Cyber | Data | Artificial Intelligence | Emerging Technology
Navigating the Complex Technologies Landscape of Data, Security, and Innovation
In today’s digital age, businesses must protect their data while leveraging cutting-edge technologies for growth. Our team excels in Cybersecurity and Data Privacy as well as Artificial Intelligence (AI) and Emerging Technology, offering a seamless approach to these critical areas. We keep our clients secure and ahead of the curve.

Overview
Strategic Legal Counsel for a Secure Future
At Spencer Fane, we help clients navigate the evolving landscape of cybersecurity, data privacy, AI, and emerging technology with confidence and clarity. Whether managing a critical data breach or proactively implementing AI governance strategies, our attorneys bring the deep legal knowledge and forward-thinking approach necessary to protect assets, maintain compliance, and harness innovation.
Legal Experience, Tailored for What’s Next
Our team offers tailored legal guidance that meets clients where they are – responding decisively to urgent threats and designing long-term programs to reduce risk, ensure regulatory alignment, and support ethical technology integration. We advise clients across industries on developing robust data privacy and cybersecurity frameworks, preparing for and responding to incidents, and ensuring that AI and emerging technologies are adopted responsibly and effectively.
Our focus on innovation, compliance, and the ethical use of AI and new technologies ensures that our clients can confidently embrace the future with optimism and success. We understand that technology does not stand still. That’s why we deliver practical, actionable counsel that integrates seamlessly with each client’s business objectives and risk tolerance, helping them not only meet today’s legal and regulatory challenges but also plan for tomorrow’s opportunities. From securing sensitive data to advising on AI compliance and governance, Spencer Fane empowers clients to embrace innovation while safeguarding what matters most.
Experience
Showcasing successful Breach and Investigation outcomes through client testimonials that highlight effective Cyber Risk Management and proactive Privacy Management Strategies, ensuring crises are prevented and confidence is maintained.
Data Management Strategies
- Counseled a private equity firm regarding the assessment of the types of data gathered and maintained by its multiple entities, including applicable regulatory requirements for each entity and relevant risks and considerations for the private equity firm.
- Worked with numerous financial institutions in the implementation of the FDIC’s Financial Guidance on Response Programs.
- Drafted policies and procedures for numerous covered entities and business associates to implement revisions to the HIPAA regulations under HITECH.
- Drafted privacy and security policies and procedures for regulated financial institutions to comply with the Gramm-Leach-Bliley Act.
- Coordinated security risk assessments for organizations handling personally identifiable information or protected health information, including engagement of security consultants for HIPAA assessments, PCI DSS audits, and red team assessments.
- Developed a vendor management program for a large healthcare organization, including implementation of a vendor risk assessment process, standard business associate and non-business associate vendor agreements, and training for contracting staff regarding effective implementation.
- Created a data extraction process for a company serving as third-party administrator to standardize and coordinate the processing of data requests from its self-insured health plan clients and their other contracted vendors.
Privacy Policies and Notices
- Prepared consumer notices for numerous banking institutions under Gramm-Leach-Bliley.
- Revised Notice of Privacy Practices for health care providers and health plans to incorporate revisions under HITECH and the Omnibus HIPAA regulations.
- Created an organized healthcare arrangement among a group of covered entities, including a Joint Notice of Privacy Practices, to structure a new primary care service model.
- Drafted privacy notices and terms of use for multiple organizations engaged in online retail and e-commerce.
Breach Investigation and Notification
- Analyzed a wide variety of privacy and security incidents occurring within organizations that are covered entities or business associates to determine the probability of compromise to the protected health information and whether notification is required under HIPAA or state law.
- Managed the investigation of a breach at a large physician group that included financial information collected through an online payment portal and online employment applications and provided notifications to affected individuals across 42 states.
- Coordinated the investigation and notification process on behalf of a critical access hospital following the unauthorized access and disclosure of patient records by one of its former employees.
- Participated in the development of notifications on behalf of one of six covered entities affected by a business associate breach that involved collective notification to over three million individuals.
- Managed the incident response of a consumer products firm regarding a breach of customers’ personal data from its e-commerce platform, including investigation, response, and notification requirements.
