Steptoe counsels and represents clients on global privacy and cybersecurity issues, ranging from compliance with the ever-expanding laws and regulations concerning individual privacy and data security, to advising companies on preventing or responding to data breaches, to defending companies facing class action lawsuits or regulatory investigations emanating from a breach or a failure to comply with applicable laws. Steptoe's lawyers also bring a unique depth of experience in these issues from their time as senior officials in the federal government, where they helped create policies and programs to address cybersecurity and held key leadership positions in law enforcement, intelligence, and security.
Our Team's Experience at a Glance
- Head of the FBI's cybercrime and infrastructure protection program
- Associate Deputy Attorney General for national security matters
- Assistant Secretary for policy at the Department of Homeland Security
- General counsel of the National Security Agency
- Deputy Assistant Attorney General responsible for cyber investigations
Steptoe's lawyers regularly advise companies on how to comply with the burgeoning field of onerous new laws and regulations in the field, ranging from relatively new ones (such as the California Consumer Privacy Act (CCPA), the European Union's General Data Protection Regulation (GDPR), and the New York Department of Financial Service's Cybersecurity Regulation), to more longstanding ones (such as the FTC Act, the Gramm-Leach-Bliley Act and implementing regulations, the Health Insurance Portability and Accountability Act (HIPAA) and its regulations, and the 50 US State and 4 territorial data breach notification laws).
Steptoe understands the high stakes involved when sensitive data is at risk. Our lawyers work to protect companies both before and after a data breach. We provide assistance in the development or improvement of data privacy practices and incident response plans to ensure our clients' data is secure. Our goal is to always minimize our client's risk of a data breach and to put our client in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response.
The US government is increasingly focused on protecting the nation's critical infrastructure (including companies in the communications, energy, financial, and medical industries) from destructive cyber and physical attacks and ensuring security within its own supply chain. Steptoe advises companies that are related to the nation's critical infrastructure as well as those seeking government contracts on the existing legal requirements that govern critical infrastructure protection, as well as on prospective new regulations emanating from Congress and the Executive Branch. Drawing on our experience in government, we also provide strategic counseling on opportunities for security and telecommunications companies seeking to adapt their technologies for use by the Department of Defense, DHS, and law enforcement and security agencies.
Government investigations often require businesses in the technology, communications, e-commerce, Internet service, and financial industries to provide information about their customers and subscribers, thereby forcing them to navigate sometimes conflicting legal obligations arising out of multiple privacy and security laws worldwide. We advise numerous companies regarding law enforcement and intelligence access to communications and information under a variety of applicable laws, including Title III, ECPA, the Communications Act, the Foreign Intelligence Surveillance Act, FCRA, and the USA PATRIOT Act. We also regularly advise companies on compliance with foreign government demands for information. With our extensive government experience, Steptoe lawyers are able to provide direct interface and engagement with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Justice (DOJ), and DHS, as well as state, local, and foreign agencies.
Businesses that are the victims of cyberattacks (whether denials of service, thefts of money or property, espionage, or other malicious acts) also must determine when and how to cooperate with government agencies during investigation of an attack, and how best to do so. The lawyers in our privacy and cybersecurity practice have deep experience, from both government and private practice, in this area, and help companies navigate the often complicated interactions with government agencies.
Additionally, Steptoe's white-collar defense practice is nationally recognized, enabling us to provide both counseling and representation where the threat of prosecution may arise.
Our team has extensive legal and technical experience in data encryption technology, and offers our clients guidance in complying with US and international requirements governing all aspects of encryption, including encryption export and import licensing matters in the United States, France, China, Russia, Hong Kong, and other countries.
Our web-based Country-by-Country Guide to Encryption Regulations is the leading resource on global encryption import, use and export controls, covering more than 130 countries. We counsel both developers and users of encryption products on global licensing and distribution strategies. In addition, we have one of the broadest and most sophisticated public key infrastructure (PKI) practices of any law firm, and are among a very small number of law firms worldwide that regularly practice in this area. Our work includes advising clients on developing and implementing industry PKIs in the insurance, mortgage finance, healthcare, financial services, and natural resources industries. We also advise many clients on developing and implementing enterprise PKI solutions and other secure business solutions that incorporate PKI technology.
Representative Matters
-
Represented the VTech group of companies regarding a breach of its customer information, including advice on managing the response to the breach, settlement negotiations with the FTC and international data protection authorities, and dismissal of consolidated class action claims.
-
Represented best-selling author in suit claiming violation of federal and state privacy and computer crime laws.
-
Represented Verizon and other communications and technology companies in amicus briefs challenging government's authority to obtain communications content stored abroad.
-
Advising numerous retail companies, financial institutions, and others on compliance with CCPA, GDPR, and other laws.
-
Helping a global insurance firm assess and improve their data privacy and cybersecurity policies and practices, including breach response.
-
Advising an insurance broker and consultant on its data security and privacy policies and drafting an incident response plan.
-
Assessing the cybersecurity policies and incident response plan of a leading data-mining and Internet advertising company and recommending changes, and developing and leading a "tabletop" data breach exercise to assess and improve the company’s data breach response posture.
-
Advising defense contractors on Defense Department supply chain and service provider cybersecurity requirements.
-
Advising some of world's largest financial institutions, communications firms, hardware and software manufacturers, and others on data security requirements, and data privacy and encryption laws and regulations domestically and worldwide.
News & Publications
Client Alerts
The California Attorney General's CCPA Regulations: Clarity or More Questions?
October 18, 2019
Press Releases
Steptoe Expands International Regulation and Compliance Group with Zoe Osborne in London
October 8, 2019
Client Alerts
New York Adopts New Data Breach Law, Including Data Security Requirements
August 7, 2019
Client Alerts
More States Move to Restrict Companies' Use or Sale of Personal Information
June 10, 2019
Press Releases
Steptoe Receives 30 Practice, 149 Individual Mentions in Legal 500 US 2019
June 5, 2019
Events
Webinars
Data Privacy for Retailers: Recent Developments in CCPA and GDPR
December 10, 2019
Speakers: Paul Hughes, Daniel W. Podair, David O'Sullivan
Webinars
The Long Arm of the New EU Data Protection Jurisdiction
December 6, 2017
Speakers: Stewart A. Baker, Maury Shenk, Philip Woolfson
Seminars & Events
November 7, 2017
Speaker: Stewart A. Baker
Steptoe
1330 Connecticut Avenue, NW
Washington, DC 20036
Seminars & Events
Emerging Cyber Attack Trends and Technical and Legal Remedies
February 24, 2016
Speakers: Stewart A. Baker, Steven K. Davidson, Michael Campion Miller
The Harvard Club
35 W. 44th Street
New York, NY 10036
Webinars
Digitizing Financial Services in Europe: Managing Risks, Maximizing Benefits
June 25, 2015
Speaker: Philip Woolfson
The Cyberlaw Podcast
The Cyberlaw Podcast
Episode 295: The line between deepfake legislation and deeply fake legislation
January 13, 2020
The Cyberlaw Podcast
Episode 294: Examining the DOJ Inspector General's FBI-FISA Report
December 18, 2019
The Cyberlaw Podcast
Episode 291: Ethical Algorithms with Michael Kearns and Aaron Roth
December 5, 2019
The Cyberlaw Podcast
Episode 289: Brad Smith on Microsoft's Journey from Hubris to Humility
November 25, 2019