Data Privacy & Cybersecurity Compliance

• Advised clients on drafting policies and procedures and developing internal compliance programs with respect to a broad range of data protection laws, statutes and regulations, including consumer privacy requirements; employee data privacy notices and policies; data breach preparation and response; data subject requests; digital marketing and targeted advertising; medical data, clinical trials, and healthcare privacy laws; vendor management and data processing agreements; international data transfers and localizations; written information security plans; WCAG compliance; and biometric data processing.
• Prepared data incident response plans and programs and assisted small, midsize, and large companies in responding to serious data events, including ransomware attacks and other incidents involving the unauthorized access, acquisition, or disclosure of personal data or confidential information.
• Drafted online terms and conditions and privacy policies for domestic and global companies.
• Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
• Assisted government contractors with adhering to the NIST standards and other federal regulations and rules on the safeguarding of controlled unclassified information.
• Assisted organizations in establishing and maintaining insider threat programs to ensure the confidentiality and integrity of classified and other sensitive data.
• Advised clients on a broad range of data protection laws, including the FTC Act, GLBA, HIPAA, CAN-SPAM, TCPA, COPPA, CFAA, ECPA, CCPA, CPRA, VCDPA, BIPA, and other privacy legislation.

Data Breach Response Matters

• Assisted county school district with its response to the unauthorized exfiltration of students’ and educators’ personal information from the PowerSchool data platform; drafted notification to students, parents and administration, undertook data mining, advised on compliance with federal education privacy law (FERPA) recordkeeping obligations, and advised on federal and state data breach notification obligations.
• Represented energy industry client in its response to Eldorado ransomware incident impacting its third-party payroll service provider. Engagement included working with local counsel in the Middle East to facilitate data subject and regulatory notifications and providing guidance on indemnification and breach of contract remedies.
• Provided counsel on global manufacturer’s response to Cl0p exploitation of a zero-day vulnerability in Cleo managed file transfer software that resulted in exfiltration of confidential information and personal data pertaining to client; representation included advising on data breach notification obligations and third-party recovery options.
• Served as breach coach for construction consultant with respect to Play ransomware attack; retained digital forensic expert and threat actor negotiators and advised on data breach notification obligations with respect to potential compromise of current and former employees’ sensitive HR data.
• Assisted business associate technology company with responding to Play ransomware attack, including with respect to threat actor negotiations and HIPAA security incident and breach reporting obligations.
• Assisted global manufacturing company in responding to BlackSuit double extortion ransomware attack that impacted client’s operations in dozens of countries. Representation included retaining digital forensic consultant, negotiating $25 million ransom demand, engaging with law enforcement and regulatory authorities, and drafting and processing formal data incident notification communications to impacted employees, customers, and other third parties in accordance with the client’s data breach notification obligations.
• Assisted school district in responding to RansomHub cybersecurity incident, including with respect to threat actor communications, sanctions checks, digital forensics, and drafting and disseminating data subject notices pursuant to FERPA and U.S. state law.
• Assisted client in responding to intrusion into a remote employee’s personal and professional devices, including leading forensic investigation and advising on federal and state data breach notification laws.
• Assisted textile manufacturer with response to business email compromise that resulted in unauthorized access to unencrypted payment card information; advised on data mining process and complying with U.S. state data breach notification laws with respect to informing impacted customers and regulatory agencies.
• Advised public school district on its response to unauthorized intrusion into its information networks; retained digital forensic investigator and advised on data breach reporting obligations to impacted students, administrators and other third parties, and with respect to state comptroller.
• Assisted logistics and shipping company with operations across North America in assessing and responding to BlackCat ransomware attack, including through engaging digital forensic and incident response consulting agency, undertaking dark web monitoring, engaging with regulatory agencies to reinstate access to federal import and export control system, and advising on potential CTPAT and other incident notification obligations.
