Bradley’s deep knowledge of, and multidisciplinary approach to, cybersecurity and privacy matters, combined with experience in advising regulated industries, provides our clients with practical, real-life insights and solutions to reduce risk, limit liability, and address their thorniest IT security challenges.

Led by one of the nation’s first board-certified privacy and information security attorneys, our team members have worked both in regulatory agencies and in-house at financial institutions. Our team includes American National Standard Institute (ANSI) certified privacy professionals as well as members of state bar committees who help shape the laws that govern cybersecurity. We leverage this background to provide advice that not only pulls from current legal frameworks but anticipates and adapts to the changing landscape of the business, legal, technology, and regulatory environment in which our clients operate.

Composed of attorneys from various practice groups and that are based in offices in multiple states and the District of Columbia, we quickly and efficiently assemble the right team to provide tailored counsel to clients of all sizes in various industry sectors and regulatory schemes at each point of the data management life cycle. We help our clients keep pace with and look ahead in the rapidly evolving and complex legal world of cybersecurity and privacy.

Bradley’s Cybersecurity & Privacy team is ready to assist our clients at any point in their business cycle. Learn how we can help your business today.

Identify Privacy/Cyber Obligations

Bradley’s Cybersecurity and Privacy team has deep experience in privacy and information security law. Based on a client’s needs, industry, and location, we assemble the right team quickly and efficiently to provide tailored counsel to ensure all legal obligations and compliance requirements are met throughout the data management life cycle.

We counsel our clients in the following federal data privacy requirements:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Computer Fraud and Abuse Act (CFAA)
  • Defense Federal Acquisition Regulation Supplement (DFARS)
  • Federal privacy obligations
  • ADA website compliance

Our team also has deep experience with numerous state laws and privacy requirements related to:

  • Internet of Things (IoT)
  • Commercial websites
  • Consumer data privacy
  • Children’s online privacy
  • e-Reader privacy
  • Biometric data
  • Health data
  • Financial data

We Know the CCPA. Our privacy team is at the forefront of the latest developments and amendments of the CCPA. Our attorneys are thought leaders in this area and regularly speak on CCPA issues at major industry conferences.

We Are Deeply Involved with Our Clients’ CCPA Compliance. We are currently representing a broad assortment of companies across industries with CCPA compliance issues. As the implementation date approaches, CCPA work constitutes a vast portion of the ongoing privacy work for our clients, and we are discussing amendments and new developments with clients on a daily basis.

CCPA Experience

Bradley assists clients with minimizing their exposure under the CCPA in several ways, starting with helping clients analyze their data collection activities to determine whether they are subject to or exempt from CCPA compliance under certain federal data privacy rules. Bradley’s team currently assists many clients with building out enterprise-wide CCPA compliance programs and advising on strategic implementation.

You can view a representative list of companies for which we are currently providing CCPA advice by viewing the team's experience listings.

The General Data Protection Regulation (GDPR) harmonizes EU data privacy laws to protect EU citizens’ data privacy rights and mitigate data breach incidents; regulate organizational data privacy practices; and reflect realities of the current data-driven world. It currently is the most robust data privacy regulation in the world and levies fines accordingly for violators -- up to €20 million or 4 percent of a company’s annual global revenue, whichever is greater. The GDPR also provides for tiered fines based upon multiple compliance violations and applies to both controllers and processors of consumers’ personal data.

The GDPR applies to companies processing personal data of data subjects residing in the EU, regardless of the company’s location, as well as to processing personal data by controllers and processors in the EU, regardless of where the processing takes place. Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU. This has particular significance for U.S. companies that hire employees, contractors, or subcontractors based in an EU nation and applies to all employment-related agreements, policies, and procedures.

Bradley can assist clients in understanding all GDPR requirements and offers a variety of services that will help ensure compliance. We also advise on how to maximize efficiencies and costs when dealing with conflicting privacy laws in multiple jurisdictions.

The members of our health technology and privacy practice have extensive experience in health IT, information security, and privacy, including electronic health records (EHRs), HIPAA, software and technology licenses and lease agreements, data sharing agreements for health information exchanges (HIE), and vendor dispute resolution. We apply our practice to a number of areas, including a broad range of medical privacy and security laws, such as federal and state privacy and security breach laws; outsourcing; and software licensing and other technology transactions on behalf of hospitals, long-term facilities, health plans, health information organizations, physicians, group purchasing organizations, employers, consultants, and technology companies.

