Contact

Darin M. Sands
Office: 503.778.2117 Cell: 971.998.4751 (available after-hours for emergencies)
sandsd@lanepowell.com

Privacy and Data Security

Abbott, Barry A.
Counsel to the Firm
Seattle
206.223.7988
abbottb@lanepowell.com

Backus, Kara
Attorney
Portland
503.778.2181
backusk@lanepowell.com

Baker, Gabriel
Shareholder
Seattle
206.223.7964
bakerg@lanepowell.com

Day, Craig A.
Counsel to the Firm
Seattle
206.654.7819
dayc@lanepowell.com

Degginger, Grant S.
Shareholder
Seattle
206.223.7390
deggingerg@lanepowell.com

Harrington, Michael B.
Counsel to the Firm
Seattle
206.223.7050
harringtonm@lanepowell.com

Hosenpud, David G.
Shareholder
Portland
503.778.2141
hosenpudd@lanepowell.com

Jensen, Steve D.
Shareholder
Seattle
206.223.7732
jensens@lanepowell.com

Mehrbani, Parna A.
Shareholder
Portland
503.778.2127
mehrbanip@lanepowell.com

Reilly, D. Michael
Shareholder
Seattle
206.223.7051
reillym@lanepowell.com

Sands, Darin M.
Shareholder
Portland
503.778.2117
sandsd@lanepowell.com

Spellman, David C.
Shareholder
Seattle
206.223.7392
spellmand@lanepowell.com

Stoetzer, James B.
Shareholder
Seattle
206.223.7019
stoetzerj@lanepowell.com

Swale, Sarah
Shareholder
Seattle
206.223.7946
swales@lanepowell.com

Winters, Steven B.
Shareholder
Seattle
206.223.7740
winterss@lanepowell.com

Information privacy and data security issues involve nearly every facet of an organization’s activities. With the rapid development of digital and information technology, most organizations — big and small — now handle and process sensitive personal information, including employee data, medical records, financial information, consumer information, social security numbers, credit card numbers, dates of birth, and other types of information that relate to identified or identifiable individuals.

The handling and processing of sensitive personal information is subject to laws and regulations that are numerous and complex, vary by location, and are constantly changing. If an organization does not take appropriate care to protect against prohibited access to or loss of personal information, it can be subjected to significant fines and, more importantly, considerable damage to its reputation.

Lane Powell’s Information Privacy and Data Security attorneys include members of the International Association of Privacy Professionals.

Lane Powell’s attorneys help our clients manage a host of concerns relating to privacy and data security, including:

  • Complying with federal, state, and international privacy and security laws.
  • Developing internal privacy policies, including policies and procedures for employee privacy and social media.
  • Preparing website privacy notices and terms of use.
  • Preparing privacy-related notices to consumers.
  • Handling data breach responses and notifications.
  • Litigating disputes relating to data breach, privacy, security, and consumer protection.
  • Developing programs and policies governing storage, access, transfer, use, disclosure, and disposal of information.
  • Navigating trade secret protection and enforcement.

The legal assistance we provide to our privacy and data security clients covers all of the following federal and state laws:

