U.S. Compliance
With the new U.S. state data privacy laws coming quickly in 2023, the MSF Privacy & Data Security team is ready to assist businesses operating throughout the U.S. with expanding compliance obligations and has prepared this questionnaire to help clients determine whether these laws are applicable to their businesses.
Data Privacy and Security Compliance is an ongoing effort and requires continued engagement from legal and business teams alike.
We work collaboratively with our clients to understand how they collect, use, store, share, retain, and otherwise process personal information and then support our clients in cost-effective development and implementation of privacy and security compliance programs tailored to the client’s specific business, risk tolerance, goals, and budget.
We help our clients to understand and comply with specific federal and state laws and regulations that touch common business practices, including:
- California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), the Connecticut Privacy Law, known as An Act Concerning Personal Data Privacy and Online Monitoring (CT DPA), and the Utah Consumer Privacy Act (UCPA)
- Federal Trade Commission (FTC) Regulations, Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), Telephone Consumer Protection Act (TCPA), and Chat-Bot laws in connection with customer communications
- Children’s Online Privacy Protection Act (COPPA) and California’s Age-Appropriate Design Code Act (AADCA) in connection with collection, use and processing of the personal information of minors
- Payment Card Industry Data Security Standard (PCI-DSS) in connection with the collection and use of payment/credit card information
- Various biometric data laws, including Illinois’ Biometric Information Privacy Act (BIPA), in connection with collection, use and processing of biometric data and facial recognition/detection
- Family Educational Rights and Privacy Act (FERPA) in connection with the collection, use and processing of student personal information
Services include:
- Compliance Assessments, including identification of laws and regulations applicable to the business
- Contract Review & Negotiation (Including Data Processing Agreements)
- Data Broker Registration Compliance
- Vendor Compliance (Including Contract Review and Amendment, Policies and Procedures)
- Internal and Customer-Facing Policies & Procedures
- Website Privacy Policies & Disclosures
- Opt-Out Compliance (e.g., Do Not Sell/Share My Personal Information and Global Privacy Controls)
- Cookie Policies
- Disclosures
- Data Privacy Impact Assessments
- Data Subject Request Procedures & Response
- Cybersecurity industry frameworks and certifications (e.g., CIS Controls, NIST 800-53, ISO 27000, SOC 2)
- Incident Response Policies & Procedures
Where possible, we work with our clients’ business teams and consultants on data mapping, internal data privacy impact assessments, policy and procedure development, insurance, and training programs among other things. This approach helps to ensure a pragmatic, tailored compliance approach and has the added benefit of controlling legal overhead.
International Compliance & Data Transfers
We interface with local counsel in non-U.S. jurisdictions to ensure compliance with applicable laws and regulations (e.g., the EEA’s and UK’s GDPR, Canada’s PIPEDA, China’s PIPL, Brazil’s LGPD, etc.) in connection with cross-border data transfers and business expansions, and to develop international data transfer solutions that make sense and mitigate risk as much as possible. As needed, we leverage our strong and long-standing relationships with colleagues worldwide to secure local expertise.
Commercial Transactions
We advise companies on all manner of commercial transactions and strategic collaborations in which data is either ancillary to or core to the deal, including software development, cloud services, platform and application program interface (API) development and/or integration, joint development, data purchase/sales, data processing, and licensing transactions.
Our experience uniquely positions MSF to handle all aspects of these transactions, from intellectual property ownership and protection to data privacy and security compliance. We are able to assess appropriate compliance responsibilities for each party and to negotiate and draft agreements that reflect appropriate allocations of responsibility and liability.
Corporate Transactions & Diligence
Our team works closely with the MSF Corporate Group on various M&A transaction structures, including mergers, purchases and sales of stock and assets, leveraged buy-outs, recapitalizations and other corporate restructuring and joint ventures. Increasingly, data is becoming integral to these deals as a valued asset and, in some cases, an unforeseen liability. Our team is skilled at conducting data privacy and security compliance, information security and intellectual property due diligence, and at drafting and negotiating appropriate representations and related disclosure schedules. We advise and counsel our clients on privacy and security-related compliance gaps, provide risk assessments, and recommend mitigation measures. We also work with our clients to secure appropriate representations and warranties insurance and respond to the insurer’s requests for information.
Data Incident & Breach Response
Our team works with clients to develop, implement, and maintain Incident Response Policies & Procedures. When our clients face a data incident or breach, we call upon an established network of trusted cybersecurity professionals to steer our clients through the situation.
The MSF Privacy & Data Security team has experience across a wide range of technologies that spans industries such as healthcare, transportation, real estate, advertising, publishing, data brokers, entertainment, education, and not-for-profits. Our clients use cutting-edge technology products and services including:
- Artificial Intelligence
- Augmented and Virtual Reality
- Cloud services
- Machine learning
- Managed Services
- Web 2.0, Web3, NFTs and Metaverse
We partner with our clients to help them with ongoing compliance initiatives.