Holland & Knight's Data Breach Team by Holland & Knight

Holland & Knight Data Breach Team Holland & Knight understands the havoc a data breach can cause. Rather than provide our clients with a narrow range of legal advice in this area, we offer thorough guidance from a highly knowledgeable, multidisciplinary team, one that stands ready – from the first phone call onward – to address the full range of legal, technological, public policy and public relations challenges a data breach presents. Holland & Knight's Data Breach Team is comprised of attorneys and professionals from four practice areas: Privacy and Data Security, Litigation, Public Policy and Regulation, and High-Stakes Communications. Working as a collaborative team enables us to provide our clients with the 360-degree support and counsel they require when a data breach occurs. We assist in the following critical areas:

        

preparedness | compliance | policy drafting | coaching and tabletop/simulation exercises response | mitigation | notifications technology analysis and suggested remediation regulator inquiries | investigations | lawsuits class action litigation defense board of directors corporate governance and defense strategies counsel regarding insurance issues crisis management | high-stakes communications | public relations public policy and congressional advocacy

PREPAREDNESS When a breach occurs, one of the first things regulators ask to see is the company's information security program and incident response policy. Having written and developed countless programs and policies for companies in a variety of industries, Holland & Knight's Data Breach Team can help ensure that your firm's policies are well-articulated and sound. We conduct tabletop mock breach response exercises, assist with training, select top-shelf vendors (one of our team members worked in-house in the credit monitoring industry), and can even help you select an appropriate insurance policy. TABLETOP / SIMULATION EXERCISES Testing your policies in advance and conducting preparedness practice runs to ensure sound, response processes is critical to avoiding severe financial consequences, increased legal liability and unfavorable press. Regulators will want to know if you were prepared. Since every member of your Incident Response Team has unique responsibilities with unique interests, we have found preparation/testing exercises to be extremely valuable for ensuring that your team is ready. Our tabletop breach simulation exercises can help you evaluate your response plan by:



      

ensuring your response policies are adequate and complete, including that legal response policies work with IT/InfoSec policies; incidents are appropriately and timely escalated; definitions are consistent; the determination of whether an incident is a "breach" is made by your legal department; the responsibility to retain outside third-party assistance is clearly vetted and managed by a particular person or persons, regardless of whether the third-party assistance is in the form of an independent forensic firm or law enforcement ensuring you have appropriate communication protocols with IT and InfoSec ensuring you have appropriate vendor oversight and management protocols ensuring adequate board or senior management oversight helping to establish important relationships with identity protection and credit monitoring vendors, forensic firms and law enforcement ensuring you are ready for press coverage from a public relations/customer relations standpoint with coaching and media training from the Holland & Knight High-Stakes Communications Team ensuring you are ready for congressional hearings or regulatory inquiry testing your litigation readiness

  

assessing your training and awareness programs evaluating your internal privacy and security programs, including evaluating the organization, reporting structure, and the ability to keep apprised of emerging privacy and security issues sharing lessons learned from having handled hundreds of incidents and security breaches

We tailor our exercises to your organization and audience. Our team has conducted exercises at the board level and for senior management and entire incident response teams, including members of departments such as legal, compliance, privacy, communications, public policy, government affairs, information technology, InfoSec, marketing and human resources; created exercises for smaller companies; and tailored break-out sessions for focus groups.

RESPONSE (INVESTIGATION, MITIGATION, NOTIFICATION) Our lawyers are highly experienced in handling data breaches. Our team includes partners with the following experience:

    

the former in-house counsel at the company that reported the first data breach, at a time when only one notice law (CA) was in effect; this incident sparked all other states to action the former prosecutor of the TJX breach a HIPAA attorney with experience handling countless protected health information (PHI) incidents a fellow emeritus at Princeton University's Center for Information Technology Policy and published author in peerreviewed literature by the IEEE a former prosecutor with both federal and state government experience, having served as both a federal cybercrimes prosecutor and the second highest-ranking prosecutor in the New Jersey Attorney General's office with oversight over data beach investigations and prosecutions

This core group of Holland & Knight partners has handled countless incidents and breaches and is supported by several highly experienced associates. The breaches we handle range from small matters to those involving millions of records. The clients we represent span the spectrum of Fortune 500 companies and include a wide variety of industries, including B-to-B service providers, luxury and discount retailers, communications companies, financial service providers, healthcare entities, institutions of higher education and insurers. Our team has assisted with every data problem imaginable: hacks and network intrusions; lost and stolen laptops, thumb drives and backup tapes; DDoS; SQL injection; Zeusbot intrusions; unauthorized access from anonymizing proxies and Tor; ransomware; anonymous bad acts by competitors; phishing; extortion demanding BitCoin payment; theft; coding errors; and inadvertent and good faith disclosures.

