Privacy & Data Security

While certainly not the case when most businesspeople today began their careers, personal data, and its cousin, Big Data, are now the lifeblood of businesses ranging from the most basic manufacturer to the most sophisticated online content aggregator. While many clients’ overseas competitors have the advantage of operating either under very light regulation in some jurisdictions, or under a well-known comprehensive body of law governing this area in others, U.S. clients are faced with a thicket of overlapping, quickly changing laws and regulations from a variety of sources. Culhane Meadows is proud to have multiple attorneys who have qualified as Certified Information Privacy Professionals (US) through the IAPP.

Most U.S. businesses today can expect that their customer data handling practices can be subject to regulation under Federal Trade Commission guidance grounded only loosely in the words of a relevant U.S. statute, and which is emerging through FTC investigatory proceedings.  The FTC’s regulatory focus can shift among various new “hot topics” such as online tracking, online behavioral advertising, or children online with surprising speed.  In addition, states emerge with new regulations touching on their own hot topics, such as social media and encryption of data, on a monthly basis.  Meanwhile, clients whose businesses involve special sectors such as financial services or health care face additional layers of personal data regulation.

Finally, U.S. clients operating overseas are often baffled by the extent of the regulatory burdens on their use of even basic personal data, such as requirements of government filings and permissions to post their own employee’s contact information on internal websites, or pop-up consents to place ordinary cookies on users’ computers.

Fortunately, Culhane Meadows attorneys are adept at guiding clients through these quickly evolving laws, whether in the U.S. or elsewhere. Whether needing advice on a simple online advertising campaign, or needing assistance in rolling out a new business based upon the use and sharing of sensitive personal health data among many actors in many jurisdictions, clients can count on Culhane Meadows attorneys to provide them with clear, business-minded advice and recommendations.

Attorney Representative Transactions

Comprehensive Company Programs.  Created, implemented and trained employees on comprehensive U.S. data privacy and security compliance program, including compliance with applicable federal (including, inter alia, FTC caselaw and guidance, FCRA/FACTA, GLB, CAN-SPAM, COPPA, and FCC Do-Not-Call) and state laws (e.g.,  California’s Shine the Light Law and Massachusetts Data Security Law) for:

  • A German luxury car manufacturer;
  • A national quick-service restaurant company; and
  • A nationwide online bakery, as well as many others.


HIPAA Compliance.  Advised various software/IT vendors and consultants who process Protected Health Information as to the HIPAA privacy, security and breach issues they face as a Business Associates under HIPAA and HITECH and what obligations they have as Business Associates.

Multi-Jurisdictional Compliance Programs.  Created global data protection and security programs (in consultation with foreign counsel) for the following clients, among others:

  • A global package delivery company (responsible for EU and Canadian compliance programs for operations in all applicable jurisdictions);
  • A top U.S. testing company (three EU jurisdictions plus the U.S. and Canada); and
  • A health-improvement service provider to global businesses and their employees (Australia and U.S.).


Storage and Security Breach.  Advised nationwide insurance brokerage and top U.S. testing company (as well as many others) on compliance with various state laws regarding data breach and encryption, as well as those on use and disclosures of SSNs. Advised numerous clients on compliance with security standards, ranging from PCI standards through those applicable to financial institutions and their service providers under GLB and HIPAA.

Advertising Compliance.   Advised broad range of clients on data handling compliance issues, from the simple to the most complex arrangements under CAN-SPAM, FCRA/FACTA affiliate marketing issues, and, in the case of a mobile marketing client, on FTC and FTC compliance obligations in establishing and implementing a mobile device application platform for the distribution of SMS based coupons on mobile devices.

Safe Harbor/TRUSTe.  Advised clients including a global supply chain finance provider, a utility service company and others on entrance into available data privacy certification programs.



Certified IAPP Professionals

A number of our attorneys have earned and maintained the Certified Information Privacy Professional/United States (CIPP/US) or CIPP/Europe credentials through the International Association of Privacy Professionals (IAPP) and focus on privacy and data security issues, standards, and regulations.  The CIPP is the global standard in privacy certification. Developed and launched by the IAPP with leading subject matter experts, the CIPP is the world’s first broad-based global privacy and data protection credentialing program. The CIPP/US demonstrates a strong foundation in U.S. private-sector privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the U.S., the EU and other jurisdictions.


*Culhane Meadows is ranked by U.S. News/Best Law Firms in Technology Law, Bankruptcy/Reorganization Law, and Information Technology Law. This website and the communications herein may be considered attorney advertising. Previous results are not a guarantee of future outcome. This website is for informational purposes only and does not constitute legal advice. The information herein is not intended to create an attorney-client or similar relationship. Please do not send us unsolicited confidential information. Whether you need legal services and which lawyer or law firm you select are important decisions that should not be based on this website alone.