Cybersecurity & Data Privacy

In the modern economy, businesses and organizations of all sizes must effectively protect and manage information. Nearly every organization has valuable or sensitive information and trade secrets to protect from unauthorized use and disclosure by insiders or outside actors, and companies that store or process third party information (such as payment card information, patient medical records, customer information, user data, personal information, and human resources and employment records) are required to take reasonable measures to safeguard that information. In addition, organizations must comply with a growing number of data privacy laws and regulations at the state, national, and international levels, as well as contractual obligations imposed by business partners, clients, and service providers.

Our cybersecurity and data privacy lawyers work closely with our clients to help them identify, understand, and address the data security and privacy challenges that their organizations face, including guidance regarding compliance with state, federal, and international laws and regulations, industry standards and best practices, and contractual obligations. We are able to provide our clients with a wide range of services to manage their risks related to data loss and security breaches, including risk management counseling, incident response planning, drafting and reviewing policies and procedures, guidance regarding tabletop exercises, training, and breach simulations, and technology contract review and negotiation (including data protection addendums and information security agreements).

When disaster strikes and an organization experiences a security incident, data breach, or data loss, our cybersecurity and data privacy team is ready to lead and guide the organization through the incident response, investigation, and recovery process, including retaining and engaging cybersecurity experts and vendors. We help our clients navigate and comply with their data breach notification obligations under the patchwork of state, federal, and international data breach notification laws, industry regulations, and contracts with third parties.

Our cybersecurity and data privacy practice draws on the breadth of our firm’s other specializations, including intellectual property, technology, employment, health care, and business law, to advise clients throughout Virginia regarding data privacy issues across a broad ranges of industries, and our data privacy attorneys work closely with our Mergers and Acquisitions team to advise clients regarding cybersecurity risks in mergers and acquisitions. Flora Pettit's technology and data privacy attorneys also have extensive experience providing strategic advice and counseling to clients who provide interactive websites, mobile apps, and other internet-based services regarding the design of the services (including "privacy by design" and "security by design" principles) and the drafting of appropriate terms of use (terms of service), privacy policies, acceptable use policies, and other agreements.

Our services include:

  • Cybersecurity and Information Governance. Flora Pettit's cybersecurity attorneys in Charlottesville and Harrisonburg counsel companies regarding cybersecurity best practices and the proactive implementation of policies, procedures, systems, and strategies to safeguard their own information and third party information for which they are responsible. Our attorneys help clients develop and deploy information governance policies and systems to account for data security, data privacy, and contractual and regulatory compliance needs. We work with clients to ensure that appropriate contractual and technical measures are put in place to protect the security and privacy of information for which they are responsible. And when businesses use cloud-based services and other third party service providers, it is important to ensure that the vendor provides adequate protection for the business’s information, and our data security and privacy lawyers regularly review terms of service agreements and privacy policies for our clients. We also advise clients in the software and technology sector regarding privacy by design and the implementation of systems to protect privacy and minimize risks of potential data breaches.

    • Examples of these services include:

      • Incident response planning

      • Drafting and reviewing policies and procedures, including:

        • Incident Response Plans (IRP)

        • Written Information Security Programs (WISP)

        • Information Security Policies, and

        • Disaster Recovery Plans (DRP)

      • Retention of cybersecurity experts and vendors

      • Risk management

      • Guidance regarding tabletop exercises, training, and breach simulations

      • Technology contract review and negotiation, including data protection addendums and information security agreements

      • Assessing cybersecurity risks in mergers and acquisitions

  • Incident Response and Data Breach Notification. When an organization experiences a cybersecurity incident, it must react quickly and our data privacy lawyers regularly lead cybersecurity incident response investigations for our clients. We help organizations navigate the patchwork of state and federal data breach notification laws, industry regulations, and contractual obligations. When an employer experiences a data breach affecting its own employees, we draw on the expertise of our firm’s employment attorneys to address the unique challenges that such a breach creates. For clients in the healthcare industry, we work with our firm’s health care lawyers to address obligations that arise under HIPAA and the HITECH Act (including the Privacy Rule and the Security Rule).

  • Data Privacy. Flora Pettit’s experienced data privacy lawyers in Charlottesville and Harrisonburg counsel clients regarding the wide range of data privacy and security challenges that they face.

    • Our data privacy attorneys regularly counsel clients regarding compliance with a broad range of state and federal laws, including:

      • Virginia Consumer Data Protection Act (VCDPA), the California Privacy Rights Act (CPRA), the

        California Consumer Privacy Act (CCPA), and the state consumer data privacy laws in numerous other states;

      • California’s "Shine the Light" Law;

      • CAN-SPAM Act;

      • Children’s Online Privacy Protection Act (COPPA);

      • Federal Trade Commission Act, Section 5 (prohibiting unfair or deceptive acts or practices in or affecting commerce);

      • Health Insurance Portability and Accountability Act (HIPAA) (and implementing HHS regulations—the Privacy Rule and the Security Rule); and

      • Health Information Technology for Economic and Clinical Health Act (HITECH Act).

    • We also advise clients regarding compliance with international privacy and data protection regulations, such as the EU General Data Protection Regulation (GDPR) and the EU-U.S. Data Privacy Framework (and the former EU-U.S. Privacy Shield).

    • For clients who provide interactive websites, mobile apps, and other internet-based services, our data privacy and technology lawyers provide strategic advice and counseling regarding the design of the services and provide assistance with the drafting of appropriate terms of use (terms of service), privacy policies, acceptable use policies, and other agreements.

    • In addition, we bring our data privacy expertise to bear when conducting due diligence for clients engaged in mergers and acquisitions.

Related Professionals