Steptoe counsels and represents clients on global privacy and cybersecurity issues, ranging from compliance with the ever-expanding laws and regulations concerning individual privacy and data security, to advising companies on preventing or responding to data breaches, to defending companies facing class action lawsuits or regulatory investigations emanating from a breach or a failure to comply with applicable laws. Steptoe's lawyers also bring a unique depth of experience in these issues from their time as senior officials in the federal government, where they helped create policies and programs to address cybersecurity and held key leadership positions in law enforcement, intelligence, and security.
Our Team's Experience at a Glance
- Head of the FBI's cybercrime and infrastructure protection program
- Associate Deputy Attorney General for national security matters
- Assistant Secretary for policy at the Department of Homeland Security
- General counsel of the National Security Agency
- Deputy Assistant Attorney General responsible for cyber investigations
Steptoe's lawyers regularly advise companies on how to comply with the burgeoning field of onerous new laws and regulations in the field, ranging from relatively new ones (such as the California Consumer Privacy Act (CCPA), the European Union's General Data Protection Regulation (GDPR), and the New York Department of Financial Service's Cybersecurity Regulation), to more longstanding ones (such as the FTC Act, the Gramm-Leach-Bliley Act and implementing regulations, the Health Insurance Portability and Accountability Act (HIPAA) and its regulations, and the 50 US State and 4 territorial data breach notification laws).
Steptoe understands the high stakes involved when sensitive data is at risk. Our lawyers work to protect companies both before and after a data breach. We provide assistance in the development or improvement of data privacy practices and incident response plans to ensure our clients' data is secure. Our goal is to always minimize our client's risk of a data breach and to put our client in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response.
The US government is increasingly focused on protecting the nation's critical infrastructure (including companies in the communications, energy, financial, and medical industries) from destructive cyber and physical attacks and ensuring security within its own supply chain. Steptoe advises companies that are related to the nation's critical infrastructure as well as those seeking government contracts on the existing legal requirements that govern critical infrastructure protection, as well as on prospective new regulations emanating from Congress and the Executive Branch. Drawing on our experience in government, we also provide strategic counseling on opportunities for security and telecommunications companies seeking to adapt their technologies for use by the Department of Defense, DHS, and law enforcement and security agencies.
Government investigations often require businesses in the technology, communications, e-commerce, Internet service, and financial industries to provide information about their customers and subscribers, thereby forcing them to navigate sometimes conflicting legal obligations arising out of multiple privacy and security laws worldwide. We advise numerous companies regarding law enforcement and intelligence access to communications and information under a variety of applicable laws, including Title III, ECPA, the Communications Act, the Foreign Intelligence Surveillance Act, FCRA, and the USA PATRIOT Act. We also regularly advise companies on compliance with foreign government demands for information. With our extensive government experience, Steptoe lawyers are able to provide direct interface and engagement with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Justice (DOJ), and DHS, as well as state, local, and foreign agencies.
Businesses that are the victims of cyberattacks (whether denials of service, thefts of money or property, espionage, or other malicious acts) also must determine when and how to cooperate with government agencies during investigation of an attack, and how best to do so. The lawyers in our privacy and cybersecurity practice have deep experience, from both government and private practice, in this area, and help companies navigate the often complicated interactions with government agencies.
Additionally, Steptoe's white-collar defense practice is nationally recognized, enabling us to provide both counseling and representation where the threat of prosecution may arise.
Our team has extensive legal and technical experience in data encryption technology, and offers our clients guidance in complying with US and international requirements governing all aspects of encryption, including encryption export and import licensing matters in the United States, France, China, Russia, Hong Kong, and other countries.
Our web-based Country-by-Country Guide to Encryption Regulations is the leading resource on global encryption import, use and export controls, covering more than 130 countries. We counsel both developers and users of encryption products on global licensing and distribution strategies. In addition, we have one of the broadest and most sophisticated public key infrastructure (PKI) practices of any law firm, and are among a very small number of law firms worldwide that regularly practice in this area. Our work includes advising clients on developing and implementing industry PKIs in the insurance, mortgage finance, healthcare, financial services, and natural resources industries. We also advise many clients on developing and implementing enterprise PKI solutions and other secure business solutions that incorporate PKI technology.
