Privacy Compliance

In today’s climate of increasing federal audits and regulatory oversight, our clients rely on Seyfarth’s Global Privacy & Security (GPS) Team to ensure compliance with major privacy laws and avoid costly penalties.

In the age of the security breach, it is no longer enough to be reactive to threats to privacy and security. By understanding the need to be proactive in demonstrating compliance, we assist our clients in analyzing their practices with respect to data collection and use, transfer and retention, including maintaining information in the cloud. By mitigating the risks associated with managing the capital asset which is data, we support our clients in implementing state-of-the-art, cutting-edge compliance programs to preserve and protect personal information, as well as training clients on proper practices. Looking at an organization’s practices holistically enables us to help our clients establish internal controls designed to maintain the security of a business’ vital information. Such steps help our clients to avoid privacy glitches and security breaches and the costly litigation, fines, audits and loss of goodwill and/or trust that they can cause.

International Privacy Compliance

Members of our team have experience in developing policies and procedures for clients doing business in Europe, Asia, the Middle East, Africa, Latin America and Canada, as well as, of course the United States.

We have considerable experience in creating and implementing strategic international privacy compliance programs for multinational organizations with respect to the collection, use, and transfer of personally identifiable information of consumers, vendors, employees and other individuals. These include compliance with laws in the European Union, Asia, Latin America and other countries with stringent data protection requirements.

In undertaking these projects, we have prepared global, regional and country-specific privacy policies, monitoring and electronic use policies, whistleblower policies, intra-company contracts, and contracts for service providers to process personally identifiable information on behalf of our clients. We have coordinated filings, notifications, and registrations related to privacy compliance with local data protection authorities, and self-certification with the United States Department of Commerce for Safe Harbor.

We closely monitor recent developments in global privacy laws, for example, individual consent to processing, eDiscovery, whistleblowing, collection of diversity data / sensitive personal information, and background screenings.

EU Data Protection Directive. On a daily basis, we assist clients to manage their data protection obligations stemming from the European Union’s 1995 Directive regulating the privacy and protection of personally data throughout Europe (“European Data Protection Directive”). We are familiar with the myriad of issues that arise as a consequence of each European Economic Area member state adopting its own legislation interpreting the European Data Protection Directive, and the different approaches that the data protection authorities have to registrations, notifications, audits, enforcement, and penalties. We have worked with local counsel throughout Europe to determine compliance requirements for our clients. We also advise our clients on how to transfer personal data out of the EU to countries that have not been deemed to have “adequate protections” as required by the European Data Protection Directive.

Employee Privacy and Employer Compliance

BYOD and Social Media Policies. We monitor compliance with quickly changing and evolving social media privacy laws and regulations, and we develop compliant policies and best practices regarding social media use, including employee-use privacy policies that follow National Labor Relations Board (NLRB) guidelines. We also help clients manage where and how electronic information is stored and establish information governance programs that ensure compliance with litigation discovery, data security, and privacy obligations, as well as manage risks associated with the implementation of new technologies. 

FCRA. Attorneys on our team have a special emphasis on the Fair Credit Reporting Act (FCRA) and state laws effecting background screening.  We counsel both employers and providers (resellers and consumer reporting agencies) of background information on compliance requirements under the FCRA and related state laws, and have been involved in litigation regarding these issues.

Internal Investigations. Management of employees often entails investigating and reviewing conduct. Our attorneys have significant experience in both developing monitoring and review programs, and helping our clients manage any internal investigations which may be necessary. 

HIPAA Privacy and Security

Whether large or small, healthcare plans count on Seyfarth to provide a range of services that includes implementing and enforcing how the group health plan, the employer and plan providers can use and disclose protected health information, as well as communicate with plan participants, the U.S. Department of Health and Human Services (HHS) and sometimes the media, in the event that protected information has been erroneously disclosed. Additionally, we bring a wealth of experience in amending healthcare plans, compliance policies and procedures, and provider agreements. Apart from reviewing and revising policies, we ensure that employees are accurately trained and that health care participants are properly notified of their individual rights. 

Our attorneys work with clients to identify compliance issues before they become a problem, help them establish systems for thorough record-keeping, minimize disruptions to human resources and benefits, and provide practical advice and guidance backed by comprehensive administrative policies. Along the way, we help our clients adjust their policies in accordance with changes in the laws. Throughout, our attorneys bring the same unique level of innovation and problem solving for which Seyfarth is known.

Seyfarth’s cutting-edge approach has allowed us to develop a number of tools that clients can use to achieve compliance, including our flat-fee HIPAA subscription service that provides automatic updates for new regulatory developments. Additionally, we provide personalized on-site consultation, training and interviews to determine the location and uses of protected health information. We also help our clients formulate comprehensive policies that provide guidance on day-to-day operations and the processing of requests and complaints. Finally, we provide a customized set of frequently used regulatory forms and business associate agreement templates.    

Likewise, our benefit plan clients gain from Seyfarth’s astute guidance in computer and technology contracts, e-health initiatives, intellectual property, medical records retention and compliance for insurers, providers, vendors and other third parties, and with state-to-state privacy laws.

Gramm-Leach-Bliley Act Privacy and Security

Banks and other financial services companies have specific obligations under the Gramm-Leach-Bliley Act (GLBA) to protect the non-public personal information of their consumers from disclosure to unauthorized parties. Additionally, any company that accesses or stores such information will also have privacy and security obligations. Our attorneys have experience with building and implementing GLBA privacy and security programs. We work with our clients to develop and implement policies, standards, and procedures necessary to comply with the panoply of legal requirements. We also defend banks and other companies accused by government authorities or private litigants of violating such legal requirements.

Consumer Privacy Law

Most companies are expected to post privacy policies on their websites and mobile applications. California actually requires the posting of a privacy policy for websites and mobile applications. Under both state and federal law, companies must comply with the promises set out in these publicly facing policies. We help companies draft these policies, as well as put in place processes and controls to comply with these policies. Additionally, when a company wants to develop a new line of business, or a new way to monetize personal data it has collected via its websites or mobile applications, our attorneys provide valuable advice on what kind of privacy and security risks may be present, and how to mitigate such risks.

Along with privacy law, many states have started including affirmative security requirements on companies who process personal information. Massachusetts incorporated the Payment Card Industry’s Digital Security Standard (“PCI-DSS”) into its regulatory implementation of its security breach statute. We advise our clients, across a number of industry sectors, on what is required for compliance with these security requirements. Our attorneys understand not just the process controls, but also the technical controls (like encryption) necessary for a compliant privacy and security program.  

Our Capabilities