Heyl Royster

Every business that handles financial information or other confidential customer or employee data is a potential target for a cyber attack. What precautions does your business need to take to minimize your potential liability from a security breach, what is your action plan if a breach occurs, and how can you protect yourself, and your customers, after a breach?

Heyl Royster’s Cybersecurity and Data Privacy Practice provides businesses with counseling, project management, and legal services designed to help you proactively take the necessary precautions to either prevent a cyber attack or, since no business is immune, to minimize your exposure post-breach. We have a multidisciplinary team of attorneys whose experience and credentials include information privacy, IT and IP, employment law, corporate governance, commercial litigation, and government relations, as well as knowledge in specific areas of law such as HIPAA compliance and financial industry regulation.

Some of the areas where we can be of assistance include:

  • Compliance and Protection

  • HR Policies

  • Contract Negotiation and Drafting

  • Risk Assessment

  • Crisis Planning and Response

  • Post-Breach Defense and Prosecution

An additional benefit of engaging Heyl Royster to help manage your cyber risk is that the Attorney/Client Privilege can attach to certain areas of counseling and the management of outside vendors, which can provide your business with an additional layer of protection.

Every Business is Different
In Illinois, the Personal Information Protection Act (effective 1/1/17) requires all companies dealing with records that contain the personal information of Illinois residents to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Although the Act does not specify what constitutes “reasonable security measures,” effective policies that are tailored to your business can help meet this standard. Having effective cyber policies and procedures in place can help any company that handles customer data. Businesses that are subject to unique regulatory requirements, such as the financial services or healthcare industries, have additional standards and need specialized policies that meet those enhanced legal requirements.

Compliance and Protection
In the fight to minimize cyber liability the best offense is a good defense. Having a comprehensive data-security strategy can help protect your business before, during, and after a cyber attack. Having some level of protection and a plan can help you mitigate loss, as well as help prevent reputational damage, in the event of a cyber attack.

Cyberliability insurance can protect you from the financial exposure that can result from malicious hacking or other non-malicious digital risks. We can help you reduce your exposure through the purchase of a specific line of insurance designed to insure businesses that engage in electronic activities, such as ecommerce or maintaining financial and personal data on an internal network.

We can also help you protect your business by ensuring that you have the appropriate clauses in your vendor and vendee contracts.

HR Policies
It is important to look at cyber exposure from an HR and company policy perspective. Studies have shown that between employee negligence and malicious acts, approximately 90% of all cyber claims stem from some type of human error or behavior. Although every organization is different, most businesses benefit from strong policies, such as Acceptable Use Policy, Privacy Policy, Data Policy, Security-Related HR Policy, and Password Security Policy. We can assist in developing those policies.

If all the necessary policies are in place, you may still benefit from employee training sessions covering hardware, software, and password use. We can audit your internal policies and procedures to help ensure that your business has certain basic protections in place, and either update existing policies or provide additional policies to fill the gaps. Similarly, we can assist companies in developing data retention programs that include spoliation prevention policies.

Contract Negotiation and Drafting
In the evolving regulation of data privacy, businesses must sign data-processing and data-use agreements in order to comply with data privacy laws. These laws include the General Data Privacy Regulation (GDPR), state data privacy laws, and ongoing HIPAA compliance obligations. Our attorneys can assist data controllers or primary holders of identifiable information in drafting forms or negotiating specific agreements to meet your business needs. If you are a data processor or secondary holder of identifiable information, Heyl Royster attorneys can assist you in separating what is actually required from what creates additional duties and potential liability for your organization.

When your business purchases or upgrades its technology, your software licenses should reflect the services you are purchasing and guarantee adequate testing and staff training prior to go-live. Heyl Royster can help assure that your technology purchases meet your business needs.

Risk Assessment
Heyl Royster can guide you in conducting a risk assessment that can expose potential weaknesses in your system. At this stage of an engagement, we work with your internal IT department and outside vendors to help you create a comprehensive data loss-prevention strategy. We can also provide advice on state and federal statutes, as well as other privacy regulations that relate to your specific industry.

Crisis Planning and Response
For many businesses it’s not a matter of if an attack will occur, it’s a matter of when an attack will occur. Emergencies can come in the form of a computer virus, loss or theft of an employee-assigned computer or jump drive, or a ransomware attack. Regardless of the threat, you have to be ready to act immediately. Having an incident response plan in place is critical. Heyl Royster can help you develop a set of instructions and assigned tasks that will specify the actions necessary to respond to a specific security emergency.

Post-Breach Defense and Prosecution
Civil matters arise from an organization or customers suing a company for a cyber breach. We can advise on the legal grounds for bringing or defending an action in the wake of a data breach, including simple negligence, strict liability, failure to provide reasonable security, failure to protect information, duty to inform of security breach, and failure to mitigate damages. Whether your company was breached, or affected by another company’s breach, we can help you cut your losses or recover appropriate damages.

Criminal matters can result from either an insider or external party committing a cyber offense. Here, we would provide assistance by interfacing with law enforcement and investigating criminal and civil remedies for the attack. We can help identify all regulatory agencies that carry enforcement authority over cybersecurity programs or breaches. We can help you comply with regulations to avoid fines and sanctions, or help you to find the appropriate agency to help you go after the responsible parties.


  • “Cybersecurity Consideration in a Remote Work Environment,” Springfield Business Journal (2021)
  • “Small Business Cybersecurity and the Internet of Things,” Springfield Business Journal (2019)
  • “The Charitable Powers of Blockchain Technology,” Springfield Business Journal (2018)
  • “Blockchain Technology for Business,” Springfield Business Journal (2017)
  • “Buckle Up for Cybersecurity,” Springfield Business Journal (2017)
  • “Seven Cybersecurity Recommendations for Small Businesses,” Springfield Business Journal (2017)
  • “Cyber Security Recommendations for Small Business,” InterBusiness Issues (2017)