Notable Representations, Key Contacts
We partner with our clients to develop holistic and tailored strategies to mitigate and address business and legal risks in connection with advising on the privacy and data security aspects of the full range of corporate transactions (in close partnership with Weil’s Private Equity and M&A practice and Technology and IP Transactions practice), defending government investigations and other privacy-related proceedings, counseling with respect to compliance with a broad array of jurisdiction- and sector-specific privacy and data security laws, and coordinating urgent first-responder assistance in the event of a breach.
Recognizing that a cyber- or privacy-related development can expand to encompass a number of other significant legal issues, our practitioners work closely with attorneys in our White Collar Defense, Regulatory and Investigations, Securities Litigation, Complex Commercial Litigation, Business Finance & Restructuring and Employment Litigation practices, among others, to address all aspects of privacy-related risks, including those related to trade secrets theft, funding or financial issues, and disputes with vendors and other third parties.
We also maintain excellent working relationships with public relations and communications firms and other cyber-first responders and forensic experts, as well as insurance carriers and brokers, so that our clients have one-stop access to all of the resources necessary to swiftly address and resolve a crisis situation, should one develop.
Specifically, Weil lawyers routinely work with clients in the following areas:
- Conducting due diligence, drafting and negotiating transactional documents in the context of mergers, acquisitions, and private equity transactions.
- Counseling clients on the data protection and privacy aspects of contemplated or active bankruptcy filings and restructuring, and representing clients in related proceedings.
- Providing comprehensive and/or targeted counseling on compliance with laws governing data privacy and information management, including:
- EU General Data Protection Regulation (GDPR);
- California Consumer Privacy Act (CCPA);
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA);
- U.S. sector-specific data privacy laws, regulations and guidelines, including the Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA), Illinois Biometric Information Privacy Act (BIPA) and other laws related to biometric data, and the Payment Card Industry Data Security Standard (PCI-DSS);
- U.S. marketing laws, such as the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act and the Telephone Consumer Protection Act (TCPA); and
- The full range of state and federal data breach notification laws.
- In connection with compliance counseling, providing services that include:
- Developing data protection and privacy policies and plans;
- Developing and conducting employee training and compliance programs;
- Advising on the implementation of data access and deletion request processes;
- Drafting and negotiating agreements with vendors and suppliers in accordance with laws governing the disclosure and transfer of personal information;
- Addressing data protection issues in the context of outsourced arrangements, including cloud providers and global HR databases; and
- Creating, reviewing and advising clients regarding strategies for international data transfers, including Standard Contractual Clauses, Binding Corporate Rules, and compliance with internationally recognized frameworks such as the EU-U.S. and Swiss-U.S. Privacy Shield Programs.
- Mobilizing and guiding responses to data breaches or other security incidents involving personal information, including working with all stakeholders in connection with internal and external investigations, vulnerability mitigation, notification, and mitigation of reputational damage.
- Representing clients in potential or active adverse postures related to privacy and data security issues, including in government investigations and consumer class action litigations;
- Advising clients regarding privacy issues that may arise in connection with conducting corporate diligence and with undertaking e-discovery in the litigation context (i.e., ensuring compliance with applicable privacy laws is maintained in the population and use of data rooms and e-discovery platforms).
- Weil has counseled on data privacy issues in hundreds of high-value, high-profile technology transactions, including advising:
- Verizon Communications Inc. in its agreement to purchase AOL Inc. for approximately $4.4 billion, in a deal that will further drive Verizon’s LTE wireless video and OTT (over-the-top video) strategy;
- Facebook in connection with privacy issues in its $16 billion acquisition of WhatsApp, a provider of a cross-platform mobile messaging application that allows a client to exchange messages without having to pay for SMS;
- Yahoo! in all technology and IP aspects of its $4.5 billion sale of its operating business to Verizon Communications Inc.;
- Yahoo! in connection with IP and privacy matters in its $1.1 billion acquisition of popular blogging site Tumblr, and its $240 million acquisition of Flurry Analytics;
- eBay on its acquisition of Shutl, the UK-based technology start-up connecting retailers with a network of local same-day carriers to provide a “super-fast” delivery service for consumer goods; and
- Twilio Inc., a cloud communications provider of application programming interfaces (APIs) for communications apps, in its acquisition of Authy, Inc., a provider of Authentication-as-a-Service for large-scale Web and mobile applications.
- In these and other transactions, Weil has advised on data privacy issues across a broad range of technologies, from high tech (Internet of Things (IoT), Global Positioning Systems (GPS), big data and analytics) to the highly-regulated (financial services, consumer credit, and health care), and everything in between (consumer goods, news aggregators, and online music services).
- Weil advised a major NASDAQ-listed media company on privacy issues arising out of its international whistle blowing policy.
- Weil advised a major international investment bank on BYOD issues and related data privacy implications.
- Weil advised Yell.com in the UK on data protection issues.
- Weil advised a major electronics and technology company on privacy issues relating to collection of television viewing data.
- Weil advised a provider of shipping and energy services on the implementation of a compliant employee monitoring policy and procedure. Our advice related to the monitoring of emails and internet usage and concerned employees located in the United Kingdom as well as a number of foreign jurisdictions where local law advice was provided.
- Weil advised a major financial institution on the data protection consideration applicable to a “Bring Your Own Device” scheme, including the recommendation of a number of practical and commercial steps to minimize the risk of a data security breach or other breach of law.
- Weil represents First Data Corp. in a dispute in federal court relating to a credit card payment processing agent’s liability in connection with cyberattacks.
- Weil obtained the dismissal of all claims brought against MovieTickets.com based on allegations that email confirmations sent to customers following their on-line purchase of movie tickets from MovieTickets.com violated the FACT Act by including a credit card expiration date.
- Weil represents Houghton Mifflin in a putative class action in the Southern District of New York alleging violations of the Telephone Consumer Protection Act (TCPA). The plaintiff, a religious entity, alleges that Houghton Mifflin distributed thousands of fax advertisements throughout New York State that were unsolicited and that lacked proper opt-out notices; the plaintiff purports to represent three sub-classes of individuals who received such faxes during a four-year window. The matter is pending.