TECHNOLOGICAL KNOW‐HOW Looking at the complexity of the data breach-related issues our clients face, the Holland & Knight team realized we needed to be as skilled as the bad actors involved. We also determined that to provide outstanding legal advice, we would offer a deep understanding of the range of network and file system technologies implicated in breach cases (and not just to say we do). As a result, we built our own in-house Data Privacy Testing Lab. Our lab conducts under-the-hood, technical reviews of websites, mobile apps and network-aware products and services. We use an array of tools taken from the security and penetration testing fields to identify – for any website, app, or product – every server that it communicates with on the Internet, the entity that controls those servers and the nature of the information shared. We identify these behaviors at the packet level, if the occasion warrants. Our approach to litigation defense, as well as compliance, is to use the technical facts-on-the-ground to empower our clients. Steve Roosa, a partner in our New York office, directs Holland & Knight's Data Privacy Testing Lab. Mr. Roosa spent three years as a fellow at the Center for Information Technology Policy at Princeton University where he participated in research regarding privacy and security issues, including the legal and technical infrastructure that supports transport security (SSL/TLS) for Internet communications. He is backed by members of our firm's internal IT group as well as select attorneys and paralegals. Our technology background is extremely useful when determining legal obligations pertaining to access and acquisition issues or when dealing with transmission and encryption issues.

REGULATORS Holland & Knight's Data Breach Team has extensive experience in responding to state and federal inquiries, civil investigative demands, and investigations and complaints in relation to data breaches. We have negotiated settlements and resolved other matters without incident. Our attorneys have professional working relationships with state and federal authorities (as well as key law enforcement contacts) and have dealt with every part of the regulator investigative and lawsuit process. In fact, one of the partners on the Data Breach Team was formerly the second highest-ranking prosecutor at the New Jersey Attorney General's office, where he supervised numerous investigations and civil lawsuits involving large-scale data breaches.

LITIGATION Holland & Knight's Litigation and Dispute Resolution Team is one of the largest in the United States. In addition, our class action team has a large footprint, with more than 50 attorneys located throughout our numerous U.S. offices. Our class action litigators have received top rankings by national legal publications, and have handled a number of data breach-related and other consumer-driven, privacy-related class actions. This team also has experience handling resulting third-party litigation and indemnification claims. Our clients include companies of all sizes that operate in the United States and around the world in fields such as banking, retail, transportation, technology and publishing. We work collaboratively with your company to determine how best to respond to a class action lawsuit, including strategies for potentially avoiding or limiting the suit, whether it be a consumer action brought by affected consumers or a derivative action brought by shareholders. The team strategically analyzes the complaint in an effort to dispose of claims through early and effective motion practice, usually on grounds that the plaintiffs lack standing and the pleading fails to state a claim. We also advise boards with respect to corporate governance and strategy in defending litigation. Our goal is to limit your exposure and cost through meticulous planning, careful budgeting and staffing, as well as steady reevaluation throughout the course of the matter. Our focus is on trying to achieve the best business result for you, whether that entails litigating the matter through trial and appeal or achieving a prompt and advantageous settlement.

PUBLIC POLICY Our Washington, D.C.-based bipartisan Public Policy & Regulation Group includes more than 60 lawyers and senior policy professionals. It includes former policy officials from both major political parties, former executive branch officials, former members of Congress, a former governor and former state executives. Our group has significant experience with data breach response, congressional investigations and hearing testimony preparation. Data breaches of national retailers have received significant scrutiny from Congress and federal regulators. As a result, executives of major retail brands have been called to Washington to testify under oath on Capitol Hill regarding their company's preparation for and response to these breaches. Having the appropriate response to this type of high-stakes congressional inquiry is imperative to protect your company's brand and prevent further legal consequences. Our Public Policy & Regulations Group has represented major parties involved in the recent high-profile retailer breaches before Congress and the executive branch. This includes educating members of Congress and their staffs regarding the details of the breach, preparing witness testimony, training executives to testify before Congress, conducting mock hearings, counseling witnesses during the hearing, drafting responses to supplemental questions for the record and lobbying on specific legislative responses to data breaches to protect our clients' interests. We have existing professional relationships with each congressional committee that has jurisdiction over data breaches. In fact, congressional staff have told our team that Congress is one major data breach away from the necessary momentum needed to enact a significant federal overhaul of data security standards in the retail community. Clearly, lobbying and public policy capabilities are a necessary component of any data breach response team. The services Holland & Knight provides in this area are fully integrated with our litigation, privacy and high-stakes communications efforts. Our clients appreciate this seamless approach as it simplifies what it takes to assist companies proactively or in the midst of a crisis.

