Information Security and Data Breaches
Our lawyers have significant experience with cutting-edge information security issues from both a counseling and litigation perspective. Our extensive practice for technology-focused companies has allowed us to build a depth of knowledge about the rapidly evolving legal standards for information security arising throughout the United States – at the federal and state level – and in the EU.
Sidley frequently advises companies who are assessing, responding to and litigating over breaches of information security. Sidley advises clients in industries such as financial services, healthcare, communications, consulting, travel and leisure and transportation, in connection with investigating and responding to data breaches and information security incidents. These representations have included interaction and advocacy before federal and state regulators and the Federal Trade Commission. This work tends to be confidential unless litigation is filed, a public settlement is announced or data breach notice obligations are triggered.
Sidley has closely followed and helped to shape the development of law in this area as courts have sought to assess whether the mere fact of a data breach – in the absence of actual identity theft or other concrete and particularized harm – is sufficient to establish the harm element of the cause of action and/or to support standing. For example, Sidley represented a financial services company in a significant data breach that is often cited for the precedent that loss or theft of personal data that involves no more than a speculative threat of invasion of privacy, identity theft or fraud does not state a claim and is not justiciable.
Whether advising on the formulation of data breach response policies or in the application of the policy after an information security incident, Sidley has the experience to rapidly address all of the major issues presented by a data breach including the assessment of the extent and nature of the breach, the requisite notifications, development of appropriate documentation, crisis communication management and the preparation for potential litigation.