main content

Cybersecurity Protection and Response

Legal Practice

Harris Beach offers a dynamic combination of legal and technical support to protect digital assets and business interests, as well as a rapid response team in the event of a breach. We provide a full range of data privacy and cybersecurity services – from compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advisement on following the National Institute of Standards and Technology protocols. Our cybersecurity team of attorneys, information security and communications management professionals leverages its experience with highly regulated industries to provide the strategic counsel and guidance organizations need to manage the potentially devastating risks associated with the theft or compromise of intellectual property or the personal information of customers or employees.

Our technical team's certifications include:

  • Certified Information Security Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Hacking Forensic Investigator (CHFI)
  • Certified in Risk and Information Systems Control (CRISC)
All Insights, All Publications, Legal Alert |
 March 24, 2023
Lawsuits Reinforce Importance of Health Care Websites being HIPAA Compliant
Health care providers are urged to increase cyber security to avoid violating HIPAA and other patient privacy laws....read more
All Insights, All Publications, Legal Alert |
 February 16, 2023
State Privacy Laws Differ; One Comprehensive Privacy Policy May Be Best
California, Colorado, and Virginia have similar privacy laws and businesses should consider one policy while remaining in compliance with fe...read more
All Insights, All Blogs, Health Care Blog |
 November 4, 2022
Ransomware Attack Hits Major Healthcare System CommonSpirit Health
A major healthcare system recently experienced a ransomware attack that affected patient care....read more
All Insights, All Publications, Legal Alert |
 October 14, 2022
Cyberattacks Hitting School Districts
School districts are particularly vulnerable to hackers because they operate with limited budgets...read more
All Insights, All Publications, Legal Alert |
 April 4, 2022
Division Y-Cyber Incident Report for Critical Infrastructure Act of 2022 Becomes Law, with Regulations Expected by 2025
Division Y – Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law by President Biden on March 15....read more
All Blogs, Health Care Blog |
 March 3, 2022
Ukraine Conflict Creates Need for Enhanced Health Care Cybersecurity
With its trove of sensitive patient and personal data and increasingly digitized records, the health care industry is always vulnerable to c...read more
Legal Alert, All Insights, All Publications |
 March 3, 2022
‘Shields Up’ on Cybersecurity in Wake of Ukraine Conflict
Fears of cybersecurity attacks are mounting in the wake of the Russian invasion of Ukraine. From the war itself, a number of malware variant...read more
All Publications, Legal Alert |
 February 11, 2022
Recent NYSED Decision Underscores Need for School Districts to Protect Data Privacy
School districts must consider the sanctity and privacy of data they maintain, as a recent decision underscores from the New York State Educ...read more
All Insights, All Blogs, Health Care Blog |
 October 31, 2021
Increases in Telemedicine and Use of Digital Health Create Both Flexibility and Compliance Headaches
The explosion of telemedicine and telehealth, or virtual patient care and monitoring, presents many opportunities for enhanced, more streaml...read more

Cybersecurity Protection and Response

Legal Practice

Profile

Harris Beach offers a dynamic combination of legal and technical support to protect digital assets and business interests, as well as a rapid response team in the event of a breach. We provide a full range of data privacy and cybersecurity services – from compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advisement on following the National Institute of Standards and Technology protocols. Our cybersecurity team of attorneys, information security and communications management professionals leverages its experience with highly regulated industries to provide the strategic counsel and guidance organizations need to manage the potentially devastating risks associated with the theft or compromise of intellectual property or the personal information of customers or employees.

Our technical team's certifications include:

  • Certified Information Security Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Hacking Forensic Investigator (CHFI)
  • Certified in Risk and Information Systems Control (CRISC)

Services

Regulatory Compliance and Cyberrisk Assessment

Our assessments identify gaps in organizations’ critical risk areas and include recommendations on how to close them. This includes vendor and contract review, transactional due diligence, evaluating cyber insurance policies, and counseling upper management and board members on the scope of the risk and need for affirmative action.

