Examples of Marla’s experience include:

Data Privacy

• Represented international data lake and analytics platform in creation of US and EU compliant data processing addendums where the company acted as both a processor to end users and a sub-processor to resellers; representation included coordination with local counsel and security negotiation.
• Advised clients on drafting policies and procedures and developing internal compliance programs with respect to a broad range of data protection laws, statutes, and regulations, including consumer privacy requirements, data breach preparation and response, data subject requests, digital marketing and targeted advertising, health care privacy laws, vendor management and data processing agreements, international data transfers and localizations, and written information security plans.
• Drafted new, or supplemented existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
• Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
• Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
• Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
• Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.
• Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).

Cybersecurity

• Assisted a city government in responding to business email compromise arising out of an international bad actor phishing scheme that resulted in compromise of thousands of entities sensitive personal information; representation included retaining third-party forensic firm under the attorney-client privilege, completing data mining and analysis with third-party forensic firm; addressing data breach notification obligations, and advising on communications to impacted entities.
• Assisted logistics and shipping company with operations across North America in assessing and responding to BlackCat ransomware attack, including through engaging digital forensic and incident response consulting agency, undertaking dark web monitoring, engaging with regulatory agencies to reinstate access to federal import and export control system, and advising on potential CTPAT and other incident notification obligations.
• Assisted a city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case; representation included retaining third-party forensic firm under the attorney-client privilege, addressing data breach notification obligations, and advising on communications to impacted constituents.
• Counseled clients on responding to incident notification letters received from third-party service providers in connection with CL0P ransomware group intrusion into MOVEit’s managed file transfer program, including advising on breach response and potential litigation.
• Assisted nationally recognized business associate in responding to business email compromise, including retaining third-party digital forensic and incident response consultant, assessing breadth of compromise including to personal data, and counseling on data breach notification process under federal and state law.
• Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
• Advised a chemical manufacturing corporation on Chemical Facility Anti-Terrorism Standards (CFATS) and Maritime Transportation Security Act (MTSA) compliance following a cybersecurity incident and data breach.
• Counseled an international software company on a data breach incident involving U.S. and EU residents’ sensitive data and drafted appropriate notices to data subjects and the appropriate international data protection authority.

Telecommunications Laws (TCPA)

• Counseled global manufacturing firm on federal telecommunications law (TCPA) with respect to implementing company-wide SMS communications, including opt-in and opt-out processes.
• Counseled a national telecommunications company on federal telecommunications law (TCPA) with respect to implementing a new marketing campaign and the use of an automatic telephone dialing system (ATDS).
• Assisted national restaurant chain in implementation of SMS communications, including obtaining prior written consent.
• Advised a national telecommunications company on Connecticut Telemarketing law with respect to restrictions and requirements on obtaining written consent prior any marketing calls to Connecticut telephone numbers.

Corporate and New Ventures

• Advised early-stage data analytics company on applicability of state data broker laws, registration of the company as a data broker, and created comprehensive data privacy and cybersecurity program compliant with US data privacy laws and state specific data broker laws.
• Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.
• Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
• Assessed and identified the current, immediate, and long-term state of new venture companies to determine applicability of state and international privacy laws and advise on Privacy by Design implementation.
• Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations and industry standards for Privacy by Design implementation.