To address this complex and rapidly evolving area of the law, Foley has formed the Privacy, Security & Information Management (PSIM) Practice, whose members have significant experience with counseling clients in the health care, financial services, online, and telecommunications industries. Several members have authored definitive treatises on the subject, and we count as a member the former general counsel and chief of staff for the House Judiciary Committee, who helped shape the USA PATRIOT Act, the Health Insurance Portability and Accountability Act (HIPAA), the CAN-SPAM Act of 2003, and recent amendments to the Computer Fraud and Abuse Act.

A Proactive Approach to Privacy, Security, and Information Management
Foley draws on a multidisciplinary team to assist clients with developing and implementing policies to address privacy, security, and information management risks. Examples of our experience include:

• Advising companies regarding Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA), and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)
• Providing guidance regarding international privacy and security issues, including implementing Safe Harbor, Binding Corporate Rules (BCRs), and Model Contract compliance programs
• Counseling clients regarding health information security and privacy issues, including HIPAA compliance, health record interoperability, and compliance with state health privacy laws
• Conducting security and privacy audits and assessments, including implementing incident response plans
• Advising clients regarding behavioral advertising
• Counseling clients regarding notice of security breach laws and coordinating incident responses
• Advising companies regarding privacy and data transfer issues in conjunction with mergers and acquisitions
• Conducting internal investigations regarding theft of trade secret and other proprietary information or data
• Advising clients regarding compliance with the Electronic Communications Privacy Act (ECPA) and analogous state laws, including counseling clients regarding monitoring and disclosure of customer, subscriber, and employee communications
• Assessing liability under the Computer Fraud and Abuse Act (CFAA) and state legislation related to misuse of networks, e-mail issues, “scraping,” improper linking, and intellectual property and trade secret infringement
• Providing guidance regarding the Controlling the Assault of Non-Solicited Pornography Act (CAN-SPAM), state spam laws, Do-Not-Fax and Do-Not-Call regulations, and related advertising issues
• Advising regarding compliance with the Children's Online Privacy Protection Act (COPPA)
• Counseling regarding the burdens imposed by identity theft statutes
• Advising clients regarding online gaming issues
• Counseling clients regarding pretexting liability and managing investigations to avoid liability
• Drafting terms of use and acceptable use policies (AUPs) for Web sites and Internet Service Providers (ISPs)
• Advising regarding marketing and other joint venture agreements that implicate data transfer issues and security restrictions on marketing activity
• Drafting Internet-based privacy policies
• Counseling clients on data security and destruction policies and concerns
• Advising regarding digital rights management and spyware issues

When Prevention Is Not Enough
Increased focus on information security and privacy concerns has resulted in an increase in the number of lawsuits filed on behalf of consumers whose data has been compromised. In those situations, count on the experience of the Litigation Department members who are part of our Privacy, Security & Information Management Practice. Our seasoned litigators are well-versed in the intricacies of privacy and security litigation brought by private plaintiffs and in class-action matters, including:

• An action brought by then New York Attorney General Eliot Spitzer arising out of the alleged improper sending of commercial e-mails
• The first action brought by the California Attorney General alleging a violation of the federal Do-Not-Call Act and California's Unfair Competition Law
• Actions arising from alleged violations of identity theft laws
• Responding to subpoenas and other governmental requests for information
• Actions under California's Unfair Competition Law and the Consumer's Legal Remedies Act (CLRA), which frequently serve as the basis for class action consumer claims, including privacy and security litigation
• Actions alleging intentional infliction of emotional distress (IIED) and invasion of privacy claims
• Litigation related to spyware
• Electronic discovery issues
• Internal investigations and law enforcement referrals related to security breach and privacy violations
• Discovery issues related to class action lawsuits
• Discovery issues related to privacy and disclosures of information, including disclosure of telephone, HIV, medical and financial records, and Digital Millennium Copyright Act (DMCA) requests

Developing Records Retention Policies to Mitigate Risk
The sheer quantity of an enterprise's digital records requires carefully crafted policies that define how information should be managed, preserved, and deleted. The lack of a robust record retention policy can expose an organization to new risks in an increasingly digital business environment.

Foley's proactive approach can help clients determine whether their data management policies are in compliance with the growing body of data security and privacy legislation. We routinely counsel clients on the emerging issues in privacy, security, and information management and create policies designed to help protect our clients from liability.