Our attorneys are there to assist our clients when potential breach reports come in by providing breach identification, response, and notice to the HHS Office for Civil Rights (OCR) and state agencies as necessary. We stand side by side with our clients to protect their interests, with resources such as onsite education, regulatory advice, and assessment. We also help with the development of policies and procedures on transactional, regulatory, and operational matters related to the HIPAA and HITECH EHR programs and to privacy and security standards. In addition, we counsel healthcare providers on data sharing agreements, consent policies, authorizations, notices of privacy practices, business associate contracts, and health plan certifications.

Risk Mitigation

Bradley collaborates with in-house counsel, privacy officers, risk managers, business units, and data breach responders to develop effective legal solutions for their unique business needs.

Bradley helps clients develop Written Information Security Programs (WISPs) and Incident Response Plans (IRPs). We also offer structured group tabletop simulation – a flexible, cost-effective exercise to test how organizations will respond to a variety of incidents in a controlled way with an emphasis on preparedness and effective communication among various stakeholders. These exercises can be focused on particularly critical areas and reveal problems or deficiencies in response plans before they can do real harm, without any disruption of systems.

We advise businesses on prospective risk avoidance through drafting, reviewing, and analyzing privacy programs, data policies, customer notices and agreements, and third-party service provider contracts. We regularly provide counsel on a variety of privacy and information security risk assessment and mitigation processes, including the identification and detection of, response to, recovery from, and prevention of data security risks. Our lawyers work with clients on internal processes and procedures designed to mitigate cyber risk and privacy threats at all levels of company operations. In addition, we help develop customer-facing privacy policies and disclosures, including website privacy policies and GLBA and FCRA notices. Finally, we assist clients with cybersecurity and privacy compliance requirements from a variety of regulatory bodies on an ongoing basis.

We work side by side with clients to advise on management, oversight, and review of third-party risks. This includes advising on vendor agreements, related regulatory guidance, and requirements for management and oversight of the use of third parties, whether based domestically or abroad.

Our team drafts and negotiates service provider agreements to help clients satisfy regulatory obligations and manage vendor risk, including SaaS, cloud computing, software licensing, bank core outsourcing, payment processing, credit card receivables and securitizations, and other information technology and service provider contracts. We also draft related confidentiality, information security, independent contractor, web development and hosting, and business associate agreements intended to shore up our clients’ ability to protect the privacy and security of their proprietary and customer information. In addition, we advise clients on the management of third-party risk through cyber-insurance coverage.

Our Cybersecurity and Privacy team partners with our corporate and M&A attorneys to provide tailored guidance in contracts, licensing, M&A, due diligence, and transactional matters. This includes identifying any risks or opportunities related to IT security or privacy issues and providing in-depth strategies to use in maximizing deal value or mitigating potential liabilities.

Crisis Assistance

In the unfortunate event of a data breach or cyberattack, we help our clients respond immediately, and we guide and protect them through the ensuing recovery and resiliency stages, including investigation, reporting, and disclosure, as well as assisting with public relations, law enforcement, and liability exposure.

Bradley vigorously advocates for our clients at each point in the process and aggressively defends against any claims or actions arising from a breach. We help our clients navigate responses to a variety of breaches, such as third-party hacks; fraudulent electronic transactions; theft or loss of databases, laptops or mobile devices; and a variety of attacks, such as phishing, ransomware and other malware

Our team has significant experience assisting clients in response to external regulatory inquiries. In the event that compliance issues are identified, whether internally by a provider or externally by a civil or criminal investigation, we help scrutinize the matter and resolve any problems with efficiency and integrity. Our multidisciplinary legal team of regulatory professionals and seasoned litigators works with clients to conduct internal investigations to discover whether a violation has occurred. In the event of  noncompliance, we help determine whether self-disclosure and repayment are required, and negotiate settlements with government agencies. Bradley also has a strong track record of defending clients against civil and criminal government investigations.

Our team has deep litigation experience in federal and state courts with data breach and other privacy-related litigation, such as biometric data, contract claims, data breach, ADA website compliance, unfair or deceptive trade practices, and other statutory and common law claims, on both an individual and class action basis. This includes working closely with Bradley’s Class Actions team, which has handled a full range of privacy, information security, and data breach claims commonly asserted on a class basis in notorious class action venues and in courts in more than 30 other states around the country. Our lawyers have successfully obtained early dismissals, summary judgments, favorable individual settlements, and denials of class certification for hundreds of clients in a variety of industries, including mortgage servicing, financial services, pharmaceuticals, retailing, manufacturing, and more