Winchester, Alan M.

Alan is a cybersecurity and data privacy attorney who works with companies to develop new and innovative ways to share, use and safeguard the information they control. This includes working to develop internal programs which comply with applicable security and privacy regulations; drafting data use, transference and data use or sharing agreements; ensuring that data subject privacy notices on websites and applications that collect consumer information comply with all applicable regulations; and working with companies to implement processes and procedures to comply with information requests from data subjects.

Alan also works with companies seeking to merge publicly available information with information voluntarily provided by data subjects to develop new and useful insights to help provide that drive better products and services for these organizations, while also to their customers and develop strategy around managing the privacy issues raised by this practice.

The specific regulations he addresses most frequently are federal laws such as DFARS/CMMC, Sarbanes Oxley, HIPAA, and FERPA; international laws such as Europe’s GDPR or PEPIDA; U.S. state laws such as California’s CCPA/CPRA, Colorado’s CPA, and Virginia’s VCDPA; and the laws involving regulators such as New York Department of Financial Services, Department of Defense and the Office of Human Rights.

When security and privacy practices fail, Alan also helps with an organization’s incident response. He routinely works with forensic consultants to help identify, scope, mitigate and remediate the effects of a breach and with negotiators to address ransom demands; provides opinions and draft notices to affected individuals and customers; represents clients appearing before regulators; and handles claims where the incident involves a breach of a contractual duty concerning how the data was intended to be managed.

With a Bachelor of Science in Computers and his legal background, Alan understands both the technology and legal requirements associated with security and privacy incidents, communicates these issues to the relevant stakeholders and achieves a fast resolution to any dispute.

Areas of focus: Cybersecurity, data privacy agreements, breach coaching, development of policies and procedures to help organizations make the most of the information they control.

Information Governance
Alan works with organizations to develop information governance policies. This includes preparing organizations for a potential regulatory or legal action, developing policies to safeguard important business transactions, and helping organizations comply with government and industry standards in developing best practices to manage and retain documents. Alan also assists organizations with information management relating to the development of document management strategies and retention policies and the development of disaster recovery plans.

E-Discovery
Alan is experienced in all phases of the electronic discovery process. He and his group, which includes forensically trained IT professionals, routinely help organizations with the identification and preservation of potentially relevant content; its collection; review and finally production to the requesting party. He is a pioneer in the use of predictive coding to cost effectively and quickly identify responsive documents for early case assessment and review purposes and has been lecturing and writing in this area for the last four years. He has developed sampling methods used to test key word searches and to validate coding decisions.

Pharmaceutical and Medical Device Defense
In the tort arena, Alan focuses his practice primarily on litigation involving technology and pharmaceutical products. He has defended manufacturers of chemical or pharmaceutical products in products liability claims brought as class actions, multi-district litigation and statewide consolidations or as individual suits involving cancer, cardiac and pulmonary defects, birth defects and other systemic injuries. He has also acted as national counsel, local counsel, and science counsel for numerous companies.

Representative Matters

Data Breaches

We have handled breaches for towns, municipalities, and businesses – including HIPAA covered entities and federally regulated banks.

Data Privacy and Security Programs, Web Privacy Policies

Harris Beach has helped organizations from all industry sectors to implement data privacy and security programs that comply with New York Shield Law, California’s data privacy laws and the many additional privacy laws being developed in each state. This work also includes developing Web Privacy policies that balance the reporting and disclosure requirements with the flexibility to effectively use data collected from data subjects in the future. This is especially important for companies that want to allow for the possibility to merge into other organizations or be sold or acquired.
Successfully resolved complaint made against U.S.-based business by Data Subject to the UK Data Protection Authority (the ICO) under the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR).
Drafted and revised Data Protection Agreements and Policies and Procedures for multiple businesses to reflect compliance obligations under the GDPR, the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and other regulations governing data transfers, data privacy, and cybersecurity.
Defended multi-site healthcare provider in data breach/HIPAA violation action.

Defense Contractors

We have worked with many defense contractors to define policies and controls to support DFARS and NIST 171 security compliance. We are now working with many of these companies to implement programs that comply with the new CMMC security standard so they may certify to the level required for the contracts they desire.

Education

Harris Beach has developed privacy policies for many of New York’s school districts that comply with the new cybersecurity and data privacy regulation promulgated to support New York’s Education Law 2D as well as the federal standard, FERPA.