• Assisted U.S. chemical and manufacturing company in responding to Akira ransomware, including leading investigation under the attorney-client privilege, retaining digital forensic and IT consultant firm, undertaking data mining and threat actor communications, and notifying impacted data subjects and regulatory authorities.
• Counseled and assisted global organization in the specialty chemical sector in responding to domain controller compromise and compromise of company files likely attributable to Volt Typhoon, including advising on U.S. state personal data breach notification requirements and cyber incident reporting obligations pursuant to the Chemical Facility Anti-Terrorism Standards (CFATS) and U.S. Coast Guard Policy on Reporting Suspicious Activity and Breaches of Security (CG-5P Policy Letter, No. 08-16).
• Provided assistance to city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case, including retaining third-party forensic firm under the attorney-client privilege, consulting on threat actor communications and law enforcement engagement in light of active communications with threat actor, addressing data breach notification obligations, and advising on communications to impacted constituents.
• Engaged with global welding company and helped respond to a business email compromise arising from unauthorized intrusion into email account based in Austria and coordinated with EU legal counsel with respect to data breach reporting obligations pursuant to EU, U.S., and UK data protection law, investigating nature and scope of the incident through independent IT security consultant, and drafting incident notification communications to impacted data subjects.
• Assisted global manufacturing company in responding to network intrusion based on SIM hijacking and provided guidance with respect to data mining and security incident notification.
• Assisted global manufacturing company in responding to cyberattack involving service account compromise and use of RDAT backdoor to exfiltrate certain data from company’s IT environment and provided legal guidance regarding requirements applicable to publicly traded companies and pursuant to state data breach notification obligations.
• Advised a global manufacturer in responding to ransomware attack by Black Basta that encrypted its VMware ESXi; representation included retaining an IT consultant to restore data from backups and analyze logs derived from third-party security tool to identify compromised data sets and rendering legal counsel on complying with data breach notification obligations.
• Assisted manufacturer of high-quality retail and foodservice desserts in responding to Akira ransomware attack. Retained digital forensic and security consultant to lead remediation and restoration, engaged in threat actor negotiations, drafted data breach incident notifications in multiple languages, procured credit monitoring services for affected data subjects, and furnished formal notification of incident to regulatory authorities.
• Assisted a global manufacturing client in responding to use of compromised credentials to access third-party HR data platform, including retaining third-party IT consultant to undertake log analysis, engaging platform host to assess liability and responsibility, advising on data breach notification obligations and helping client raise Computer Fraud and Abuse Act (CFAA) and Stored Communications Act (SCA) claims against former employee responsible for the attack.
• Assisted global manufacturing company in responding to a Lockbit 3.0 ransomware and extortion attack, including by retaining a third-party incident response team and ransomware negotiator, conducting OFAC checks, issuing litigation holds, and providing formal notification to data subjects, regulators and credit monitoring agencies.
• Helped managed service provider respond to Conti ransomware attack that targeted third-party client’s IT environment, including by issuing litigation hold, engaging Digital Forensics and Incident Response (DFIR) vendor, analyzing export control laws related to use of DFIR vendor’s proprietary software, and drafting litigation risk assessment.
• Helped global manufacturing company respond to a Royal ransomware and extortion attack, including retaining an independent incident response and digital forensic consultant, retaining a separate ransomware negotiator, leading data mining efforts, issuing litigation holds, and coordinating with foreign counsel to ensure proper data incident notifications to data subjects and regulatory officials in the United States, European Economic Area, United Kingdom, and Australia.
• Counseled multiple clients on responding to incident notification letters received from third-party service providers in connection with CL0P ransomware group intrusion into MOVEit’s managed file transfer program, including advising on breach response and potential litigation.
