Data drives the modern digital economy, but its immense value also brings complex risks amid an evolving, fragmented regulatory landscape. Our Privacy and Cybersecurity teams act as strategic partners, helping clients navigate legal and technical risk across the data lifecycle—from crafting operational strategies and plans for incident readiness to navigating transactions, disputes, investigations and enforcement.
Our integrated cross-border counsel blends deep deal expertise with strong litigation insight, enabling clients to manage risks confidently and seize opportunities to turn complex data challenges into competitive advantage. Our clients include strategic companies and private equity firms across industries, as well as financial institutions, family offices, early-stage companies and nonprofits.
Cybersecurity — Areas of Focus
Cybersecurity Regulatory/Enforcement
Cybersecurity has become a perennial priority for federal, state and local regulators, who are often equipped with expansive jurisdictional mandates to investigate potential cybersecurity shortcomings, particularly in the wake of an incident. Our regulatory and enforcement attorneys include a deep bench of alums from the Securities and Exchange Commission and the cyber divisions of several key districts of the U.S. Attorney’s Office. They bring experience responding on behalf of clients to formal and informal inquiries, investigations, examinations and actions from a wide range of regulators including the Federal Trade Commission, the SEC, the Department of Justice, the offices of various state attorneys general, the New York Department of Financial Services, the Financial Industry Regulatory Authority and the Commodity Futures Trading Commission, among others.
Select matter highlights:
- Beazley in addressing complex data breach claims from consumers, businesses and regulatory authorities
- Berkshire Hathaway-owned insurance companies in securing the dismissal of cybersecurity class action litigation
- Blackstone and JPMorgan, as well as other major financial institutions and asset managers, in SEC investigations relating to texting practices
- Board of Colonial Pipeline in connection with a cybersecurity incident involving oil pipeline on Eastern seaboard
- TransUnion in a $37 million DOJ settlement under the False Claims Act and FIRREA regarding alleged misuse of regulatory data obtained from banking agencies
- Working Group of Independent Directors of the Board of Kraft Heinz in an investigation concerning accounting, disclosure, and trading matters
- A defense contractor in a DOJ False Claims Act investigation related to cybersecurity controls
- Board of public IT company in investigation relating to trading activity
- Board of global technology company in confidential internal investigation
Cybersecurity Readiness and Response
Preparing for a cybersecurity incident is not just best practice; it is often a regulatory requirement and a baseline expectation for external stakeholders, including directors, investors and customers. To help our clients meet these requirements and expectations, we partner with subject-matter experts to prepare response plans, lead tabletop exercises, perform cyber-regulatory risk assessments and provide tailor-made training for legal departments, managers, and directors. We also routinely counsel clients on cyber disclosure obligations, including compliance with the latest SEC rules on cyber-related disclosures in annual reports and other public filings.
When an incident does occur, our swift, sophisticated approach to breach response helps clients mitigate risk and manage the fallout from attacks including ransomware deployment, extortion demands, insider threats, business email compromises, phishing campaigns, DDoS attacks, data theft, SEO poisoning, deepfake fraud, wire fraud, hack-pump-and-dump schemes and more. From immediate crisis management to forensic analysis coordination, liaising with law enforcement, navigating communications and executing remediation strategies, we offer deep experience and technical sophistication to help clients navigate these and other cyber and data privacy crises.
Cybersecurity and Data Breach Litigation
Commercial disputes and consumer class actions now routinely follow in the wake of enterprise cybersecurity incidents. For the targets of an attack, managing the risks of these disputes and claims while recovering from an event can seem overwhelming. For third-party victims or business counterparts, obtaining information while preserving and protecting reasonable interests can seem like an impossible challenge. Our top-ranked litigators and class action attorneys have experience guiding clients from nearly all angles of an incident, including defending against significant data breach litigation matters, seeking to resolve disputes in the wake of business email compromise attacks and representing insurance carriers in cyber-related coverage matters.
Select matter highlights:
- Ally in winning second complete dismissal of “data exposure” class action in SDNY; and, separately, in a putative class action in the Northern District of California
- Ubiquiti Inc. in connection with DOJ criminal investigation and securities stock drop litigation following a highly publicized staged data breach
- Varsity Brands in the settlement of putative data breach class actions
Cybersecurity and Corporate Transactions
We regularly advise on cybersecurity and data privacy in complex transactions, including mergers and acquisitions, capital markets offerings and strategic partnerships. Our approach is focused on executing transactions efficiently while protecting long-term value.
Select matter highlights:
- Cohesity in its combination with Veritas’ data protection business, with a combined valuation of $7 billion
- Stonepeak in its $2.4 billion acquisition of Intrado’s Safety Business
- Francisco Partners in its $2.1 billion all-cash acquisition, alongside Clearlake Capital Group, L.P., of the Software Integrity Group business from Synopsys
- Silver Lake, the second largest shareholder of VMware, in the $61 billion acquisition of VMware by Broadcom
- Advent International in connection with its announced sale of Prisma Medios de Pago S.A.U. and Newpay S.A.U. to Visa
- EQT in its sale of minority stake in EdgeConneX to Sixth Street
Privacy Compliance (U.S.)
