Privacy and Data Security

Growing concern about identity theft, personal privacy and data integrity, driven by numerous high-profile breaches and their market fallout, together with the sea change brought about by the EU’s General Data Protection Regulation (“GDPR”), means that businesses today face an increasing array of legal obligations governing how they use and handle sensitive information.

Communicating with customers; compliance with federal and state privacy and data breach laws; managing employees, independent contractors and outside vendors; designing an IT infrastructure; transmitting data across borders – these are just some of the examples of core business functions that raise legal issues related to data privacy and information security.

Combining expertise in core subject areas such as technology and employment matters with long-term experience in data privacy and security regulation, FisherBroyles’ attorneys help their clients navigate this rapidly developing area of the law with the careful yet practical approach that FisherBroyles brings to every engagement.

FisherBroyles attorneys have helped clients with widely varying circumstances assess and minimize exposure for cyber-risk and have guided clients in effective responses to data breaches. Our expertise includes the following areas:


  • Input regarding computer / digital forensics
  • Individual notification
  • Government / Regulatory notification
  • PCI investigations
  • State and Federal regulatory investigations
  • Third party liability
  • Digital / Cyber extortion
  • Business Interruption


  • Gramm-Leach-Bliley and Financial Privacy/Safeguards Rule
  • New York Department of Financial Services Cyber Security Requirements
  • FTC Practice/Unfair and Deceptive Trade Practices
  • HIPAA & HIPAA Business Associates
  • Children’s Online Privacy Protection Act
  • Affiliate Marketing and “Red Flag” Requirements under FCRA and FACTA
  • State Regulation of Online Privacy and Social Security Numbers
  • Pending Federal Legislation
  • Electronic Marketing (e-mail and text Marketing; TCPA and CAN-SPAM)
  • Direct Mail and Telemarketing
  • Data Breach Statutes
  • Contractual and Compliance Issues/Contractual Apportionment of Responsibility
  • Privacy Policies/Terms of Use (Internal and Public – Customers and Vendors)
  • Internet Usage Policies
  • PCI Compliance
  • Data Retention and Destruction Policies


  • Initial and ongoing guidance for US-based companies in complying with the evolving requirements of the EU GDPR
  • Data transfers between the U.S. and the EU, including Privacy Shield certification (note: the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the European Union in its July 2020 Schrems II decision; transfers now rely on mechanisms such as Standard Contractual Clauses or the EU-U.S. Data Privacy Framework)
  • Data Controller Registration Requirements
  • Employee Data Handling


  • Monitor claims for excess insurers on cyber insurance towers
  • Draft cyber insurance policies and endorsements
  • Consideration of existing ISO cyber forms
  • High-level counseling of companies regarding available coverages


  • Banking & Financial Services
  • Healthcare & Pharmaceuticals (Covered Entities & Business Associates)
  • Professional Services
  • Retail
  • Technology
  • Manufacturing
  • Energy & Utilities
  • Media & Entertainment
  • Online Marketplaces
  • Education / Learning Sciences
  • Travel & Hospitality
  • Insurance
  • Fin-Tech / Blockchain
  • Privacy-Enhancing Technologies