Cybersecurity is a moving target. Technology evolves faster than the law and hackers compete to be the first to exploit gaps in either.

Bulkley Richardson works with businesses, professionals and individuals to put contractual, procedural and educational safeguards in place in order to allocate risks and minimize liability before any breach event occurs.

Bulkley Richardson also works to keep our clients abreast of, and in compliance with, emerging regulations. This level of proactivity goes back to 2010 when Massachusetts pioneered data privacy and protection standards with the issuance of 201 C.M.R. 17, and the firm helped clients draft Written Information Security Programs (WISP). Bulkley Richardson’s Cybersecurity practice group continues to keep our clients informed of the rapidly evolving personal information and data security laws and regulations of the fifty states and international regions in which our clients have customers and employees, such as relevant aspects of the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act, and the New York SHIELD Act.


The Cybersecurity team works to protect clients both before and after a data breach. This includes helping companies prevent a breach by conducting risk assessments and helping clients design and implement a cybersecurity program – or modify an existing program – to meet new conditions. We and our select technical partners develop incident response plans to put our clients in the best position to respond if a breach occurs. We also assist in reviewing cyber insurance policies to ensure that clients receive the best coverage at the lowest cost.

Bulkley Richardson regularly assists clients in complying with a broad range of regulations. From HIPAA to GDPR and from 201 CMR 17 to the safe harbor rule in Ohio, we have it – and our clients – covered.

The Cybersecurity team also has experience advising companies on the data privacy and security implications of mergers and acquisitions, outsourcing arrangements, cross-border data transfers and other transactions. We perform contract reviews to ensure that vendors commit to protecting and maintaining the confidentiality, integrity, and availability of data that our clients entrust to them. We respond to inquiries from federal and state regulators and, when necessary, litigate to protect our clients’ valuable information.


If a data breach occurs, Bulkley Richardson’s Cybersecurity team provides rapid and comprehensive incident response, including handling communications with cyber insurance carriers, assessing potential reporting obligations and performing after-action analysis.

  • General Data Protection Regulation (GDPR)
    • Drafted controller-processor agreements for U.S. companies with European Economic Area end-users.
    • Advised companies on data privacy and security implications of cross-border data transfers.
    • Adapted privacy policies to comply with GDPR.
  • Written Information Security Program (WISP)
    • Prepared WISPs whose security requirements protect nine categories of “personal information” as defined by five states in which the company has employees and customers.
    • Drafted WISPs for companies collecting a broad range of personal information, including credit card information from residents of all fifty states.
  • Health Insurance Portability and Accountability Act (HIPAA)
    • Assisted a range of medical establishments in complying with HIPAA.
  • California Consumer Privacy Act (CCPA)
    • Assisted clients with national markets to determine applicability of CCPA and moved those clients subject to its requirements toward achieving compliance before CCPA’s effective date of January 1, 2020.
  • Malpractice
    • Assisted client in recovering funds lost to his previous attorneys’ disclosure of client’s valuable personal information arising from failure to recognize an ongoing business email compromise scheme.
  • Insurance
    • Reviewed proposed cyber insurance policy with client, provided advice regarding gaps in coverage, and prepared inquiries for negotiations with the insurer.
  • Other
    • Responded to inquiries from the Department of Health and Human Services Office of Civil Rights (OCR) regarding a major HIPAA breach experienced by a client.
    • Advised and assisted clients with preservation obligations, procedures and forensic imaging.
  • Regulators
    • Reported breach of client’s customer information to regulators, including, where applicable, state attorneys general, to efficiently resolve regulatory concerns.
  • Individuals
    • Drafted breach notices to individuals in forty-eight states whose credit card information may have been breached, in compliance with their respective state guidelines.
  • Others
    • Notified third-party vendor who processed personal information of potential breach.
  • Indemnification, Representations and Warranties
    • Evaluated and provided guidance establishing minimal required technology to comply with relevant regulations.
    • Assessed potential exposure of client arising from historical information security practices of to-be-acquired company.
  • Privacy Addendum
    • Defined the processes and structures of how personal data will be collected, stored and processed.
  • Permissions/Disclosures
    • Drafted terms obtaining promise that vendor, not client, was responsible for obtaining end-users’ consent for client to process personal information.