Data Privacy & Cyber Security Law

How companies collect, use, and share personal data, how secure their data systems are, and how transparent they are about their data privacy and security practices, are popular public and legal issues. With several high-profile data breaches and data mining scandals, online privacy is a hot topic among legislatures, government regulators, consumer advocacy groups, and industry leaders. Privacy concerns also generate the attention of consumers. Indeed, consumers more regularly read websites’ and apps’ terms and conditions and privacy policies, which they used to largely ignore.

Companies need to be vigilant about their data privacy and security policies and practices. Government agencies and private groups are policing those practices to monitor whether companies are complying with their own policies and promises and maintaining industry standards on data security. Corporate and consumer customers expect organizations to maintain significant data security practices. Increasing enforcement actions and private lawsuits (including large class actions) have compelled companies to better vet their data collection and usage practices, engage experienced legal counsel and outside privacy vendors, and ensure their practices match their public-facing policies.

Ifrah Law has extensive experience in data privacy and cyber security law and is recognized as an industry leader. Practice Group Leader, Michelle Cohen, was recently appointed by OneTrust, a leading privacy, security and third-party risk technology platform, as a D.C. Chapter Chair of “Privacy Connect,” a global community of privacy, security and marketing professionals focused on tools and best practices. Michelle has also been recognized by the National Law Journal as a “Top Rated Lawyer” multiple times. She is featured as technology law policy expert on “Sourcelist,” through the Brookings Institution ( Since 2008, Michelle has been certified as a Certified Information Privacy Professional – CIPP (US), through the International Association of Privacy Professionals (IAPP). Associate Nicole Kardell currently co-chairs IAPPs Washington D.C. KnowledgeNet chapter, which regularly hosts meetings and seminars regarding cutting-edge privacy topics in the D.C. area for privacy professionals Nicole has been certified as a CIPP (EU) privacy professional for several years Nicole and Michelle author the OneTrust DataGuidance privacy law overview for the District of Columbia.

Our Data Privacy and Cybersecurity Team regularly advises organizations on developing industry-appropriate protocols, drafting privacy policies, and preparing for, and responding to data breaches. Our attorneys counsel businesses and individuals on information storage and rights of retrieval and deletion. Our clients span many industries, including fintech companies, healthcare companies, non-profit organizations, and social media influencers. In our Chambers-ranked Gaming practice, our clients are often required to collect substantial personal information to verify age, geolocation, and in furtherance of AML requirements. We help these businesses ensure that their practices comply with the evolving privacy and data security requirements, including substantial new state requirements.

What Are the Costs of Breaches in Data Privacy?

There are many ways in which a company’s private data can be infiltrated by third parties or, more commonly, leaked due to human error. Such a breach can be devastating to a company’s economic prospects, especially if private assets and intellectual property end up falling into the wrong hands. The costs of a data breach are high. Beyond fines, audits, civil lawsuits, and potential criminal prosecution, companies that fail to protect personal data invoke the wrath of a public body that has grown increasingly frustrated with the misuse of its personal information. Breaches significantly erode consumer confidence, resulting in lost sales. Of course, defending a class action lawsuit is a costly endeavor as well. According to an annual report published by IBM Security, the average cost of a data breach is almost $4 million ($3.86 million for 2020, $3.92 million for 2019).

What Kinds of Regulations Govern Privacy and Cybersecurity in the United States?

Currently, there is no legislation at the federal level in the United States that universally addresses data privacy. There are certain industry-specific federal laws such as HIPPA (health privacy), Gramm-Leach-Bliley (financial privacy), and COPPA (children’s online privacy). However, there are several state-level legal and regulatory frameworks, and others that may become effective soon.

One of the most significant recent developments in state-level privacy law is California’s Consumer Privacy Act (CCPA), which was passed by the state legislature in 2019 and took effect on January 1, 2020.

What Does the CCPA Require Businesses to Do?

Broadly speaking, the CCPA requires businesses that work extensively with personal data or bring in more than $25 million per year in revenue to inform customers of what personal data they are collecting, grant those customers the right to have their data deleted and prevent it from being sold, and refrain from penalizing customers who utilize their rights under the CCPA.

Other states are considering similar pieces of legislation, and the CCPA itself may be subject to additional expansion depending on the outcome of certain ballot initiatives. In the meantime, businesses are likely to be subject to continued class action litigation from California residents if they inadvertently leak customer data (as the law provides for a private right of action).

Data Protection for Children

One of the few pieces of federal legislation addressing data privacy is the Children’s Online Privacy and Protection Act (COPPA), which puts significant restrictions on what website operators and app developers can do with regard to the personal data of children under 13.

Specifically, Internet companies handling children’s data must have especially robust privacy policies and take extra care to ensure children’s personal information remains secure. This includes seeking explicit consent from parents before collecting a child’s personal information.

However, because this act has been around since 1998, not all of its components match up perfectly with modern data information collection. The Federal Trade Commission has pursued several high-profile enforcement issues under COPPA, resulting in multi-million-dollar settlements. Engaging specialized legal counsel is especially important for any business that needs to ensure compliance with COPPA, and other data privacy and cybersecurity laws related to children. Our attorneys have worked with several clients seeking COPPA guidance, including top social media influencers.

Ifrah Law’s GDPR Services

The General Data Protection Regulation (GDPR) became effective on May 25, 2018, and dramatically changed the way companies collect, store, or mine the personal data of European residents. Failure to comply risks lawsuits and significant fines for businesses.

Ifrah Law helps clients navigate the requirements for how companies handle personal data of European residents. Our attorneys offer a reasonably priced fixed fee program to review an organization’s current business practices and update contracts, policies, and protocols to help organizations remain GDPR compliant. We also help clients navigate the evolving legal requirements for data transfers between European and non-European countries.

How Can Ifrah Law Help Strengthen Your Data Privacy and Cybersecurity Strategy?

Even the most thorough privacy and cybersecurity strategy cannot account for every possible external factor and internal mistake, which is why seeking guidance from legal professionals with extensive experience in privacy and cybersecurity law is essential. Even if your business has not experienced a data breach, an experienced data privacy and cybersecurity lawyer can help your organization construct a comprehensive plan to minimize your risk of future leaks or fine-tune an existing plan to cover potential gaps.

In the aftermath of a data breach, our attorneys can help your company respond quickly to address legal ramifications, minimize damage to financial prospects, and address important public relations concerns.


Does GDPR Apply To You?

Case Studies
Publications + Presentations