Marashlian & Donahue

Information Privacy, Data Security and Consumer Protection





In today’s Internet-based global marketplace, communications, software and other technology services providers face real concerns related to customer privacy, data protection and network security. The modern importance of privacy protections continues to rise as the U.S. federal and state governments and regulatory authorities worldwide address privacy issues associated with new technologies. Agency enforcement actions, self-regulation and other forms of accountability are on the rise in the United States and across borders. One of the greatest risks is damage to a company’s reputation and its relationships with customers and business partners. Successful companies must navigate a complex web of rapidly evolving laws, regulations and policies at all levels of government, both domestic and international.


The CommLaw Group’s information privacy, data security and consumer protection practice encompasses cloud computing, breach notification requirements, and privacy policies for companies that handle, collect and use personal data. See below for additional information regarding each of these distinct areas of our practice.

Our privacy professionals help clients implement best practices in information privacy and data security. We are aware of the potential for domestic and international enforcement actions for failure to protect consumer information. We have advised clients dealing with security breach and unauthorized disclosures of personal information, including state breach notification requirements. To ensure adequate protections, companies must work directly with vendors, employees, independent contractors and customers to obtain, use, secure and protect internal and external customer data. We also recognize the need to address legal and reputational risks while preserving an organization’s ability to use information in ways that achieve organizational goals. We work with clients to develop privacy practices that support business success.

Our clients are providers of Cloud communications, software as a service ("SaaS"), communications as a service ("CaaS") and other software-enabled communications and collaboration services, application (apps) services & developers, and all forms of Internet Based (IP-based) services, including Voice over Internet Protocol ("VoIP") and other hybrid & convergent communications service providers.  We have regularly counseled our clients on the data security laws and regulations that govern the handling of financial information – under the Gramm Leach Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rules -- security breach disclosure laws; industry standards, such as PCI DSS; mandatory and voluntary compliance plans for the Fair Debt Collection Practices Act (FDCPA), TCPA and CAN-SPAM; and the FCC’s CPNI rules.  We help clients realize business goals, manage risk, and comply with privacy and data protection laws.


Cloud Computing

The flexibility and ease of storing and processing data in the cloud also present legal risks and challenges in complying with privacy and data protection laws.  We help companies understand that they must manage risks depending on the type of data that could be hosted, how much control they have over handling or moving the data, and the degree to which the data is protected through contracts and appropriate audit and reporting measures and security protections.  We can assist our clients in reviewing cloud services agreements, counseling on data privacy and security compliance requirements, and ensuring that security protections are adequately addressed in contracts.


Security Breach Disclosure

Breach incidents that might have allowed personal information to be accessed by unauthorized third parties are governed by differing federal, state and territorial laws.  Each applies to different types of data and imposes different obligations.  We can assist companies to prepare for a possible breach of security of their systems.  If a breach occurs, we assist clients in responding, evaluating the breach, determining whether security breach disclosure laws apply to the incident, addressing associated contractual issues, and complying with breach notification requirements under various state laws as required.


Information Privacy and Data Security Policies and Procedures

No one privacy policy is appropriate for all clients.  Published privacy policies must reflect actual practices of a company and must not over- or understate the commitments a company makes concerning its use of personal data.  Procedures used by another company could be irrelevant to the practices or type of data that another company collects and uses for different purposes.  We can help our clients take the time to draft clear, complete, accurate privacy or security policies relevant to the applicable laws and the company’s activities concerning the collection and use of personal data.


Our Team and the Scope of Our Services

Our experienced attorneys provide creative, practical, specialized, legal counsel and support to enable companies to successfully manage their compliance risks. Specialized in representing all aspects of the communications sector, including providers of cloud communications, broadband and Internet access, and VoIP services, we carefully weave privacy and security in all aspects of the business to minimize its exposure while advising clients how to use information in ways that benefit the business and its customers. We offer comprehensive assessments of privacy and security requirements to ensure compliance with of the myriad U.S. federal and state laws, regulations and policies addressing privacy issues, including:

  • FCC Customer Proprietary Network Information (“CPNI”) rules
  • Telephone Consumer Protection Act (“TCPA”)
  • CAN-SPAM Act
  • Children’s Online Privacy Protection Act ("COPPA")
  • Federal Trade Commission (“FTC”) Fair Information Practices Principles
  • Other developments in federal laws and regulations supported by the FTC, as embodied in its 2012 Report to lawmakers and businesses: FTC Report: Protecting Consumer Privacy in an Era of Rapid Change

Our attorneys advise on structuring and implementing a compliant privacy policy and assist clients with measures designed to safeguard customer data, such as developing employee guidelines and standards and drafting customer notifications. In addition to general compliance, our firm can evaluate and propose a compliant solution for commercial advertising campaigns. Finally, our team can help minimize losses in instances of breach by assisting with customer notification measures.

We offer guidance on an array of privacy related matters, including the following:

  • Development of data security plans
  • Compliance with federal privacy mandates, including the FCC’s CPNI rules
  • Drafting compliant privacy policies and website disclosures
  • Developing TCPA and CAN-SPAM-compliant email and Internet commerce policies
  • Handling data security breaches and privacy complaints
  • Litigating and defending privacy-related cases before the FCC, federal and state courts, Administrative Law Judges, and the FTC
  • Management of document retention policies
  • Responding to law enforcement inquiries (wiretap and communications records) and reporting security breaches
  • Compliance with state and local privacy mandates
  • Reviewing and preparing contracts addressing privacy concerns with third-party vendors
  • Creating FTC and FCC-compliant prepaid calling card disclosures
  • Non-disclosure and non-compete agreements addressing the protection of confidential information
  • Responding to legislative and regulatory initiatives
  • Encryption of sensitive information
  • Training employees and conducting security risk assessments
  • Compliance with FTC’s “Red Flag” rules and federal privacy matters related to credit, debit and stored value transactions
  • State and local laws and rules aimed at protecting consumer privacy
  • International laws associated with consumer privacy, data protection and security, including the EU Data Protection Directive
  • Payment Card Industry Data Security Standard (PCIDSS), which provides data security guidelines for companies processing credit card transactions and handling related transaction and account data
  • Mandatory and voluntary compliance plans for the Fair Debt Collection Practices Act (FDCPA)
  • Automated communications with cell phones and other wireless devices (TCPA)
  • Stored Communications Act compliance plans

Guides & Manuals




© 2018 Marashlian & Donahue All Rights Reserved.