A Data Security and Privacy Orientation for Deal Lawyers
It has become increasingly necessary for deal lawyers, including those not specializing in data privacy or security, to have at least a high-level understanding of the laws and best practices around these topics.
June 12, 2015 at 05:20 PM
5 minute read
This is part of a series of articles on transactional contracts issues by Prof. Michael L. Bloom and students in the Transactional Lab at the University of Michigan Law School.
In today's hyper-technical world, more and more businesses are required, whether by law or contracts incorporating industry standards, to provide some level of security for sensitive data and other information under their control. In addition, recent high-profile data breaches have elevated data security and privacy to top-of-mind status for businesspeople and lawyers alike. Accordingly, it has become increasingly necessary for deal lawyers, including those not specializing in data privacy or security, to have at least a high-level understanding of which laws may be governing and what industry publications are leading sources of best practices.
You Might Not Have to Reinvent the Wheel
An important start in orienting to the world of data privacy and security is realizing that there are published and widely followed industry standards for data protection and privacy. There are two main types of published standards: (1) statutory law and (2) third-party publications.
These provide substantive guidance for understanding what protocol and practices are expected for compliance with industry standards. In addition, deal lawyers may consider incorporating third-party publications by reference into their agreements, if seeking counterparty compliance with good data security practices.
Statutory Data Security and Privacy Laws
Some primary sources of data security and privacy laws include:
|- U.S. federal law, such as the Health Insurance Portability and Accountability Act (HIPAA), regulating certain health-care providers, health-care clearinghouses and health plans' handling of health information; and the Gramm-Leach-Bliley Act, regulating financial institutions' handling of sensitive data.
- U.S. state laws that regulate the handling of personally identifiable information (i.e., information that can be used to identify an individual) and notification upon data breaches.
- Non-U.S. regulation, such as the European Union Data Protection Directive, which regulates the collecting and processing of personally identifiable information stored in the European Union.
In the U.S., much of data security and privacy law is state law. Most state data privacy laws cover requirements for responding to unauthorized access to personally identifiable information. A few states, such as Massachusetts, Texas, and California, have implemented requirements for implementing security procedures to protect personally identifiable information. See 201 Mass. Code Regs. 17.00 – 17.05 (2013); Tex. Bus. & Com. Code Ann. § 521.052 (West 2013); Cal. Civ. Code § 1798.81.5(c) (Deering 2013).
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
New Merger-Review Process Could Doom Some Deals, Add Headaches, Subjectivity to Others
7 minute read
FTC Bans Exec From Chevron Board—Exercising Authority It Doesn't Have, GOP Dissenters Say
5 minute read
$5.3 Billion Sale of MotoGP's Parent Hammered Out by Lawyers From Around Globe
Trending Stories
- 1'Erroneous Assumption'?: Apple Challenges DOJ Antitrust Remedy in Google Search Monopoly Case
- 2A Jury to Determine Whether Stairs Were Defectively Designed in Injury Case, State Appellate Court Rules
- 3Baker & Hostetler Names 24 New Partners
- 4Test
- 5Am Law 200 Firm Steps In to Defend Boston Transportation Company in Trademark Dispute
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
