Data Privacy & Security

Compliance and Risk Counseling

For many clients, the first step in becoming familiar with data privacy and security matters is to identify which laws apply to them and the data they hold, then identify what risks they may face. We can assist you by:

  • Ensuring that you have legally compliant (or industry-standard) policies and procedures to safeguard your data (e.g., HIPAA, state laws, Gramm-Leach-Bliley, FTC, TCPA, CAN-SPAM, FINRA, SEC, FFIEC, NIST)
  • Assisting with issues posed by the various international data privacy and security laws governing the protection of personal data, including, without limitation, GDPR and those laws of various member states, Canadian data privacy laws (including CASL law), and other international data privacy laws and regulations
  • Evaluating basic GDPR risk and counseling (usually in partnership with foreign associates) on GDPR compliance and developing compliance programs
  • Developing privacy and cybersecurity programs
  • Conducting training on the privacy and security laws relevant to your business
  • Preparing website and mobile app privacy policies as well as notices of privacy practices
  • Counseling on how data can be used, disclosed, and transferred (e.g., big data, internet of things (IoT), data monetization, medical research, marketing uses, transfer of data across jurisdictions)
  • Advising you on strategic risks (e.g., advice to Board of Directors on how to oversee cybersecurity risks)
  • Advising on cyber-insurance policies
  • Assisting with implementation of vendor management programs
  • Conducting gap assessments

Success Stories

Educating HIPAA

Our attorneys have assisted hundreds of clients with HIPAA privacy and security matters. We maintain model policies and procedures and related forms, such as business associate agreements. We have also trained clients on these rules. For example, in 2015 we conducted an in-person training session for a Midwestern client. However, this client has operations throughout the country and needed to train personnel in those locations. We took the customized training program and recorded a web seminar of the program. As a result, the client could train both current and future employees.


Our team advised a Midwestern dairy cooperative in connection with the development and implementation of its “Bring Your Own Device” technology policy and with implementation of a data retention and destruction program.
