
Data Privacy & Security

Data privacy and security issues are keeping companies large and small awake at night – and rightly so. As our world becomes increasingly digital – and compliance becomes a legal necessity – it’s important to have experienced data privacy and security experts on your team who fully understand the legal implications of this ever-evolving landscape.
Led by Data Privacy & Security Attorney/Shareholder/Head of Austin Office Stephen Toland, FBFK’s Privacy & Cybersecurity team combines in-house legal experience with extensive technical, operational and compliance backgrounds to provide comprehensive legal support and global privacy and data security strategies for today’s challenging digital economy. We work with clients of all sizes and types, including those operating in heavily regulated industries such as communications, energy, financial services, healthcare, retail, and information technology.

Our Data Privacy & Security Team

Our team’s expertise spans numerous areas, including privacy, cybersecurity, Internet, intellectual property, and consumer protection laws, including government investigations. We assess, develop, implement, and maintain robust privacy and security frameworks for businesses, helping them establish best practice policies for long-term success and stability. And although we think prevention is the best defense, should the need arise, our team will fight to protect the right to privacy and security.
With a particular focus on business use and protection of digital assets, our team is well versed in legal issues related to pharmaceutical trials, healthcare research, international data transfers, big data storage, tech agreements, social media, mobile applications, cybersecurity, online tracking and analytics, and software development.

Our Data Privacy & Security Practice

Practice Areas

Jurisdiction Specific Expertise: International and US State Privacy Law Compliance


  • General Data Protection Act (GDPR)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Texas Data Privacy and Security Act (TDPS)
  • Washington My Health My Data Act (HB 1155)
  • Iowa Act Relating to Consumer Data Protection (ICDPA)
  • Indiana Consumer Data Protection Act (INCDPA)
  • Tennessee Information Protection Act (TIPA)
  • Florida Digital Bill of Rights (“FDBR”)
  • Montana Consumer Data Privacy Act (MCDPA)
  • Oregon Consumer Privacy Act (OCPA)
  • Delaware Personal Data Privacy Act (DPDA)
  • New Hampshire Privacy Act (NMPA)
  • Nebraska Data Privacy Act (NEDPA)
  • Maryland Online Data Privacy Act (MODPA)

Industry Specific Expertise: Federal and Sectoral US Privacy Law Compliance

  • Artificial Intelligence Compliance and Governance
  • Children’s Privacy, namely GDPR & COPPA, FERPA and state law requirements, edTech and parental consent requirements
  • FTC and Section 5 violations
  • Fin-Tech and U.S. financial privacy and security laws (including GLB Act and agency regulations)
  • Consumer credit laws (e.g. FCRA, FACTA, etc.)
  • Video Privacy Protection Act (VPPA) and similar state laws
  • U.S. healthcare privacy and data security laws (including HIPAA and related state regulation)
  • Emails and texts (including CAN-SPAM and TCPA)
  • Biometric data and facial recognition/detection (including BIPA)
  • ADA accessibility for websites and online services (including W3C Web Content Accessibility Guidelines (WCAG) compliance)
  • Wiretapping laws (e.g. Electronic Communications Privacy Act)
  • Payment Card Industry Data Security Standard (PCI DSS)

Data Privacy Services

  • Data processing agreements
  • Cross-border data transfer requirements (SCCs, GDPR)
  • Privacy risk and impact assessments
  • Privacy policies
  • Terms of service
  • Data governance program management
  • Data inventories, data mapping and data subject requests
  • Opt-out obligations (including responding to Do Not Sell or Share requests and GPC signals)
  • Data retention and minimization
  • Product development and disclosures
  • Training and awareness
  • Product & Privacy by Design

AI Compliance and Governance

Establish AI Governance structure.

It’s crucial for AI not only to align with current regulations but also to anticipate the future compliance landscape, with a steadfast focus on data privacy. At FBFK, we pay attention to key regulatory influences and adopt a proactive stance towards ethical and responsible AI practices, placing data privacy at the forefront.

Conduct AI risk assessment and configure ongoing risk management.

Our services encompass evaluating and aligning AI solutions with established data protection, information security, and data privacy standards, including frameworks like EU AI and NIST AIRMF. We prioritize ethical and accountable AI practices, actively counteracting biases, discriminatory actions, and flaws in AI systems, ensuring a heightened focus on protecting user privacy. Additionally, we help clients anticipate future regulatory changes with a data privacy lens, proactively aligning current practices with AI solutions and preparing for forthcoming regulatory alterations, with a dedicated focus on data privacy compliance.

Develop a responsible AI strategy.

By following these guidelines, organizations can ensure that their AI initiatives not only meet current regulatory requirements but also anticipate and adapt to future compliance challenges, safeguarding data privacy and maintaining ethical standards in an evolving technological landscape.


Current and Anticipated Regulations
  • EU AI Act / European Commission
  • AI Risk Management Framework / NIST
  • Biden Executive Order on AI

Cybersecurity Services

  • Cybersecurity policy and procedure drafting
  • Cybersecurity plan drafting (including BC/DR, Incident Response, etc.)
  • Cybersecurity Risk Assessments
  • Security Incident Preparedness and Breach Response
  • Cybersecurity Frameworks Implementation (including NIST CSF, ISO 27,000, SOC2)
  • FTC Safeguards compliance
  • NY DFS Cybersecurity compliance and violations
  • NY SHIELD compliance
  • SEC Cybersecurity compliance and violations

M&A Due Diligence

In the context of M&A transactions, robust data privacy and cybersecurity due diligence play a pivotal role.

  • Risk Identification and Mitigation

  • Business Continuity and Reputation

Technology Transactions

  • License agreements
  • Data Processing Agreements/Addendums
  • Joint development agreements
  • SaaS (Software as a Subscription) agreements
  • Software licenses
  • Software development agreements
  • End User License Agreements (EULA)
  • Master & Service Level Agreements (MSA/SLA)
  • MSP & Cloud Computing Agreements
  • Distribution agreements
  • Reseller agreements

Representative Data Privacy & Security Matters