Process:

  • Identify applicable industry-specific and jurisdictional laws, regulations and standards regarding personal and protected data to help ensure regulatory compliance
  • Conduct in-depth analysis of our clients’ current security programs, including interviews with key stakeholders, to identify vulnerabilities and establish a cyberrisk profile
  • Help clients identify high legal-risk scenarios for security prioritization
  • Identify applicable state-specific safe harbors for organizations using consulting services to help mitigate cyberrisk

Deliverables:

  • A detailed cyberrisk report with strategic recommendations for developing and/or enhancing information security programs and policies to help ensure regulatory compliance and proactive risk management, including:
    • Information governance programs
    • Records management policies
    • Breach notification policies
    • Protocol manuals
    • Incident monitoring and reporting processes
    • Emergency response plans
    • Security awareness education and training
    • Negotiate with cybersecurity insurance carriers and brokers to determine appropriate levels of coverage
  • Assistance with drafting and implementing policies and programs to address weaknesses identified in the cyberrisk report

Communication Planning

Our pre-breach communications planning services help clients position themselves to mitigate the potentially damaging repercussions of a data breach.

Process:

  • Our in-house communications team works with our clients’ communications and public relations professionals, or acts on their behalf

Deliverables:

  • Develop or enhance communications management plans to include cybersecurity components and ensure plans address affected internal and external stakeholders
  • Provide communications and media training to the designated organization spokespeople

Rapid Incident Response

Upon notification of an actual or suspected breach, we deploy attorneys and IT professionals to coordinate a thorough response under the protection of attorney-client privilege during the critical time when an organization’s investors, customers and regulators are closely monitoring the situation and its potential outcome.

Process:

  • Immediately start the process to identify and contain the risk
  • Identify the scope of the breach through forensic investigations
  • Provide tactical recommendations to prevent additional incidents
  • Identify records containing personally identifiable information (PII) and/or protected health information (PHI) and determine which may have been breached
  • Provide guidance on notifying affected individuals of breaches involving such information
  • Consult on when and how to cooperate with regulatory agencies and/or law enforcement during an investigation

Deliverables:

  • Implement comprehensive security breach response to reduce liability and enable compliance going forward
  • Guide breached entities in dealing with regulatory agencies and law enforcement
  • Provide strategic recommendations for preventing similar incidents from recurring
  • Confirm the necessary steps are taken to ensure appropriate insurance coverage

Privacy-Related Litigation and Investigation

Our attorney team has experience handling high-stakes class-action lawsuits, government investigations and regulatory enforcement actions.

Process:

  • Provide pretrial guidance including evaluating potential claims and liability risks, as well as assessing options for alternative dispute resolution
  • Build and deploy the right attorney and technology team, tailoring specific data privacy and cybersecurity experience to provide innovative, practical and cost-effective solutions for the unique challenges of each matter

Deliverables:

  • Represent and defend clients in all aspects of litigation and regulatory investigations arising from data breaches and alleged violations of data privacy requirements – from pretrial and investigative phases through trial and appeal

Communications Plan Execution

We help breached organizations hit the ground running to manage message points, put the controversy behind them, and preserve their image, brand and internal morale.

Process:

  • Our communications professionals work side by side with our technical and regulatory compliance teams to provide a timely and efficient response to help protect our clients’ reputations and business interests

Deliverables:

  • Develop communications for appropriate channels and stakeholders
  • Identify or act as third-party spokespeople
  • Conduct media outreach
  • Monitor media, including social media, and advise on appropriate response

87% of U.S. chief executives said they were worried that cyberthreats could impact growth prospects, up from 69% the year before.*

*Source: 2015 US State of Cybercrime Survey, cosponsored by CSO, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, May–June 2015

Experience

Data Breaches

  • We have handled breaches for towns, municipalities, and businesses – including HIPAA covered entities and federally regulated banks.

