Data Protection, Privacy & Security

Beckage attorneys provide on-site and around-the-clock counsel to clients on data protection and information security practices required under state or federal law. The firm advises on critical data breach response and notification requirements, helps manage and minimize security risks, reviews insurance policies for coverage, responds to regulatory inquiries, coordinates response teams, and defends against enforcement efforts and lawsuits. In today’s evolving world, Beckage provides the practical and technology-oriented counsel clients need most.

Beckage attorneys include Certified Information Privacy Professionals/United States (CIPP/US) and Certified Information Privacy Professionals/Europe (CIPP/E) by the International Association of Privacy Professionals (IAPP). With many CIPP/US and CIPP/E attorneys on our team, our commitment to being industry leaders in cyber security, privacy and data breach law is apparent.

Data Breach Response, Mitigation & Notification

In 2018, 2019, and again in 2020, after "nominations, input from numerous senior lawyers in the field, and considerable research," Cybersecurity Docket recognized Jennifer A. Beckage, Esq., CIPP/US, CIPP/E as one of the top 30 data breach attorneys in the nation and one of the "key players - both in the public eye and behind-the-scenes in the most significant data breach responses worldwide."

Beckage attorneys have extensive experience responding to headline-making national and international data breaches, cyber incidents, inadvertent disclosures, and data theft. Beckage works with clients to manage response and mitigate risk, conduct forensic analyses and notify required stakeholders. We have worked with numerous law enforcement agencies and regulators around the globe.

In times of crisis, effective incident response is crucial.

If a company is experiencing or has had a data security incident, Beckage is available by calling its 24/7/365 hotline at 1-844-502-9363 to be connected with a lawyer.

IT Policies & Practices

In the age of data proliferation, sound technology policies and practices are the foundation to smart business growth. Beckage attorneys advise companies on end-user policies, including Information Technology and Cybersecurity Policies, Privacy Policies, Terms of Service/Use, ADA Website Accessibility Statements, Bring Your Own Device (BYOD), Data Protection Programs, Incident Response Plans, Disaster Recovery Plans, along with Record Retention and Deletion Policies, data sharing, transfer and disclosure policies, and workforce data security matters.

Drawing on our CIPP/E credentials and experience, we provide counsel on GDPR programs, policies and data processing agreements (DPAs).

Privacy Law & GDPR Compliance

Beckage has multiple attorneys designated as Certified Information Privacy Professional, United States (CIPP/US) and Certified Information Privacy Professional, Europe (CIPP/E) by the International Association of Privacy Professionals (IAPP), to provide up-to-date and practical compliance counsel to clients in connection with a range of state, federal and international regulatory regimes including but not limited to:

· General Data Protection Regulation (GDPR).
· HIPAA, HITECH regulations and state laws relating to protected health information.
· New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
· Gramm-Leach-Bliley Act (GLBA) and related state laws.
· Children’s Online Privacy Protection Act (COPPA).
· Family Educational Rights and Privacy Act (FERPA).
· Payment Card Industry Data Security Standard (PCI-DSS).
· California Consumer Protection Act (CCPA) and other emerging state privacy laws.
· Americans with Disabilities Act (ADA).
· CAN-SPAM, and other telemarketing rules.
· Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA).
· State consumer protection laws and those relating to minors.
· Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada Anti-Spam Legislation (CASL).
· Federal Risk and Authorization Management Program (FedRAMP).
· Cybersecurity Maturity Model Certification (CMMC).
· Defense Acquisition Federal Regulation Supplement (DFARS).
· New York Act to Stop Hacks and Improve Electronic Data (SHIELD Act).

We also advise clients on enforcement actions by regulatory and law enforcement agencies including the European Supervisory Authorities, the Federal Trade Commission (FTC), state attorneys general and other regulatory bodies.


Our collective team members have decades of experience interfacing with regulators at the federal and state levels in areas ranging from audits to PHI data loss. We help oversee internal audits of client operations to ensure patient privacy compliance with the HIPAA Privacy and Security Rules as well as New York's Public Health Law and Civil Rights Law. Our services include drafting client contracts with business associates and vendors to ensure third-party compliance, assisting with oversight required within those relationships, and evaluating risk mitigation strategies. We have significant experience with all compliance issues for privacy and IT security in the health care provider and insurance areas.

Technology Supported Initiatives

Beckage leverages Jim Gerland and other technical resources and a global network of strong relationships in the infoTech space to provide legal advice that contemplates all technical aspects of work.  

Beckage is guided by the firm’s CISO. The firm’s CISO has served as the CISO at multiple Fortune 1000 companies, including a major, public internet retailer, over a security career that has spanned multiple decades and successful exits. He is also actively involved in many industry associations and has served on multiple national advisory and executive boards as well as co-founded internet security technologies to help continue the advancement of end-user and organizational safety.

Cyber & Privacy Insurance Policy Review

Our experienced team of breach lawyers and privacy professionals can perform a gap assessment and review cyber insurance and privacy insurance to best help protect your organization.

Risk Management

The Beckage Risk Management Practice offers its Risk Assessment as a privileged precursor to, or simply as part of, a broader audit strategy, to make sure our clients are on track with their technology and legal postures as they relate to information technology and data security. To learn more, visit our risk management page.

Binding Corporate Rules

Our compliance team guides clients through applicable data protection legislation and rules, including deployment of data transfer safeguards between affiliates and subsidiaries across jurisdictions.

We work with clients to develop and obtain approval of Binding Corporate Rules (BCRs) from European data protection authorities. BCRs allow intra-organizational transfers of personal data across borders in compliance with EU data protection law. BCRs function as a code of conduct for data protection practices, based on strict principles established by EU data protection authorities.  

Binding Corporate Rules Lead Data Protection Authority Determinations

We assist clients in making strategic decisions regarding BCR applications, including determining where to file a BCR application and identifying a Lead Data Protection Authority (DPA). The Lead DPA determination may impact timing for the BCR application, as some DPAs take longer than others. We work with clients to understand data processing flows within the organization and determine whether to file as a processor, controller or both, and we train Data Protection Officers within the organization to interface with DPAs.

Binding Corporate Rules Policies

We develop policies to support a client’s BCR application, including Data Subject Requests processes, Privacy By Design methodologies, Privacy Impact Assessments, and BCR training programs.  

We work with clients to evaluate how best to make the BCRs binding on all entities as well as employees, contractors, sub-contractors, and third-party beneficiaries. If there are collective bargaining agreements or union representation, the binding nature of the BCRs may have to be discussed with a works council.

Binding Corporate Rules Application to DPA

We draft the BCR application, which is then circulated to interested DPAs, which evaluate the application for its adherence to the Working Paper 153 checklist. Revisions may be required, and cooperation with DPAs is recommended. Ultimately, the Final Application is sent to DPAs for confirmation that they are satisfied with the adequacy of the privacy and security safeguards. Following approval of the BCRs, the company may request authorization of transfer on the basis of the adopted BCRs.