Focus Areas
Examples of Marla’s experience include:
Data Privacy
- Advised clients on drafting policies and procedures and developing internal compliance programs with respect to a broad range of data protection laws, statutes, and regulations, including consumer privacy requirements, data breach preparation and response, data subject requests, digital marketing and targeted advertising, health care privacy laws, vendor management and data processing agreements, international data transfers and localizations, and written information security plans.
- Drafted new, or supplemented existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
- Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
- Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
- Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
- Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.
- Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
Cybersecurity
- Assisted logistics and shipping company with operations across North America in assessing and responding to BlackCat ransomware attack, including through engaging digital forensic and incident response consulting agency, undertaking dark web monitoring, engaging with regulatory agencies to reinstate access to federal import and export control system, and advising on potential CTPAT and other incident notification obligations.
- Assisted a city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case; representation included retaining third-party forensic firm under the attorney-client privilege, addressing data breach notification obligations, and advising on communications to impacted constituents.
- Counseled clients on responding to incident notification letters received from third-party service providers in connection with CL0P ransomware group intrusion into MOVEit’s managed file transfer program, including advising on breach response and potential litigation.
- Assisted nationally recognized business associate in responding to business email compromise, including retaining third-party digital forensic and incident response consultant, assessing breadth of compromise including to personal data, and counseling on data breach notification process under federal and state law.
- Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
- Advised a chemical manufacturing corporation on Chemical Facility Anti-Terrorism Standards (CFATS) and Maritime Transportation Security Act (MTSA) compliance following a cybersecurity incident and data breach.
- Counseled an international software company on a data breach incident involving U.S. and EU residents’ sensitive data and drafted appropriate notices to data subjects and the appropriate international data protection authority.
Telecommunications Laws (TCPA)
- Counseled global manufacturing firm on federal telecommunications law (TCPA) with respect to implementing company-wide SMS communications, including opt-in and opt-out processes.
- Counseled a national telecommunications company on federal telecommunications law (TCPA) with respect to implementing a new marketing campaign and the use of an automatic telephone dialing system (ATDS).
- Assisted national restaurant chain in implementation of SMS communications, including obtaining prior written consent.
- Advised a national telecommunications company on Connecticut Telemarketing law with respect to restrictions and requirements on obtaining written consent prior any marketing calls to Connecticut telephone numbers.
Corporate and New Ventures
- Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.
- Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
- Assessed and identified the current, immediate, and long-term state of new venture companies to determine applicability of state and international privacy laws and advise on Privacy by Design implementation.
- Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations and industry standards for Privacy by Design implementation.
- “Significant Changes to Florida’s Privacy reach Notification and Telemarketing Laws,” Pratt’s Privacy and Cybersecurity Law Report, November 2023
- “NYDFS Amends Data Breach and Cybersecurity Regulations,” Thompson Hine Privacy & Cybersecurity Update, November 2023
- “FTC Amends Safeguards Rule and Data Breach Notification Obligations,” Thompson Hine Privacy & Cybersecurity Update, November 2023
- “Major Changes to California Privacy Laws,” Thompson Hine Privacy & Cybersecurity Update, October 2023
- “Delaware Personal Data Privacy Act Signed Into Law With 2025 Effective Date,” Thompson Hine Privacy & Cybersecurity Update, September 2023
- “Preparing for Connecticut’s New Telemarketing Law,” Thompson Hine Privacy & Cybersecurity Update, August 2023
- “California Announces Privacy Audits of Connected Vehicles and Related Technologies,” Thompson Hine Privacy & Cybersecurity Update, August 2023
- “California Investigates Employee/HR Data Processing in Privacy Enforcement Actions,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- “Oregon Legislature Passes Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- “California Privacy Law Enforcement Delayed Until 2024,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- “FBI Issues Business Email Compromise Alert,” Thompson Hine Privacy & Cybersecurity Update, June 2023
- “Texas Enacts Privacy Law; Amends Data Breach Notification Law,” Thompson Hine Privacy & Cybersecurity Update, June 2023
- “Significant Changes to Florida’s Privacy, Breach Notification, and Telemarketing Laws,” Thompson Hine Privacy & Cybersecurity Update, June 2023
- “Washington State Enacts My Health, My Data Act,” Thompson Hine Privacy & Cybersecurity Update, May 2023
- “Startups Streamlined – Data Privacy Compliance: Is Your Company Keeping Up?” Thompson Hine Webinar, July 2023
- Selected to the Illinois Rising Stars list, 2022 & 2023
- Received a 2024 Best Lawyers: Ones To Watch recognition for Corporate Law, and Mergers and Acquisitions Law
Professional Associations
- International Association of Privacy Professionals, Certified Information Privacy Professional/United States (CIPP/US)
- Women’s Bar Association of Illinois
Community Activities
- Jewish Reconstructionist Camping Corporation, President
Education
- Benjamin N Cardozo School of Law, J.D., 2015,
Cardozo Arts & Entertainment Law Journal, articles editor
- Brandeis University, B.A., 2012, cum laude
Bar Admissions
- Illinois
Court Admissions
- U.S. District Court for the Northern District of Illinois
Select a filter
- New Ventures Update – November 2023, November 28, 2023
- Significant Changes to Florida’s Privacy Breach Notification and Telemarketing Laws,
Pratt’s Privacy and Cybersecurity Law Report
, November 15, 2023 - NYDFS Amends Data Breach and Cybersecurity Regulations,
Privacy & Cybersecurity Update
, November 7, 2023 - FTC Amends Safeguards Rule and Data Breach Notification Obligations,
Privacy & Cybersecurity Update
, November 1, 2023 - Major Changes to California Privacy Laws,
Privacy & Cybersecurity Update
, October 17, 2023 - Delaware Personal Data Privacy Act Signed Into Law With 2025 Effective Date,
Privacy & Cybersecurity Update
, September 13, 2023 - Preparing for Connecticut’s New Telemarketing Law,
Privacy & Cybersecurity Update
, August 21, 2023 - California Announces Privacy Audits of Connected Vehicles and Related Technologies,
Privacy & Cybersecurity Update
, August 7, 2023 - California Investigates Employee/HR Data Processing in Privacy Enforcement Actions,
Privacy & Cybersecurity Update
, July 19, 2023 - Oregon Legislature Passes Privacy Law,
Privacy & Cybersecurity Update
, July 6, 2023