Kathryn Rattigan is a member of the firm's Business Litigation Group and Data Privacy + Cybersecurity Team. She advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws. Kathryn also provides legal advice regarding the use of unmanned aerial systems (UAS, or drones) and Federal Aviation Administration (FAA) regulations. She represents clients across all industries, such as insurance, health care, education, energy, and construction.
Data Privacy and Cybersecurity Compliance
Kathryn helps clients comply with all state and federal regulations related to data privacy and cybersecurity. She counsels clients facing government investigations over alleged non-compliance. She advises clients on the development of privacy and security plans, and how to best handle high-risk data to avoid breaches and cyber intrusions. Kathryn helps clients review, revise, and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA), Telephone Consumer Protection Act (TCPA), the Children's Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), and other federal and state laws and regulations. She assists businesses and organizations with measures to protect the security and confidentiality of personal and sensitive information. She provides guidance regarding privacy and data protection in connection with mobile devices, data storage technologies, mobile applications, and location-based services. Kathryn assists with the development of website and mobile app privacy policies and terms and conditions of use. She also advises clients on social media policies and practices, and 'Bring Your Own Device' in the workplace. She is a member of the firm's Financial Services Cyber-Compliance Team.
Unmanned Aerial Systems and FAA Compliance
Kathryn is a member of the firm’s Drone Compliance Team. As such, she advises clients on all legal issues surrounding the use of commercial drones, including navigation of Federal Aviation Administration regulations, commercial registration requirements, and Part 107 waivers. She reviews and prepares employee and subcontractor agreements for the piloting and use of drones. She advises commercial businesses on insurance options for adequate coverage for drone use. Kathryn is well versed on various local and state laws, regulations, and ordinances which apply to a business’ drone use. She assists clients with privacy and cybersecurity policies, procedures and programs to mirror the National Telecommunications and Information Administration’s voluntary best practices, as well as other industry standards. Kathryn also handles drone-related litigation, such as claims involving manufacturing defects, personal injury, or property damage. She has given numerous presentations about implementing UAS into company infrastructure and privacy and cybersecurity issues related to drone use.
Kathryn counsels clients on HIPAA compliance, including assisting with employee training, and providing guidance on the implementation of required and recommended Privacy Rule and Security Rule policies and procedures.
Data Breach Preparedness and Emergency Response
Kathryn provides clients with the information needed to effectively handle potential and confirmed data breaches, including insight into state and federal regulations and requirements. If a client suffers a data breach, she assists with the follow-up response, including notification, remediation, and litigation.
Privacy and Class Action Litigation and Enforcement
If a data breach or cybersecurity issue results in litigation or an enforcement action, Kathryn represents clients in court and before government regulatory agencies. This includes assisting clients with matters related to the unauthorized access, use or disclosure of health, financial, or personally identifiable information.
Cannabis Industry and Cybersecurity Threats
All companies face cybersecurity threats, but the legalized cannabis industry's storage of personally identifiable information and reliance on seed-to-sale tracking software can place it firmly within hackers' crosshairs; even though there’s more physical cash than electronic transactions, these companies are no less a target for hackers. Most point-of-sale systems at both medical and recreational cannabis businesses automatically report to their state's compliance tracking system, which might include the individual's name, birth date and contact information based on the scanning of a driver's license or state-issued ID card. The data can also be targeted by cybercriminals, including "ethical hackers" who do not agree with the legalization of cannabis and seek to expose consumers. Kathryn assists companies with privacy and cybersecurity from the ground up, whether the cannabis business is a start-up just entering this arena or an established, licensed facility or storefront. Additionally, as cannabis companies attempt to combat bad actors, these businesses typically will not find data privacy or cybersecurity guidance or requirements in the laws permitting the sale or use of marijuana. Instead, companies are regulated by states' data breach notification laws and possibly the California Consumer Privacy Act (CCPA), if they fall under that law's requirements. Kathryn advises these companies in regard to applicable state laws and how they can implement an enterprise-wide privacy and security plan to protect their customer data and their proprietary information and formulae.
Pro Bono and Community Involvement
Kathryn is committed to doing pro bono work and being involved in the community. Her recent efforts include assisting Inner Explorer, a non-profit which works to help students focus and succeed through mindfulness practice in the classroom, and College Visions, which helps low-income students pursue a college education.
She writes for two of the firm’s blogs, Data Privacy + Security Insider and Health Law Diagnosis.