Numerous laws and industry standards have recognized that adequate information systems security is crucial for the protection of the personal information that companies collect about or from their employees, clients, and other contacts. It is also necessary to ensure the integrity, authenticity, and confidentiality of companies' records and trade secrets. Without adequate security, companies are vulnerable to attacks by insiders or outsiders, and to the misuse, theft, modification, or destruction of critical data and resources.
For an increasing number of companies, the implementation of adequate data security is mandated by law. The regulations under the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA), for example, require the implementation of specific security measures to protect the privacy of personal information held by the regulated companies and their subcontractors.
Several states, such as California, require ALL companies that hold certain types of personal information to ensure the security of this information while it is in their possession and in that of their subcontractors.
The Security Breach Disclosure laws require businesses to notify third parties that a breach of security has occurred. Such disclosures have serious implications for the organizations that must make them: they are public acknowledgements of security weaknesses. This is likely to expose a company to loss of goodwill, brand tarnishment, loss of customers, and public embarrassment. Poor handling of the incident might have even more catastrophic effects. Thus, it is essential to have in place an adequate incident response plan, together with the related structures and training.
We can assist companies in evaluating their information security needs, designing compliant security policies, and preparing to address a security breach that requires disclosures. Our services include the following:
- Information Security Legal Audit
  - Review of existing information security policies and practices to evaluate their compliance with applicable laws, such as financial information security laws (GLBA and related regulations), health information security laws (HIPAA and related regulations), and children's information security laws (COPPA)
  - Implementation of the FACTA Document Destruction Regulations
- Corporate and Commercial Transactions
  - Conduct of privacy and data protection focused due diligence of an M&A target, a potential outsourcing provider, or another service provider
  - Review and evaluation of the target's privacy policies, privacy practices, and compliance with applicable privacy laws
  - Evaluation of restrictions on the transfer of personal information to the purchaser or other third party
  - Assessment of the privacy obligations of the successor entity
  - Drafting, structuring, and negotiation of privacy and security focused provisions to complement the master contract
  - Combination of the privacy policies of two entities after an acquisition
  - Data use agreements
  - Personal information transfer agreements
- Contracts
  - Personal information transfer agreements
  - Data use agreements
  - Contracts with personnel; notice to personnel
  - Contracts with third party providers or subcontractors to ensure compliance with the company's security policy
  - Contracts for disaster recovery, contingency planning, and business continuity services
  - Third party service agreements
  - Outsourcing and BPO agreements
- Compliance with Security Breach Disclosure Laws
  - Responses to a data security breach
  - Preparation of security incident response plans
  - Contracts with third party providers and others with respect to security breach notification obligations and security measures
- Document Management
  - Document retention programs
  - Data destruction programs
- Training, Education and Security Awareness
  - Counseling and training on information security laws and regulations
  - Education on the effects of security policies and procedures on the creation, maintenance, and use of databases, on the transmission of data to third parties, and on the processing of personal data by third parties
- Assessment
  - Asset assessment: identifying the systems and information that need to be protected
  - Risk assessment: assessing the risks faced by the company with respect to these assets
- Procedures and Policies
  - Development, drafting, and implementation of company security procedures and policies
  - Review of existing security policies to ensure compliance with applicable laws
- Evaluation of Information Security Practices
  - Review and evaluation of the company's security management process, workforce security, information access management, facility access controls, workstation and equipment use, and security controls
  - Review and evaluation of the company's information and document management practices, and of its disaster recovery and business continuity arrangements