technology have greatly increased the value of data as an asset, and regulation of data has increased its risk as a liability affecting individuals, businesses and governments worldwide. Ropes & Gray’s Data Practice helps clients manage the full array of issues and matters that arise from the collection, use, storage, commoditization, disclosure, transfer and disposal of data, including:

Privacy and cybersecurity compliance and counseling, including advice on the key components of relevant laws and regulations, developing tailored compliance plans, and preparing for and responding to cyber incidents.
Corporate and transactional support, including privacy and cybersecurity-related diligence for mergers and acquisitions and advice related to the buying, selling and licensing of data, as well as complex collaborations to develop or exploit data.
Regulatory investigations and litigation arising from cyberincidents and any resulting theft, loss or unauthorized use of confidential or personal information, as well as alleged violations of applicable data privacy requirements.

Compliance and Counseling

Our attorneys help clients properly comply with the law and minimize privacy and cybersecurity risks. By undertaking comprehensive privacy and security risk assessments, building global compliance programs, and providing ongoing counseling and advice, we help clients understand and meet their legal obligations and position themselves to avoid attacks on their systems. Our attorneys also provide advice to clients on how to prepare for a cyber incident and assist clients in responding after an incident has occurred. Our goal is to help clients manage information and leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, and solidify brand and consumer trust.

Corporate and Transactional

Our attorneys help clients identify privacy and cybersecurity risks that may be underlying a potential deal, performing privacy- and cybersecurity-specific due diligence to assess and address risk in the context of private equity deals, mergers and acquisitions, and other corporate transactions. They also provide support for securities offerings and issuances, review and negotiate contracts concerning data and vendor relationships, review investment disclosures, and analyze risks inherent in the investment in and use of alternative data.

Litigation and Enforcement

Even when companies prepare well and respond properly to an incident, claims of privacy violations and/or cybersecurity failures often follow. If an incident does occur, our litigation and enforcement attorneys advise on the myriad legal issues that arise, representing clients in all manner of federal, state and international regulatory and civil claims. Our team handles the class-action litigation, regulatory investigations, and related disputes and lawsuits that frequently result from these situations or accusations, drawing on our extensive knowledge and experience to master the relevant facts quickly for asserting or defending the company’s interests on all of these fronts.

Experience & Clients

Ropes & Gray has been retained by clients in many of the most complex and groundbreaking privacy and cybersecurity cases.

Counseling

Managed a global team of privacy and security experts providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, the Middle East, Africa and Asia
Rolled out a global privacy policy, terms of use and a corresponding user dashboard for a popular suite of fitness apps, using teams of local counsel spanning five continents
Performed a privacy, security and digital risk assessment for a consumer products company with operations in more than 100 countries
Developed a comprehensive suite of policies mapped to the National Institute of Standards and Technology cybersecurity framework with HIPAA Security Rule requirements layered in for a health industry client
Overhauled vendor onboarding processes and diligence of cybersecurity practices for a multinational asset management client, reporting regularly to the board committee overseeing the project
Conducted a comprehensive, global cybersecurity risk assessment a multinational analytical science and instrument development company
Advised on the privacy and cybersecurity aspects of home automation systems, wearable devices and geolocation tracking components, including privileged security assessments (testing of both hardware and software), security vulnerability remediation, and the implications of the EU’s General Data Protection Regulation, among other areas

Regulatory Enforcement & Litigation

Representing LabMD in its petition to the U.S. Court of Appeals for review of the first FTC decision holding a company liable for allegedly having unreasonable data security practices that violate Section 5 of the FTC Act
Serving as lead counsel for Arby’s Restaurant Group in defending against all third-party claims arising from a payment card incident announced in February 2017
Advised The Home Depot in responding to card brand inquiries stemming from the cyberincident that Home Depot announced in September 2014
Served as lead outside counsel for Supervalu Inc. in defending and responding to all litigation claims and regulatory inquiries stemming from the cyberincident that Supervalu announced in August 2014
Represented Target as lead outside counsel in responding to card brand inquiries and defending card issuer litigation stemming from the cyberincident that Target announced in December 2013
Represented Heartland Payment Systems in obtaining dismissal of all class-action claims, and closure of all regulatory investigations, stemming from one of the largest computer cyberincidents ever
Advised Wyndham Hotels and Resorts with regard to card brand claims and regulatory investigations stemming from cyberincidents involving a number of the independently owned Wyndham-branded hotels
Represented TJX in favorably resolving the class-action litigation, card brand claims and regulatory investigations stemming from what was then the largest cyberincident ever
Represented Genesco in the first lawsuit against Visa to challenge the lawfulness of cyberincident penalties imposed by Visa

Incident Response

Regularly advise both small and large financial institutions, health care institutions, and other companies that have experienced security breaches and other security events involving personal data
Developed a comprehensive incident response plan for large insurance and financial industry clients, addressing coordinated response and crisis management across the organization
Managed privileged cybersecurity assessments for a complex financial industry client and conducted a successful red team exercise
Provide ongoing cybersecurity advice to one of the world’s leading franchisors, with more than 19,000 locations around the globe

Financial services / asset management

Bain Capital
The Carlyle Group
TPG Capital

Health care

Athenahealth
Heartland Dental
Aurora Health Care Inc

Life sciences

Hologic
Bioventis
Pfizer

Banks and investment banks

Santander Bank

Colleges & universities

Wake Forest
NYU

A Global Network

Global Network

The use of data knows no geographic boundaries. Our global team can diagnose issues presented by regulatory regimes around the world, working closely with a network of leading privacy lawyers in many countries.