Privacy & Data Security

Whether arising out of trade secrets, personal data, or other sensitive confidential information, privacy and cybersecurity issues affect every business and require the expertise of seasoned attorneys. And with the proliferation of information technologies and the growth of the Internet, they touch every part of an organization, including operations, customer service, finance, marketing/sales, HR and IT.

To ensure that clients obtain the best practical advice on complex issues such as record retention, breach notification, privacy policies, information safeguarding, e-discovery, regulatory compliance and other privacy and cybersecurity issues, we have assembled a cross-disciplinary team with both legal and industry expertise, combining our knowledge of intellectual property, technology, financial services, healthcare, energy, employment, and litigation with relevant expertise in privacy and data security issues to help clients solve problems and get deals done.


Privacy Compliance

We’re helping companies of all sizes to navigate the privacy and data security issues that arise in connection with big data and partnering with data brokers.

Electronic Payment Systems Breach

We successfully defended a major retailer in parallel federal multi-district and state level class actions after a data security breach resulted in exposure of electronic payment card data.

We’re on the Leading Edge

As members of the International Association of Privacy Professionals we have access to a comprehensive global information privacy community, an invaluable resource that helps us stay ahead of changes in the evolving field of privacy and data security.


Licensing Big Data

We developed a licensing program and supporting agreements for a holder of health care claims data in connection with out-licensing de-identified data sets to universities and organizations for research purposes.

Building a Bank’s Critical Information Systems

We served as lead counsel for a top-ten North American bank in connection with acquisitions of mission critical information systems involving the exchange of highly regulated personal information.

Areas of Expertise

Counseling & Compliance

Privacy and data security compliance is a minefield, requiring businesses to navigate a rapidly changing, overlapping, and sometimes conflicting array of obligations. We regularly help clients navigate this landscape, providing guidance on regulatory compliance and risk management. We have helped clients in a wide variety of industries, including healthcare, financial services, retail, and manufacturing. The advice we offer is practical, efficient and provides well-rounded and cost-effective solutions.

We work closely with clients on the front end to help prevent data breaches.  We have extensive experience helping clients structure contracts with vendors and customers to help prevent compromise of data and systems and ensure third-party compliance with privacy and data security requirements.  In the event of a data incident, we work closely with clients to develop the best strategy going forward and counsel and assist clients with breach notification compliance, managing litigation risks and responding to litigation if it arises.

At Pierce Atwood, we take the time to listen to our clients and understand the underlying relevant technologies. We routinely develop end user license agreements, privacy policies and terms and conditions specifically tailored for technologies with nuanced privacy and data security considerations such as mobile apps and websites.

Privacy and data security regulations are complex and often apply to specific types of activities and industries. We have experience counseling clients in the highly-regulated healthcare and financial industries, as well as with regard to specific activities such as marketing and behavioral advertising. We understand the pressures businesses are currently facing and are committed to providing sound legal advice that is both comprehensive and practical.

We also routinely counsel clients on privacy and data issues that arise in the employment context. Maintaining the privacy and security of sensitive information in the workplace has never been more difficult. With the proliferation of smart phones, most employees have the ability to bring cameras and video recordings into the workplace, and disclosure of confidential information is now a click away. We regularly work with clients to develop employee agreements, policies and procedures to help prevent the disclosure or misuse of proprietary and personal information. We also assist employers with a myriad of other employment related privacy issues, including HIPAA privacy and security policies, employee background checks, drug testing, medical examinations, and workplace monitoring.  We understand the pressures businesses are currently facing and are committed to providing sound legal advice that is both comprehensive and practical.

Licensing & Transactional Matters

Transactions that involve the exchange of sensitive business, technological, or personal information raise important privacy and data security issues. Pierce Atwood’s privacy and data security team is closely integrated with our licensing and technology transactions practice to ensure that privacy and cybersecurity considerations are addressed at every stage of a transaction. Importantly, our clients include buyers of technology solutions as well as software licensors and software-as-a-service vendors. With a 360-degree perspective, we know how to find pragmatic solutions to privacy and data security challenges.

Our attorneys combine a practical and business-centric understanding of information technology with a deep knowledge of the complex and multi-layered regulatory landscape. In the early stages of procurement, we assist clients with pre-contract due diligence and review of the counter-party's information security practices. Based on the nature of the transaction and the sensitivity of the information involved, we negotiate appropriate contract terms designed to manage and mitigate information-related risks, including audit rights, information security requirements, data breach response and mitigation obligations, regulatory compliance warranties, indemnification, insurance requirements, and appropriate liability limits and risk allocation provisions.