Representative Matters
-
Represented the VTech group of companies regarding a breach of its customer information, including advice on managing the response to the breach, settlement negotiations with the FTC and international data protection authorities, and dismissal of consolidated class action claims.
-
Represented best-selling author in suit claiming violation of federal and state privacy and computer crime laws.
-
Represented Verizon and other communications and technology companies in amicus briefs challenging government's authority to obtain communications content stored abroad.
-
Advising numerous retail companies, financial institutions, and others on compliance with CCPA, GDPR, and other laws.
-
Helping a global insurance firm assess and improve their data privacy and cybersecurity policies and practices, including breach response.
-
Advising an insurance broker and consultant on its data security and privacy policies and drafting an incident response plan.
-
Assessing the cybersecurity policies and incident response plan of a leading data-mining and Internet advertising company and recommending changes, and developing and leading a "tabletop" data breach exercise to assess and improve the company’s data breach response posture.
-
Advising defense contractors on Defense Department supply chain and service provider cybersecurity requirements.
-
Advising some of world's largest financial institutions, communications firms, hardware and software manufacturers, and others on data security requirements, and data privacy and encryption laws and regulations domestically and worldwide.
News & Publications
Publications
As Cyberattacks Loom, So Does Regulators' Increased Scrutiny of Utilities' Cybersecurity Systems
Energy Law Report
May 7, 2019
By: Charles R. Mills, Daniel A. Mullen, Steven J. Ross, Wesley J. Heath, Shaun Boedicker, Natty Brower, Karen Bruni
Press Releases
Steptoe Receives 20 Practice, 63 Individual Mentions in Chambers USA 2019
April 29, 2019
Publications
Companies Are Ready and Willing to Comply with CCPA – But First, They Need to Know How
CPO Magazine
April 12, 2019
By: Meegan Brooks
Client Alerts
As Cyberattacks Loom, So Does Regulators' Increased Scrutiny of Utilities' Cybersecurity Systems
February 20, 2019
By: Charles R. Mills, Daniel A. Mullen, Steven J. Ross, Wesley J. Heath, Shaun Boedicker, Natty Brower, Karen Bruni
Press Releases
Steptoe Receives 13 Practice, 25 Individual Mentions in Chambers Global 2019
February 14, 2019
Media Mentions
CyberInsecurity News Features Stewart Baker in Q&A on History of Cybersecurity
February 12, 2019
Media Mentions
Washington Post Quotes Stewart Baker on Trump Administration's Hacking Plan
February 11, 2019
Events
Webinars
The Long Arm of the New EU Data Protection Jurisdiction
December 6, 2017
Speakers: Stewart A. Baker, Yves Melin, Maury Shenk, Philip Woolfson
Seminars & Events
November 7, 2017
Speaker: Stewart A. Baker
Steptoe
1330 Connecticut Avenue, NW
Washington, DC 20036
Seminars & Events
Emerging Cyber Attack Trends and Technical and Legal Remedies
February 24, 2016
Speakers: Stewart A. Baker, Steven K. Davidson, Michael Campion Miller
The Harvard Club
35 W. 44th Street
New York, NY 10036
Webinars
Digitizing Financial Services in Europe: Managing Risks, Maximizing Benefits
June 25, 2015
Speaker: Philip Woolfson
The Cyberlaw Podcast
The Cyberlaw Podcast
Episode 264: Unpacking the Supreme Court's decision in Pepper v. Apple
May 20, 2019
The Cyberlaw Podcast
Episode 262: Udderly indefensible facial recognition scandal may drive new privacy mooovement
May 6, 2019
The Cyberlaw Podcast
Episode 259: Why France understands Chinese policy better than the rest of us
April 15, 2019
The Cyberlaw Podcast
Episode 257: How we know the North Korean Embassy break-in wasn't the work of the CIA
April 1, 2019
The Cyberlaw Podcast
March 18, 2019