Privacy and Information Security

We know information is a vital asset of any business. Among the information of greatest value to organizations is data regarding customers, employees, and business contacts. The rapid proliferation of privacy and information security law that applies to that data should not prevent you from getting the benefit of your valuable information. Likewise, privacy concerns should be addressed in a practical, strategic manner that allows your organization to thrive, rather than restraining your use of this information. The attorneys in our Privacy and Information Security practice area understand these concerns and bring a practical approach to privacy and information security compliance.

Privacy and information security is a diverse area that impacts organizations in virtually all industry sectors. To address that diversity in a comprehensive fashion, we have assembled a team of professionals who understand privacy law from two vantage points: (1) as an independent body of law viewed across multiple industry sectors and (2) as a crucial part of a larger practice in an underlying area, such as health care, financial services, employment, emerging technologies, litigation and international.

Our team is ready to assist you with privacy and information security law matters, including the following specific areas of concern.

Information Security

Information security requirements stem from an increasingly divergent number of sources, many of which may be relevant to your business. These include the HIPAA Security Rule, agency guidance related to the HITECH Act, the Gramm-Leach-Bliley Safeguards Rule, the Red Flags Rule, the Payment Card Industry Data Security Standard, and various state laws and regulations specifying appropriate information security controls. We assist clients in understanding the various and disparate information security requirements that apply to them, and synthesize these into a single, streamlined information security program.

Breach Response

Forty-seven states, the District of Columbia, Guam, Puerto Rico, the Virgin Islands, and some federal agencies now require that affected individuals (and, in some cases, government agencies) be notified when their personal information is impacted by an information security breach. Unfortunately, the result is often a lawsuit or a government enforcement action against the organization that experienced the breach. Consequently, a security breach can temporarily derail your business, undermining customer, employee, management and shareholder confidence. Managing these incidents appropriately is crucial to mitigating their impact and minimizing the likelihood of lawsuits and government enforcement actions. We assist our clients in preventing, preparing for and responding to actual and suspected information security breaches.

Health Privacy

We counsel clients on their responsibilities with regard to health information, whether they are acting as an employer, a health plan sponsor, a health care provider, an insurer, a business associate, a vendor of personal health records, or otherwise. In so doing, we regularly advise on HIPAA, the HITECH Act, the underlying federal regulations and state law variations governing the use and disclosure of health data.

Financial Privacy

We counsel clients on compliance with the Gramm-Leach-Bliley Act and underlying Privacy and Safeguards Rules, the Fair Credit Reporting Act and underlying Red Flags Rule, Affiliate Marketing Rule and FTC Disposal Rule, as well as various state laws governing the use and disclosure of consumer financial information that may be more stringent than federal requirements, such as the laws of California and Vermont.

Workplace Privacy

Where information is concerned, employees can be a risk, often causing security breaches through ignorance, mistake or theft. But well-trained employees are also the first line of defense against a security breach. We work with employers to address privacy in the workplace, such as advising them on compliant monitoring of employee Internet and email usage, provision of appropriate privacy notices, implementing HIPAA-compliant group health plans, FCRA compliance in using consumer reports, and supplying appropriate employee training on privacy and information security.

Online Privacy

A variety of privacy requirements and considerations are raised by online operations, including compliance with the Children’s Online Privacy Protection Act and the California Online Privacy Protection Act, implementation of appropriate website privacy notices, minimizing legal risk in the use of social networking tools or behavioral advertising to promote the business, and application of international privacy law to websites.

Direct Marketing

We assist our clients to help ensure their direct marketing does not run afoul of the disparate federal regulations pertaining to direct marketing, including email marketing and mobile marketing via SMS or Mobile Service Commercial Message.

Vendor Management

When a service provider handles personal information about your customers or employees, you continue to be responsible for the privacy and security of your information. As a result, an effective vendor management program is essential (and, in some cases, legally required) to ensure the risks posed by these vendors are managed and minimized. We assist our clients in developing these programs, including vetting tools and contract language. We also assist with diligence efforts and contract negotiations with respect to vendors.

Records Management

We assist our clients in creating and implementing records management programs, including preparation of policies, procedures, implementation plans, and records retention schedules.

International Privacy

Organizations with customers or employees overseas may have obligations under international privacy laws. Organizations with websites may attract users from overseas and face similar obligations. We assist our clients in understanding the requirements and risks, and developing a compliance program that addresses both. This work includes identifying and implementing a mechanism for legalizing data flows from the European Union using model clauses, relying on data subjects' consent, or implementing the U.S. Safe Harbor program and certifying compliance to the Department of Commerce.