Clients in the financial services, healthcare, and utility industries rely upon Pierce Atwood’s expertise to stay apprised of and manage regulatory compliance obligations. For example, we regularly help banks and other financial services companies ensure that vendor contracts meet the requirements of applicable laws, regulations and industry standards, including the Gramm-Leach-Bliley Act; state laws; FFIEC, OCC, and Fed guidances; and the PCI Data Security Standard. For companies that do not face such regulatory oversight, we apply industry standards (e.g., ISO 2700 Series, NIST and OMB standards and guidelines) to hold technology vendors to a measurable standard of care with respect to information security practices.

Cyber Security & Data Breach Response

In today’s world, information is both a valuable asset and a source of risk. Now more than ever before, sensitive data can escape from nearly every corner of your organization, and the costs to your business can be high. Pierce Atwood’s privacy and data security team regularly advises companies on how to handle and secure sensitive data. Whether you are a technology company with valuable trade secrets, a start-up with an innovative approach to using information, or a heavily regulated company responsible for the protection of large amounts of personal information, Pierce Atwood can both help you develop the right policies and practices to protect your sensitive data and avoid litigation and regulatory action against your company, and guide you through the consequences of a breach.

Personal Information

Individual privacy is protected by an increasing number of laws and regulations in the U.S. and abroad. Companies seeking to navigate these regimes must contend with complexity and a rapidly changing environment. Pierce Atwood can help you with every step of the data life cycle, including collecting, securing, using, and disclosing personal information of your customers and employees.

Critical Infrastructure

Cyber-terrorism is on the rise, while criminals are becoming increasingly adept at stealing sensitive commercial or personal information. Businesses that manage critical infrastructure – including health care services organizations, financial services entities, energy utilities, and manufacturers of sensitive equipment and technologies – are particularly at risk. Sensing this, the federal government has directed increasing scrutiny toward these industries, including recently issued cyber-security regulation and proposed legislation.

By combining longstanding expertise in these areas with a deep understanding of the cyber-security landscape and connections to the cyber-security community and to Capitol Hill, Pierce Atwood can help you navigate the landscape today and prepare for the threats and regulations to come.

Incident Response and Breach Notification

Despite a company’s best efforts and planning, sometimes data breaches do occur. When they do, our legal team stands ready to see our clients through the fallout. Whether the situation involves a rogue employee dealing with a single record, a large scale loss of electronic media while in transit, cross-border unauthorized vendor access, or criminal intrusions by sophisticated hackers, we help our clients navigate the post breach landscape, from determining whether notice is required to remediation and response, including handling regulatory enforcement and class action litigation.

We have helped clients in a wide variety of industries including retail, hospitality, information management, financial services and public utilities. Our team of seasoned litigators, working in concert with our expert privacy professionals, provides the right combination of talents needed to respond swiftly and effectively when crisis hits.


The cost of a data breach is frequently in the millions of dollars. As the risks of security breaches and other cyber-incidents continue to grow, responsible companies need to manage these risks through insurance and other contractual strategies. However, unlike other types of standardized commercial insurance policies, “cyber-insurance” is a new and developing product, and the scope of coverage and exclusions varies widely from one company’s policy to another’s, frequently unrelated to price. Our experienced attorneys can help you determine whether your company needs cyber insurance and help you choose the best provider and policy for your particular situation. In addition, our team regularly leverages this expertise to help clients secure the right insurance and other protections for your company in technology and licensing transactions. Finally, when crisis strikes, we are ready to step in should disputes over coverage arise.

Litigation & Regulatory Enforcement

Privacy and data security litigation is a rapidly growing problem for companies that handle personally identifiable information. Consumer protection regulators continue to bring enforcement actions, and the plaintiffs’ bar is constantly innovating in search of large-dollar awards.

Pierce Atwood’s privacy and data security team has the skills and experience necessary to advise businesses on how best to defend claims arising from a data security incident, including alleged data breaches.  We routinely help our clients fend off private class action claims, successfully respond to regulatory investigations without formal enforcement action, and pursue indemnification from responsible parties.

Our experience ranges from serving as counsel to two major retailers in a multi-district consumer class action following a hack of the retailers’ electronic payment system to helping a major public utility respond to an FTC investigation concerning a data security incident affecting several million customers.  We also represent healthcare, education, and other business clients in investigations initiated by the Office for Civil Rights concerning alleged HIPAA violations. No matter the type of privacy or data security litigation your company faces, Pierce Atwood can help you mitigate your liability, and achieve the best result possible.

More information about Pierce Atwood’s nationally-recognized class action practice.



125 Years