Our combination of insurance and data protection experience ensures that insurers and their policy holders get the support they need from people who understand the risks and can help manage the exposures.
Our deep team of cyber lawyers relies on decades of experience providing practical, specialized business and compliance advice to insurers and companies in all vertical markets, as well as universities and other institutions. They learn and know the business before advising on data protection, risk mitigation and incident responses that serve all stakeholders.
Our lawyers have a wealth of experience addressing cyber and data incidents, including through our decades of experience working with major insurance companies and corporate policy holders. From phishing and hacking to social media storms and accidental IT failures, we have handled cyber incidents involving loss of data or money and significant business interruption. From first response and regulatory reporting to the resolution of third party claims, we rapidly identify the issues and help manage the exposures to achieve cost effective outcomes.
Our team of privacy and cybersecurity lawyers has advised clients on some of the largest data security breaches in recent years, and works with clients every day to manage compliance and response following information incidents and cyberattacks. Our breach response team offers 24/7 availability and is able to respond to incidents quickly with a well-developed plan. We can also work as part of an existing incident response team. As breach coach, we will work with you and your policy holder to effectively plan for and respond to cybersecurity incidents, retain relevant professionals such as data security specialists, identify and comply with breach notification obligations, manage crisis communications, and minimize future liability and business risk. We also represent clients facing litigation or regulatory actions related to data breaches, including under HIPAA and GDPR.
We have successfully addressed incidents in the finance, professional services, healthcare, retail, manufacturing, technology, non-profit, university, and government sectors, and are adept at working with non-profits and regulated entities that have an additional layer of stakeholders to consider when managing an incident. Whether insider threats, data access or integrity attacks, electronically initiated fraud or traditional computer exploitation and data loss, our team understands that competence, planning, and resilience are critical to successful incident response.
Womble Bond Dickinson’s Privacy and Cybersecurity team includes data generalists and lawyers with a wealth of experience in the healthcare, financial, communications, insurance and retail industries as well as working with universities and government. This team also features a former cybercrime prosecutor of the US Department of Justice with experience investigating and prosecuting cybercrimes.
What we do
- Investigate data incidents and help coordinate the client’s response, preserving privileges and minimizing legal, reputational, and business risk
- Advise on cyber policy coverage
- Manage interactions with regulators and law enforcement
- Ensure compliance with breach notification laws, regulations, system rules and contract obligations, including GDPR and HIPAA
- Devise response plans which benefit both clients and affected third parties
- Create e-discovery strategies including preservation, collection, and review
- Manage and/or represent clients in any litigation, regulatory actions, or other investigations arising out of cybersecurity incidents
- Contribute to a lessons-learned review of the incident to mitigate future risk and minimize legal liability
- Lead data audits and analysis of how data flows and computer systems impact cyber risk and associated legal obligations
- Assist with creation of incident response plans and data policies and procedures
- Draft cyber policy wordings
- Provide data protection and incident response training to executives, risk teams, technologists and client’s employees
- Assist with creation of Incident Response Team
- Facilitate table-top training exercises for IRT, C-Suite and board of directors
- Listen to and advise clients on protections and processes built for the precise needs and obligations of that business
Examples of work
- Improved data resilience for RAI by conducting tabletop exercises and regular team meetings to examine changes in technology and regulation, and to update definitions and policies
- Advised Heartland Payment System in its response to the loss of 130 million credit card data sets
- Successfully represented the State of South Carolina in litigation involving the exposure of six million tax records
- Assisted major public university in recovery from an extensive data exposure incident
- Addressed healthcare vendor data exposures affecting employees and retirees of client companies
- Investigated and advised on liability and recovery actions after £millions were diverted from law firm accounts in phishing scams, leading to significant recoveries
- Advised on email fraud perpetrated on bond broker causing clients' funds to be diverted to fraudsters, and obtained partial recovery from insurance agent
- Advised on hack of insurance broker's email account and on dealing with regulatory action, ensuring compliance while minimizing the profile of the incident
- A national retailer exposed information about tens of thousands of customers on its website during a project to migrate to a new server. Working with the retailer's IT team, we determined what data had been accessed and we advised about notification to the regulator and customers. We also advised on the recovery from a negligent IT contractor
- A major security breach as a result of hard-drives, containing 3,000,000+ banking records, not being securely destroyed. We advised on how to manage the breach, worked with IT forensics to assess the accessibility of the data on the hard-drives and drafted the notification to the ICO. Our client's prompt and comprehensive response, along with the extremely detailed report submitted to the ICO, meant that the ICO took no further action
- A disgruntled employee stole customer data and sent malicious communications to the retailer's customers. We investigated the incident and prepared responses to the ICO's request for information following a customer complaint to the ICO. We also advised on the disciplinary proceedings against the employee and a possible defamation action in relation to the malicious communications
- A large medical training provider suffered a serious email hacking incident. We advised on issues relating to proceedings against the hacker and an IT provider. We also defended an ensuing libel claim
- Client’s HR manager took home HR records (including medical information) about employees and accidentally misplaced them when the records should have been stored in a locked cabinet. We advised on pro-actively notifying the regulator. As a result, the regulator accepted that this was a one-off incident that did not require further investigation.