Lead by example.

what we do / Privacy & Data Security

keep close watch on evolving standards to minimize risk

View Complete PDF

overview

Our Privacy & Data Security Group understands that the effective protection and management of information is critical for an organization to operate successfully. Businesses must comply with an increasingly complex web of state, federal, and international laws and regulations designed to protect commercially sensitive data and personally identifiable information. Our inter-disciplinary group of attorneys provides clients with practical solutions to comply with the requirements governing the gathering, storage, transfer, and use of information.

Our attorneys counsel clients regarding legal and practical techniques intended to maximize protection and minimize or avoid risks that may compromise sensitive and proprietary business information. In the event of a breach, we work closely with clients and internal and external response teams, including forensic investigators and accountants, computer consultants, press and media advisors, and other crisis management providers, to efficiently and effectively address the company’s immediate and long-term needs.

Our trial attorneys have the courtroom experience needed to address our clients’ privacy and data security litigation needs. We also provide the skills and experience in dealing with obligations of immediate disclosure, response, and remedial measures in the face of a data privacy or security breach. Our attorneys have handled internal investigations, government agency investigations, regulatory reporting, media communications, litigation, and customer/stakeholder service recovery when a breach has occurred.

For a description of our HIPAA and Medical Privacy Practice, click here.

areas of emphasis

Tucker Ellis assists clients of all sizes across industries in data privacy incidents that implicate:

Business Litigation (individual and class action litigation)
Financial Services Counseling (Gramm-Leach-Bliley Act/Sarbanes-Oxley)
General Data Protection Regulation (GDPR)
HIPAA/HITECH Enforcement and State Medical Privacy Laws
OCR Audit Preparation
Insurance Coverage
Information Technology (storage, use, and access to personal and confidential information, both internal
and external)
Risk Avoidance (technological and legal initiatives)
Regulatory Compliance Reporting
Biometric Data Analysis
State and Federal Cybersecurity Laws
PCI-DSS
Trade Secrets
White Collar Criminal Defense
Internal Corporate Investigations and Counseling

