Cybersecurity & Data Privacy

Data ranks among a company’s most important assets, accompanied by an ever-increasing potential for liability. It is important to prioritize and protect sensitive, confidential and proprietary information. If a breach or data loss occurs, it immediately places a company’s reputation and bottom line at risk. 

Lathrop Gage has a tradition of excellence in this evolving area of the law, and routinely guides clients through the high-paced investigation, notification and response involved in a data breach or loss. Once these immediate obligations are resolved, we help our clients face any ongoing regulatory scrutiny and seize upon opportunities for improvement.   

With an eye toward prevention, our multidisciplinary team of attorneys and data specialists can assess regulatory requirements, identify risk and develop strategies to protect personally identifiable information (PII), personal health information (PHI) and proprietary data. In addition, our insurance lawyers in the practice group can assist in considering appropriate cyberinsurance coverage.

Our data privacy and security experience extends to public and private organizations across industries such as healthcare, insurance, finance, technology, media, and education. We engage in a wide variety of data litigation and regulatory matters, from class actions under the Telephone Consumer Protection Act to individual claims. We deal with the more than 50 laws enforced by the Federal Trade Commission and state attorneys general, as well as the EU and other international data protection authorities.   

Our attorneys are nationally recognized speakers and authors on topics such as HIPAA, HITECH, cybersecurity, data breach, cyber insurance coverage, and social media. We assist with the drafting of privacy policies, terms of use for websites and mobile applications, service level agreements and other key documents. We help our clients navigate the patchwork of state, federal and international regulation that has emerged to govern data privacy and security.

A sample of some of our core competencies:

Data Breach Response 

  • Incident and breach risk assessment
  • Management of data breach response
  • Individual and regulatory notifications
  • Regulatory investigation response
    • Office for Civil Rights
    • Federal Trade Commission
    • State Attorneys General
    • State Insurance Commissioners
  • Media notification
  • Insurance tender and response


  • Individual data and privacy litigation
  • Class-action litigation defense
  • TCPA litigation defense

Data Protection

  • Assessment of obligations
    • Gramm-Leach-Bliley
    • Insurance regulations
    • FDIC and banking regulations
    • State privacy/security laws
    • PCI DSS compliance
  • Key Data Policies & Documents
    • HIPAA/HITECH policies
    • Business associate agreements
    • Confidentiality agreements
    • Terms of use, privacy statements
  • Insurance coverage analysis
  • Training and education

Representative Experience

  • We have managed a wide variety of data loss and data breach incidents such as:
    • Thefts of laptops, mobile phones and other devices containing PII and/or PHI
    • Infiltrations of company databases for corporate or government espionage
    • Thefts of credit card information and subsequent improper charges
    • Postings of key trade secret information on social media and other websites
    • Employee transfers of proprietary data to personal email, external drives, cloud, etc.
    • Distributed Denial of Service attacks upon company websites
  • Representation of a hospital in the coordination of data breach investigation and response following a vendor’s inadvertent internet publication of financial information of over 8,000 individuals. The subsequent investigation by the Office for Civil Rights was resolved without fines or penalties through demonstration of voluntary compliance, including timely notification, mitigation of harm to individuals, and revision of policies and procedures.
  • Resolution of multiple Office for Civil Rights investigations of healthcare providers arising from HIPAA complaints concerning patient access, accounting of disclosures, access to electronic systems, inadvertent disclosures, and loss of paper records.
  • Investigation and coordination of a healthcare facility’s response to a complaint involving improper access to patient data by an employee. Our representation included investigation and termination of the employee, development and coordination of breach notification in compliance with HIPAA and state requirements, and mandatory reporting to the Office for Civil Rights and state licensure board.
  • Counseling numerous healthcare providers, health plans, and business associates in the development and implementation of more robust HIPAA compliance programs to integrate requirements of the Omnibus HIPAA regulations promulgated in January 2013.