Energy

Assisting energy sector companies in events where one or more individuals from outside of the organization obtained access to: email systems; file servers and data bases without authorization. Harris Beach helped these companies with the initial investigation by retaining and directing forensic investigators to identify the root cause and scope of these events. The firm then assists its clients with their legal and contractual breach notification obligations and improving their security plan to reduce the risk of these events from occurring again.
Harris Beach is currently working with an IT security vendor to develop and implement a standard system security plan and set of controls for use in energy power plants for both operation technology and for informational technology. These will ultimately be implemented in over 70 power plants.
Harris Beach is working with a large regional reseller of energy products to develop a system security plan for the processing of Payment Cards and individual privacy requirements for all the states that company is currently operating within.
Harris Beach has assisted its energy clients with drafting data sharing and transfer agreements to allow the transfer of data between the US, Canada and the European Union.
Harris Beach is working with some of its major utility clients with cybersecurity matters involving federal and state agencies. This includes compliance with New York State’s Department of Financial Services.

Financial Institutions

The firm has worked with insurance carriers, financial institutions and brokers to comply with Sarbanes Oxley, Gramm Leach Bliley, New York State Department of Financial Services, Federal Trade Commission, and Federal Communication Commission data protection and privacy rules.
Represented clients before the DFS

Health Care

We have worked with several hospitals and health care systems, nursing and assisted living centers and insurers to develop system security plans that comply with HIPAA, CMS Medicaid data and NY State’s OHIP 3.1 data protection standard.
Performed HIPAA cyber assessments and audits

Additional Legal Representation

Discovery counsel for a major pharmaceutical drug subject to recall due to concerns about the manufacturing process.
Discovery counsel to defendants in complex federal court matters in the implementation of litigation holds and good faith compliance with obligations for disclosure of Electronically Stored Information (ESI) under the revised Federal Rules.
Document counsel to an entity involved in a significant Department of Justice investigation.
Regulatory and compliance counsel to national health care insurer seeking to develop document retention plans that incorporate ESI.
Regulatory and compliance counsel to quasi-governmental agencies seeking counseling on record retention strategies for ESI.
Risk assessment counsel to multiple international pharmaceutical companies seeking prelaunch evaluations of their products.
National counsel of a manufacturer of devices and pharmaceuticals used in dentistry.
Counsel to a company involving the theft of intellectual property through its computer systems by a competitor.
Counseling companies which maintain credit card information on the requirement of PCI data security standards.
Discovery counsel to a compounding pharmacy facing criminal and civil liability associated with allegedly contaminated pharmaceuticals.
Regional counsel to a sporting goods and toy manufacturer for product liability and Consumer Products Safety Commission claims.

Professional and Civic

Claims and Litigation Management Alliance, member
Defense Research Institute, member
Sedona Conference, member
New York State Unified Court System’s E-Discovery Working Group, co-leader of the Operations Group, by appointment of Chief Administrative Judge Ann Pfau

Recognition

Super Lawyers, E-Discovery and Personal Injury – Products: Defense, since 2014

Industry Teams

K-12 Education

Medical and Life Sciences

Real Estate Developers

Unmanned Aircraft Systems – Drones

Brooklyn Law School

1989

Albany Law School

1986

Location

New York, NY Office

Rochester, NY Office

June 5, 2023

Recent New York Cybersecurity Enforcement Provides Latest Reason for Companies to be Proactive

New York State enforces compliance with Cybersecurity Regulation to avoid vulnerability and risk to cybersecurity events.

March 24, 2023

Lawsuits Reinforce Importance of Health Care Websites being HIPAA Compliant

Health care providers are urged to increase cyber security to avoid violating HIPAA and other patient privacy laws.

February 16, 2023

State Privacy Laws Differ; One Comprehensive Privacy Policy May Be Best

California, Colorado, and Virginia have similar privacy laws and businesses should consider one policy while remaining in compliance with fe

November 4, 2022

Ransomware Attack Hits Major Healthcare System CommonSpirit Health

A major healthcare system recently experienced a ransomware attack that affected patient care.

October 14, 2022

Cyberattacks Hitting School Districts

School districts are particularly vulnerable to hackers because they operate with limited budgets

April 4, 2022

Division Y-Cyber Incident Report for Critical Infrastructure Act of 2022 Becomes Law, with Regulations Expected by 2025

Division Y – Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law by President Biden on March 15.

