Cybersecurity, Privacy & National Security
Steptoe advises companies across a broad range of industries on data protection and privacy laws, including obligations under the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Electronic Communications Privacy Act (ECPA), CAN-SPAM, the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act (FCRA), the Federal Trade Commission Act, Sarbanes-Oxley, breach notification laws, and other federal and state laws. We regularly advise companies on complying with applicable foreign laws, including European Union directives, laws, and regulations on data protection, privacy, and data retention. In addition, we regularly help companies formulate or revise privacy policies to comply with new laws or take account of new technologies or changes in business operations. We also advise companies on the data privacy and security implications of mergers and acquisitions, outsourcing arrangements, and other transactions.
Data Breach Prevention, Response, and Litigation
Steptoe works to protect companies both before and after a data breach. This includes helping companies develop or improve data privacy practices and incident response plans through privacy and security assessments, in order to minimize the risk of a data breach and to put the company in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response under the protection of the attorney-client privilege. Our team’s extensive government and law enforcement experience makes us uniquely effective in investigating breaches and coordinating the company’s engagement with law enforcement and with both federal and state regulators.
We have advised numerous companies in response to breaches, including management consulting, health care, and financial institutions. We have assisted these companies in determining the source and scope of the breach, assessing regulatory compliance requirements, managing notifications and call centers, and conducting after-action review.
To assist companies in assessing their preparedness, we have prepared a Data Breach Toolkit. Companies can use the Toolkit on their own, or with Steptoe’s assistance, to review their policies and practices and to take any necessary steps to put themselves in the best possible position to prevent a breach or to respond effectively to, and minimize the damage from, any breach that might occur.
With our highly respected litigation and regulatory practices, ranked as among the best by Chambers and The Legal 500, we also represent companies in the regulatory investigations and civil litigation that increasingly follow a data breach.
As one of the first US law firms to begin practicing in the area of cybersecurity, Steptoe is a recognized pioneer in the field. The lawyers in our cybersecurity practice understand the emerging threats to the security of IT systems, and related cyber-regulatory efforts by governments that pose unique business and legal challenges to companies serving private sector or government customers. Several of the lawyers on our team have served in high-ranking US government positions, including the former director of the Federal Bureau of Investigation’s National Infrastructure Protection Center, the assistant secretary for policy at the Department of Homeland Security (DHS) and former general counsel of the National Security Agency, and the deputy assistant attorney general responsible for cyber investigations. As a result, our team has experience working with every US government agency involved in cybersecurity issues, and we understand the government cybersecurity requirements at the regulatory and policy level in great detail.
We assist clients in a broad range of industries, including financial services, healthcare, electric power, telecommunications, technology, Internet services, and government contracting, in complying with applicable US and international laws and regulations, instituting security systems and procedures to minimize the chances of a cybersecurity incident, responding to incidents after a data breach, resolving disputes, and adopting strategic solutions to business problems posed by cyber threats.
We also have extensive legal and technical experience in data encryption technology, an essential tool for reliable and confidential e-commerce. Steptoe offers unique experience in helping manufacturers and large multinational users of encryption technology comply with US and international requirements governing the import, export, sale, and use of encryption.
Critical Infrastructure Protection
The US government is increasingly focused on protecting the nation’s critical infrastructure (including companies in the communications, energy, financial, and medical industries) from destructive cyber and physical attacks and ensuring security within its own supply chain. Steptoe advises companies across the critical infrastructure and companies seeking government contracts on compliance with existing legal requirements relating to critical infrastructure protection, as well as on prospective new regulations emanating from Congress and the Executive Branch. Drawing on our experience in government, we also provide strategic counseling on opportunities for security and telecommunications companies seeking to adapt their technologies for use by the Department of Defense, DHS, and law enforcement and security agencies.
National Security and Law Enforcement Investigations
Government investigations often require businesses in the technology, communications, e-commerce, Internet service, and financial industries to provide information about their customers and subscribers, thereby forcing them to navigate sometimes conflicting legal obligations arising out of multiple privacy and security laws worldwide. We advise numerous companies regarding law enforcement and intelligence access to communications and information under a variety of applicable laws, including Title III, ECPA, the Communications Act, the Foreign Intelligence Surveillance Act, FCRA, and the USA PATRIOT Act. We also regularly advise companies on compliance with foreign government demands for information. With our extensive government experience, Steptoe lawyers are able to provide direct interface and engagement with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Justice (DOJ), and DHS, as well as state, local, and foreign agencies.
Businesses that are the victims of cyberattacks (whether denials of service, thefts of money or property, espionage, or other malicious acts) also must determine when and how to cooperate with government agencies during investigation of an attack, and how best to do so. The lawyers in our privacy and cybersecurity practice, as well as members of Steptoe’s National and Homeland Security practice, have deep experience, from both government and private practice, in this area, and help companies navigate the often complicated interactions with government agencies.
Additionally, Steptoe’s criminal defense practice is nationally recognized, enabling us to provide both counseling and representation where the threat of prosecution may arise.
CFIUS and Export Controls
Through the Committee on Foreign Investment in the United States (CFIUS), the United States Government monitors investments by foreign entities in US businesses that provide products and services relevant to national security. Drawing on the experience of lawyers who have served on CFIUS while in government, we advise clients on how to navigate the CFIUS process and have unique capabilities relating to cybersecurity questions that regulators might raise. We also have extensive experience representing clients on issues relating to ITAR, EAR, and OFAC before the relevant regulatory bodies.
- Currently representing and advising the VTech Group of companies in managing the response to a hack of customer information, which has resulted in class action lawsuits against the company; investigations by the Federal Trade Commission, state attorneys general, and foreign data protection authorities; and congressional inquiries.
- Currently helping a global insurance firm assess and improve their data privacy and cybersecurity policies and practices, including breach response.
- Currently advising an insurance broker and consultant on its data security and privacy policies and drafting an incident response plan.
- Currently assessing the cybersecurity policies and incident response plan of a leading data-mining and Internet advertising company and recommending changes, and developing and leading a “tabletop” data breach exercise to assess and improve the company’s data breach response posture.
- Regularly advise defense contractors on Defense Department supply chain and service provider cybersecurity requirements.
- Regularly advise some of the world’s largest financial institutions, communications firms, hardware and software manufacturers, and others on data security requirements, and on data privacy and encryption laws and regulations domestically and worldwide.
Select News & Events
- Law360 Quotes Michael Vatis on Challenges for Improving Cybersecurity
- Leader’s Edge Quotes Alan Cohn on Paying Ransomware
- Associated Press Quotes Stewart Baker on US Retaliation Against Russia
- Michael Vatis Discusses Clinton FBI Warrant on Bloomberg Radio
- “Data Privacy and Cybersecurity: A New Legal and Enforcement Landscape,” University of Chicago Law School
- “War in the 21st Century: Cyberterrorism, Cybersecurity, and the Law of War,” Penn State Law
- “Security vs. Security: In Defense of Government Access to Data,” WHD.global
- “Detecting & Preventing Security Breaches: The Application of Emerging Technologies,” Skytop Strategies
February 7, 2017