Each month, we will feature a Stubbs Alderton & Markiles, LLP practice area to aid our readers in getting to know our firm, and providing insights into these areas of law that may impact your business most often. This month, we put the Spotlight on the Privacy & Data Security Practice team.
Heather Antoine, Practice Group Co-Chair
I began my journey into privacy and data security law accidentally, when it was still a burgeoning, undefined field. A client inquired as to whether I could provide guidance on privacy issues his company was facing. I hesitated, but he pressed on, commenting, “no one knows what they are doing in this field yet, I’d rather have you learn it.” The skills I used then are the same I use now. These laws are constantly evolving and the ability to learn, and interpret, a new law quickly is both invaluable and essential. This is also what keeps me engaged. The practice of privacy and data security law requires adaptability and creativity. Every business operates differently and requires advice that suits their needs; there is no cookie cutter approach to this practice.
Kevin DeBré, Practice Group Co-Chair
I became a privacy and data security attorney by accident. I was part of the legal team that took Geocities public in 1998. Geocities was a Web 1.0 precursor to today’s social media companies. Two days after its IPO, Geocities was sued by the FTC alleging that Geocities violated its privacy policy and misled consumers by sharing their personal information with advertisers. The company’s share price dropped 15%. It was the first FTC case involving Internet privacy and my first exposure to what would become a new body of law.
I view information and data as a fifth form of intellectual property (the others being patents, copyrights, trademarks and trade secrets). Whether it’s preparing a privacy policy for a website or app, negotiating privacy and data security representations and warranties for the seller in M&A transaction or advising a client on notifying customers of a security breach, privacy and data security has become a critical component of my practice. And, its importance will continue to grow.
I think for me, my interest in privacy and data security was spurred by my interest in technology and the impact it has had in areas like business and communications. In college I studied finance and information systems and after college, I took a job in the technology risk management group of a large global bank. I was responsible for conducting various risk assessments on new applications. It was interesting to be there at a time when the bank was moving toward developing a significantly larger mobile app portfolio. As such, there was a strong emphasis on security and privacy issues. Over the course of my time at the bank, I became more closely involved in regulatory issues that impacted the bank's technology and risk department. I enjoyed the subject matter so much I decided to go to law school and become a technology attorney.
Mallory Petroli:
I started my career in Europe working on transatlantic issues. Right around the time I moved back to the United States, the General Data Protection Regulation (GDPR) in Europe was passed, which affected numerous US companies. Because of my transatlantic experience, my practice naturally gravitated to the GDPR and global privacy and technology. I ultimately decided to stay in privacy and technology because it is exciting to be a part of an industry with so much innovation that affects our daily lives on a global scale.
The difference is an important one because although they intersect, privacy and data security do not overlap completely.
Privacy is generally viewed as protecting individuals' personal information and the rights individuals have over that information. Privacy laws concern how data is collected, shared, and stored. Privacy laws are typically highly regulatory in nature and include regimes such as the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, the General Data Protection Regulation (EU/EEA), and the Personal Information Protection and Electronic Documents Act (Canada), to name a small few. These laws create a patchwork of overlapping and sometimes contradictory rules for companies to follow.
Data security is generally viewed as a broader term that relates to safeguarding the confidentiality, integrity and availability of information. Data security applies to more than just personal information - it applies to any data that a company may hold, particularly sensitive information like trade secrets or material nonpublic information. Data security standards are often less formally regulated and can vary from industry to industry and state to state. However, in the event of a data breach, the severity of damages, fines, and other remediation measures may be dependent on the data security standards implemented at your business.
One of the most important things about a privacy policy is that it accurately describes your company's practices with respect to the collection, handling and disclosure of personal information. The policy needs to be drafted to not only comply with laws such as the California Consumer Privacy Act, and General Data Protection Regulation, but also be tailored to your company's specific practices. A lawyer can help to ensure your privacy policy does both of these things.
Moreover, we have seen an increased focus on privacy issues over the past decade, which will only grow in the future. There is a real risk when it comes to privacy policies. The first place regulators will often look to evaluate your privacy compliance is your website. Regulators have opened investigations and fined companies for failing to accurately describe the company’s handling of personal information and consumers have filed claims, including class action suits, when companies fail to handle personal information in the manner described in a privacy policy. That said, your privacy policy is just the start. Privacy must be embedded into the company’s IT, marketing practices, and security. Otherwise, it is just window dressing.
This is a tough question to answer as cyber incidents or breaches come in many forms. The most important steps should be taken even before an incident occurs. Company's should be thinking about developing an incident response plan and creating an incident response team – the team may include members from the IT, operations, HR and communications functions as well as a digital forensics team and outside counsel. The company should also test the incident response plan so that when an incident occurs, it is set up to respond quickly and efficiently.
If a company has experienced a breach, one of the first steps is to assemble of team to respond to the incident. For various reasons, this team should include outside counsel. The next steps after that can vary and may require a few different workstreams, including forensics, remediation, developing and updating a communications plan, and assessing legal obligations and notification requirements. In the event of a suspected breach, please do not delay in taking action.