presentations

“Bracing for the New Normal in Data Privacy: GDPR, CCPA, and Other Initiatives Impacting the Business World in 2020 and Beyond," 2019 In-House Counsel Summit, Tucker Ellis LLP, Cleveland, Ohio (November 2019) "
“Preservation, Discovery, and Presentation of Cyber Evidence,” IADC Webinar (June 2019)
“GDPR and International Compliance” and “Health Care Sector Deep Dive,” Cybersecurity & Privacy Protection Conference 2019, Cleveland, Ohio (May 2019)
“Global Security Risk Management Update: Impact on Cyber, Intellectual Property, Personal and Corporate Physical Security,” Cleveland Metropolitan Bar Association, Cleveland, Ohio (May 2019)
“The Impact of GDPR on Enforcing Intellectual Property Rights on the Internet,” Harvard Law School, Cambridge, Massachusetts (March 2019)
“Avoiding Legal Liability,” The Information Security Summit, Cleveland, Ohio (October 2018)
“Workplace Privacy: Developments in Monitoring and Use of Genetic Information,” Ohio State Bar Association WebCast (September 2018)
“Cyber Ohio Business Summit on Cyber Risk Assessment,” Office of Ohio Attorney General Mike DeWine, Columbus, Ohio (March 2018)
“Technology in the Workplace: Data Protection in Practice,” Warren Regional CLE, Ohio State Bar Association, Warren, Ohio (May 2017)
“Regulating Information: A Candid Conversation About HIPAA and Privacy,” Cleveland-Marshall College of Law, Cleveland, Ohio (April 2017)
“Healthcare Cybersecurity and Privacy Litigation,” Health Care Law Update & Medical/Legal Summit 2017, Cleveland Metropolitan Bar Association/Academy of Medicine Education Foundation/The Academy of Medicine of Cleveland & Northern Ohio, Cleveland, Ohio (March 2017)
“HIPAA Best Practices and Audit Readiness,” Health Action Council Webinar (February 2017)
“Understanding & Navigating Cyber Liability Policies,” Advanced Issues in Insurance Coverage Law, Akron Bar Association, Akron, Ohio (December 2016)
“Healthcare Update – Regulations, HIPAA, and Risk Avoidance," 2016 In-House Counsel Summit, Tucker Ellis LLP, Cleveland, Ohio (October 2016)
“Cyber Security Month – Security Panel,” Case Western Reserve University, Cleveland, Ohio (October 2016)
“A Practical Guide to Your Incidence Response Plan,” Practical Tips and Tools to Deal with Cybersecurity Challenges, Tucker Ellis LLP, Cleveland, Ohio (July 2016)
“Identifying, Calculating, and Mitigating Covered Loss under New Cyber Liability Policies,” Cleveland Metropolitan Bar Association Insurance Law Section, Cleveland, Ohio (November 2015)
“Surviving the Breach: Immediate Steps and Responses,” and “What Are the Risks: An Introduction to Exposures, Costs, and Trends,” Tucker Ellis Privacy and Data Security Risks: Are You Prepared?, Cleveland, Ohio (July 2015)
“Protecting the Net: Cybersecurity,” Tucker Ellis/McGladrey Marching Through the Madness: Making Your
Financial Services Team a Winner in Risk and Compliance, Cleveland, Ohio (March 2015)
“Data Security: Managing the Crisis,” 2014 In-House Counsel Summit, Tucker Ellis LLP, Cleveland, Ohio
(October 2014)
“HIPAA HITECH Compliance Seminar: What Organizations and Their Business Associates Need to Know,”
sponsored by Tri-C and Jurlnnov (July 2013)
“Technology and Cyber Risks – Exposures and Coverage Options,” Public Agency Risk Managers Association (May 2012)
Webinar: “Great Ideas for Media and Technology in Schools.” Available online at:
http://training.sia-jpa.org/Academy/ViewCourse.aspx?CourseID=24
Speaker at seminars on “Data Breach: Understanding the Risk and Managing a Crisis”
Presented “Data Security Risks and Crisis Management” to individual firm clients
“Navigating the Stringent Legal e-Discovery Requirements and Patient Confidentiality Concerns Associated with Electronic Documentation,” Advanced Forum on Healthcare Provider Disputes & Litigation, American Conference Institute, Chicago, Illinois (July 2012)
“The Risks and Rewards of EMR: Meaningful Use or Tool for Abuse?,” 7th Annual National Medical Liability Insurance ExecuSummit, Mohegan Sun, Connecticut (September 2011)