Data Privacy and Security Programs, Web Privacy Policies  

  • Harris Beach has helped organizations from all industry sectors to implement data privacy and security programs that comply with New York Shield Law, California’s data privacy laws and the many additional privacy laws being developed in each state. This work also includes developing Web Privacy policies that balance the reporting and disclosure requirements with the flexibility to effectively use data collected from data subjects in the future.  This is especially important for companies that want to allow for the possibility to merge into other organizations or be sold or acquired.
  • Successfully resolved complaint made against US-based business by Data Subject to the UK Data Protection Authority (the ICO) under the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR).
  • Drafted and revised Data Protection Agreements and Policies and Procedures for multiple businesses to reflect compliance obligations under the GDPR, the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and other regulations governing data transfers, data privacy, and cybersecurity.
  • Defended multi-site healthcare provider in data breach/HIPAA violation action.

Defense Contractors   

  • We have worked with many defense contractors to define policies and controls to support DFARS and NIST 171 security compliance.  We are now working with many of these companies to implement programs that comply with the new CMMC security standard so they may certify to the level required for the contracts they desire.

Education   

  • Harris Beach has developed privacy policies for many of New York’s school districts that comply with the new cybersecurity and data privacy regulation promulgated to support New York’s Education Law 2D as well as the federal standard, FERPA.

Energy

  • Assisting energy sector companies in events where one or more individuals from outside of the organization obtained access to: email systems; file servers and data bases without authorization.  Harris Beach helped these companies with the initial investigation by retaining and directing forensic investigators to identify the root cause and scope of these events.  The firm then assists its clients with their legal and contractual breach notification obligations and improving their security plan to reduce the risk of these events from occurring again.
  • Harris Beach is currently working with an IT security vendor to develop and implement a standard system security plan and set of controls for use in energy power plants for both operation technology and for informational technology.  These will ultimately be implemented in over 70 power plants.
  • Harris Beach is working with a large regional reseller of energy products to develop a system security plan for the processing of Payment Cards and individual privacy requirements for all the states that company is currently operating within.
  • Harris Beach has assisted its energy clients with drafting data sharing and transfer agreements to allow the transfer of data between the US, Canada and the European Union.
  • Harris Beach is working with some of its major utility clients with cybersecurity matters involving federal and state agencies.  This includes compliance with New York State’s Department of Financial Services.

Financial Institutions

  • The firm has worked with insurance carriers, financial institutions and brokers to comply with Sarbanes Oxley, Gramm Leach Bliley, New York State Department of Financial Services, Federal Trade Commission, and Federal Communication Commission data protection and privacy rules.
  • Represented clients before the DFS

Health Care  

  • We have worked with several hospitals and health care systems, nursing and assisted living centers and insurers to develop system security plans that comply with HIPAA, CMS Medicaid data and NY State’s OHIP 3.1 data protection standard.
  • Performed HIPAA cyber assessments and audits.

