Privacy & Cybersecurity

Steptoe's lawyers regularly advise companies on how to comply with the burgeoning field of onerous new laws and regulations in the field, ranging from relatively new ones (such as the California Consumer Privacy Act (CCPA), the European Union's General Data Protection Regulation (GDPR), and the New York Department of Financial Service's Cybersecurity Regulation), to more longstanding ones (such as the FTC Act, the Gramm-Leach-Bliley Act and implementing regulations, the Health Insurance Portability and Accountability Act (HIPAA) and its regulations, and the 50 US State and 4 territorial data breach notification laws).

In the European Union, the privacy and cybersecurity landscape is evolving more rapidly than ever before. New services and technologies are challenging boundaries of existing frameworks, such as the GDPR, the Directive on security of network and information systems (NIS Directive), and the Cybersecurity Act, while also prompting new legislative proposals such as the ePrivacy Regulation, and the Digital Services Act package. Increased accountability toward users requires organizations to test new responses such as broader use of standards or certification mechanisms. Steptoe is uniquely positioned to assist organizations facing these challenges, as we have experience dealing with the sometimes conflicting challenges raised by multiple regulatory frameworks and enforcement agencies.

Steptoe understands the high stakes involved when sensitive data is at risk. Our lawyers work to protect companies both before and after a data breach. We provide assistance in the development or improvement of data privacy practices and incident response plans to ensure our clients' data is secure. Our goal is to always minimize our client's risk of a data breach and to put our client in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response.

The US government is increasingly focused on protecting the nation's critical infrastructure (including companies in the communications, energy, financial, and medical industries) from destructive cyber and physical attacks and ensuring security within its own supply chain. Steptoe advises companies that are related to the nation's critical infrastructure as well as those seeking government contracts on the existing legal requirements that govern critical infrastructure protection, as well as on prospective new regulations emanating from Congress and the Executive Branch. Drawing on our experience in government, we also provide strategic counseling on opportunities for security and telecommunications companies seeking to adapt their technologies for use by the Department of Defense, DHS, and law enforcement and security agencies.

In the European Union, the NIS Directive is one set of frameworks targeting key industries (such as finance, insurance, utilities, and transportation) and actors (including digital service providers), and imposing high security thresholds for companies across the supply chain. Steptoe advises organizations to meet these requirements.

Government investigations often require businesses in the technology, communications, e-commerce, Internet service, and financial industries to provide information about their customers and subscribers, thereby forcing them to navigate sometimes conflicting legal obligations arising out of multiple privacy and security laws worldwide. We advise numerous companies regarding law enforcement and intelligence access to communications and information under a variety of applicable laws, including Title III, ECPA, the Communications Act, the Foreign Intelligence Surveillance Act, FCRA, and the USA PATRIOT Act. We also regularly advise companies on compliance with foreign government demands for information. With our extensive government experience, Steptoe lawyers are able to provide direct interface and engagement with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Justice (DOJ), and DHS, as well as state, local, and foreign agencies.

Businesses that are the victims of cyberattacks (whether denials of service, thefts of money or property, espionage, or other malicious acts) also must determine when and how to cooperate with government agencies during investigation of an attack, and how best to do so. The lawyers in our privacy and cybersecurity practice have deep experience, from both government and private practice, in this area, and help companies navigate the often complicated interactions with government agencies.

Additionally, Steptoe's white-collar defense practice is nationally recognized, enabling us to provide both counseling and representation where the threat of prosecution may arise.

Our team has extensive legal and technical experience in data encryption technology, and offers our clients guidance in complying with US and international requirements governing all aspects of encryption, including encryption export and import licensing matters in the United States, France, China, Russia, Hong Kong, and other countries.

Our web-based Country-by-Country Guide to Encryption Regulations is the leading resource on global encryption import, use and export controls, covering more than 130 countries. We counsel both developers and users of encryption products on global licensing and distribution strategies. In addition, we have one of the broadest and most sophisticated public key infrastructure (PKI) practices of any law firm, and are among a very small number of law firms worldwide that regularly practice in this area. Our work includes advising clients on developing and implementing industry PKIs in the insurance, mortgage finance, healthcare, financial services, and natural resources industries. We also advise many clients on developing and implementing enterprise PKI solutions and other secure business solutions that incorporate PKI technology.