publications

“Are You Ready for the California Consumer Privacy Act?”, Tucker Ellis Client Alert (July 2019)
“Ohio Joins Growing Trend Requiring Cybersecurity Standards and Reporting Obligations for Insurance Industry,” Tucker Ellis Client Alert (February 2019)
“Illinois Supreme Court Rules in Favor of Consumers in Landmark Biometric Data Case,” Tucker Ellis Client Alert (January 2019)
“The Future Is in the Palm of Your Hand and in the Details of Your Eyes, Face, and Fingerprints as Businesses Handling Biometric Data Face a New Wave of Class-Action Litigation,” DRI’s The Business Suit (Vol. 22, Issue 4)
“Cybersecurity Safe Harbor Against Data Breach Lawsuits Becomes Ohio Law,” Tucker Ellis Client Alert (August 2018)
“California Passes Landmark Law Creating Broad Data Privacy Rights for California Residents,” Tucker Ellis Client Alert (July 2018)
“GDPR Update: Your Questions About GDPR – Answered,” Tucker Ellis Client Alert (July 2018)
“‘Injury in Fact’ Standing After Cambridge Analytica,” Law360 (June 2018)
“GDPR Focus: How the European Union’s New Cybersecurity Measure Will Impact Your American Manufacturing Business,” Manufacturing Today (May 2018) “Assessing the Fine (Finger) Print: Biometric Data Is the New Frontier in Data Security and the Next Wave of Litigation,” Cleveland Metropolitan Bar Journal (May 2018)
“Roundtable: Cyber Risk & Security,” Financier Worldwide (May 2018)
“The SEC’s Latest on Disclosures: New Guidance Mandates Greater Attention to Cybersecurity Planning,” Corporate Compliance Insights (April 2018)
“Countdown to the GDPR,” Manufacturing Business Technology (March 2018)
“Countdown to the GDPR: What You Need to Know About the Impact of the European Union’s New Cybersecurity Measures on Your American Business,” Tucker Ellis White Paper (March 2018)
“Proposed Legislation Seeks to Safeguard Ohio’s Election System Against Cyberattacks,” Tucker Ellis Client Alert (February 2018)
“Lessons for Data Breach Lawyers from Product Liability,” Law360 (January 2018)
“Ohio Bill Proposes Safe Harbor Against Breach Suits to Businesses Maintaining Recognized Cybersecurity Programs,” Tucker Ellis Client Alert (December 2017)
“Data Security Breaches Land General Counsel on Chopping Block; Lessons from Yahoo!,” Tucker Ellis Client Alert (March 2017)
“Don’t Let a Data Breach Derail the Deal,” Crain’s Cleveland Business (January 2017)
“Enhancing Board Oversight of Cyber Risk – The Board’s Increasingly Important Role,” Corporate Compliance Insights (December 2016)
White Paper and associated Proposed Internal Policies and Guidelines regarding proper use, access, and protection of technology, Internet, personal digital assistants (PDAs), and cellular telephones, and individual Technology User Agreements
“Think Fast: The Potential for Tension Between Insureds and Data Security Insurers,” Bloomberg BNA’s Privacy and Security Law Report (August 2016)
“The Greatest Cybersecurity Risk Comes From Within,” Law360 (September 2015)
“Data Security Plans: Why Financial Institutions Must Continuously Assess and Update Their Data Security Plans,” Bloomberg BNA’s Corporate Law & Accountability Report (June 2015)
“The ‘Heartbleed’ Bug and Responding to a Data Security Breach,” Tucker Ellis Client Alert (April 2014)
“Data Security: What You Don’t Protect Can Cost You,” published in FOCUS, quarterly newsletter of the Association of Corporate Counsel Northeast Ohio Chapter (1Q2013)

media quotes

“Why You Should Create a Forward-Thinking Privacy Policy,” InformationWeek (August 2019)
“Banks Feeling the Heat Over Fintech Partners’ Cyber Risks,” Law360 (June 2019)
“DC Circ. Piles Onto Standing Split With Data Breach Ruling,” Law360 (June 2019)
“Data Breach Legislation Proposes Jail Time for CIO, HR Execs,” TechTarget (April 2019)
“CCPA Compliance Begins with Data Inventory Assessment,” TechTarget (December 2018)
“Legal Tech’s Predictions for 2019 in Cybersecurity and Privacy,” Legaltech News (December 2018)
“Lawyers Weigh In on the Loews Hotel Biometric Data Misuse Case,” Hospitality Technology (October 2018)
“The Coca-Cola Hack and Who’s on Hook for Office Cybersecurity,” Bloomberg BNA (January 2018)
“Cloud Archiving: The Benefits of Super-Fast Email Searches,” Mimecast Blog (December 2017)
“5 Reasons Your Archive Data Solution Will Do You Wrong,” Mimecast Blog (November 2017)
“Not Just a Nice to Have. 7 Reasons an All-in-One Cloud Archive Is a Business Necessity,” Mimecast Blog (October 2017)
“The 5 Biggest Challenges of Mobile Email Management,” Mimecast Blog (September 2017)
“Scottrade Wins Dismissal of Data Breach Suit,” Westlaw Journal Computer & Internet (July 2016)