People

Team Leaders

Alan M. Winchester

Member
(212) 313-5403
awinchester@harrisbeach.com

Team

Peri A. Berger

Member
(212) 912-3574
pberger@harrisbeach.com

Terrance P. Flynn

Member
(716) 200-5120
tflynn@harrisbeach.com

Ross B. Hofherr

Member
(212) 313-5482
rhofherr@harrisbeach.com

Michael F. Nozzolio

Counsel
(585) 419-8648
mnozzolio@harrisbeach.com

Daniel Pesciotta

Ethics and Risk Counsel
(585) 419-8733
dpesciotta@harrisbeach.com

Jaime L. Regan

Member
(212) 912-3506
jregan@harrisbeach.com

Dawn M. Russell

Consultant
(585) 419-8708
drussell@harrisbeach.com

Richard A. Shutts

Chief Information Officer
(585) 419-8770
rshutts@harrisbeach.com

Alan M. Winchester

Member
(212) 313-5403
awinchester@harrisbeach.com

Harris Beach and its subsidiaries provide a full range of legal and professional services for clients across New York state, as well as nationally and internationally. Harris Beach is among the country’s top law firms as ranked by The National Law Journal and is among the BTI Elite law firms based on in-depth interviews of more than 600 corporate counsel at the world’s largest and most influential companies. Our clients include Fortune 100 corporations, privately-held companies, emerging businesses, public sector entities, not-for-profit organizations and individuals. Principal industries we represent include education, energy, financial, food and beverage, health care, insurance, manufacturing, medical and life sciences, real estate developers, and state and local governments and authorities.

Industry Teams
Automotive and Vehicle Dealerships
Blockchain and Digital Assets 
Cannabis
Construction and Surety
Educational Institutions Higher Ed
Educational Institutions K-12
EMS and Fire Protection Providers
Energy
Financial Institutions and Capital Markets
Food and Beverage
Health Care
Industrial and Consumer Manufacturing
Medical and Life Sciences
Municipalities and Local Agencies
Nanotechnology
Photonics
Racing and Gaming
Real Estate Developers
Science and Technology
Telecommunications and Media
Unmanned Aircraft Systems
USA Collegiate Sports
Veterinary Medicine

Practices
Alternative Dispute Resolution
Appellate
Business and Commercial Litigation
Collection Law
Commercial Real Estate
Corporate
Cybersecurity Protection and Response
Diversity Compliance
E-Discovery (e-infoSM)
Employee Benefits
Employment Litigation
Environmental Law
Environmental, Social and Governance (ESG)
Financial Restructuring, Bankruptcy and Creditors’ Rights
Government Compliance and Investigations
Health Law
Immigration Law
Insurance Coverage
Intellectual Property Law
International Trade Law
Internet Law
Labor and Employment Law
Mass Torts and Industry-Wide Litigation
New Markets Tax Credit
Patent, Trademark and Copyright Law
Product Liability and Comprehensive General Liability
Public Finance and Economic Development
Real Property Valuation Litigation
Residential Real Estate
Tax Law
White Collar Crime
Wills, Trusts and Estates

Consulting Services
HB Solutions LLC
Collegiate Sports Compliance
Data Privacy and Cybersecurity
Economic Development and Public Affairs
Educational Institution Assistance
EMRG® (E-Discovery Management Resources Group)
Energy
Health and Human Services
Human Resources
Information Technology
Marketing and Communication Services
Municipal and Local Agency Assistance

HB Cornerstone LLC
Owner Representation
Design Services
Facilities Consulting
Move Management

Caetra.io
CyMetric (Cybersecurity Regulation Compliance Software)

Offices throughout New York:

Albany
677 Broadway
Albany, NY 12207
518-427-9700

Buffalo
726 Exchange Street
Buffalo, NY 14210
716-200-5050

Ithaca
119 East Seneca Street
Ithaca, NY 14850
607-273-6444

Long Island
333 Earle Ovington Boulevard
Uniondale, NY 11553
516-880-8484

New York City
100 Wall Street
New York, NY 10005
212-687-0100

Rochester
99 Garnsey Road
Pittsford, NY 14534
585-419-8800

Saratoga Springs
513 Broadway
Saratoga Springs, NY 12866
518-587-0551

Syracuse
333 West Washington Street
Syracuse, NY 13202
315-423-7100

White Plains
445 Hamilton Avenue
White Plains, NY 10601
914-683-1200

Offices also in:

New Haven, CT
195 Church Street
New Haven, CT 06510
203-784-3159

Newark, NJ
One Gateway Center
Newark, NJ 07102
973-848-1244

Washington, DC
800-685-1429

Attorney Advertising. Prior results do not guarantee a similar outcome.
© 2022 Harris Beach PLLC

Content current as of April 2, 2023 4:17 am