Privacy and Data Security, Nutter McClennen & Fish LLP Photo
Print PDF

Privacy and Data Security


In 1890, Samuel Warren and Louis Brandeis, the founders of our firm, published “The Right to Privacy” in the Harvard Law Review. The article is credited with creating the doctrine of privacy law and has been hailed as one of the most influential law review articles ever. Nutter is proud of its place in the history of privacy law and remains at the forefront of this cutting-edge area.   

What We Do
We work closely with our clients, immersing ourselves in their business so that we can provide the best possible value and strategic guidance. This approach allows our clients to stay focused on core business activities, minimize potential risks, and respond effectively to data security incidents. Our attorneys have an exceptional track record in a broad array of privacy and data security matters, ranging from compliance with HIPAA, GDPR, CCPA, and banking regulations, to preparation for and responses to data breaches.

Cyber Incident Response and Data Breaches
Cyberattacks and other types of data breaches are becoming increasingly common and can be devastating for businesses. They present a minefield of technical, legal, and public relations challenges. We have extensive experience in investigating network intrusions, hacking, ransomware attacks, cyber extortion, and other types of data breaches. We help clients coordinate with regulatory authorities, meet public disclosure requirements, evaluate remedial measures, and defend against civil litigation or government enforcement actions.

Cybersecurity Assessments and Incident Response Planning
Our experience in advising clients in the wake of cyberattacks gives us key insights in advising clients on how to mitigate cyber risks. Our team is skilled in its ability to understand our client’s unique business needs and to work with their IT and security professionals to assess their legal obligations and help guide their decision-making in assessing, seeking to prevent, and preparing for cyberattacks. We specialize in working with cybersecurity vendors, digital forensic experts, and penetration testers to help draft and test defensible security plans.

Board Advisory
In the wake of data breaches, regulators, litigants, and shareholders routinely ask, “Where was the Board of Directors?” Few boards of directors have the skills or experience to provide the necessary oversight for cyber risk issues. Our team is uniquely positioned to advise boards of directors on how to structure cybersecurity governance and how to fulfill their cybersecurity oversight obligations.

Privacy Compliance Counseling
Privacy regulations in the U.S., Europe, and all over the world are rapidly changing. Our team is expert in advising companies dealing with privacy laws, including HIPAA, CCPA, data breach notification statutes, and the European Union’s GDPR. We are skilled at asking the right questions, mapping and understanding the flow of sensitive data through an organization, spotting compliance issues, and drafting policies and recommended practices to safeguard data. We help clients develop training programs and website privacy policies, and represent clients when they face issues involving global compliance, cross-border data transfers, and compliance audits.

Insider Threats
Though headlines tend to focus our attention on data breaches caused by outside hackers, the majority of data breaches and intellectual property thefts are actually caused by insiders – employees, contractors, or customers who abuse their legitimate access to sensitive data. Our team is skilled in helping clients prepare for, investigate, and respond to insider incidents.

Digital Data and Litigation
Litigation today inevitably raises complicated issues relating to digital data. In addition to the now routine issues around electronic discovery, litigants grapple with problems concerning, for example, rights to data stored in other countries, data in the cloud, or data accessed by third parties. This, in turn, can create extremely complicated conflicts of laws, pitting one country’s data protection regime against another country’s discovery requirements. Our deep knowledge of the relevant technical issues, combined with our legal skills, allow us to help clients navigating issues such as these at the intersection of law and technology.

Our Team
Our interdisciplinary Privacy and Data Security team has years of experience providing counsel, regulatory advice, and litigation services to businesses and institutions, and includes a Certified Information Privacy Professional (“CIPP”), the preeminent credential in the field.

We have the knowledge and experience to help businesses understand and comply with the evolving laws and standards that regulate the collection, use, sharing, and protection of personal data. In addition, we stay abreast of the latest developments in the industry by participating in organizations such as the International Association of Privacy Professionals (“IAPP”).

The interdisciplinary nature of our team—comprised of transactional and litigation attorneys—makes Nutter adept at counseling clients across a broad range of industries on compliance with, and defending against, alleged violations of privacy and data security laws.

View Practice Team

Representative Matters

Representative Matters

  • Palisade Corporation

    Represented Palisade Corporation, an Ithaca, New York-based provider of risk modeling and decision analysis software, in its recapitalization by Thompson Street Capital Partners (TSCP), a private equity firm based in St. Louis, MO.

  • Medical Insurance Company

    Advised medical insurance company dealing with a cyberattack impacting its customers’ Personal Identifying Information (PII) and Protected Health Information (PHI). Representation of this client included managing its response to the resulting United States Department of Health and Human Services (HHS) investigation and negotiating with numerous state Attorneys General regarding the incident.

  • Large Corporation

    Represented large corporate client facing ransomware demand from foreign hackers. Worked with client to investigate attack and interface on its behalf with law enforcement.

  • Client Facing SEC Inquiry

    Represented client facing an SEC inquiry into the adequacy of its public disclosure regarding a cyber security incident.

  • International Pharmaceutical Company

    Led investigation for international pharmaceutical company that discovered key intellectual property had been stolen and was offered for sale. Investigation ultimately disproved the company’s initial theory that an insider had stolen the data and demonstrated that their systems had been penetrated by a state-sponsored hacker.

  • Health Care Provider

    Led investigation for health care provider whose email system was breached in a major phishing attack. Worked with the company to understand what data had been implicated, ultimately finding that no PII or PHI had been accessed or exfiltrated by the hackers.

  • Company Facing IP Theft

    Worked with a company to determine the source of a theft of intellectual property, ultimately building a case against several former employees who had left the company to start a competitor.

  • Insurance Company Audit Committee

    Advised audit committee of insurance company seeking to test the company’s preparedness for a cyber attack, including conducting extensive physical and network penetration testing, and drafted report detailing suggested improvements to their security.

  • Abveris

    Nutter advised Abveris (formally known as AbX Biologics, Inc.), a privately-held in vivo antibody discovery services company, in connection with its acquisition by Twist Bioscience Corporation (NASDAQ: TWST), a leading and rapidly growing synthetic biology and genomics company that has developed a disruptive DNA synthesis platform to industrialize the engineering of biology.

  • AppwoRx LLC

    Nutter served as legal counsel to AppwoRx LLC, a Boston-based medical technology manufacturer, in connection with its acquisition by PatientNOW, a private equity-backed computer software company headquartered in Englewood, CO.

  • Dragonfly Group Inc.

    Nutter served as legal counsel to Dragonfly Group Inc., a technology-enabled platform acquiring and scaling standout e-commerce brands, in a significant, proprietary investment from the Flagship Buyout Fund of L Catterton, the largest global consumer-focused private equity firm.

  • REAL Software Systems

    Nutter served as legal counsel to REAL Software Systems in connection with its acquisition by Rightsline, the leading rights and finance management platform for the media and entertainment industry.

  • T.F. Boyle Transportation, Inc.

    Nutter served as legal counsel to T.F. Boyle Transportation, Inc. in its acquisition by Toronto-based Andlauer Healthcare Group Inc. (TSX: AND).

  • Veristat, LLC

    Nutter served as legal counsel to Veristat, LLC, a scientifically minded global clinical research organization (CRO), in its acquisition by WindRose Health Investors, LLC, a New York City-based health care private equity firm.

News & Insights





More >
Back to Page