Data Privacy and Protection

Shipman & Goodwin’s Data Privacy and Protection Practice Group holds a unique position among cybersecurity teams. Taken together, our group has extensive, first-person experience in each of the key domains —privacy and technology law, law enforcement and in-house corporate leadership — necessary to mount an effective defense against and response to data breaches, information theft, cyberterrorism and related threats; ensure compliance with the rapidly growing matrix of data privacy and notification laws; and enable businesses to pursue market growth and innovation.

Drawing on our blend of legal, law enforcement and industry experience, we guide clients across sectors and jurisdictions through each step of the data privacy and protection lifecycle, from initial information collection, management, protection and disposal, through regulatory compliance, to post-breach responses, notifications and litigation. Our practice is national; we represent clients across the United States — from New England to Silicon Valley — as well as multinational corporations with a truly global footprint.

Legal and Technological Acumen

Our data privacy lawyers are well-versed in the underlying technologies that have contributed to today’s business growth as well as the global, national and local legal frameworks being developed to regulate these tools and platforms. For example, practice co-chair William Roberts has advised clients in more than 100 national and international data breach matters and is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP). He has extensive experience with the specific privacy and security challenges faced by health care providers, insurance technology (InsurTech) and financial technology (FinTech) companies. He also has advised numerous other public and private entities, including startups and Fortune 50 companies, operating in the manufacturing, software and hardware, mobile application development, education and other sectors.

Law Enforcement Experience

Prior to joining the firm, practice co-chair George Jepsen served for eight years as Connecticut’s Attorney General and partner Perry Zinn Rowthorn served for five years as the state’s Deputy Attorney General. During their tenure in that office, they made the pursuit of data privacy and protection matters one of their top priorities. Among other initiatives, they collaborated on the development of an innovative Privacy Task Force that became the Connecticut Privacy & Data Security Department. Partner Matt Fitzsimmons served as head of the department, the first such organization within a state attorney general’s office in the nation. That department led nationwide multi-state investigations into a number of the nation’s largest data breaches, resulting in sizeable settlements. Their work in office was as cooperative as it was adversarial: they met regularly with business leaders to establish practical, enforceable privacy best practices and standards and continue to advise industry groups on data security matters.

In-House Corporate Leadership

After co-leading national, bipartisan multistate investigations by the Connecticut Attorney General’s office into many of the country’s most severe data breaches, in 2017 Matt Fitzsimmons joined global health service company, Cigna. There, he served as the company’s U.S. Privacy Officer and lead cybersecurity counsel. In this role, Matt gained an in-depth, firsthand understanding of the daily challenges and strategic goals of businesses for which information is a core asset. Among other initiatives, he provided guidance on privacy aspects of the company’s acquisition of Express Scripts. Drawing on his law enforcement and in-house perspectives, Matt offers clients clear, actionable guidance that enables them to maximize the utility of their information assets and develop new technologies, products and services, while protecting the privacy of individuals and the security of proprietary data.

Our approach is proactive and comprehensive. We provide client-tailored guidance in the following:

Data Management and Protection. We counsel clients on all issues related to appropriately safeguarding data during collection, storage, maintenance and disposal, including:

• Data privacy and protection audits and risk profiles
• Strategies to build efficient privacy infrastructures
• Developing and documenting company data privacy and protection policies
• Retention, destruction and e-discovery of documentation
• Employee records
• Employee use of email and social media tools
• Licensing and data-sharing agreements

Regulatory Compliance. We work with clients to develop compliance programs to protect the confidentiality of data and spot potential issues, including development and maintenance of compliance hotlines and training of privacy and security officers, as well as staff and employees. We also advise clients on the full spectrum of applicable privacy laws and regulations, including:

• HIPAA/HITECH
• Gramm-Leach-Bliley Act (GLB)
• Telephone Consumer Protection Act (TCPA)
• EU General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• New York Department of Financial Services (DFS) Cybersecurity Regulation
• Children’s Online Privacy Protection Act (COPPA)
• Federal Trade Commission Act (FTCA)

Data Breaches and Investigations. Our team has extensive experience handling all aspects of national and international data breach matters and other security incidents, including:

• Whistleblower and internal investigations
• Post-breach notifications
• Cooperation with federal and state agency investigations, including with the U.S. Department of Health & Human Services (HHS), the Office for Civil Rights (OCR), the Federal Trade Commission (FTC), state attorneys general and state departments of insurance
• Privacy litigation in federal and state courts