Cybersecurity & Data Privacy

We’re a team of privacy wonks and security experts who look locally and globally for data driven risk.  We combine the nimble energy and innovation of a startup with the experience and resources of a 128+ year old law firm. 

Whether responding to a data breach, building a privacy program, negotiating tech-centric issues in contracts, or guiding a company through a regulatory investigation the Woods Rogers Cybersecurity & Data Privacy team assists clients in navigating the increasingly complex landscape of data privacy and cybersecurity laws to help develop value-maximizing business strategies.

We possess an exceptionally wide range and depth of experience in the areas of data privacy and cybersecurity matters across sectors such as energy, healthcare, technology, manufacturing, local government, government contracting, and financial services. We often work with businesses building emerging technology and have experience working with artificial intelligence (AI), autonomous vehicles and drones, biotech, and software built on blockchain.

We understand what it takes to protect data across your business and know how to navigate from the server room to the boardroom. 

How We Help

Here are a few examples of how we help businesses with cybersecurity and data privacy risk: 

• Reviewing technology contracts, including negotiation of complex data protection addendums and information security agreements
• Planning for and responding to data security incidents, including the entire notification process from individual notices to 8-K public disclosures
• Drafting and reviewing website privacy policies and procedures, including cookie compliance and ad tech concerns 
• Drafting cybersecurity policies to effectively manage cyber-related risk, including in the context of SEC related disclosures
• Reviewing cybersecurity insurance policies and providing relevant counsel, including incident concierge advice to help businesses navigate the complex arena of incident response vendor selection  
• Determining whether personal data is “sold” or “shared” in nuanced compliance scenarios  
• Reviewing and responding to data subject/consumer access requests  
• Drafting and reviewing transfer impact assessments and data protection impact assessments
• Assessing risk in mergers and acquisitions, including drafting cyber/privacy representations and warranties related to acquisitions and assisting counsel with privacy related diligence review  
• Advising on Payment Card Industry (PCI) Compliance, including card manufacturer-based compliance obligations  
• Advising on regulatory compliance concerns, including obligations under numerous federal, state, and international laws including but not limited to GLBA, HIPAA, GDPR, NERC-CIP, CCPA/CPRA, and CDPA 
• Assisting publicly traded companies in their risk factor determinations and notification obligations in their 10-Qs or with urgent 8Ks. 

What Sets Us Apart

The Woods Rogers Cybersecurity & Data Privacy Team stands out from other law practices due to our extensive experience, responsiveness, subject matter expertise and thought leadership.  Our entire core attorney team is certified by the International Association of Privacy Professionals (IAPP), including Certified Information Privacy Managers (CIPM), a Privacy Law Specialist (PLS), and multiple Certified Information Privacy Professionals versed in both U.S. and international data privacy laws and regulations including Europe. In addition, a member of our team is designated as a Certified Information Systems Security Professional (CISSP). Another member of our team is Certified in Healthcare Privacy Compliance (CHPC) by the Health Care Compliance Association.

Data Privacy

Whether it’s considering a new data privacy law or applying existing regulations to new technologies (such as artificial intelligence), the Woods Rogers Cybersecurity & Data Privacy team helps clients by analyzing and offering salient guidance on novel and complex data privacy issues. We tailor our advice and guidance to meet the unique needs and priorities of your organization. Our objective is to assist you in reducing your company’s data privacy exposure and accomplishing key business objectives. For example, we regularly help examine clients’ vendor management processes to ensure that appropriate steps are in place to assess data privacy and security risk in the client’s supply chain.

Our team is also well versed in drafting, negotiating, and reviewing our client’s third-party vendor agreements, including cross-border data processing addendums, data sharing agreements, and global supply chain contracts. In addition, we assist clients with the handling of outsourcing transactions and ongoing contract governance. Other examples of data privacy matters we manage on a regular basis include:

• The development and implementation of privacy and security policies in accordance with applicable laws and business objectives.
• Conducting compliance and due diligence investigations for acquisitions and investments.
• Representing clients in regulatory investigations and litigation.
• Identifying and implementing solutions for complex cross-border data flows.
• Providing guidance on company-wide compliance, risk management, and business strategy in the areas of data privacy and governance.

Advising businesses on compliance with domestic and international data privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), California Consumer Privacy Act (CCPA). the New York Department of Financial Services Cybersecurity Regulations, the Illinois Biometric Information Protection Act, and the General Data Protection Regulation (GDPR) in the EU and UK. We also advise on compliance with federal consumer privacy regulations, including requirements under the FTC Act, HIPAA, FCRA, GLBA, CAN-SPAM, COPPA, FERPA, VPPA, TCPA, and so forth.