• Represented an EU-based client in its response to Akira ransomware attack; engagement included retaining digital forensic firm, assessing publicly available decryption tools, engaging in external and internal notifications, and addressing threat actor communications and engagement with federal law enforcement.
• Assisted a manufacturer client in responding to insider threat issue in connection with former remote-only employee making threats concerning misuse of data after termination; representation included retaining third-party IT consultant to undertake security review; drafting affidavits related to the confidentiality, integrity and security of client data and IT systems; and addressing engagement with local law enforcement.
• Served as breach counsel for county school district and led investigation into business email compromise; provided legal advice and counsel on state sovereign immunity laws, data breach reporting obligations and FERPA compliance.
• Assisted third-party healthcare benefits administrator with responding to theft at corporate offices which compromised hard copies of records containing protected health information. Representation included engaging with client’s customers (employers) about the incident, drafting notice of the incident to impacted employees, retaining credit monitoring services for affected data subjects, and submitting formal notice of the incident to law enforcement and federal regulatory authorities.
• Advised client on intrusion into HR system that resulted in payroll diversion scams involving fraudulent direct deposit information; representation included working with HR system provider to assist client throughout technical remediation and business loss recovery process.
• Assisted a city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case; representation included retaining third-party forensic firm under the attorney-client privilege, addressing data breach notification obligations, and advising on communications to impacted constituents.
• Assisted nationally recognized business associate in responding to business email compromise, including retaining third-party digital forensic and incident response consultant, assessing breadth of compromise including to personal data, and counseling on data breach notification process under federal and state law.
• Advised national restaurant chain client on responding to security compromise wherein threat actor gained unauthorized access to loyalty program and made unauthorized purchases from consumer accounts, including providing legal analysis of data breach notification obligations and advising on third-party digital forensic consultant to undertake independent investigation.
• Advised U.S.-based publicly traded multinational corporation on whether inclusion of social security numbers on health plan communications transmitted via mail from business associate would be considered a data breach for purposes of federal and state data breach notification laws.
• Assisted consumer goods company in investigating and responding to data breach arising from unauthorized access to, and exfiltration of, customer data from the company’s third-party e-commerce platform due to compromise of an employee’s account credentials.
• Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
• Represented defense contractor in joint investigation by the Department of Defense and Federal Bureau of Investigation arising from Maze ransomware attack that potentially exposed controlled unclassified information, which resulted in the closure of the case without adverse action to client.
• Assisted global manufacturing company in responding to ransomware attack that compromised sensitive employee and customer data, partnering with European Union counsel to facilitate notifications to supervisory authorities pursuant to the European Union (EU) General Data Protection Regulation and EU Member State law.
• Counseled healthcare business associate regarding technical anomaly within its online patient portal that resulted in unauthorized disclosure of medical records and protected health information and drafted formal data breach notification communications and reports.
• Advised private sector company with respect to an incident involving the unauthorized disclosure of sensitive employee data and invoking the “good faith” exception within certain U.S. state data breach notification laws.
• Assisted global manufacturing company with response to the inadvertent disclosure of export-controlled data to foreign nationals, and drafting, preparing and submitting voluntary disclosures to federal department arising from the same.
• Assisted employee health plan in investigating and responding to data breach that occurred within business associate’s information technology environment that resulted in unauthorized access to employees’ protected health information.
• Assisted supply chain defense contractor with response to ransomware attack that compromised the confidentiality of sensitive employee data and controlled unclassified information, including drafting and submitting formal data breach notices to impacted individuals and government agencies.