For more information about our Privacy & Data Security practice at Stubbs Alderton & Markiles, contact Heather Antoine at or Kevin Debré at
Stubbs Alderton & Markiles attorneys Mallory Petroli and Heather Antoine were featured in the Daily Journal for their article "CCPA Enforcement and Final Regulations." Since the California Consumer Privacy Act went into effect on Jan. 1, many businesses have been eager to receive the promised accompanying regulations. Without the final version of regulations, varying interpretations of the CCPA, and the need to revise policies and procedures on a rolling basis, have been quite burdensome. But the wait is over.
To read the full article "CCPA Enforcement and Final Regulations” visit here.
Mallory Petroli is an Associate in the Firm’s Privacy & Data Security and Intellectual Property & Technology Transactions practice groups. Mallory’s practice focuses on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. She focuses on these issues in the context of: (i) advisory matters, such as new privacy and security laws and regulations around the globe (e.g. GDPR, CCPA, COPPA, PIPEDA, GLBA and others) including the enforcement of foreign judgments, as well as (ii) domestic and international technology transactions related to IoT, blockchain, mobile, cloud, data monetization, and other initiatives, including mergers & acquisitions, sourcing, distributor, business partner, and other third party arrangements. Mallory also counsels companies in crisis matters, such as data security events, regulatory and governmental inquiries related to privacy and security issues, internal investigations, litigation-related matters, and prevention measures. Mallory also regularly assists clients on transactional intellectual property matters such as structuring and negotiating technology commercialization deals and IP license agreements. These include strategic alliances, research and development collaborations, trademark licensing and brand merchandising agreements and manufacturing, distribution and marketing arrangements.
Heather A. Antoine is a Partner and Chair of the Firm’s Trademark & Brand Protection practice and Co-Chair of the Privacy & Data Security practice group. Heather’s practice focuses on protecting a company’s intellectual property; a fundamental feature of every business. Heather’s practice includes trademark clearance and selection, domestic and foreign trademark prosecution, enforcement, proceedings before the Trademark Trial and Appeal Board (TTAB), licensing, trade secret protection, copyright, rights of publicity, domain names disputes, and general client counseling. Heather believes in supporting companies at each stage – from due diligence when choosing a name, to ongoing brand management, to ensuring portfolios are safeguarded and ready for sale. Heather is also focused on guiding businesses through the ever-expanding maze of privacy laws, both domestically and internationally. This includes drafting website policies, compliance with specific privacy laws (such as the General Data Protection Regulation (GDPR), the Children’s Online Privacy and Protection Act (COPPA), and the California Consumer Privacy Act (CCPA)). Heather works with companies to design and strengthen their privacy and data security policies and practices, to help them prevent data security breaches, and to minimize the risks associated therein.
For more information on our Privacy & Data Security Practice contact Heather Antoine at
Stubbs Alderton & Markiles Partner Heather Antoine will be featured as the moderator for a panel at the 2019 World Technology Law Conference on "GDPR and its Progeny: Lessons Learned and What to Expect Globally." It has been a year since GDPR went into effect. Was it the start of a data protection revolution or a data protection catastrophe? How have data and security practices changed, and what have we learned? How are data protection laws are changing around the globe? Join as Heather poses these questions and learn how these laws affect clients, how to comply, and how to survive.
The event will be May 17th, 2019 in Boston, Massachusetts.
For more information about the event visit here.
Heather Antoine is a Partner and Chair of the Firm’s Trademark & Brand Protection practice and Co-Chair of the Privacy & Data Security practice group. Heather’s practice focuses on protecting a company’s intellectual property; a fundamental feature of every business. Heather’s practice includes trademark clearance and selection, domestic and foreign trademark prosecution, enforcement, proceedings before the Trademark Trial and Appeal Board (TTAB), licensing, trade secret protection, copyright, rights of publicity, domain names disputes, and general client counseling. Heather believes in supporting companies at each stage – from due diligence when choosing a name, to ongoing brand management, to ensuring portfolios are safeguarded and ready for sale. Heather is also focused on guiding businesses through the ever-expanding maze of privacy laws, both domestically and internationally. This includes drafting website policies, compliance with specific privacy laws (such as the General Data Protection Regulation (GDPR), the Children’s Online Privacy and Protection Act (COPPA), and the California Consumer Privacy Act (CCPA)). Heather works with companies to design and strengthen their privacy and data security policies and practices, to help them prevent data security breaches, and to minimize the risks associated therein. Heather serves as Vice Chair of the California Lawyers Association Intellectual Property Section. Heather frequently speaks and writes about IP, Internet, tech, and privacy issues. She has been quoted in publications such as the Los Angeles Times and CNBC. Heather has been recognized by her peers for excellence in her practice, having been selected as Southern California Super Lawyers Rising Star® multiple times.
For more information about our Trademark & Brand Protection Practice contact Heather Antoine at
Jeremy Beutler: