Debevoise & Plimpton provides clients with advice on a broad range of privacy, data protection and data security issues.

We are a cross-border and interdisciplinary team of lawyers who offer regulatory counseling in both the United States and Europe, defend clients in government enforcement actions, litigate data security and privacy-related matters and are involved in financial services transactions where data protection and security matters arise. We assist clients in navigating issues under the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Children’s Online Privacy Protection Act, Health Insurance Portability and Accountability Act, Federal Trade Commission Act, state statutes on data security and duties to disclose security breaches, as well as the common law rights of privacy and publicity. In Europe, we advise on the EU Data Protection Directive and national implementing legislation, including the U.K. Data Protection Act, the U.K. Human Rights Act and the U.K. Financial Services Authority Handbook.

Our clients include firms in the financial services, telecommunications, media and entertainment, internet, publishing, consumer goods, technology and consulting sectors. We work with them to develop appropriate data security policies and compliance procedures, as well as privacy policies and website terms of service. We counsel clients on best practices for prevention of data breaches and assist them with post-breach remediation, including public notices and regulatory responses. We also advise clients on the legal limits applicable to data use, transfer (including cross-border) and mining. We have in-depth experience with internal investigations regarding security events and data thefts, and we have represented clients in class actions, government investigations and other litigation arising out of data safekeeping and related technology issues. When conducting a cross-border internal investigation, we have particular experience in establishing effective, workable methodologies that overcome potentially debilitating restrictions on sharing results from internal compliance investigations with public authorities in conformity with data protection laws of EU member states, in particular in Germany and the United Kingdom. We also have substantial experience with complex disputes that involve emerging technologies and trigger simultaneous private litigation, governmental inquiries and internal reviews.