Biometrics, CIPA, TCPA & Other Privacy Litigation Defense

• Represented real estate-related data broker in class action lawsuit alleging that its collection and processing of covered personal data violated New Jersey’s Daniel’s Law; representation included assisting in joint defense group seeking dismissal of the case on the grounds that the law is unconstitutional.
• Represented large hospital in class action arising from alleged data breach incident impacting protected health information in custody and control of business associate, including claims of negligence and intrusion upon seclusion.
• Defended Fortune 100 personal healthcare goods provider in lawsuit alleging that its ecommerce platform violated Title III of the ADA because plaintiff with visual impairment was unable to identify promotional items on client’s website because of improper screen readers.
• Assisted private sector entity furnishing “white labeled” online property tax platform to California state agencies comply with California Assembly Bill No. 434 and WCAG 2.0.
• Represented a broad range of businesses in arbitration, litigation and settlement negotiations with respect to claims that their corporate website tracking technologies violate the Pen Register and Trap and Trace Device provisions of the California Invasion of Privacy Act (CIPA).
• Defended dozens of companies in various sectors in arbitration, litigation and settlement negotiations with respect to allegations that their website configurations, such as their use of third-party advertising cookies and pixels, violate the CIPA and similar federal and state laws governing wiretapping, eavesdropping and data privacy.
• Represented global marine technology and equipment manufacturer in resolving a legal demand wherein a consumer alleged that the client’s use of a social media advertising pixel on its corporate website violated the California law governing the use of pen registers and trap and trace devices.
• Defended a Fortune 100 consumer and personal goods company in class action where plaintiff alleged client’s SMS/text marketing program violated certain provisions of Florida’s Telephone Solicitation Act.
• Represented a defense contractor in nationwide class action litigation arising from alleged data security breach impacting employees’ personal data, including claims that plaintiffs incurred or would immediately incur physical harm, emotional distress and identity theft.
• Assisted futures broker in responding to business email compromise that resulted in fraudulent wire transfer, including with respect to digital forensic investigation, data mining, Suspicious Activity Reporting (SAR) to the Treasury Department and data breach notification laws and regulations.
• Assisted multiple clients whose employee health care plans were indirectly affected by the Change Healthcare ransomware attack, including by providing legal and policy advice regarding informal and formal notifications to impacted employees and regulatory authorities.
• Assisted technology services provider in responding to intrusion into its customer-facing platform. Provided guidance on contractual and legal notification obligations with respect to its customers (i.e., educational institutions) regarding unauthorized access to their data, including personal data related to students, teachers and school administrators, advised on data mining processes, retained credit monitoring services and drafted notices to customers and affected parties.
• Advised property management and investment organization on responding to notification from the IRS that its corporate tax records, which contained sensitive personal data, were subject to unauthorized access and included as part of the U.S. government’s prosecution of a former IRS contractor. Drafted data incident notification disclosures in accordance with the client’s legal and compliance obligations.
• Assisted manufacturing company in responding to business email compromise and potential lateral movement resulting in malicious activity across the client’s environment, including engaging with third-party forensic firm and advising on federal regulations governing the unauthorized access and use of ITAR-covered data.
• Advised third-party logistics company on its response to data security incident impacting its third-party business intelligence contractor, including undertaking due diligence of contractor’s incident notification framework and disclosures and advising on data breach legal and regulatory obligations.
• Assisted regional law firm in responding to malicious intrusion into its IT environment, including retaining digital forensic and incident response firm and advising on data incident notification laws and regulations and professional and ethical standards.
• Represented a global airline in responding to data security event arising from its third-party healthcare benefit provider’s use of MOVEit software, including with respect to client’s formal notification obligations and litigation risk assessments, and represented client with respect to its potential indemnification claims arising from the third-party provider’s breach of its legal obligations and contractually mandated security requirements.
• Assisted a global logistics and storage business in responding to a data security breach impacting an employee analytics software application; representation included assisting client with drafting and submission of formal data breach notification to employees and regulatory authorities, and representing client with respect to legal and indemnification claims against third-party software provider.
• Assisted a global energy management and transportation company with investigating unauthorized disclosure of sensitive personal data in connection with its celebrity clientele who use private aviation services; provided formal legal guidance with respect to data breach notification requirements and litigation risk.
• Represented a global manufacturer and provider of reusable textiles in arbitration arising from claims that client unlawfully aided a third-party service provider in intercepting and collecting communications transmitted to client’s website through the use of the third-party’s pixel in violation of the California Invasion of Privacy Act (CIPA) and other state privacy laws.
• Defended U.S. defense contractor in class action litigation in the Southern District of Ohio alleging that a recently disclosed data security incident potentially impacting plaintiffs resulted from client’s negligence, and similar common law and contractual violations.
• Advised a Fortune 50 company on implementing Windows Hello and PingID on employer-provided devices in a manner consistent with U.S. biometric data processing laws and regulations.
• Counseled a global manufacturing firm on federal telecommunications law (TCPA) with respect to implementing company-wide SMS communications, including opt-in and opt-out processes.
• Assisted a national financial institution in responding to complaint filed in California state court that its website violated the Video Privacy Protection Act of 1998 for implementing certain third-party pixels, cookies, and tags without proper notice and consent.
• Counseled a national real estate marketing firm on responding to complaint that its website violated federal and state wiretapping laws for implementing certain third-party pixels, cookies, and tags on its website without proper notice and consent.
• Advised a globally recognized museum on responding to a complaint and demand that its website violated the Video Privacy Protection Act of 1998 for implementing a social media pixel on its public and private websites.
• Counseled a national manufacturing company on responding to formal complaint that its website violated federal and state wiretapping laws with respect to its data processing activities.
• Assisted an international manufacturing company in implementing biometric processing compliance program in the employment context for its operations in the United States and Canada, including advising on implementing biometric privacy policies, obtaining employee consent for biometric collection, and publishing public notices.
• Advised a Fortune 100 company on implementing Windows Hello on employer-provided devices and updating its privacy notices and obtaining employee consent related to the same.