Key Contact

Robert J. Hanna

Partner

attorneys

experience

Developed HIPAA-compliant best practices policies and training for covered employers and providers
Audited compliance with data privacy and security laws and regulations
Represented large multinational corporations in data breach investigations
Defended large pharmaceutical manufacturer in a trade secret case involving alleged theft of clinical data
Negotiated technology license and use agreements, off-site data storage and security agreements, and data evaluation and manipulation agreement with client vendors
Counseled clients and provided emergency response services and disclosures with respect to inadvertent
disclosures and access to confidential consumer, employee, and customer information
Defended individuals and executives in response to allegations of actual or potential criminal conduct arising from data breaches and security related issues
Prosecuted Qui Tam actions in the healthcare industry resulting in the federal government’s interventions and recovery of funds against multi-state healthcare providers and medical device manufacturers
Defended organizations and individuals against False Claims Act litigation brought by the federal government and Qui Tam relators in the construction, healthcare, transportation, and government procurement industries
Defended healthcare providers, hospitals, and insurance coverage providers in response to claims of alleged HIPAA and state medical privacy law violations
Represented business claimants in allegations that other businesses and individuals have misappropriated and/or misused proprietary or confidential information
Engaged in a FINRA investigation arising from a violation of Reg SP, an SEC promulgated privacy regulation
Represented an international company in prosecuting a theft of trade secrets case relating to its Brazilian operations
Representations in connection with restrictive terms of use relative to electronic information access, including electronic files and electronic documents
Counseled clients in connection with electronic document security, including watermarking, glyphs, encryption, and tracking
Represented businesses and their employees alleged to have engaged in theft of trade secret claims