February 11, 2022

Recent NYSED Decision Underscores Need for School Districts to Protect Data Privacy

School districts must consider the sanctity and privacy of data they maintain, as a recent decision underscores from the New York State Educ

July 8, 2021

New York Sen. Gillibrand Proposes Data Protection Agency to Regulate Collection, Sharing of Personal Information

A cynical online commenter once wrote this about the data collection practices of the online news site Digg: “If you are not paying for it,

March 17, 2021

When in Doubt, Report Cybersecurity Events

The New York State Department of Financial Services (DFS) announced the $1.5 million settlement of its investigation of Residential Mortgage

February 19, 2021

New York’s Department of Financial Services Urges Cyber Insurance Companies to Require Insureds to Implement Robust Cybersecurity Programs

The New York State Department of Financial Services (DFS) issued a letter to the cyber insurance community on February 4, 2021 that should s

October 7, 2020

Education Data Privacy and Security Laws: Best Practices for School Districts

As if this fall weren’t hectic enough, school districts now need to prioritize compliance with a critical new regulation expanding New York

June 24, 2020

COVID-19’s Impact on Cybersecurity – Don’t Let Your Data Privacy, Security and Regulatory Compliance Waver

COVID-19 has had a dramatic impact on nearly all aspects of organizations nationwide – from employee safety to reimagined workplaces to fina

April 10, 2020

12 Ways to Ensure Strong Cybersecurity During the COVID-19 Pandemic

In addition to the upheaval and emergency measures taken to combat the COVID-19 virus, organizations are increasingly vulnerable to cyber-at

January 14, 2020

New York Board of Regents Approves Part 121 Regulations Required by Education Law § 2-d

Today the Board of Regents formally adopted Part 121 to the Commissioner’s Regulations to implement Education Law § 2-d. The regulation will

December 23, 2019

New Guidance Clarifies Schools Health Records Governed by FERPA Are Not Subject to HIPAA

New guidance issued jointly by the U.S. Department of Education and the U.S. Department of Health and Human Services advises schools that mo

November 21, 2019

Alan Winchester Presents SHIELD Act Webinar

For many organizations, New York’s SHIELD Act is the first legal obligation to implement security protections. Any business that maintains p

September 25, 2019

NYS Education Law Section 2-D

Now that school is back in session, partners Ed Trevvett and Alan Winchester discuss New York state’s renewed focus on strengthening data pr

June 20, 2019

Six Steps To Take Immediately After You Suspect Wire Fraud

Wire fraud is on the rise. Health care providers engaging in transactions, whether operational or financial, need to remain aware of crimes

June 5, 2019

Legislation Poised to Award Increased Rights for Breach of Consumer Data

Legislation pending in New York state may grant broader rights to consumers after breaches expose their personal information. If passed and

April 3, 2019

Illinois Law Restricting Biometric Identifiers May Set Precedent for Other States

The Illinois Biometric Information Privacy Act (BIPA) is receiving a great deal of attention because it includes a private right of action.

December 19, 2018

Breach of Health Systems Data: Managing and Mitigating Risks

Earlier this year, Anthem, Inc. agreed to pay $16 million to settle claims brought by the Office of Civil Rights of the U.S. Department of

December 5, 2018

Breach of Consumer Information Yields Lessons for Companies

As Marriott International and Quora reel from data breaches, we discuss ways for companies to implement lessons learned and strengthen their

May 15, 2023

Alan Winchester Discusses Website Pixel Technology in New York Law Journal

Partner Alan Winchester discusses how pixel codes that track website behavior risks posing health information to social media sites.

May 12, 2023

Alan Winchester and Jared Kasschau Presenting at The County Attorneys’ Association of the State of New York (CAASNY) Annual Meeting

Partners Alan Winchester and Jared Kasschau are presenting on cybersecurity risks to municipal systems at the New York CAASNY Annual Meeting

March 10, 2022

Caetra.io Wins Legalweek 2022 Leader in Tech Award in Cybersecurity and Data Privacy

Caetra.io, a provider of governance, risk and legal compliance (GRC) software, has been recognized at Legalweek New York 2022 for precedent-

December 19, 2021

Caetra.io Named Finalist in 2nd Annual Legalweek Leaders in Tech Law Awards

Harris Beach PLLC subsidiary Caetra.io has been named a finalist in the data privacy and cybersecurity category of the Leaders in Tech Law A

June 8, 2021

Alan Winchester discusses law firm technology with Rochester Business Journal

Like all businesses, law firms have been forced to accelerate their plans for technology transformation in the wake of the global pandemic.