Regulatory Investigations and Litigation
- Resolved an investigation with Office for Civil Rights through voluntary compliance following a breach reported by the hospital after its vendor inadvertently published the financial information of over 8,000 individuals on the internet.
- Responded to inquiries from several state attorneys general related to voluntary breach notifications or consumer complaints regarding privacy or security practices.
- On behalf of a nonprofit organization, resolved an Office for Civil Rights and attorney general investigation following a ransomware attack affecting the organization’s computer systems and storage of personal information.
- Defended claims brought by patients alleging privacy violations against hospitals and other health care providers in state court.
Areas of Focus
Developing sound strategies to safeguard the privacy of patients and customers
The risks companies face in handling personally identifiable information (PII) and protected health information (PHI) continue to increase. The Spencer Fane Privacy Management Strategies team helps organizations in health care, banking, and other industries reach a stronger privacy state by guiding them to best practices for using and disclosing consumer information. We provide legal counsel aimed at creating a business culture of care and compliance in handling data.
Our lawyers:
- Assess our client’s role as they gather information so that the applicable laws can be identified and incorporated into the privacy strategy.
- Identify steps to improve privacy best practices.
- Develop training regimens and policies for staff.
- Create extra value for clients by handling privacy and security matters, helping business leaders better understand how to both protect PII and PHI and handle it appropriately.
Our team employs a proactive approach to privacy management, enabling our clients to prevent unintentional violations of federal and other privacy rules, while also handling the rare but critical intentional violations by an employee.
Protecting against breaches and other threats to systems, data, and customer information
The Spencer Fane Cyber Risk Management team guides business leaders through each important phase of the cyber and data risk analysis and management process, giving them confidence that their systems and data will remain secure.
Members of our team:
- Build out phased plans that allow companies to quickly address the most critical and immediate risks while also safeguarding against future threats.
- Build relationships with third-party vendors for deep assessments of systems.
- Test incident response plans through tabletop exercises, and reassess and reformulate plans at regular intervals.
- Establish a review cycle – thorough and recurring – to keep policies and procedures up to date.
- Advise on the purchase of comprehensive cyber insurance.
We focus on the long-term health of a business, learning the types of work it performs, its customers or consumers, and the data it collects. Our attorneys then identify potential risks and develop a strategic, customized plan to minimize them.
Swift and detail-oriented responses, allowing clients to minimize interruptions to operations and financial loss
The Spencer Fane Cyber and Data team provides support to companies in cyber crisis mode to not only meet legal requirements for data breach notifications and disclosures, but also to determine how and why a breach occurred.
Working to enable clients to maintain the trust of their customers, vendors, and other partners, our attorneys:
- Give each case the individual attention and tailored service needed to ensure the approach is appropriate based on the needs of the company and the industry involved.
- Identify the specific details of the incident and apply the necessary resources to effectively manage the situation from start to finish. We don’t make assumptions or pull template policies or procedures.
- Incorporate national best practice standards.
- Provide guidance on incident response plans, including development and implementation.
- Analyze breach notification requirements.
- Advise on management of notification obligations.
- Work with affected business partners.
- Help clients resolve resulting regulatory investigations or litigation.
- Rapid incident response protocols
- Forensic investigation and containment
Translating dense laws and rules into effective governance structure and operational processes – tailored to your business
Spencer Fane attorneys help clients across industries evaluate how to implement a data governance structure and create sound privacy policies and notices, allowing business leaders to implement that structure, protect the privacy of those they serve, and avoid litigation.
Whether the organization is a health care provider, insurance company, financial institution, e-commerce company, or other business, our team works with the organization to:
- Analyze regulatory requirements, information flow, and business needs
- Develop a data governance structure that oversees the use and protection of information in an operational manner
- Create policies and procedures to support the governance structure and define expectations for workforce members
- Monitor implementation, evaluate compliance, and adjust as needs change
- Preparedness for regulatory audits and investigations
- Legal guidance during compliance reviews and inquiries
- Representation in investigations related to privacy breaches or cybersecurity incidents