related practices

business insights

Jane Davidson Makes 2021 Privacy Predictions in Legaltech News
December 2020
Tucker Ellis Wraps Up 2020 In-House Counsel Summit Webinar Series
December 2020
Jane Davidson Moderates IAPP 2020 Data Privacy Retrospective and Roundtable Discussion
December 2020
Law360 Features New Partner Ashley Brandt and His Move to Tucker Ellis
October 2020
Tucker Ellis Welcomes Partner Ashley Brandt to Business Department
October 2020
Rob Hanna Speaks at Cleveland-Marshall's 2020 Cybersecurity and Privacy Protection Conference
September 2020
The Vulnerabilities of Medical and Wearable Devices
Summer 2020, DRI's In-House Defense Quarterly
Are You Affected by the Blackbaud Ransomware Attack?
August 2020
Best Practices for Data Privacy and Cybersecurity in a Virtual Construction Work Environment
May 2020, Construction Executive
Tod Northman and Jeff Carr Contribute Two Chapters to First Edition of Driverless Cars Publication
April 2020, Driverless Cars, Urban Parking and Land Use, 1st Edition, Chapters 4 and 5
Secure Your Home Workspace During the COVID-19 Pandemic
March 31, 2020
Dan Messeloff Addresses Northeast Ohio Chapter of the Association of Certified Fraud Examiners on Data Privacy
February 2020
Sandy Wunderlich and Caroline Tinsley Present at DRI's Women in the Law Seminar
January 2020
The Supreme Court of Ohio to Consider What Constitutes an Unauthorized Disclosure of Protected Health Information in the Context of Collecting a Medical Debt
January/February 2020, Northern Ohio Physician
Ray Krncevic Quoted on the Future of Health Care Law in Law360
January 2020, Law360
Dan Messeloff Makes Data Privacy Predictions for 2020 in Legaltech News
January 2020
Dan Messeloff Comments on Effect of European Cybersecurity and Data Privacy Regulations on U.S. Companies and Regulators
December 2019
Jane Davidson Addresses New Privacy Issues at Cybersecurity Forum
December 2019
David Steele Contributes to WTR Roundtable on Trademark Enforcement
October 2019, World Trademark Review
Rob Hanna Shares Data Privacy Insights with InformationWeek
August 2019
Are You Ready for the California Consumer Privacy Act?
July 2019
Law360 Quotes Avril Love on D.C. Circuit Data Breach Ruling
July 2019
Sandy Wunderlich Participates in IADC Cyber Evidence Webinar
June 2019
Law360 Quotes Rob Hanna on Cyber Risks in Online Banking
June 2019, Law360
Ray Krncevic Explores Potential for Blockchain Technology in Health Care at OHA Annual Meeting
June 2019
Messeloff Speaks at C|M|LAW Cybersecurity Conference
May 2019
Just the Facts: AV Legislation Is Necessary, but It Can't Happen Without Research
Winter 2019, Inter Alia, Federal Bar Association Northern District of Ohio Chapter
Dan Messeloff Speaks at CMBA's Global Security Risk Management Seminar
May 2019
TechTarget Quotes Rob Hanna on Warren's Data Breach Bill
April 8, 2019
David Steele Addresses Harvard Law School Digital Privacy Class on GDPR's Impact on Enforcing IP Rights on the Internet
April 2019
Stop, Drop, and Think: A Futurist's Plea for Caution in the Age of AI
March 2019, Legaltech News, New York Law Journal
Illinois Supreme Court Rules in Biometric Information Privacy Act Case
Winter 2019, ABA Section of Litigation, Class Actions & Derivative Suits
Executive Order on Artificial Intelligence Seeks to Maintain Global Leadership for United States
February 2019
Ohio Joins Growing Trend Requiring Cybersecurity Standards and Reporting Obligations for Insurance Industry
February 2019
Illinois Supreme Court Rules in Favor of Consumers in Landmark Biometric Data Case
January 2019
How Blockchain Can Help Secure Connected Devices
January 2019, Law360
The California Consumer Privacy Act of 2018: How Can Businesses Use Consumer Data?
January/February 2019, Nutrition Industry Executive
Dan Messeloff Offers Insights into CCPA Compliance in TechTarget
December 2018, TechTarget
Rob Hanna and Elisa Arko Make Cybersecurity and Privacy Predictions for 2019 in Legaltech News
December 2018, Legaltech News
Emily Knight Quoted in Hospitality Technology on Biometric Data Misuse Case
October 2018, Hospitality Technology
Carl Muller and Paul Janowicz Address Workplace Privacy Issues in OSBA WebCast
September 2018
Marc R. Greenberg Joins Tucker Ellis as Counsel in Los Angeles
September 2018
The Future Is in the Palm of Your Hand and in the Details of Your Eyes, Face, and Fingerprints as Businesses Handling Biometric Data Face a New Wave of Class-Action Litigation
Volume 22, Issue 4, DRI's The Business Suit
Cybersecurity Safe Harbor Against Data Breach Lawsuits Becomes Ohio Law
August 2018
Tucker Ellis Welcomes Raymond Krncevic as Trial Department Counsel
July 2018
California Passes Landmark Law Creating Broad Data Privacy Rights for California Residents