March 23, 2021

Alan Winchester, Mike Compisi Discuss Cyber-Insurance

Ongoing threats to cybersecurity and data privacy have organizations increasingly thinking about ways to reduce risks through cyber insuranc

December 13, 2019

Alan Winchester Discusses Nuances of CCPA and NYS SHIELD Act Regulations

Data privacy considerations will get much more complicated in the new year as both New York and California implement new laws aimed at prote

November 12, 2019

79 Attorneys from Harris Beach Named to 2019 Super Lawyers List

A total of 79 Harris Beach PLLC attorneys have been named to the 2019 edition of Super Lawyers, a peer-based rating service that recognizes

February 21, 2019

Harris Beach Launches Software Company to Address Gaps in Cybersecurity Regulatory Compliance

First new application, CyMetric, converts cyber and data privacy regulations into measurable policies and controls Harris Beach PLLC, one o

May 10, 2023

Alan Winchester and Jared Kasschau Presenting at The County Attorneys’ Association of the State of New York (CAASNY) Annual Meeting

Alan Winchester and Jared Kasschau will present “Cyber Security, Privacy and Data Protection.”

September 27, 2022

Alan Winchester and Dawn Russell Presenting at CyMetric K-12 User Group Conference v1.0

CyMetric K-12 User Group Conference is designed for customers to share experiences, define best practices and network with peers.

June 14, 2022

Alan Winchester and Mike Compisi to Join War and Cyberwar Expert Panel

Presented by Core BTS, Harris Beach, Caetra.io and Arctic Wolf, this presentation meant to unpack some of the behind-the-scenes geopolitical

June 14, 2022

Alan Winchester and Mike Compisi to Present on War and Cyberwar Panel

Harris Beach and its subsidiary Caetra.io are co-sponsoring a “War and Cyberwar seminar/ webinar.”

April 22, 2022

Alan Winchester to Present on Panel at TechRochester and The Builders Exchange of Rochester Program on Cybercrime: A $6T Business, Are You at Risk?

Join TechRochester and the Builders Exchange of Rochester on Tuesday, May 10, 2022 at 7:30 AM at Blades Private Events and Catering for Cybe

November 19, 2021

Harris Beach, Tompkins Insurance Agencies and Caetra.io Present Cyber Insurance 101 Webinar Recording

The rise of ransomware attacks has spurred an increased demand for cybersecurity insurance. However, many organizations find coverage can be

November 15, 2021

Cybersecurity in Schools Webinar: The Dark Web, Ransomware & Protecting Your District

Who should attend: School board members, Superintendents, business officials, data and privacy officers

November 11, 2019

Alan Winchester Presents SHIELD Act Webinar

For many organizations, New York’s SHIELD Act is the first legal obligation to implement security protections. Any business that maintains p

September 30, 2019

Alan Winchester Presenting CLE on Cybersecurity at the National Federation of Paralegal Association Annual Convention and Policy Meeting

The program will cover: cybersecurity; cybersecurity compliance and data privacy, how they differ and overlap and form part of a governance

August 21, 2019

Neal Slifkin and Alan Winchester to Speak at Photonics Business Meeting

Neal and Alan will speak at the New York Photonics Business Meeting on September 9th on the new Department of Defense (DOD) cybersecurity st

March 21, 2019

Alan Winchester Presenting CLE on Cybersecurity at the National Federation of Paralegal Association Annual Convention and Poicy Meeting

The program will cover: cybersecurity; cybersecurity compliance and data privacy, how they differ and overlap and form part of a governance

March 21, 2019

Alan Winchester Presenting at ISACA WNY 2019 Control and Compliance Conference

Alan will be presenting ” Laws, Controls and Compliance – Solving the Puzzle” at the ISACA WNY Cybersecurity Past, Present and Future confer

November 29, 2018

Alan Winchester Presenting to NY Photonics Executives

Alan Winchester, leader of the Harris Beach Cybersecurity Protection and Response Practice Group will discuss how to prevent an attack, acti

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Alan M. Winchester

Member

(He/Him/His)

Brooklyn Law School

Albany Law School

Alan M. Winchester

■ Areas of Expertise

Industry Teams

■ Profile

■ Representative Matters

■ Professional and Civic

■ Admissions

■ Education

Offices throughout New York:

Cookies