Data Privacy and Security

Click here to listen to Prince Lobel’s Data Privacy team discuss the importance of safeguarding company information.  From an internal Prince Lobel webinar.



Our Data Privacy and Security Group brings a multi-disciplinary approach to the protection, regulatory compliance, and monetization of our clients’ data practices and assets. Our attorneys draw upon their broad and diverse experience across various industries, including information technology, advertising and marketing, banking and financial services, payments, life sciences and health care, nanotechnology, public policy, non-profits and charities. We partner with clients to develop effective data privacy and security strategies, facilitate compliant processing, licensing, and data transfers, and coordinate and manage data breach or data incident responses. We assist our clients with any regulatory inquiries or enforcement actions, and defend them in private civil litigation, including putative class action litigation. Our industry-specific expertise enables us to take into account an organization’s business needs to bring data processing activities into compliance with federal, state and international laws, implement industry “best practices”, and add value to the overall privacy program.

The increasing sophistication of data-driven technology and new business models must confront a complex legal and regulatory regime that requires careful analysis for any organization wishing to protect and capitalize on its data assets. Prince Lobel’s team will guide your organization through a data-mapping process to identify your assets, conduct risk and vulnerability assessments, review your data privacy and security policies and procedures, and structure a program to optimize value and implement legal and regulatory compliance. This includes providing strategic advice regarding product development, data processing, and data-sharing agreements, as well as vendor and customer contract review and third-party contract privacy and security compliance. We also advise clients on appropriate risk management and risk transfer strategies, including counseling on cyber insurance coverage assessments and cyber insurance policy guidance amidst a complex array of insurance agreements.


The Data Privacy and Security group advises clients on business compliance requirements in several industries whether they are local, national, or global. These include laws and regulations such as:

  • The rules and regulations of the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), U.S. Securities & Exchange Commission (SEC), and Financial Industry Regulatory Authority, Inc. (FINRA)
  • The Gramm-Leach-Bliley Act of 1999 and related rules and regulations
  • The California Consumer Privacy Act (CCPA) and The California Privacy Rights and Enforcement Act (CPRA)
  • The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the underlying Privacy, Security, and Breach Notification Rules
  • The Health Information Technology for Economic and Clinical Health Act (HITECH)
  • The General Data Protection Regulation (GDPR)
  • Data security law and regulations in Brazil, Singapore, Hong Kong, Russia, and the APEC Cross-Border Privacy Rules (CBPR) System
  • Regulations of the United Kingdom’s Financial Services Agency
  • EU Payment Services Directive
  • The US-EU Privacy Shield Framework, Post-Schrems II and the several model Standard Contractual Clauses (SCCs)

Additional services provided by the Data Privacy and Security Group include the following:

  • Advising clients on industry “best practices” for data privacy preservation and protection in support of corporate risk management and compliance programs
  • Consultation on implementation and updating of current Privacy-by-Design in accordance with applicable law and regulatory guidance
  • Advising, structuring, and negotiating complex deals involving Advertising & Marketing Technologies (“AdTech & MarTech”) and the applicable compliance issues when processing data using AdTech & MarTech
  • Counseling clients regarding the impact of data privacy on marketing and advertising strategies and deployment, including online behavioral advertising, cross-device tracking, geolocation issues, and direct marketing
  • Negotiating and structuring agreements and transactions involving data transfers, sharing, licensing and sales
  • Advising clients on compliance with cybersecurity laws, domestic policy directives, and the utility and process for obtaining desired Privacy and Security Certifications
  • Review and negotiation of Cyber liability insurance policies and coverages
  • Providing training and compliance guidance with the Written Information Security Plan (WISP) requirements of Massachusetts and with other similar state laws
  • Drafting and updating HIPAA policies and procedures, including review and negotiation of Business Associate Agreements (BAAs) for providers and providers’ personnel and contractors
  • Representing clients that have experienced potential or actual security breaches themselves, or through their vendors and service providers, regarding:
    • Notification Requirements under applicable breach notification laws
    • Forensic Investigation of potential or actual security breaches
    • Communication and Cooperation with Federal, State, Local, Law Enforcement and other Investigative personnel
    • Support of crisis response efforts including customer relations guidance, call center establishment, and public relations and crisis communications

For more information please contact Data Privacy and Security co-chairs Bill Rogers or Peter McLaughlin, or any member of our team.