  • State data breach notification laws — 46 states require an organization to notify individuals whose personal information maintained by the organization has been subjected to unauthorized acquisition. Requirements regarding the contents, form (e.g., email or written notice), and timing of the notice, and specific circumstances requiring notice, vary from state to state. For example, some states require notification only if the breach is likely to result in misuse of the information or harm to the individual whose information was acquired, whereas other states require notification regardless of whether harm is likely to occur. Additionally, several states require that a data breach be reported to the state’s Attorney General or other enforcement agency.
  • Federal Trade Commission Act (“FTC Act”) — Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in interstate commerce. Failure of an organization to comply with its own privacy policy can constitute a deceptive trade practice.
  • Unfair and Deceptive Trade Practices (“UDTP”) — Most states have UDTP laws. Specific requirements of these laws differ from state to state, but many state UDTP statutes are modeled after the FTC Act and deem an organization’s failure to comply with its own privacy policy to be a deceptive trade practice.
  • Fair Credit Reporting Act (“FCRA”) — The FCRA regulates the collection, use, and disclosure of consumer report information. Consumer reporting agencies and users of consumer report information (e.g., prospective employers) are subject to the FCRA.
  • Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) — FACTA is an amendment to the Fair Credit Reporting Act that contains provisions to prevent identity theft. For example, FACTA requires each of the three nationwide consumer reporting companies (Equifax, Experian, and TransUnion) to provide a free credit report once every twelve months to any consumer who requests it, and allows individuals to place alerts on their credit histories if identity theft is suspected.
  • Children’s Online Privacy Protection Act (“COPPA”) — COPPA regulates operators of websites, online services, and mobile apps that are targeted to or collect information from children under the age of 13. For example, COPPA requires such websites to post a clear and comprehensive online privacy policy and to obtain verifiable parental consent before collecting personal information online from children.
  • Health Insurance Portability and Accountability Act (“HIPAA”) — HIPAA applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. HIPAA regulates the collection, use, and disclosure of protected patient information by covered entities and also requires such entities to maintain administrative, physical, and technical safeguards to protect the security of electronic protected information.
  • Health Information Technology for Economic and Clinical Health Act (“HITECH”) — The HITECH Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology. It contains incentives designed to accelerate adoption of electronic health record systems among providers and also expands the scope of privacy and security protections available under HIPAA.
  • Gramm-Leach-Bliley Act (“GLBA”) — GLBA, also known as the Financial Services Modernization Act of 1999, repealed part of the Glass-Steagall Act of 1933 and removed restrictions to vertical integration of certain types of financial institutions. It also requires financial institutions, a term broadly defined under GLBA, to provide a privacy notice to each consumer at the time the consumer relationship is established and annually thereafter. The privacy notice must satisfy certain statutory requirements, including containing information about the consumer’s right to opt out of certain information being shared with third parties.
  • Family Educational Rights and Privacy Act (“FERPA”) — FERPA is a federal law that protects the privacy of student education records. The law applies to schools that receive certain types of funding under U.S. Department of Education programs. Among other requirements, the law requires schools to allow parents or eligible students the right to inspect their education records and restricts schools from releasing education record information unless they have permission from the parent or eligible student.
  • Telephone Consumer Protection Act (“TCPA”) — The TCPA regulates the use of telephones for the purpose of making commercial solicitations. Among other requirements, the TCPA requires telemarketers to honor registrations with the National Do-Not-Call Registry, to maintain their own “do not call list” and honor any request not to be called again, to have a written policy available to anyone upon request, and to train employees in compliance.
  • Combating the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) — The CAN-SPAM Act regulates use of email for commercial purposes, and applies to “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Among other requirements, senders of commercial emails must give recipients the right to opt out of receiving further emails from the sender and honor such opt-out requests promptly.
  • Junk Fax Prevention Act (“JFPA”) — The JFPA is an amendment to the Telephone Consumer Protection Act (“TCPA”), which, in addition to regulating telemarketing, generally prohibits unsolicited facsimile advertisements. The most notable change made by the JFPA to the TCPA is that unsolicited faxes to persons with whom the sender has an established business relationship are now exempt from the provisions of the TCPA.
  • Telecommunications Act of 1966 — The Telecommunications Act is the first major overhaul of U.S. telecommunications law in more than 60 years. The law restricts telecommunication carriers’ collection, use, and disclosure of information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.
  • Video Privacy Protection Act (“VPPA”) — VPPA generally prohibits any video tape service provider from disclosing the title, description, or subject matter of video tapes obtained or requested by a consumer.
  • Cable Communications Privacy Act (“CTVPA”) — CTVPA regulates cable operators’ collection, use, and disclosure of subscribers’ personally identifiable information.
  • Electronic Communications Privacy Act (“ECPA”) — The ECPA consists of the Wiretap Act and the Stored Communications Act. These acts regulate when electronic communications can be monitored or reviewed by third parties, including Internet Service Providers. Generally, it is a crime for persons to intercept or acquire electronic communications, including email, unless certain exceptions apply.
  • Communications Assistance to Law Enforcement Act (“CALEA”) — CALEA requires telecommunication carriers to cooperate in law enforcement investigations that require wiretapping of digital telephone networks. For example, the law requires telecommunication carriers to make it possible for law enforcement to tap phone conversations carried over their networks and to make certain call records available to law enforcement.
  • USA Patriot Act — The USA Patriot Act expanded the scope of the Foreign Intelligence Surveillance Act (“FISA”) of 1978, which regulates electronic and wire surveillance, physical searches, and government access to and surveillance of certain other types of information and communications that involve foreign powers.
  • Genetic Information and Non-Discrimination Act (“GINA”) — GINA contains amendments to the Employee Retirement Income Security Act of 1974 and the Internal Revenue Code, and restricts the use of genetic information in health insurance and employment.

To learn more about some of the Firm’s complementary practice areas, please visit:
