Manage Information with Efficiency, Integrity and Accountability  

In an information economy, your business must protect its information assets and avoid the costly consequences of not minding legal requirements or controlling valuable electronic data. Effective information management policy and practice must integrate privacy, security and e-discovery considerations with efficient business use of the information.

The team of Cybersecurity and Data Privacy professionals at Stinson has been at the forefront of data law for more than 20 years. Our practice started with online privacy compliance in the 90's internet boom and branched into early privacy and security laws such as GLBA, HIPAA, COPPA, CAN-SPAM, and the EU Data Directive. Our experience evolved to include data breach response and compliance with the growing body of privacy laws including GDPR, the Telephone Consumer Protection Act (TCPA), the FTC Telemarketing Sales Rule, the Biometric Information Privacy Law, the California Consumer Privacy Protection Act (CCPA) and a variety of other state privacy and data security laws.

Our strong banking, health care and technology practices ensure that we are on the cutting edge of the regulatory landscape. We undertake projects with your data security in mind by limiting and controlling access and using highly developed policies, procedures and information technology.

Our team can assist your business in the following areas:

Data Security Incident Response Team

Data breach notification laws require quick response, analysis and action planning. Our team combines technology professionals experienced in handling data breaches with regulatory insight in the highly regulated fields of health care and banking. We also have a deep bench of attorneys in other regulated fields, including energy and critical infrastructure. Our compliance attorneys can help your company board or management team understand the risks and make informed decisions.

Our data security team will respond quickly to help you determine whether you are dealing with a vulnerability or an actual data breach. We are well versed in data breach notification laws and in working with legal authorities and technology consultants to determine the nature and magnitude of the threat or breach. Our team will help you determine whether notice is required and how to address other possible disclosures and damage control. We also frequently help clients with data security threats that don't necessarily include personally identifiable information but can be critical to the operation or value of a business.

Our data security team works with many third party vendors for remediation and security solutions. We provide guidance on how to collect, store and transmit information in a threat situation. We also have experience drafting and implementing policies and procedures to help make the response process more efficient in the future. Our litigators frequently assist in data incident response through actions for injunctive relief and Computer Fraud and Abuse Act litigation.


Our technology and regulatory attorneys have been working hand in hand for years to help clients anticipate and prepare for cybersecurity challenges. We help your legal and information governance teams establish policies and procedures to meet regulatory requirements, manage risk and be ready for prompt and thorough response to cybersecurity threats and breaches. Our lawyers undertake data security and privacy audits, and assist with document retention, employee training and data management. Our lawyers negotiate complex technology vendor agreements on a daily basis and can help your team with vendor due diligence.

Stinson attorneys are proactive about the changing landscape in cybersecurity. Our experienced policy team in our Washington, DC office follows new developments in Congress and the executive branch to keep our advice focused on new developments and future movements in the technology industry. We track and adapt to technology industry growth into areas like big data, the internet of things (IoT), responsible disclosures, artificial intelligence, biometrics, software as a service and cloud computing.

We represent clients who acquire and operate data centers, along with clients who contract with data centers for storage and other services. This experience enables us to help clients navigate cybersecurity and privacy risks involving data storage and processing.

We frequently draft, update and analyze privacy policies under general privacy law, the FTC Act, COPPA, HIPAA, the EU General Data Protection Regulation (GDPR), the Privacy Shield, GLB, CalOPPA, CCPA, PIPEDA, and other state and federal laws and guidelines. Our technology attorneys represent national brands in their privacy compliance on both the internet generally and in the context of mobile apps and social networking. In this capacity, our technology attorneys have the depth of experience to work with technology developers to understand and properly disclose privacy practices.

We understand that risk reduction must align with marketing and operational efforts. We work closely with our clients' marketing and information technology teams to ensure a proper balance between business goals and effective compliance and risk management.

Our legal team has extensive experience dealing with consumer privacy regulation. We have assisted clients in investigations under the FTC Act including proceedings before the Children's Advertising Review Unit. We have a deep understanding of unfair and deceptive trade practices, including privacy and security implications.


Stinson's national practice in the areas of financial services, FinTech, banking and payments combined with our robust technology law practice offers clients experience in the area of financial cybersecurity. Our attorneys assist clients on a daily basis in negotiating cybersecurity provisions in financial services transactions. We advise banks and other financial service companies with cybersecurity and data privacy compliance. Our attorneys guide clients in their compliance efforts relating to the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule, the Fair Credit Reporting Act (FCRA), FDIC Guidance for Managing Third-Party Risk, OCC Guidance on Third Party Relationships, and other federal and state data security and privacy related laws and regulations. We help clients negotiate cybersecurity related market positions on core services agreements and other banking contracts as well as ventures between traditional financial service businesses and emerging FinTech companies.

Our financial services team has a particular depth of knowledge in the area of payments systems including cybersecurity and privacy issues related to wire transfers, ACH, stored value, prepaid cards, emerging payments, online payments, point of sale systems, and PCI compliance.


Stinson's robust Health Law practice features deep experience in health care related cybersecurity and privacy. Our team guides health plans, pharmacy benefit managers, medical device and pharmaceutical companies in navigating the complex web of data security compliance. Our attorneys understand the market positions on cybersecurity and privacy negotiations. We frequently advise clients on the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the U.S. Department of Health & Human Services guidance on Health Information Privacy. Our lawyers assist clients in the negotiation of Business Associate Agreements under HIPAA, cloud services agreements in the health care field and other health information privacy provisions in health care-related ventures.


Data security is a fundamental requirement for government contractors. Companies that engage in contracting with the government have been targeted by criminals, terrorists and hostile adversaries who seek to steal or tamper with their data and systems. The government has sought to address these risks with increased laws, rules and processes aimed at tightening the security of government, contractor and supplier data and the systems that are used to develop, use, store, transmit or transit such data. These rules require that contractors comply with certain specified security controls, properly identify data subject to protection, vet their supply chains and promptly investigate and report to the government where they encounter actual or suspected cyber incidents. The government now has the authority to exclude contractors from contracts if it views them or their supply chain members as posing a significant risk. Competitors also have the right to challenge a company's compliance with procurement requirements through the bid protest process. In the defense arena, the government has announced that it will be auditing contractors to confirm their compliance with the cybersecurity plans and program milestones that they have identified in the contracting process as compliant with these laws and regulations. 

Our practice group includes members with broad and deep experience across the spectrum of government contract procurement, compliance, audit, investigation and litigation matters.  We know the rules and are familiar with the way in which agencies work. Our attorneys advise clients on these and other emerging requirements, and regularly work with clients to address contracting questions and develop appropriate compliance programs. We also advise and represent clients in government audits and investigations, protests, claims and other litigation. When issues arise, we will work closely with the cyber incident response team to ensure that our clients get timely advice and support to resolve these matters quickly and efficiently.  