California Consumer Privacy Act (CCPA)

• Performed data mapping to identify whether an organization’s data processing activities implicate California residents and the CCPA.
• Assessed and identified the current state of an organization’s policies and procedures to determine its compliance with the CCPA.
• Drafted privacy notices and statements to address the CCPA’s notice requirement, including drafting website privacy policies, employee privacy statements, and job candidate privacy notices.
• Drafted new, or supplement existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
• Identified whether an organization “sells” personal information within the meaning of the CCPA, and, if so, developed mechanisms for customers to “opt in” or “opt out” of the sale of their personal information.
• Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
• Identified whether an organization offers financial incentives related to data processing and, if so, ensured such incentives align with the CCPA’s anti-discrimination requirements.
• Drafted new, or reviewed existing, data incident response plans to ensure they align with California’s legal requirements and best practices.

The General Data Protection Regulation (GDPR)

• Appointed by state attorney general to assist public university assess its compliance with the GDPR and UK Data Protection Act 2018; retained and led local counsel with respect to the same.
• Assisted global enterprises in designing and implementing EU GDPR compliance programs, policies, and procedures.
• Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
• Counseled clients on establishing and implementing procedures for exporting personal data from the EEA into the United States and other third countries.
• Assisted companies in conducting data mapping exercises to identify the purpose, scope, and legal authorization for their data processing activities.
• Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
• Drafted employee data privacy notices for global companies that have staff or contractors in the EEA.
• Assisted multiple U.S.-based companies in evaluating whether they are legally required to appoint a Data Protection Officer (DPO) in accordance with the GDPR.
• Provided legal analysis to several global companies on whether they need to undertake a data protection impact assessment (DPIA) when implementing routine and common business practices, such as network/employee monitoring.
• Assisted businesses in responding to data subjects invoking rights under the GDPR, including a data subject’s requests for access and/or erasure.

M&A Due Diligence & Cybersecurity Risk

• Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
• Assisted in identifying a target company’s data processing activities, including how it collects, retains, and disseminates personal information.
• Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations, and industry standards.
• Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.

Health & Medical Data Privacy

• Appointed by state attorney general to counsel public university undertaking clinical trials in the European Union and the United Kingdom with respect to its legal obligations under data protection and pharmaceutical regulations and directives and, in conjunction with local counsel, develop and implement data protection and clinical trials compliance checklist.
• Assisted covered entities in determining whether the unauthorized disclosure of protected health information constitutes a breach that warrants, in accordance with federal regulations, notification to the data subject and the Secretary of Health and Human Services.
• Assisted covered entities and business associates in determining whether their encryption protocols satisfy certain technical safeguard requirements within the HIPAA Security Rule.
• Drafted master contracts, including provisions governing data privacy and information security, for a global biopharmaceutical companies and their third-party contract research organizations.
• Provided legal analysis to a late-stage drug testing firm on leveraging exemptions set forth in the GDPR to permit it to legally retain personal information concerning drug testing.
• Determined whether a company’s notice and consent forms issued during medical clinical trial testing satisfy the EU Clinical Trials Regulation (No 536/2014) and other legal requirements.

Third Party IT Contracting

• Drafted and negotiated a wide range of technology and data protection agreements and statements of work, including end user license agreements for software and embedded technology solutions; master service agreements with IT services providers; contracts and statements of work for cloud storage, penetration testing and vulnerability scanning, and managed IT services; and personal data processing, transfer, and security agreements.
• Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.