Overview

Every organization, regardless of size, relies upon sensitive business information and personal information about employees and others—clients, patients, donors, data provided by business partners and contractors—for its operations.

Attorneys in the Bond Cybersecurity and Data Privacy Practice assist clients across the full spectrum of legal services in the privacy and cybersecurity arenas, offering proactive advice to shore up cybersecurity programs and data privacy practices and respond in the wake of a breach. Our clients have the benefit of deep industry experience as we counsel them about cybersecurity and data privacy. Our attorneys also practice in litigation, corporate governance and transactions, health care, higher education, labor law and private equity. 

Who We Serve
We serve clients across the broad range of industries—finance, manufacturing, hospitality, retail, education, health care, social services and other industries. We advise large and small corporations, not-for-profit organizations and municipal corporations.

Our Cybersecurity Practice
We assist clients proactively to devise sound policies and procedures, review existing policies and practices, provide employee training and prepare for a breach. We also work with our clients to respond promptly and effectively in the event of a breach. Specifically, our services include:

  • Preparation, review and implementation of cybersecurity policies and programs;
  • Advice about applicable laws and regulations, including the NYS Cybersecurity Rule, FTC guidance and oversight, Gramm-Leach-Bliley Act, federal banking oversight, HIPAA, FERPA and GDPR;
  • Preparation and review of third party agreements, including Business Associate Agreements;
  • Review and advice regarding cybersecurity insurance policies;
  • Breach response, including investigations, notice, remediation and response to regulatory oversight;
  • Advice about the duty to notify under international, federal and state laws, including GDPR, HIPAA and state breach notification laws;
  • Employee training; and
  • Advice to Boards of Directors about their oversight duties, governance structures and Board training.

Our Data Privacy Practice
We counsel clients about the industry-specific privacy laws and regulations that apply to them as well as their obligations to protect confidential employee information. We work with clients to build strong privacy policies and practices that comply with the regulatory mandates applicable to their industry or business as a for-profit or not-for-profit organization. Specifically, our services include:

  • Development and review of privacy policies, gap analysis and implementation; 
  • Third party agreements; 
  • Workforce training;
  • Board governance structures, training and internal reporting to meet fiduciary standards;
  • Compliance by health systems, hospitals and other providers with federal and state laws and regulations as they exchange data for population health management and care coordination; 
  • Compliance by institutions of higher education with GDPR, GLBA, FERPA and HIPAA; and
  • Policies, procedures and GDPR implementation.

General Data Protection Regulation (GDPR)
Bond organized a dedicated group of attorneys to assist our clients to meet the complex challenges posed by GDPR compliance. We developed detailed policies, including template forms and notices, to assist our clients in addressing the demanding requirements of GDPR. We also counsel clients about GDPR implementation, including integration of GDPR privacy requirements with existing privacy programs and rules, focusing on practical solutions that achieve compliance while seeking to minimize disruption to business operations. We prepare third party agreements, advise about the agreements our clients receive and counsel our clients about responding to GDPR requests from individuals such as the right to be forgotten. 

Our attorneys are solution-focused when dealing with clients in breach response scenarios, as well as in preemptive cybersecurity planning. We advise clients on matters related to compliance with New York General Business Law §899-aa, which requires written notification to the people whose information was accidentally released, and the filing of a specific written notice of the accidental release to the New York State Attorney General, the New York State Department of State, Division of Consumer Protection, and the New York State Police. We also advise on the applicability of other state and federal statutes pertaining to inadvertent releases of private financial information, including: 

  • The restrictions against disclosure of student information under "FERPA", the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. §1232g);
  • The "Safeguards Rule" under the Gramm-Leach-Bliley Act (requiring financial and educational institutions to implement certain security programs to protect against unauthorized access to student financial information); and
  • The FTC "Red Flag Rules" regarding identity theft protection (16 CFR 68.2).

Bond assists clients in a wide range of industries, without regard to size, with their data privacy and cybersecurity compliance.

Our attorneys work with clients to conduct legal assessments, data audits, risk management assessments, trainings, policy drafting, vendor assessments, due diligence review, filings, data subject request responses, data governance, as well as contract drafting and review.

Up to date on the regularly changing landscape of international and domestic cybersecurity and data privacy, we advise clients concerning a number of different regulations including, but not limited to: 

  • European Union’s General Data Protection Regulation (GDPR) 
  • United Kingdom General Data Protection Regulation (UK-GDPR) 
  • California Consumer Privacy Act, California Consumer Privacy Rights Act (CCPA/CPRA) 
  • Virginia Consumer Data Privacy Act (CDPA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Health Insurance Portability and Accountability Act (HIPAA) 
  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • New York Education Law 2-D
  • PCI-DSS Compliance
  • New York “Stop Hacks and Improve Electronic Data Security” Act (SHIELD), and
  • New York Department of Financial Services Cybersecurity Regulation

An attorney may be the first person contacted in the event of a crisis. Our practice goes to great lengths to ensure that crises are dealt with swiftly or prevented in the first place. 

It is futile to expect the preservation of any confidential data without the proper systems and procedures in place. Our practice counsels a wide range of clients in this area, from financial planners in their development of apps to government entities and school districts. 

With school districts, we assist administrators in complying with Education Law Section 2-d regarding the protection of student PII. We ensure that these districts comply with Section 2-d for all vendor and third party contracts, which includes ensuring proper encryption, safety and recovery protocols for protected information as well as remedies and protections for inadvertent releases of such information.

Our attorneys routinely assist a wide range of clients with their cyber incident preparedness, from the business to the education sectors. We have advised boards of directors and management teams on their responsibilities with respect to cybersecurity risk mitigation, including compliance with the recently enacted New York State Department of Financial Services cybersecurity regulations.

We work with clients in conducting internal investigations following a breach to determine the facts relating to the incident, review the client’s policies and procedures and make recommendations. We collect all relevant electronic information, interview all pertinent witnesses and prepare reports with factual findings and recommendations.

All too often, companies react to trade secret theft and competitive threats arising from employee departures, rather than preparing for them in advance. Under these circumstances, they are faced with no choice but to engage in costly litigation.

Our Trade Secret Protection Audit assists companies in identifying critical intangible assets and guides the development of procedures, contract language, employment and non-disclosure agreements designed to protect them. Undertaken periodically, audits are able to help companies anticipate possible threats and reduce the areas of risk most often encountered in the course of conducting business. In performing this due diligence, our attorneys may also call upon other professionals in connection with the evaluation and testing of protocols related to the protection of computer data.

See the link below for more information on the Trade Secret Protection Audit.

In addition to the audit, our capabilities include:

  • Cease & Desist Letters
  • Computer & Information Use Policies
  • Confidentiality Agreements
  • Departure/Exit Protocols
  • Employment Agreements
  • Fraud & Security Audits
  • Invention Assignment Agreements
  • Non-compete Agreements
  • Non-disclosure Agreements
  • Restrictive Covenant Agreements
  • Technology Use Agreements
  • Trade Secret Theft Claims
  • Trade Secret Litigation 

Click here to view Bond's Trade Secret Protection Audit brochure.