The Cybersecurity and Data Privacy group is comprised of a multidisciplinary team of highly qualified lawyers with intimate knowledge of the insurance industry and experienced in compliance, corporate governance, first and third-party coverage, and litigation. 

Insurance carriers long have turned to White and Williams for advice. For cybersecurity and data privacy, it is no different. Our attorneys bring deep and broad experience in the insurance industry and advise insurance carriers in a wide array of matters, from compliance and corporate governance to first-party and third-party coverage matters and litigation.

Compliance with Data Security and Privacy Laws and Regulations (Pre-Breach Services)

If your company has data, it's a target. Depending upon the industry, your company likely has legal requirements to develop and implement an adequate data security program to safeguard the confidentiality, integrity and availability of information and your company’s information systems. Data security programs include written policies and procedures, documented employee training, vendor oversight, and sometimes personal certification of compliance with a cybersecurity law or regulation by a C-Suite officer. 

White and Williams assists clients with developing and implementing comprehensive data security and privacy programs to meet their legal needs under growing state and federal data protection laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Gramm-Leach-Bliley Act (GLBA), and the New York Department of Financial Services cyber regulations. We also help clients comply with the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA). Our lawyers help clients draft policies and procedures, including incident response plans, respond to requests for certification of compliance from regulators and business partners, conduct training and tabletop exercises, and establish third-party vendor management programs.

Mergers, Acquisitions, and Corporation Disclosures

An entity’s cybersecurity health is critical to its value in the context of a merger or sale. A prior cybersecurity incident or lax safeguards that fail to mitigate risk represent significant potential liability (and decreased value). White and Williams helps clients conduct the required and critical due diligence to assess and evaluate cybersecurity policies, programs, and incidents, whether they are the subject of a potential sale and looking for fair value, or need an evaluation of the risks they may inherit through a transaction. Our lawyers also review technology contracts and transactions to strengthen our clients' interests and protection.

Cybersecurity Incident Response and Notification

When an organization sustains a suspected cybersecurity incident, it is required by law (or sometimes by contract, or both) to undertake a prompt investigation and provide notification of the incident in a short period of time. Sometimes, a company's notification window is a mere 72 hours after knowledge of the event. White and Williams provides clients with critical crisis management to investigate and respond to cybersecurity incidents. From ransomware to data breaches, our lawyers work with forensic investigators to determine the “who, what, why and how” of an incident. We help companies with coordinated public relations efforts, potential interactions with law enforcement, and determination of required third-party notifications to consumers, business partners, regulators, State Attorneys General, and others.


A dispute involving a cybersecurity incident can devolve into litigation, whether a business-to-business lawsuit or a data breach class action. White and Williams represents corporations in a wide variety of business sectors in litigation in state and federal courts across the country. The firm’s approach to complex litigation matters is to staff them with senior litigators who assemble efficient teams of attorneys.


Insurance carriers long have turned to White and Williams for first-party and third-party coverage matters. For cyber liability, it is no different. Our lawyers provide exposure analysis and litigate complex coverage matters for cybersecurity incidents, from data breaches and business email compromises (BECs) to wrongful collection and use of personally identifiable information (PII), media liability, and e-surveillance. Our lawyers regularly write and lecture on insurance law, including on cyber and privacy insurance, and assist with policy drafting. White and Williams also offers in-house instruction and continuing education courses to insurance claims professionals on cyber liability and coverage issues.


Representative Matters

  • Assisted with drafting and implementing information security programs under GDPR
  • Advised on compliance under New York DFS cyber regulations (23 NYCRR 500), including certification and implementation of cybersecurity programs
  • Led multiple investigations of cybersecurity incidents
  • Led and coordinated response effort to data breach suffered by corporate client, including coordination with law enforcement
  • Coordinated the investigation for an international corporation concerning internal and external fraud committed through its computer systems
  • Represented insurer in coverage matter involving high-profile security data breach
  • Coordinated and negotiated with law enforcement following contact with corporate client regarding potential data breach and identified theft ring involving former employee
  • Represented insurers in coverage litigation and related matters involving unlawful acquisition and use of PII
  • Helped client evaluate cybersecurity protocols, revise employee handbook for cybersecurity and privacy matters, and create in-house cyber response teams with corporate cybersecurity response plan
  • Advised client on compliance under NIST SP 800-171 Standard for DOD Contracting, including development and implementation of a cybersecurity program 
  • Represented clients in response to government subpoenas for their electronic data
  • Counseled clients in addressing cyber-harassment issues
  • Drafted and updated online service agreements, privacy policies and terms of use for client’s websites and intranet sites