CRISIS MANAGEMENT A security breach can lead to a barrage of negative press, calls from panicked customers and shareholders, a regulatory and/or congressional investigation, and potential litigation. One of the biggest mistakes companies make is not how they respond to data breaches but what they say about them. If not handled properly, these statements can undermine a company’s reputation and do irreparable damage to its image in the marketplace as well as affecting its value. Holland & Knight is dedicated to helping a company's public relations when a data breach occurs. Our High-Stakes Communications Team is not a hastily assembled, random collection of lawyers – managing highstakes situations is all we do. We have handled highly sensitive issues involving data information security, including data breaches, and have dealt with congressional hearings focused on data security concerns. Our experienced team guides clients through the complex phases of a data crisis by providing comprehensive strategies to mitigate the potential damage to the reputation of our clients' organizations. We can help your company through the initial 24 to 48 hours of a data breach crisis, and then put in place a plan to protect your company's reputation for the long term. Our High-Stakes Communications Team is also well-versed in crisis and litigation communications, and possesses the know-how to develop a strategic plan that speaks to the right audiences in the right way. In addition to providing critical communications management assistance in the first hours of a security breach crisis, we also provide a communications strategy and help your in-house team with media relations; opinion research, message and credibility testing; message development; reputation protection strategy; media training; and internal and external stakeholder communications. We can also assist in crisis management preparation, including the development of protocols, practice simulations and media training.

HOLLAND & KNIGHT DATA BREACH TEAM CONTACT INFORMATION Norma Krayem Senior Policy Advisor Washington, D.C. 202.469.5195 norma.krayem@hklaw.com

Tony DiResta Partner Washington, D.C. 202.469.5164 anthony.diresta@hklaw.com

Tiffani Lee Partner Miami 305.789.7725 tiffani.lee@hklaw.com

Ieuan Mahony Partner Boston 617.573.5835 ieuan.mahony@hklaw.com

Audrey Young Senior Strategic Communications Advisor Washington, D.C. 202.469.5194 audrey.young@hklaw.com

Shannon Britton Hartsfield Partner Tallahassee | 850.425.5642 Jacksonville | 904.798.7331 shannon.salimone@hklaw.com

Stewart Gordon Strategic Communications Advisor Washington, D.C. 202.469.5196 stewart.gordon@hklaw.com

Tracy Nichols Partner Miami 305.789.7717 tracy.nichols@hklaw.com

Chris DeLacy Partner Washington, D.C. 202.457.7162 chris.delacy@hklaw.com

William Shepherd Partner West Palm Beach 561.650.8338 Washington, D.C. 202.663.7234 william.shepherd@hklaw.com

Christopher Kelly Partner New York 212.513.3264 christopher.kelly@hklaw.com

Judy Nemsick Partner New York 212.513.3514 judith.nemsick@hklaw.com

J. Allen Maines Partner Atlanta 404.817.8525 allen.maines@hklaw.com

Scott Lashway Partner Boston 617.305.2119 scott.lashway@hklaw.com

Thomas Bentz Jr. Partner Washington, D.C. 202.828.1879 thomas.bentz@hklaw.com

Eddie Williams III Partner Tallahassee 850.425.5653 eddie.williams@hklaw.com

Kimberly Case Senior Policy Advisor Tallahassee 850.425.5603 kimberly.case@hklaw.com

Joel Edward Roberson Partner Washington, D.C. 202.663.7264 joel.roberson@hklaw.com

Maximillian Bodoin Partner Boston 617.573.5819 max.bodoin@hklaw.com

Elizabeth Burkhard Partner Boston 617.573.5850 elizabeth.burkhard@hklaw.com

Kaylee Cox Senior Counsel Washington, D.C. 202.469.5185 kaylee.cox@hklaw.com