Advances in information technology over the past two decades have enabled companies and institutions of all types to compile increasingly detailed profiles on customers, employees and other individuals.  As these databases have grown, governments have seen the need to enact new laws and regulations to protect individual privacy and ensure adequate data security.  Navigating through this sea of state, federal and foreign laws is a challenge presented to all businesses that collect, have access to or use personal information.

The Privacy and Data Security Team at Drinker Biddle & Reath assists clients in understanding and complying with laws restricting data access and uses across a range of industries.  Our clients include leading providers of financial services, health care and technology.  Our goal is to provide practical, actionable advice and tools that are based on a thorough understanding of the client’s business needs and perspectives.  In addition, through coordination with Drinker Biddle’s government relations professionals, we can assist businesses in shaping the course of privacy legislation before its adoption. We have represented clients before Congress, federal agencies and state legislatures.

Drinker Biddle provides a full range of services designed to meet our clients’ privacy law needs – from assisting in the creation of data privacy/security governance programs to drafting privacy and security policies, forms and contractual provisions to developing strategies for legal compliance.

Some of the specific areas in which we provide counsel include:

  • Auditing of existing policies, procedures and practices for data privacy and security law compliance;
  • Advice on data collection activities (e.g., data mining, the use of cookies and other web-based technologies) and on the use of personal data in e-mail, postal mail, telephone or fax direct-marketing campaigns;
  • Assistance in structuring contracts for outsourcing, offshoring, co-development or co-promotion;
  • Assessment of the most suitable means for transferring personal data across borders, in particular transfers between the United States and the European Union;
  • Help in development and implementation of employee policies, for example, policies concerning background investigations of job applicants, drug testing, employee monitoring and use of employee health records;
  • Advice on agreements between educational entities and third-party providers of services that involve sharing or use of personal student data;
  • Developing privacy program implementation plans, including overseeing specific timelines and milestones, and providing online training tools and other presentations to management and employees;
  • Integration of data security and privacy programs;
  • Guidance on protecting trade secrets and confidential business information;
  • Investigation of data security incidents and determination of whether and how to provide notice to affected individuals;
  • Assessment of the current state of privacy worldwide, the emerging trends and where other industries and companies are in terms of best privacy compliance practices; and,
  • Dispute resolution, including defending enforcement actions brought by regulators and private litigants, and working through contractual claims by business partners.

Our consortia management professionals have assisted whole industries in developing best practices for data privacy and security, as well as in advocating an industry’s positions before government officials.  In particular, Drinker Biddle helped create and now serves as the secretariat of the International Pharmaceutical Privacy Consortium (IPPC), an association of 14 research-based pharmaceutical companies that provides a forum for industry dialogue and consensus-building on privacy issues.

We can assist in complying with the following and other U.S. federal, state and international data protection laws:

  • The FTC Act
  • The Children’s Online Privacy Protection Act (COPPA)
  • The Telephone Consumer Protection Act (TCPA)
  • The CAN-SPAM Act
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Family Educational Rights and Privacy Act (FERPA)
  • The Gramm-Leach-Bliley Act (GLBA)
  • The Fair Credit Reporting Act
  • State security breach notification laws
  • State social security use and disclosure laws
  • State marketing requirements and restrictions
  • Confidentiality requirements under HHS and FDA human subject protection regulations
  • The EU Data Privacy Directive and member state implementing laws (including U.S. safe harbor requirements, model contracts, Binding Corporate Rules and industry codes)
  • The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)