In today’s information-based world, privacy and cybersecurity are critical issues for businesses of all sizes and in all sectors. Data breaches, cyberattacks, regulatory enforcement, and privacy-based litigation can expose businesses to significant financial, reputational, and operational risks. Haynes Boone’s Privacy and Cybersecurity team helps clients navigate these complex and rapidly evolving challenges with practical and strategic advice, tailored solutions, and vigorous advocacy.

We offer a multi-disciplinary team of lawyers with deep experience in privacy laws, data processing arrangements, privacy and cybersecurity policies, artificial intelligence training, crisis management, and related fields. We advise clients on compliance with federal, state, and international privacy and security regulations, such as the CCPA, GDPR, HIPAA, GLBA, and COPPA. We draft and review privacy policies, notices, consent, and data processing agreements to reflect current best practices and compliance with active contractual obligations. We implement enterprise privacy programs, conduct privacy compliance assessments, and provide trainings to identify and mitigate potential vulnerabilities and gaps.

We also assist clients in responding to and recovering from data breaches and cyber incidents. We work closely with forensic investigators and law enforcement to contain and remediate the incident, notify affected parties, and preserve evidence. We represent clients in investigations and enforcement actions by federal and state regulators, such as the FTC, DOJ, SEC, HHS, and state attorneys general. We also defend clients in privacy and cybersecurity litigation, including class actions, consumer claims, and shareholder suits.

Our Privacy and Cybersecurity team leverages its long tenure in the privacy space, broad industry knowledge, and unique technical and litigation experience to provide clients with comprehensive and effective representation. We understand the business and legal implications of building a privacy program and responding to cybersecurity issues, and we focus on finding solutions that protect our clients’ interests and minimize long-term risk.

 

 

  • Retained by publicly-traded cybersecurity firm to respond to SEC inquiries regarding one of the biggest cybersecurity breaches of the 21st century.
  • Advised clients in a variety of industries responding to SEC enforcement sweep related to major cyberattack.
  • Advising large healthcare provider regarding Change Healthcare data breach.
  • Represented a specialty retailer in investigating a payment card data breach, managing customer disclosures, and successfully fighting off a card processor’s attempts to wrongfully collect card brand liability assessments.
  • Investigated the suspected violation of an energy company's policy regarding employee computer activity monitoring by a high-ranking information technology executive; supervised a computer forensic investigation and advised the company regarding employee disclosure obligations and related employment law matters.
  • Following a payment card breach impacting point-of-sale devices at nearly 300 restaurants and entertainment locations, Haynes Boone advised a hospitality company regarding information technology vendors' potential liability for the compromise.
  • Represented major county government in investigation and disclosure of incident involving its health plan and an electronic disclosure of protected health information; analyzed reporting obligations under HIPAA and state law; assisted with disclosures and communications to the U.S. Department of Health & Human Services and affected individuals.
  • Advised a hospitality company regarding a payment card breach impacting nearly 50 hotel locations when malware was installed on the company's point-of-sale devices; investigated the matter, coordinated with forensic investigators, cooperated with card brand investigations, managed consumer disclosures, responded to regulatory inquiries, and advised the company regarding potential card brand liability assessments.
  • Provided guidance to an international HVAC company on privacy and data protection issues with respect to the sharing of customer data.
  • Provided advice on and drafting of policies and procedures with respect to privacy and biometric matters for a remote examination software technology company.
  • Provided advice and counsel to an online advertising services company in support of ongoing privacy compliance efforts in the U.S. and internationally.
  • Provided advice and analysis to a fast-growing payroll software company in support of various privacy compliance efforts, cybersecurity matters, and data incident investigations.
  • Represented a publicly-traded company in investigating a major cyber attack arising from a 2023 MOVEit software compromise that affected hundreds of organizations around the world; supervised a computer forensic investigation and data review, advised the company regarding SEC filings disclosing the attack to investors, and managed the company's disclosures to state regulators, clients, and end-users.
  • Provided advice to an international flight services company on a variety of national, international, and cross-border privacy compliance efforts and cybersecurity matters.
  • Assisted a private equity fund with three separate data security investigations affecting the fund’s portfolio companies and including phishing attacks, a business email compromise, and a ransomware attack; supervised forensic investigations, advised the client regarding disclosure obligations, and advised the client regarding policies and procedures to help strengthen the data security posture of the firm’s portfolio companies.
  • Investigated an incident that resulted in the unauthorized release of more than 65,000 driver records and associated criminal histories; advised the client regarding disclosure obligations, coordinated with state law enforcement who was conducting a criminal investigation, managed disclosures to individuals and multiple state regulators, and advised the client regarding recovery of its losses through proactive legal action against various parties.
  • When attackers successfully gained access to the software platform of a managed service provider and used that platform to push ransomware to the networks of that provider’s customers, we assisted one of those customers in recovering from the incident, managing a forensic investigation, advising the client regarding disclosure obligations, and securing reimbursement from the provider for all of the client’s expenses.
  • Represented health systems, physician groups, home health and hospice provider, wellness company, revenue cycle management company, and other healthcare providers in investigations of potential breaches of PHI and analyses of disclosure obligations under HIPAA and state privacy laws and assisted with disclosures and communications to media, U.S. Department of Health and Human Services, state regulators, and affected individuals.
  • Regularly draft and review HIPAA privacy and security policies and procedures, security risk assessments, business associate agreements, and training for covered entities and business associates.
  • Regularly advise clients, including healthcare providers and mobile app/telemedicine platforms, on compliance with telemedicine laws, HIPAA/HITECH, data privacy and security matters, and permitted uses and disclosures of health information.

    * All cases vary and none are predictive