Information Privacy and Cybersecurity

Crowley Fleck’s Information Privacy and Cybersecurity practice helps clients protect sensitive business and customer data. We understand the need for businesses to ensure the confidentiality, integrity, and availability of their sensitive information, including personally identifiable information collected from customers.

Information Privacy

The information privacy aspect of our practice helps clients understand potential risks to business data by working through how information is collected, used, disclosed, and stored, and analyzing which state and federal legal requirements apply. We then draft policies, procedures, and guidelines to meet those requirements and ensure that data risks are considered for both internal and external business information workflows. Our services in this area includes data mapping, privacy assessments, creating information management programs, creating records management and retention policies, and negotiating contracts involving use or storage of data. We also evaluate human resources policies and procedures involving data, such as workplace privacy, acceptable use, and bring your own device issues.


The cybersecurity aspect of our practice works with clients to assess risk, implement safeguards to prevent data breaches, and respond to security incidents such as ransomware and other hacking efforts that may result in a data breach. Our preventative services include help performing and implementing risk assessments, developing customized plans for incident and breach response, evaluating security policies against legal requirements and best industry practices. If a data breach or cybersecurity incident does occur, we quickly identify and understand state and federal enforcement considerations triggered by potential exposure of sensitive information. Our data breach response services include assistance coordinating the organization’s incident response to ensure that notification and reporting requirements are identified from the outset and that any legal privilege applicable to response documentation is maintained.

Information Privacy and Cybersecurity Services

A representative list of services we provide to assist our clients in assessing their information privacy and security obligations, providing advice about protecting information systems and resources, and responding to adverse events is below:

  • Data Mapping and Analysis
  • Privacy Impact Assessments
  • Compliance Advice:
    • Health Insurance Portability & Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH).
    • Family Educational Rights and Privacy Act (FERPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Children’s Online Privacy Protection Rule (COPPA)
    • Federal Trade Commission (FTC) Consumer Privacy and Security Enforcement
    • State laws – breach notification statutes, medical records, consumer privacy statutes
    • General Data Protection Regulation (GDPR)
    • PCI-DSS (Payment Card Industry Data Security Standards);
  • Merger/acquisition due diligence related to information practices and cybersecurity risk;
  • Cybersecurity risk management and risk assessment;
  • Analysis and drafting of information privacy and security policies;
  • Response to cybersecurity incidents and data breach events;
  • Analysis and management of Breach Notification requirements after a data breach;
  • Negotiate and advise on vendor contracts (cloud computing, business management software) for compliance with information privacy and security requirements and data protection;
  • Advice regarding information privacy and security requirements in government procurement;
  • Advice and analysis about employee data information collection and use, including workplace privacy, bring your own device, acceptable use of employer IT resources;
  • Analysis of cyber liability insurance coverage;
  • Defense of regulatory privacy and security investigations;
  • Response to claims of harm arising from privacy and security incidents.