Privacy & Cybersecurity
Best Best & Krieger LLP (BBK) takes an interdisciplinary approach to privacy and cybersecurity, integrating attorneys from across practice groups with backgrounds and training in relevant areas, such as health privacy and security, employee data privacy, business and customer records, and government records.
Serving multiple sectors, including health care, business, local government, and education, BBK attorneys work closely with clients to understand their organizations and provide timely and responsive advice on privacy policies and approaches to real-world problems that arise. We bring a depth of experience in the law, litigation, and information technology to assist clients with drafting policies related to privacy and cybersecurity, public record disclosure and retention, personnel issues, and technology agreements.
The BBK team works with businesses and public agencies on issues related to online privacy, including compliance with the California Consumer Privacy Act (CCPA) and the European Union General Data Protection Regulation (GDPR). We develop website privacy policies and advise on data disclosure, user consent, and data storage and retention in relation to personal and financial information collected through websites or applications.
We also help clients draft online privacy policies and disclosures to meet the requirements of the California Online Privacy Protection Act (CalOPPA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the Telephone Consumer Protection Act (TCPA), the Stored Communications Act, and federal fair information practices.
Data Incident Preparedness and Response
BBK attorneys counsel clients on data breach reporting responsibilities, data breach responses, responses to ransomware and other hacking incidents, and investigations by federal and/or state regulators. When an incident occurs, we assist with forensic investigations and crisis management activities, press releases, notifications to affected individuals, communications with regulators and credit card issuers, and responding to federal and state regulatory inquiries and investigations.
Health Care Industry and Health Data
BBK attorneys are well-versed in, and routinely advise both public sector and private sector clients on, health privacy laws, including HIPAA, the California Confidentiality of Medical Information Act, federal Substance Abuse Confidentiality regulations, and California laws governing sensitive records, such as HIV test results and mental health records subject to the Lanterman-Petris-Short Act. Our attorneys also have experience with health care security standards, including those from the National Institute of Standards and Technology.
Supply Chain Issues and Technology Contracting
BBK attorneys work regularly with management and staff of private companies and public agencies on the drafting and negotiation of contracts for services, technology and the development and financing of critical infrastructure and capital projects, including the replacement of major software systems. This work includes taking the lead role in the drafting and negotiation of software and hardware agreements, technology licensing, and other related technology contracts. Further attention is given to examining security issues in vendor agreements and protection of trade secrets in the supply chain.
Employees and Remote Working
BBK attorneys counsel employers on the cybersecurity risks presented by remote working and “bring your own device” (BYOD) policies. We counsel employers on creating a culture of cybersecurity within their organization through the use of administrative, technical, and physical safeguards. We also counsel employers on the privacy implications of employee monitoring and obligations imposed on employers by legislation, such as the Stored Communications Act.
Public Agency Experience
With one of the largest public agency-focused practices in the U.S., BBK attorneys are distinctly qualified to counsel public entities on privacy and cybersecurity issues that are unique to the public sector, including:
- Confidentiality of police department and criminal records
- Transportation records and smart city privacy and data-sharing issues
- Customer records held by local government (e.g., related to utilities)
- Employee privacy issues, including laws regulating the collection, use and/or handling of applicant data and personnel records, privacy policies and record retention
- Data breach reporting laws, including the California Information Practices Act
- Ways that the CCPA and GDPR may impact government records
BBK provides privacy and security services including the following:
- Conducting and overseeing Privacy Impact Assessments, compliance audits, and security risk assessments
- Providing day-to-day privacy compliance counseling
- Developing and presenting training on privacy and security compliance
- Developing and reviewing customized privacy, security, and incident-response policies
- Guiding data breach response and reporting
- Developing IT contracts, including negotiating licensing agreements and privacy and security contract provisions for vendor agreements
- Counseling on privacy of government records and providing CPRA guidance and response
- Developing data-sharing and information-exchange agreements for health care functions
- Developing website privacy policies and data retention and storage strategies
- Counseling on cyber insurance coverage issues and claims
Privacy and Security of Health and Personal Information
- Developed and reviewed privacy policies for national health providers, California hospitals, Medi-Cal health plans, education-related service providers, and telemedicine, digital health and medical device companies and mobile applications.
- Assisted a Louisiana state hospital system to disaffiliate data systems and information, and developed contractual agreements related to data ownership, data access and custody and compliance with federal and state law.
- Advised Los Angeles County and the California Association of Public Hospitals on data-sharing arrangements and approaches for Whole Person Care and related programs.
- Counseled California county hospitals and a major national health system on health information exchange participation strategy, developed privacy policies and participation agreements for regional data exchanges and county Social Services and Health Information Exchange, and negotiated data-sharing agreements.
- Assisted California counties and businesses with analysis of breach reporting options, and assisted with breach reporting and with investigations by, and response to, the Office for Civil Rights.
- Counseled on cybersecurity “red flags,” including signs of an attempt to breach system security or obtain confidential information.
Employee Data Privacy
- As an appointee to the California Fair Employment and Housing Act, BBK attorneys worked on the so-called “ban-the-box” regulations governing an employer’s use of criminal history records.
- Served as a workplace investigator for public employers, which implicated the Stored Communications Act and case law concerning reasonable expectation of privacy in workplace electronics.
- Helped more than 20 law enforcement agencies traverse a significant change in the laws governing the privacy of peace officer personnel records.
- Regularly assist public agencies with the applicability of the Marken case to personnel records, including a disclosure procedure that protects employee privacy rights.
- Advised the Orange County Social Services Agency on confidential welfare matters, including reviewing the agency’s contracts.
- Advised the Orange County Sheriff’s Department on litigation matters, including a case involving Special Masters.
- Advised the cities of Redwood City and Palm Springs and the Santa Clarita Valley Water Agency on the implementation of new financial and Enterprise Resource Planning software projects.
- Reviewed and advised a client about the terms of a cybersecurity liability insurance policy.
Online Data Privacy
- Represented an email marketing company involved in a significant data breach. The representation involved responding to multiple state attorneys general, who inquired about potential violations of state data breach laws. It also involved the client’s response to several false publications that were harmful to its reputation and business.
- Drafted privacy policies and disclosures for clients conducting business online and advised on data collection, use and storage practices, including compliance with the CCPA, TCPA and GDPR.
- Conducted a privacy impact assessment and advised on the privacy and security approach for an online educational business.