Each month, we will feature a Stubbs Alderton & Markiles, LLP practice area to aid our readers in getting to know our firm, and providing insights into these areas of law that may impact your business most often. This month, we put the Spotlight on the Privacy & Data Security Practice team.
Tell us about your background as Privacy & Data Security attorneys. What spurred your interest in this area of practice?
Heather Antoine, Practice Group Co-Chair
I began my journey into privacy and data security law accidentally, when it was still a burgeoning, undefined field. A client inquired as to whether I could provide guidance on privacy issues his company was facing. I hesitated, but he pressed on, commenting, “no one knows what they are doing in this field yet, I’d rather have you learn it.” The skills I used then are the same I use now. These laws are constantly evolving and the ability to learn, and interpret, a new law quickly is both invaluable and essential. This is also what keeps me engaged. The practice of privacy and data security law requires adaptability and creativity. Every business operates differently and requires advice that suits their needs; there is no cookie cutter approach to this practice.
Kevin DeBré, Practice Group Co-Chair
I became a privacy and data security attorney by accident. I was part of the legal team that took Geocities public in 1998. Geocities was a Web 1.0 precursor to today’s social media companies. Two days after its IPO, Geocities was sued by the FTC alleging that Geocities violated its privacy policy and misled consumers by sharing their personal information with advertisers. The company’s share price dropped 15%. It was the first FTC case involving Internet privacy and my first exposure to what would become a new body of law.
I view information and data as a fifth form of intellectual property (the others being patents, copyrights, trademarks and trade secrets). Whether it’s preparing a privacy policy for a website or app, negotiating privacy and data security representations and warranties for the seller in an M&A transaction or advising a client on notifying customers of a security breach, privacy and data security has become a critical component of my practice. And its importance will continue to grow.
I think for me, my interest in privacy and data security was spurred by my interest in technology and the impact it has had in areas like business and communications. In college I studied finance and information systems and after college, I took a job in the technology risk management group of a large global bank. I was responsible for conducting various risk assessments on new applications. It was interesting to be there at a time when the bank was moving toward developing a significantly larger mobile app portfolio. As such, there was a strong emphasis on security and privacy issues. Over the course of my time at the bank, I became more closely involved in regulatory issues that impacted the bank's technology and risk department. I enjoyed the subject matter so much I decided to go to law school and become a technology attorney.
I started my career in Europe working on transatlantic issues. Right around the time I moved back to the United States, the General Data Protection Regulation (GDPR) in Europe was passed, which affected numerous US companies. Because of my transatlantic experience, my practice naturally gravitated to the GDPR and global privacy and technology. I ultimately decided to stay in privacy and technology because it is exciting to be a part of an industry with so much innovation that affects our daily lives on a global scale.
What is the difference between privacy and data security?
The difference is an important one because although they intersect, privacy and data security do not overlap completely.
Privacy is generally viewed as protecting individuals' personal information and the rights individuals have over that information. Privacy laws concern how data is collected, shared, and stored. Privacy laws are typically highly regulatory in nature and include regimes such as the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, the General Data Protection Regulation (EU/EEA), and the Personal Information Protection and Electronic Documents Act (Canada), to name a small few. These laws create a patchwork of overlapping and sometimes contradictory rules for companies to follow.
Data security is generally viewed as a broader term that relates to safeguarding the confidentiality, integrity and availability of information. Data security applies to more than just personal information - it applies to any data that a company may hold, particularly sensitive information like trade secrets or material nonpublic information. Data security standards are often less formally regulated and can vary from industry to industry and state to state. However, in the event of a data breach, the severity of damages, fines, and other remediation measures may be dependent on the data security standards implemented at your business.
Why is it important that I have an attorney draft my company’s Privacy Policy?
One of the most important things about a privacy policy is that it accurately describes your company's practices with respect to the collection, handling and disclosure of personal information. The policy needs to be drafted to not only comply with laws such as the California Consumer Privacy Act, and General Data Protection Regulation, but also be tailored to your company's specific practices. A lawyer can help to ensure your privacy policy does both of these things.
Moreover, we have seen an increased focus on privacy issues over the past decade, which will only grow in the future. There is a real risk when it comes to privacy policies. The first place regulators will often look to evaluate your privacy compliance is your website. Regulators have opened investigations and fined companies for failing to accurately describe the company’s handling of personal information and consumers have filed claims, including class action suits, when companies fail to handle personal information in the manner described in a privacy policy. That said, your privacy policy is just the start. Privacy must be embedded into the company’s IT, marketing practices, and security. Otherwise, it is just window dressing.
If I think there has been a data breach or cyber incident at my company – what are the first steps that I need to take?
This is a tough question to answer as cyber incidents or breaches come in many forms. The most important steps should be taken even before an incident occurs. Companies should be thinking about developing an incident response plan and creating an incident response team – the team may include members from the IT, operations, HR and communications functions as well as a digital forensics team and outside counsel. The company should also test the incident response plan so that when an incident occurs, it is set up to respond quickly and efficiently.
If a company has experienced a breach, one of the first steps is to assemble a team to respond to the incident. For various reasons, this team should include outside counsel. The next steps after that can vary and may require a few different workstreams, including forensics, remediation, developing and updating a communications plan, and assessing legal obligations and notification requirements. In the event of a suspected breach, please do not delay in taking action.
For more information about our Privacy & Data Security practice at Stubbs Alderton & Markiles, contact Heather Antoine at or Kevin Debré at