Incident Response and Data Breach Management

When you are confronted with a significant cyber incident, every moment counts. From pulling together the professional teams you need to working with law enforcement to notifying affected individuals, relevant state and federal agencies and departments, and the media, the Woods Rogers Cybersecurity & Data Privacy team knows how to help. We stand ready with 24/7 support and counsel. Email us at incidentresponse@wrvblaw.com if you need support during a cyber incident.

If your organization is impacted by a significant cyber incident, our team provides end-to-end support, with the help of a trusted network of renowned forensic experts. In responding to a cyber incident, our team will proactively and efficiently work to take the following remedial actions:

• Preserve legal privilege and other protections through the oversight of communication channels and retaining independent experts to maintain the confidentiality of sensitive information in the event of future litigation or enforcement proceedings.
• Investigate the incident and collaborate with both internal and external stakeholders, with the goal of fully understanding the scope and impact of the incident.
• Ensure the investigation is conducted in a legally defensible manner.
• Ensure effective communication with the media, vendors, customers, regulators and internal staff, by helping to manage communication lines and maintain clear, consistent messaging, to minimize the possibility of legal or reputational risk.
• Manage notice obligations and coordinate notifications under relevant statutory, regulatory, and contractual frameworks.
• Manage the increasingly demanding, intricate, and often conflicting requirements to notify authorities at the state and federal level.
• Incorporate lessons learned into cybersecurity preparedness policies and programs.

In addition to helping clients in the midst of a cyber incident, the Woods Rogers Cybersecurity & Data Privacy team regularly works with boards, C-level executives, and management teams to identify, assess and prepare for cyber risks before a ransomware attack or other breach occurs. For example, we offer the following preventative cybersecurity services to clients:

• Develop custom incident response plans and cyber legal playbooks to implement throughout the organization, including a robust governance framework.
• Conducting gap assessments to identify weaknesses and ensure the company’s current practices are in line with cybersecurity best practices.
• Develop and facilitate realistic cyber “war games” and tabletop exercises to assess and enhance the organization’s level of preparedness and resilience for an actual incident and inform potential updates to its incident response plan and playbook.
• Collaborate with insurers, drawing on our extensive experience with leading cyber insurance brokers and carriers, to support clients as they prepare for and respond to cyber incidents.

Artificial Intelligence

The Woods Rogers Cybersecurity & Data Privacy team can provide strategic guidance related to AI system development and deployment. We possess a deep knowledge of policy and regulatory activity paired with a close familiarity of AI technology and novel legal issues. We advise clients ranging from startups to critical infrastructure providers to government contractors on legal and regulatory risks associated with the privacy, safety, security, fairness, transparency, and accountability in the deployment of AI systems and applications. We can assist in developing corporate policies, principles, and governance approaches for organizations implementing AI systems and applications, including public companies.

Our team also advises clients on legislative and enforcement developments, along with guidance on AI-based algorithmic decision-making. In addition, we have the capacity to advise clients on intellectual property considerations in the development and deployment of AI systems and applications.

We have a deep bench of experience in the privacy and cyber field, with our core team devoting 100% of its practice to this space.  Below are a few examples of how we assist our clients:

• Drafted a streamlined information security and data protection addendum for a Fortune 200 manufacturing company for use globally.
• Drafted the cross-border data transfer agreements and transfer impact assessments for a Fortune 200 manufacturing company with more than 250 legal entities across 35 countries.
• Collaborated with in-house counsel of a Fortune 200 company to design and implement a privacy program across the parent company and all subsidiaries.
• Served as local North American privacy counsel to a Fortune 200
• Represented an agricultural distribution company with operations in eleven states during a ransomware attack from the same cyber gang involved in the Colonial Pipeline attack.
• Represented a publicly traded bank during its investigation into several cyber incidents stemming from cyber-crime perpetrated against the bank including working with the Office of the Comptroller of the Treasury.
• Conducted an in-depth review of cyber insurance coverage for a publicly traded high technology manufacturer.
• Engaged a cybersecurity incident response team and took quick action to contain the threat, secure systems, and restore affected servers for a city police department that was the victim of a ransomware attack.
• Designated as cybersecurity and privacy panel legal counsel for VACorp, which insures local government entities and agencies in the Commonwealth of Virginia. We also provide legal counsel to government entities in West Virginia, Washington (state), and Oregon.