
DATA PRIVACY & COMPLIANCE





At Innova Law, we are dedicated to helping clients navigate a constantly shifting landscape of privacy and data security laws both globally and in the United States.


We recognize that compliance with data protection laws is not simply a matter of satisfying legal requirements; it is a competitive differentiator at a time when concerns about privacy and data security breaches are paramount.


Innova Law services include:

  • Compliance and risk management (C-suite counsel, internal privacy and security program creation) to develop sound privacy policies, processes and global strategies while navigating the complex domestic and international privacy landscape.


  • Guidance on and development of all corporate employee and data management policies and processes.


  • Advising clients on best practices and strategies for the development of a holistic and pragmatic approach to privacy compliance and risk management with a focus on growing business opportunity. 


  • Counseling on HIPAA, CCPA, PIPEDA, GDPR, global privacy, data breach response and all data protection matters.


  • Perform targeted or comprehensive gap analysis and assessment of privacy practices.


  • Provide “data hygiene” privacy training and employee education.


  • Creation of corporate and website privacy policies and procedures.



PRIVACY ASSESSMENT AND GAP ANALYSIS

  • Conduct holistic privacy audits and assessments with specific attention to HIPAA and government regulatory compliance.


  • Interpret and advise on the impact of COPPA, HIPAA, FERPA, the Gramm-Leach-Bliley Act and FTC enforcement actions as well as European Union and other foreign data protection laws.


  • Create processes and assist with privacy impact assessments.


  • Review, update or develop a comprehensive Data Breach Response Plan.


  • Review insurance coverage for sufficiency in light of developing business plans and global footprint of the business.


  • Review liability provisions in all vendor and third-party contracts to assess the impact of breaches caused by service providers and other partners.


  • Devise a system for obtaining new and current consent for the processing of personal data to meet all global and domestic requirements, with increased scrutiny for any anticipated processing of sensitive personal data.


  • Evaluate the sufficiency of systems to accommodate withdrawal of consent and the “right to be forgotten”. Ensure technical and operational processes are in place so that data subjects’ rights can be met, e.g. the right to be forgotten, data portability and the right to object.


  • If data of children is involved, ensure that notices directed at subject children are “child-friendly” and that there is a mechanism to obtain parental consent.


  • Provide data privacy and data loss prevention education and training for management and employees.


  • Draft online and e-commerce privacy policies, data processing agreements (DPA), data transfer agreements, and corporate policies that address technology.


  • Advise on the privacy implications of emerging technology, mobile devices and cross-device tracking.



EXTERNAL PRIVACY OFFICER

As businesses continue to embrace technology, and e-commerce dissolves the borders between countries, the call for data privacy has become ever more important. Technology brings risk, and many companies are struggling to catch up with the continuous stream of new regulations. Most, if not all, Fortune 500 companies have tasked an internal resource with the role of Privacy Officer; however, many smaller companies have either added those duties to an existing role or have yet to formally undertake this obligation.

 

At Innova Law, we are able to work with our clients to act as the company’s External Privacy Officer. As External Privacy Officer, we:

  • Work with our clients’ senior management, security, and corporate compliance teams to develop a sound and comprehensive corporate Privacy Program.


  • Develop, implement, and maintain policies and processes to ensure government and global compliance and reduce risk.


  • Collaborate with our clients’ information security resources to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and act as a liaison to the information technology group.


  • Perform or oversee initial and periodic information privacy risk assessment/analysis, mitigation and remediation.


  • Guide the investigation and response to data privacy incidents, including notification to affected individuals, regulatory or law enforcement authorities when required, and oversee all remedial or curative action.


  • Monitor corporate compliance with all federal, state and global requirements, including the development of initial and ongoing privacy training for the workforce.

 

  • Provide guidance for the creation of data protection impact assessments.


  • Continuously work to develop sound global privacy processes internally and through cooperation with various supervisory authorities.


  • Perform required breach risk assessment, documentation, and mitigation, and work with the client to ensure consistent application of sanctions for privacy violations.


  • Serve as an information privacy resource to the organization regarding release of information and to all departments for all privacy-related issues.



DATA BREACH RESPONSE

In the event of a privacy or data breach, we are available 24/7 to provide rapid incident response, including:

  • Investigation of the cause and extent of the data breach.


  • Coordination of the incident response team as well as any third-party service providers such as forensic services.


  • Assessment of the scope of any breach to determine whether the data breach is a “reportable event”.


  • Interface with incident responders in IT/IS, legal, communications, marketing and HR to guide the response.


  • Data Breach Notification Process:
      • Determine applicable breach notification obligations and deadlines (state, federal, and global).
      • Prepare notification letters based on evaluation of affected individuals and data accessed.
      • Notify and interface with insurance company, law enforcement, and regulators.
      • Assist with formulation and management of internal and external communications.


  • Review vendor and customer agreements for obligations and determination of responsibility for costs of breach.


  • Make recommendations for remediation and curative steps to be undertaken and communicated post-breach event.


  • Guide responsive improvements in processes and risk reduction.



INFORMATION GOVERNANCE AND COMPLIANCE PROGRAMS

Companies that fail to create and implement sound information and data governance policies and processes are at much higher risk of compliance penalties as well as significant data privacy and security breaches and the reputational harm that follows. Business success depends on the intelligent use and protection of information, and the governance of that information warrants a dramatic and unprecedented change in practice.


We work carefully to understand our clients’ information governance profiles and tailor solutions that fit their specific needs, risk tolerances, and regulatory and industry footprints. Clients trust us to help them navigate changing information governance landscapes to reduce risk and position them for success.


We work with our clients to:

  • Develop and implement policies and processes to address and manage Social Media use, Acceptable Use, BYOD (Bring Your Own Device) and other privacy-related issues.


  • Understand the complete regulatory and compliance obligations of our clients, as well as their business needs, to create a comprehensive data retention policy and schedule for all data types. We will work together to ensure that the plan is implemented and achievable by the organization.