July 2018
GDPR Update: Your Questions About GDPR – Answered
July 2018
Vicky Vance Speaks at ACI 17th Annual Advanced Forum on Obstetric Malpractice Claims
June 2018
"Injury in Fact" Standing After Cambridge Analytica
June 2018, Law360
GDPR Focus: How the European Union's New Cybersecurity Measure Will Impact Your American Manufacturing Business
May 2018, Manufacturing Today
Tod Northman Comments to Law360 on DOT UAS Initiative
May 24, 2018, Law360
Assessing the Fine (Finger) Print: Biometric Data is the New Frontier in Data Security and the Next Wave of Litigation
May 2018, Cleveland Metropolitan Bar Journal
DOT Selects 10 Drone Operations Test Sites for Pilot Program
May 2018
Tod Northman Quoted in Law360 on Air Traffic Control System
April 2018, Law360
Roundtable: Cyber Risk & Security
May 2018, Financier Worldwide
The SEC's Latest on Disclosures: New Guidance Mandates Greater Attention to Cybersecurity Planning
April 2018, Corporate Compliance Insights
Tucker Ellis Welcomes New Partner Caroline Tinsley to MedPharm Group
April 2018
Countdown to the GDPR
March 2018, Manufacturing Business Technology
Countdown to the GDPR: What You Need to Know About the Impact of the European Union's New Cybersecurity Measures on Your American Business
March 2018
2018 Healthcare Compliance Outlook for Boards of Directors
March 2018, Cleveland Metropolitan Bar Journal
Risk Management in the Air: What You Need to Know About Insuring Your Drone
March 2018, Westlaw Journal Insurance Coverage
Proposed Legislation Seeks to Safeguard Ohio's Election System against Cyberattacks
February 2018
Lessons for Data Breach Lawyers from Product Liability
January 2018, Law360
Ohio Bill Proposes Safe Harbor Against Breach Suits to Businesses Maintaining Recognized Cybersecurity Programs
December 2017
Rob Hanna Quoted in Mimecast Blog on the Importance of Email Search Speed in Client and Court Requests
October 2017
Rob Hanna Quoted in Mimecast Blog on Mobile Email Management
September 2017
FAA Regs Still Apply to "Commercial" Drone Use
August 2017, Law360
Drone Operators Beware: FAA Drone Regulations Continue to Apply to "Commercial" Uses
July 2017
Law360 Quotes Tod Northman on FAA Air Traffic Control Provisions
June 2017, Law360
Arbitration Agreements in Long-Term Care Facilities: CMS Dismisses Appeal of Injunction and Issues New Proposed Rule -- and Other Health Care Industry News
June 2017
Tom Peppard Presents at OSBA Business Law Conference
May 12, 2017
Corporate Representative Deposition Update - Traps Remain for the Unwary
Spring 2017, OACTA's The Update
Data Security Breaches Land General Counsel on Chopping Block; Lessons from Yahoo!
March 2017
Six Tucker Ellis Attorneys Speak at Health Care Law Update & Medical/Legal Summit
March 27, 2017
Don't Let a Data Breach Derail the Deal
January 14, 2017, Crain's Cleveland Business
Corporate Representative Depositions and Proportionality
Winter 2017, DRI's In-House Defense Quarterly
Enhancing Board Oversight of Cyber Risk - The Board's Increasingly Important Role
December 19, 2016, Corporate Compliance Insights
HIPAA Phase 2 Audits Are Here. Are Business Associates Ready?
September 2016
Hanna and Janowicz Quoted in Crain's Cleveland Business on Cleveland-Marshall's Cybersecurity Center
August 2016
FAA Approves Expanded Commercial Operations for Drones; Senate Version of 2016 FAA Reauthorization Makes It Out of Committee
April 2016
Tod Northman Quoted in Law360 on FAA Funding Fix
March 2016
Tod Northman Quoted in Law360 on FAA Reauthorization Bill
February 2016
Hobbyists Required to Register Drones
December 2015
Federal Task Force Recommends Drone Registration
December 2015
Drug and Device Lawyers Need to Be Mindful of Recent HIPAA and State Medical Privacy Law Developments
October 2015, DRI's RX for the Defense
Legal Update on Drones: FAA Provides Needed Guidance to Model Airplane Hobbyists
September 2015
The Greatest Cybersecurity Risk Comes From Within
September 2015, Law360
Data Security Plans: Why Financial Institutions Must Continuously Assess and Update Their Data Security Plans
June 19, 2015
Taber and Vance Speak at OHA Centennial Annual Meeting
June 2015
A Murky Trade Secret Landscape: What Employers Can Do
December 19, 2014, Law360
The "Heartbleed" Bug and Responding to a Data Security Breach
April 2014
Data Security: What You Don't Protect Can Cost You
1Q2013, FOCUS, ACC Northeast Ohio Chapter

COVID-19

News & Publications

Blogs

ERISA

Perspectives on employee benefits, executive compensation and ERISA litigation to help you attract and retain talent.

Libation Law Blog

Alcoholic beverage and cannabis regulatory and legal updates.

lingua negoti

The language of business.

Ohio Environmental

Insights and commentary for the business and legal community.