INCIDENT RESPONSE - In the event of a data incident, Polsinelli's incident response team can be contacted at any time of day at

The protection of data and personal information is of utmost importance to all organizations.  Polsinelli recognizes this and has assembled a deep, inter-disciplinary team whose sole focus is assisting organizations as they strive to protect information, comply with ever evolving privacy and security regulations and respond to data incidents, regulatory investigations and litigation. 
Polsinelli’s team includes:
  • Incident response attorneys who are some of the most experienced in the country;
  • Alumni of enforcement agencies charged with enforcing privacy and security regulations, such as the Department of Health and Human Services Office for Civil Rights;
  • Attorneys with international backgrounds who are equipped to counsel organizations on evolving international data protection regulations;
  • Former in-house data privacy attorneys who understand not only the regulatory landscape but the logistical and business considerations associated with creating and maintaining privacy and cybersecurity programs; and
  • A deep bench of technology transaction attorneys with experience working on privacy and security issues for everyone from mid-market to Fortune 500 companies. 

Privacy and Cybersecurity Counseling

Polsinelli takes an inter-disciplinary approach to privacy and cybersecurity by teaming attorneys with both data privacy and industry-specific experience. 

Polsinelli attorneys counsel clients on privacy regulations including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA) and the EU General Data Protection Regulation (GDPR), as well as numerous state privacy laws.

Polsinelli privacy and cybersecurity attorneys counsel clients on their technology transactions and in connection with third party data transfer, vendor and business associate agreements.

Polsinelli attorneys also assist in the acquisition, management, use and disposition of data by performing the following services:
  • Overseeing privacy and security risk assessments;
  • Formulating and implementing organization-specific policies and procedures;
  • Developing data breach response plans and conducting mock tabletop breach exercises; and
  • Providing privacy and data security counseling and training.

Data Incident Response & Preparedness

Polsinelli attorneys have a long history of counseling clients impacted by data breaches and other cyber incidents.  In fact, one of our shareholders handled one of the first data breach cases after California passed its breach notification law in 2003.  Our attorneys collectively have handled over one thousand data security incidents and have counseled clients through nearly every conceivable breach, from system-wide malware attacks and network intrusions to missing laptops and misdirected emails.  Our incident response team provides a full spectrum of services – from data breach response, internal investigations and litigation, to policy development and industry-specific compliance and regulatory counseling.  Our interdisciplinary approach encompasses all aspects of data and system security, both before and after an incident.

When an incident occurs, we provide comprehensive assistance, including overseeing forensic investigations and crisis management activities, notifications to affected individuals, regulators and payment card issuers, responding to federal and state regulatory inquiries and litigation defense.  

Additionally, Polsinelli’s rapid response capability is augmented by the strong working relationships we have with other vitally important professionals that may be needed to respond to a breach, such as forensics, crisis management and public relations services, providers of identity theft protection services and call and mail centers.

Polsinelli attorneys have served a broad range of clients in multiple sectors, including banking and financial services, health care, pharmaceutical, technology, e-commerce, trade associations, for-profit and not-for-profit education, retail, manufacturing, life sciences, food and beverage, accounting, legal and other professional services.  Our attorneys also have extensive litigation experience and have represented clients in a broad range of privacy, data security, technology and other cyber-related individual lawsuits and class actions in state and federal courts across the country.
  • Served as breach response and litigation counsel for financial institution that lost backup tapes containing account information of approximately two million customers
  • Served as breach counsel for academic health system in connection with an incident arising out of a threat actor’s deletion and attempted extortion for the return of the ePHI of approximately 80,000 patients residing across the U.S. and in multiple foreign jurisdictions
  • Served as breach counsel for financial institution that was the target of ransomware and extortion attack involving the acquisition and posting on various social media sites the sensitive member information and personal information of more than 46,000 of the institution’s members and other affected individuals
  • Served as breach response counsel for international financial institution whose Office 365 e-mail accounts of users in the United States and the United Kingdom were compromised potentially triggering the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies and the United Kingdom’s Data Protection Act of 2018
  • Served as breach response counsel for more than one hundred incidents involving credit unions across the United States, including ransomware, extortion, fraudulent wire transfers, Office 365 e-mail account compromises, network intrusions and employee misconduct
  • Served as counsel for manufacturer whose production line system was compromised resulting in intentional alteration of product specifications and demand by threat actor for payment to cease further product alterations and information on past product alterations
  • Served as breach response counsel for health care system that experienced a malware attack potentially impacting approximately four million customers and 40,000 employees
  • Served as breach counsel to university following brute-force password attack resulting in the compromise of personally identifiable information (PII) of over 60,000 students, alumni and employees residing in more than 40 states and several foreign countries
  • Served as breach response counsel for website/e-commerce hosting services provider that sustained a malware attack impacting hundreds of third-party companies that used client’s hosting services as well as thousands of those companies' customers
  • Served as breach response counsel for health care system in connection with potential exposure of radiological records of approximately 400,000 patients
  • Served as breach response counsel and law enforcement liaison for a national restaurant chain in connection with possible insider theft of payroll records
  • Served as breach response counsel for community bank that sustained malware attack on online banking portal impacting customers across numerous states
  • Served as breach response counsel for health care provider investigating whether patient information was stolen as part of an identity theft ring focused on illegally acquiring prescription medications
  • Served as breach response counsel for law firm following theft of the firm's servers containing PII and protected health information (PHI) of approximately 20,000 clients, adversaries and witnesses located in multiple states
  • Assisted major financial institutions to update and improve information security and data privacy practices, including data breach response procedures, and conducting data privacy audits to identify potential privacy and data security issues
  • Conducted table top exercises for members of New York based hedge fund community
  • Counseled numerous entities in situations involving ransomware and other types of cyber-extortion
  • Counseled numerous entities in situations involving wire fraud and other types of cyber fraud 
  • Conducted review of multinational food and beverage company information policies to ensure compliance with data privacy and security best practices
  • Conducted privacy and risk management audits for numerous multistate retailers and life science companies
  • Developed employee training programs on information security and data privacy compliance for several investment advisers, broker-dealers and other financials service institutions 
  • Performed comprehensive regulatory compliance and privacy audit of a Fortune 500 company with internal and external data flows spanning dozens of countries around the world 
  • Drafted and revised approximately 15 enterprise-wide internal privacy, security, access, and technology use policies for a well-known large cap technology company 
  • Advised client regarding response obligations, agency and public notice, and best practices to quickly and effectively identify, contain, and remedy a data breach involving PII and PHI
  • Counseled a Fortune 500 company on breach analysis and potential obligations related to theft of encrypted laptops and mobile devices
Recent News