We advise clients across industries on all facets of personal data management, from collection and processing to retention, sharing and secure destruction. We conduct rigorous due diligence on the data practices of M&A targets, joint ventures and business partners to identify risks as well as opportunities. Drawing on deep knowledge of clients’ operations and data flows, we navigate the ever-evolving patchwork of U.S. privacy laws and regulations, including the Federal Trade Commission Act (FTC Act); the California Consumer Privacy Act, as amended (CCPA/CPRA); the Gramm-Leach-Bliley Act (GLBA) and state equivalents, such as the California Financial Information Privacy Act (FIPA); the Health Insurance Portability and Accountability Act, as amended (HIPAA/HITECH) and state equivalents, such as the California Confidentiality of Medical Information Act (CMIA); the Telephone Consumer Protection Act (TCPA); the Family Educational Rights and Privacy Act (FERPA); the Colorado Privacy Act (CPA); the Illinois Biometric Information Privacy Act (BIPA); the Connecticut Data Privacy Act (CTDPA); the Oregon Consumer Privacy Act (OCPA); the Virginia Consumer Data Protection Act (CDPA); the Washington My Health My Data Act (MHMDA); and other state and federal privacy laws.
Beyond compliance, we help clients integrate privacy into their business strategies to enhance customer trust and competitive advantage. We also advise on disclosure obligations related to personal information in securities filings, annual reports and public communications, ensuring transparency without exposing unnecessary risk. Our multi-disciplinary approach combines legal insight with practical understanding of technology and operations, enabling clients to proactively manage data risks while driving innovation.
Select matter highlights:
- Financial company on the creation of anonymized internal data bank that includes multiple third-party data sources
- Advising on compliance with data privacy laws and regulations, including M&A-related data integration and transfers, responses to cyber breaches and ransomware incidents, and creating and implementing privacy policies, data breach prevention programs and incident response plans
- Responding to cybersecurity incident including by assessing scope of incident, assessing notification obligations across 50 states, noticing regulatory authorities, arranging and coordinating with third party cybersecurity experts for data review and analysis, and developing notification strategy for business partners and individuals
Privacy Compliance (U.S. Healthcare & Life Sciences)
Navigating the complex intersection of digital health acceleration, fragmented state and federal laws and highly sensitive, often immutable patient data has made privacy compliance more challenging than ever. We provide clients in the healthcare and life sciences sector with proactive legal strategies that translate stringent, often contradictory, privacy frameworks into operational safeguards.
Our team has deep expertise in HIPAA/HITECH and state equivalents, including California’s Confidentiality of Medical Information Act (CMIA), helping clients safeguard protected health information (PHI) while enabling innovation in patient care and data management. Our privacy best practices emphasize not only regulatory compliance but also operational efficiency and patient trust, helping clients implement comprehensive policies, secure technologies, incident response protocols, data minimization strategies and vendor management processes that collectively reduce risk while supporting broader business objectives. We also counsel clients on the emerging regulatory framework around consumer health data, including the FTC’s Health Breach Notification Rule (HBNR) and key state-specific privacy laws, including the California Consumer Privacy Act, as amended (CCPA/CPRA), as well as Washington’s My Health My Data Act (MHMDA). Our guidance helps clients navigate these evolving mandates by developing targeted compliance programs, managing cross-jurisdictional risks and optimizing disclosure and breach response strategies. By partnering closely with organizational leadership and compliance teams, we help maintain a proactive, adaptive privacy posture that evolves in step with dynamic legal landscapes and industry standards.
Select matter highlights:
- Client in connection with the client’s purchase of a target company that allegedly had extensive exposure to Illinois’s Biometric Information Privacy Act (BIPA); assessed the target company’s compliance with BIPA and advised the client as to potential exposure and strategies to mitigate risks post-acquisition
- Major U.S. financial institutions active in Europe on the interplay between SEC e-communication recordkeeping obligations and GDPR and other privacy law requirements
- Negotiating data sharing agreement in connection with HIPAA covered employee health care plans
Privacy Compliance (EU/UK)
The European privacy and cybersecurity regulatory framework is complex and continually evolving. Foundational laws such as the GDPR, ePrivacy Directive, NIS 2 Directive and UK Data Protection Act 2018 are subject to ongoing amendment and judicial interpretation, whilst an array of adjacent and sectoral requirements have emerged in recent years, such as DORA, the Digital Services Act and the UK Data (Use and Access) Act.
Our multi-disciplinary team has deep experience counselling clients across the full range of existing and upcoming requirements in this area. Whether it is designing and implementing a future-proof compliance framework, getting a deal across the line, responding to a breach, interacting with regulators and data subjects, defending litigation or advising on specific international transfer, marketing, cookie, disclosure or other issues, we draw on our experience to obtain the best result for our clients.
Select matter highlights:
- Designing and implementing European privacy and cybersecurity compliance frameworks for multiple financial institutions, asset managers and corporates
- Complex European privacy and cybersecurity due diligence, negotiation of agreements and post-closing integration activities in connection with acquisitions, divestitures and other transactions
- Responding to data breaches with a European nexus, often involving notifications to multiple regulators, contractual counterparties and individuals
- Responding to European regulatory investigations
- Managing contentious and complex European data subject requests
- Contractual negotiation, advisory and training on European privacy and cybersecurity requirements