Data Privacy and Security

A medical center recently retained Mandell Menkes to represent it in connection with an investigation launched by various government entities regarding the safeguarding of patient health information. The client previously entered into an agreement with a company that extracts silver from x-ray film, limiting the extraction to records stored for over 5 years and mandating that the company not disseminate the records to anyone.


After the parties signed the agreement, a recovery company employee removed numerous boxes of material from the clinic and left the records in the garage of his rented residence, in violation of the agreement. His landlord then found the material and alerted authorities of his discovery, prompting an investigation by the U.S. Department of Health and Human Services. Mandell Menkes is playing a critical role in the clinic’s crisis response and is spearheading the clinic’s compliance with HIPAA Security and Privacy Rules as well as the ongoing investigation.

As consumer products companies, retailers, healthcare providers, financial institutions and other businesses have increased the personal data they collect and store, a myriad of regulations – state, federal and throughout the world – have been enacted to address how the information is collected, the rights of those whose information is being collected, and the responsibilities of the entities storing the information if the security of the information is breached.


Mandell Menkes has extensive experience working with clients to develop privacy and data security policies and defending actions based on alleged data security breaches and violations of individual privacy.  The firm has an in-depth knowledge of the various laws that give rise to data security and privacy obligations and that are typically triggered in data breach litigation, including the Do Not Call Act, CAN-SPAM, Telephone Consumer Protection Act (TCPA), Junk Fax Prevention Act (JFPA), the Health Insurance Portability and Accountability Act (HIPPA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), the Electronic Communications Privacy Act (ECPA), the FTC Act and its state counterparts and various state common law and statutory privacy laws.   The firm also has experience with workplace privacy issues, including the regulations that bear on employee testing and background screening.


The firm’s clients include consumer finance companies, nationwide private label credit card issuers, banks, record labels, mobile device content providers, insurers, hospitals, nationwide debt collection agencies, nationwide retailers, advertising agencies and several Internet ventures.

Mandell Menkes has litigated complex commercial disputes across the country in federal and state courts and before arbitration panels, including individual and class actions suits arising out of privacy and data security breaches. Some of its key representations in this area include:


  • Robinson v. TJX Companies, Inc. (defended TJX in class action alleging negligence and failure to follow Payment Card Industry Data Security Standards in connection with massive data security breach);
  • Bonner v. Travel Centers of America, Inc. (defended national travel center chain in class action alleging violation of the Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act);
  • Lozano v. Twentieth Century Fox (defended Fox in novel class action claim alleging violation of the TCPA based on the delivery of unauthorized text messages);
  • Goyke v. MetLife, Inc. (defended MetLife in class action alleging violation of the TCPA based on the delivery of unsolicited faxes);
  • Antonov v. Thumbplay, Inc. (ND Ill.); Hatfield v. Thumbplay, Inc. (WD Wash.); Zijdel v. Thumbplay, Inc. (ND Cal.); Garcia v. Thumbplay, Inc. (SD Fla.); Williams v. Thumbplay, Inc. (Ill.); Walker v. Thumbplay, Inc. (ND Ill.); Gray v. Thumbplay, Inc. (ND Ill.) (defended mobile content publisher in multiple state and federal class actions filed across the country alleging consumer fraud and other theories of recovery based on unauthorized “cramming” of mobile entertainment content);
  • Best v. A & E Television Networks, Inc. (defended A & E, The Biography Channel and television production company against claims for violation of the federal Driver’s Privacy Protection Act and other common law and constitutional privacy claims based on disclosure of information on police officer’s laptop screen during reality TV show);
  • Ricobene v. JPMorgan Chase Bank, N.A. (defended bank against various privacy claims based on bank’s alleged efforts to collect a debt by posting to the plaintiff’s MySpace page);
  • Harris v. Mediacom Communications Corp. (defended cable television operator against claims for violation of the Electronic Communications Privacy Act (“ECPA”) and the Stored Communication Act).


The firm monitors state and federal legislation regarding data security and privacy and authors the annual updates (for the prestigious Media Law Resource Center) on developments in privacy and related areas of law, and is a member of the International Association of Privacy Professionals.