Privacy and Cybersecurity
Steptoe advises companies across a broad range of industries on data protection and privacy laws, including obligations under the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Electronic Communications Privacy Act (ECPA), CAN-SPAM, the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act (FCRA), the Federal Trade Commission Act, Sarbanes-Oxley, breach notification laws, and other federal and state laws. We regularly advise companies on complying with applicable foreign laws, including European Union directives, laws, and regulations on data protection, privacy, and data retention. In addition, we regularly help companies formulate or revise privacy policies to comply with new laws or take account of new technologies or changes in business operations. We also advise companies on the data privacy and security implications of mergers and acquisitions, outsourcing arrangements, and other transactions.
Data Breach Prevention, Response, and Litigation
Steptoe works to protect companies both before and after a data breach. This includes helping companies develop or improve data privacy practices and incident response plans through privacy and security assessments, in order to minimize the risk of a data breach and to put the company in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response under the protection of the attorney-client privilege. Our team’s extensive government and law enforcement experience makes us uniquely effective in investigating breaches and coordinating the company’s engagement with law enforcement and with both federal and state regulators. With our highly respected litigation and regulatory practices, ranked as among the best by Chambers and The Legal 500, we also represent companies in the regulatory investigations and civil litigation that increasingly follow a data breach.
As one of the first US law firms to begin practicing in the area of cybersecurity, Steptoe is a recognized pioneer in the field. The lawyers in our cybersecurity practice understand the emerging threats to the security of IT systems, and related cyber-regulatory efforts by governments that pose unique business and legal challenges to companies serving private sector or government customers. Several of the lawyers on our team have served in high-ranking US government positions, including the former director of the Federal Bureau of Investigation’s National Infrastructure Protection Center, the assistant secretary for policy at the Department of Homeland Security (DHS) and former General Counsel of the National Security Agency, and the Deputy Assistant Attorney General responsible for cyber investigations. As a result, our team has experience working with every US government agency involved in cybersecurity issues, and we understand the government cybersecurity requirements at the regulatory and policy level in great detail.
We assist clients in a broad range of industries, including financial services, healthcare, electric power, telecommunications, technology, Internet services, and government contracting to comply with applicable US and international laws and regulations, institute security systems and procedures to minimize the chances of a cybersecurity incident, assist with incident response after a data breach, resolve disputes, and adopt strategic solutions to business problems posed by cyber threats.
We also have extensive legal and technical experience in data encryption technology, an essential tool for reliable and confidential e-commerce. Steptoe offers unique experience in helping manufacturers and large multinational users of encryption technology comply with US and international requirements governing the import, export, sale, and use of encryption.
Critical Infrastructure Protection
The US government is increasingly focused on protecting the nation’s critical infrastructure (including companies in the communications, energy, financial, and medical industries) from destructive cyber and physical attacks and ensuring security within its own supply chain. Steptoe advises companies across the critical infrastructure and companies seeking government contracts on compliance with existing legal requirements relating to critical infrastructure protection, as well as on prospective new regulations emanating from Congress and the Executive Branch. Drawing on our experience in government, we also provide strategic counseling on opportunities for security and telecommunications companies seeking to adapt their technologies for use by the Department of Defense, DHS, and law enforcement and security agencies.
National Security and Law Enforcement Investigations
Government investigations often require businesses in the technology, communications, e-commerce, Internet service, and financial industries to provide information about their customers and subscribers, thereby forcing them to navigate sometimes conflicting legal obligations arising out of multiple privacy and security laws worldwide. We advise numerous companies regarding law enforcement and intelligence access to communications and information under a variety of applicable laws, including Title III, ECPA, the Communications Act, the Foreign Intelligence Surveillance Act, FCRA, and the USA PATRIOT Act. We also regularly advise companies on compliance with foreign government demands for information. With our extensive government experience, Steptoe lawyers are able to provide direct interface and engagement with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Justice (DOJ), and DHS, as well as state, local, and foreign agencies.
Businesses that are the victims of cyberattacks (whether denials of service, thefts of money or property, espionage, or other malicious acts) also must determine when and how to cooperate with government agencies during investigation of an attack, and how best to do so. The lawyers in our privacy and cybersecurity practice, as well as members of Steptoe’s National and Homeland Security practice, have deep experience, from both government and private practice, in this area, and help companies navigate the often complicated interactions with government agencies.
Additionally, Steptoe’s criminal defense practice is nationally recognized, enabling us to provide both counseling and representation where the threat of prosecution may arise.
CFIUS and Export Controls
Through the Committee on Foreign Investment in the United States (CFIUS), the United States Government monitors investments by foreign entities in US businesses that provide products and services relevant to national security. Drawing on the experience of lawyers that have served on CFIUS while in government, we advise clients on how to navigate the CFIUS process and have unique capabilities relating to cybersecurity questions that might be raised by regulators, and we have extensive experience representing clients on issues relating to ITAR, EAR, and OFAC before relevant regulatory bodies.
Select News & Events
- Stewart Baker Appears on NPR to Debate: ‘Does Spying Keep Us Safe’
- Michael Vatis Appears on FOX Business to Discuss Cybersecurity
- All Things D Covers Stewart Baker's PRISM Debate with Guardian Editors
- Corporate Counsel Features Q&A with Stewart Baker on Privacy Protections
- Democracy Alliance Debate
- Arizona State University Town Hall Debate
- “The Growing Threat: State-and Private—Sponsored Cyber—Espionage and Trade Secret Theft Growing,” International Anti-Counterfeiting Coalition Fall Conference
- “Anatomy of a Data Breach from the Attorneys General Perspective,” HB Litigation Conferences NetDiligence ® Cyber Risk & Privacy Liability Forum